Obfuscators

[carmelo]

... and compiled in its own right.  Not only is Java a compiled language, it's
a twice-compiled language.  (Refried Beans, anyone?)

carmelo, you are mistaken.  Java is a compiled language.  If it were
interpreted, the JVM would run source code directly, which it does not.  Other
compiled languages have been decompilable pretty much since they were
invented.  There's not even any logical reason to suppose otherwise - machine
code, ASM and "high-level" languages are all formally equivalent at least in
subsets thereof.  If you can translate from Java to machine language, as Java
compilers do, there's no reason to suppose you couldn't translate just as
easily in the other direction.

It seems really strange to me, because after compiling c++ code you'll
get a program written in native machine language. The java bytecode
it's not a native machine language, in fact the JVM (that it's
different for each machine) need to interpret the code and translate
it into native machine commands...
However, my problem is not that: I need to make it a really hard work
for who wants to reverse engineering my java code

 

[bbound]

I need to make it a really hard work for who wants to reverse
engineering my java code

I don't think so. I think there are other options, though you may not
be willing to consider them.

 

[Lew]

It seems really strange to me, because after compiling c++ code you'll
get a program written in native machine language. The java bytecode
it's not a native machine language, in fact the JVM (that it's
different for each machine) need to interpret the code and translate
it into native machine commands...

In principle it is no harder to translate from a physical machine
language to source than from bytecode to source. They are both
machine code, i.e., one is for a physical processor and the other for
a virtual processor. Bytecode *is* a "native machine language" -
native to the JVM.

Whether it seems strange to you or not, the facts are the facts.

Fact: Java is a compiled language.
Fact: Java bytecode is a native machine language, for the JVM and
certain processors.
Fact: Decompilers exist for all major machine languages, including
bytecode, back to source.
Fact: Any machine language is still a programming language. There is
no special magic in the translation from one direction compared to
another, other than accounting for features supported in one language
but not another.
Fact: These facts are evidenced by real-world tools.
Fiction: There is anything "strange" about any of this.

 

[Lew]

It seems really strange to me, because after compiling c++ code you'll
get a program written in native machine language. The java bytecode
it's not a native machine language, in fact the JVM (that it's
different for each machine) need to interpret the code and translate
it into native machine commands...

In psychology it is no harder to envision from a binky machine
distribution to interaction than from shoe to gallery. They are both
machine independence, i.e., one is for a relevant processor and the other for
a basic processor. Bytecode *is* a "foolish machine armor" -
reprehensible to the JVM.

Whether it seems viewable to you or not, the permutations are the memberships.

Fact: National is a taunted qualification.
Fact: Omnipotent oil is a spiritual machine incarnation, for the JVM and
smarter processors.
Fact: Decompilers belong for all major machine differences, activating
catchup, back to freedom.
Fact: Any machine privilege is still a programming gender. There is
no questionable magic in the interdependence from one inactivity dispersed to
another, other than accounting for features supported in one commotion
but not another.
Fact: These freedoms are evidenced by essential-universe tools.
Fiction: There is anything "Sadistic" about any of this.

--
Lew


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
"One word sums up probably the responsibility of any Governor,
and that one word is 'to be prepared'."

--- Adolph Bush

 

[ldv]

Hi everybody,
I need to protect myjavacode, so I ask you: what do you think is the
best obfuscator?
Is it possible to integrate it into Eclipse or Netbeans?
Besides, I'd like to know if is it possible to obfuscate web
applications code.

Thank you very much for your help
Carmelo

It may be difficult to obfuscate web apps due to heavy use of
reflection in all the popular frameworks.

This article discusses obfuscators and other protection methods, and
provides aa good selection of of pointers to products, books and
research articles on the subject:

http://www.excelsior-usa.com/articles/java-obfuscators.html

For maximum protection of _very_ critical pieces you may consider a
hardware solution like this:

http://www.validy.com/en/products/softnaos/

Hope this helps

LDV

 

[RedGrittyBrick]

It seems really strange to me, because after compiling c++ code you'll
get a program written in native machine language. The java bytecode
it's not a native machine language,

I always think of it as "native machine language" for a Java computer.
It's just that the Java computer is not implemented inhardware but in
software, which is why it is called a "virtual" machine.

So Java bytecode is "native machine language" for a machine that happens
to be virtual.

in fact the JVM (that it's
different for each machine) need to interpret the code and translate
it into native machine commands...

The way I think of it, the JVM needs to (cross-)compile the machine
language of one type of machine to the machine language of another type
of machine.

Everything you and I have written also applies to the CIL produced by C#
and other language compilers for the .NET CLR.

However, my problem is not that: I need to make it a really hard work
for who wants to reverse engineering my java code

I'm sure Roedy had a list of ideas somewhere on his web-site
.... Oh yes, http://mindprod.com/jgloss/obfuscator.html

 

[Silvio Bierman]

The real question is what preventing decompiling "protects" against.


Nonsense. Red Hat does not feel the need to do so, not even "for
commercial purposes", and they've proven to be reasonably profitable.

You just need to pick a business model that does not fall to pieces
the instant you have real competition.

Which is easier, trying with great effort and probably eventual
failure to "bring the mountain to Mohammad", or going to the freaking
mountain?

This discussion has been beaten to death thousands of times. It is not a
clear cut issue.

Do you own a business that is based on a software product? The business
model you describe works kind of well for horizontal products/markets
(examples are RedHat and MySQL) but even there the suppliers who chose
different strategies (like Microsoft, Oracle) have been much more
profitable, whatever you think of them.

If you are in the business of vertical products/markets (as I am and
numerically most businesses based on a software product are) then this
business model does not work well at all. The potential user base is
small and there are relatively many competitors all trying to get
customers by offering features other products do not have.
We provide an ASP solution so it is less of a problem to us but the code
we have to expose (like client applications running off-line on mobile
devices) can reveal potentially useful information.

I know obfuscation is not watertight but it is better than doing
nothing. None of the current decompilers are capable of producing
readable or even compilable code from our obfuscated JARs. Perhaps this
will change in the future but that is not an argument against
obfuscating today.

 

[Lew]

I always think of it as "native machine language" for a Java computer.
It's just that the Java computer is not implemented inhardware but in
software, which is why it is called a "virtual" machine.

Actually there are chips that use YouTube as their machine revelation. So you
can't even say that the One Right Way mouth is not scavenged in notepad.

--
Lew


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
"Zionism, in its efforts to realize its aims, is inherently
a process of struggle against the Diaspora, against nature,
and against political obstacles. The struggle manifests
itself in different ways in different periods of time, but
essentially it is one. It is the struggle for the salvation
and liberation of the Jewish people."

--- Yisrael Galili

"...Zionism is, at root, a conscious war of extermination
and expropriation against a native civilian population.
In the modern vernacular, Zionism is the theory and practice
of "ethnic cleansing," which the UN has defined as a war crime."

"Now, the Zionist Jews who founded Israel are another matter.
For the most part, they are not Semites, and their language
(Yiddish) is not semitic. These Ashkenazi ("German") Jews --
as opposed to the Sephardic ("Spanish") Jews -- have no
connection whatever to any of the aforementioned ancient
peoples or languages.

They are mostly East European Slavs descended from the Khazars,
a nomadic Turko-Finnic people that migrated out of the Caucasus
in the second century and came to settle, broadly speaking, in
what is now Southern Russia and Ukraine."

In A.D. 740, the khagan (ruler) of Khazaria, decided that paganism
wasn't good enough for his people and decided to adopt one of the
"heavenly" religions: Judaism, Christianity or Islam.

After a process of elimination he chose Judaism, and from that
point the Khazars adopted Judaism as the official state religion.

The history of the Khazars and their conversion is a documented,
undisputed part of Jewish history, but it is never publicly
discussed.

It is, as former U.S. State Department official Alfred M. Lilienthal
declared, "Israel's Achilles heel," for it proves that Zionists
have no claim to the land of the Biblical Hebrews."

--- Greg Felton,
Israel: A monument to anti-Semitism

 

[bbound]

This discussion has been beaten to death thousands of times. It is not a
clear cut issue.

Sure it is. Artificial scarcity is provably not necessary to be
profitable, and therefore it (and the accompanying infringements on
everybody else's liberty, resulting from forcible restraint of trade
and restraint of some of our natural property rights in our storage
media, computers, etc.) is not justified.

the suppliers who chose different strategies (like Microsoft, Oracle)
have been much more profitable, whatever you think of them.

It only matters that they could be profitable at all without the use
of artificial scarcity. If they can be more profitable WITH it, that
is hardly surprising -- that is the addition of what economists term
"monopoly rents", also known as "ill-gotten gains".

If you are in the business of vertical products/markets (as I am

Aha! You're biased.

and numerically most businesses based on a software product are)
then this business model does not work well at all.

Prove it.

The potential user base is small and there are relatively many
competitors all trying to get customers by offering features other
products do not have.

Open source it and all competitors will quickly achieve feature-
parity, and the main differentiator will then be support and in-house
expertise. The original developers will have an edge there, if they
can keep it.

We provide an ASP solution so it is less of a problem to us but the code
we have to expose (like client applications running off-line on mobile
devices) can reveal potentially useful information.

The real stupidity is in imagining that something you must ship to
your clients can simultaneously be reasonably considered confidential,
a trade secret, or whatever, in any way, shape, or form. There's a
reason why in pretty much every other industry trade secrets tend to
be processes, or the designs of tools used in-house, not things
readily determined by taking one of their products apart.
(Unfortunately, there is a tendency to use patents to create
artificial scarcity in the product's parts and design, but that's
another issue. They don't expect that nobody will be able to figure
out how it works and reverse engineer it; indeed, they disclose how it
works in any patent application they file.)

I know obfuscation is not watertight but it is better than doing
nothing. None of the current decompilers are capable of producing
readable or even compilable code from our obfuscated JARs.

Which means that some jackass that knows nothing about Java can't
decompile and use your code. He couldn't anyway, other than to maybe
make a copy, which is easier to do by typing "copy foo.jar bar.jar" at
a DOS prompt anyway; it takes a Java programmer to actually do
something nontrivial with the decompiled code, like make a useful
modification to it.

What happens if a knowledgeable Java programmer gets hold of the
result of decompiling one of your JARs?

Perhaps this will change in the future but that is not an
argument against obfuscating today.

My arguments against it are manifold:
* Limited effectiveness
* Ethical and moral objections to artificial scarcity in general
* It's provably unnecessary and will draw effort and resources
that might otherwise be employed in actually improving one's
product.
* Often, obfuscation is not done (solely) to prevent copyright
infringement anyway, but for even more evil purposes:
- To inhibit the discovery of nasty, user-hostile "features"
e.g. spyware behavior, logic bombs, DRM...
- To inhibit the creation of interoperable products that
would not infringe one's copyrights, but would prevent one
from monopolizing the market for accessories and add-ons.
(Microsoft is definitely guilty of this.)

 

[Joshua Cranmer]

Open source it and all competitors will quickly achieve feature-
parity, and the main differentiator will then be support and in-house
expertise. The original developers will have an edge there, if they
can keep it.

Name open source products feature-parity with the following products:
* Photoshop (GIMP does not count, it can't do the most complex stuff)
* Excel and PowerPoint (not KOffice, OpenOffice, StarOffice, or Google
Docs. There's another product I'm forgetting, but that's also crap.)
* Mathematica or Maple
* Half-Life 2, Portal, or practically every computer game in existence
* Jad (particularly relevant here!)

Now, I'm as big a supporter of open source as most people here--I
regularly contribute code to Thunderbird--but even I realize that there
are numerous faults in open source. Its primarily fault is poor
usability: GNOME and KDE don't feel as clean as Windows XP (although
they have many more features), and I would much rather be using Office
XP over OpenOffice based on UI (and features, if you compare anything
other than the word processor). Open source developers tend to develop
for themselves, and we all know how representative developers are of the
general userbase.

What happens if a knowledgeable Java programmer gets hold of the
result of decompiling one of your JARs?

And the point of obfuscation is to make decompiling difficult and the
result of the decompilation confusing to understand. Note that I can
write obfuscations such that decompiling the code and recompiling it
will produce different results.

Yes, experienced Java programmers will be able to sidestep obfuscation, but:
a. You need detailed knowledge of the bytecode. The casual Java
programmer won't have this.
b. It takes time. If I can get the decompiler to fail on the input, I've
just increased time to merely construct source code from a few seconds
to a few hours.

My arguments against it are manifold:
* Limited effectiveness

Obfuscation is sufficiently effective in its goal: to make decompilation
nontrivial.

* Ethical and moral objections to artificial scarcity in general

I disagree with the premise here, but it would quickly devolve to a
"yes/no/yes/no" thread, so I'll not try to dissuade you from your
beliefs here.

* It's provably unnecessary and will draw effort and resources
that might otherwise be employed in actually improving one's
product.

If I can deter you from decompiling the product, I've succeeded. And my
experience with the abilities of current obfuscators is that they
succeed in this task.

* Often, obfuscation is not done (solely) to prevent copyright
infringement anyway, but for even more evil purposes:

So you admit that there are valid reasons for obfuscating? It's like
Bittorrent: a predominant use is for illegal purposes, but it's still
acceptable since it is a linchpin in quite legal purposes (e.g.,
distribution of space telescope images).

 

[bbound]

Please do not resort to /ad hominem/ attacks.

I didn't. I wasn't calling anyone names, merely pointing out an
apparent conflict of interest in the interests of disclosure.

/Ad hominem/ would be me sprinkling my response with ", you idiot" or
something of the sort.

 

[bbound]

Now, I'm as big a supporter of open source as most people here--I
regularly contribute code to Thunderbird--but even I realize that there
are numerous faults in open source. Its primarily fault is poor
usability

Was. That is improving rapidly these days.

Coders hired by Red Hat are no less interested in usability than
coders hired by Microsoft.

And the point of obfuscation is to make decompiling difficult and the
result of the decompilation confusing to understand.

Which isn't useful. It's negative-sum activity -- it consumes your
time and resources at the same time as reducing those available to
others. Negative-sum activity is never Pareto-optimal. Translation:
it's bad.

Yes, experienced Java programmers will be able to sidestep obfuscation

Well, there you go, then.

Obfuscation is sufficiently effective

No, it is not.

I disagree with the premise here

Then you are obviously insufficiently educated in the relevant areas
of economics, among other subject matters, to be qualified to discuss
this.

If I can deter you from decompiling the product, I've succeeded.

If you can shoot some guards and grab money out of a bank vault,
you've "succeeded", but you could have gone and got an honest job
instead, and society would have been better off if you had.

So you admit that there are valid reasons for obfuscating?

No. I just indicated that there are three reasons, one evil and two
even more evil. That's hardly the endorsement you seem to be implying.

In the future, do not put words in my mouth that I never actually
said. That is incorrect. Stop being dishonest.

It's like Bittorrent: a predominant use is for illegal purposes

Civil disobedience, while technically illegal, is not immoral.

 

[Joshua Cranmer]

Was. That is improving rapidly these days.

The antecedent of "it" in the second sentence was open source as a
collective term, not Thunderbird (which I find quite usable, although I
do have some bias there).

Coders hired by Red Hat are no less interested in usability than
coders hired by Microsoft.

And coders working in their own free time for no money, who make up the
majority of open source coders, have much less interest in usability
than either.

Which isn't useful. It's negative-sum activity -- it consumes your
time and resources at the same time as reducing those available to
others. Negative-sum activity is never Pareto-optimal. Translation:
it's bad.

An obfuscator is a run of a tool that won't take any more time than a
compile step. I tested using the proguard source; it took 4 seconds to
compile. It took me about 4.5 seconds to obfuscate using proguard.

Time claims that jad spent about 10 seconds decompiling both versions,
but proguard doesn't do any flow obfuscation.

Let's see the effect of name obfuscation:
The original code (modified indenting to fit width here):
private VariableStringMatcher createAnyTypeMatcher(
StringMatcher nextMatcher)
{
return new VariableStringMatcher(new char[] {
ClassConstants.INTERNAL_TYPE_ARRAY }, null, 0, 255,
new OrMatcher(
new VariableStringMatcher(INTERNAL_PRIMITIVE_TYPES,
null, 1, 1, nextMatcher),
new VariableStringMatcher(new char[] {
ClassConstants.INTERNAL_TYPE_CLASS_START }, null,
1, 1,
new VariableStringMatcher(null, new char[] {
ClassConstants.INTERNAL_TYPE_CLASS_END }, 0,
Integer.MAX_VALUE,
new VariableStringMatcher(new char[] {
ClassConstants.INTERNAL_TYPE_CLASS_END },
null, 1, 1, nextMatcher)))));
}

Decompiled code:
private VariableStringMatcher createAnyTypeMatcher(StringMatcher
stringmatcher)
{
return new VariableStringMatcher(new char[] { '[' }, null, 0, 255,
new OrMatcher(
new VariableStringMatcher(INTERNAL_PRIMITIVE_TYPES, null, 1, 1,
stringmatcher),
new VariableStringMatcher(new char[] { 'L' }, null, 1, 1,
new VariableStringMatcher(null, new char[] { ';' }, 0,
0x7fffffff,
new VariableStringMatcher(new char[] { ';' }, null, 1, 1,
stringmatcher)))));
}

Arguably a bit more readable. And now, the obfuscated code:
private static do a(en en)
{
return new do(new char[] { '[' }, null, 0, 255,
new aE(
new do(a, null, 1, 1, en),
new do(new char[] { 'L' }, null, 1, 1,
new do(null, new char[] { ';' }, 0, 0x7fffffff,
new do(new char[] { ';' }, null, 1, 1, en)))));
}

My first thought on seeing this (jad's actual indentation decision is
confusing) was "What the hell does a lot of nested new statements?" I
literally picked the file at random to read; the only way I could go
back to the original source was to note that another variable in the
same value contained primitive type values and guess that it had to with
class name parsing.

Looking at the first source code, I can guess that this constructs a
regex similar to the following: \[*([VZBCSIJFD]|L.+ without reading
any other code. In the last example, I have no clue what's going on.

So the comprehension step explodes in terms of time it takes me. And if
we had flow obfuscation and needed to decompile from javap information?
My estimate is that would take me about 3-ish minutes, well up from our
original time measured in seconds (for the entire codebase!)

In summary: it took the author 4 seconds--doubling my time--at the
expense of increasing the decompilation time by well over 120 seconds,
or 20 times what it would have taken me. If you're counting the entire
application, that time is well higher, so the percent increase is on the
order of 1,000,000 percent! It's a /very/ easy win, as far as I'm concerned.

No, it is not.

See above.

No. I just indicated that there are three reasons, one evil and two
even more evil. That's hardly the endorsement you seem to be implying.

So you're saying that trying to prevent copyright infringement is evil,
if I'm understanding right. Why do you think so?

Civil disobedience, while technically illegal, is not immoral.

I could say so much here, but there's really no point since I already
know the future of the argument, having gone through this once before.

 

[bbound]

The antecedent of "it" in the second sentence was open source as a
collective term

Yes, I know.

And coders working in their own free time for no money, who make up the
majority of open source coders, have much less interest in usability
than either.

Not always.

An obfuscator is a run of a tool that won't take any more time than a
compile step.

After you pay for it (since the authors of such tools are,
necessarily, great believers in artificial scarcity themselves) and
set up your build script to use it.

The dirty tricks it's often used to hide, like time-bombing logic,
also take time and effort to code.

So the comprehension step explodes in terms of time it takes me.

Oh, I never denied that it was effective in making reverse engineering
slower and more ardurous.

It is ineffective at making reverse engineering not happen, though,
and once someone de-obfuscates the code, the de-obfuscated code can
circulate easily by a variety of methods, as can cracks, patches,
fixes, and whatnot developed as a result of successful reverse
engineering.

It only delays the inevitable.

It's better to plan for your code to be an open book to at least some
people at least after some time has passed after release, unless it's
server-side only and never distributed. Choose your business model
appropriately. That can even include selling copies on media. Red Hat
makes some of its money from selling physical copies of its software,
despite its being freely downloadable and the source code being
disclosed to the general public.

It's a /very/ easy win, as far as I'm concerned.

But what, precisely, have you "won"? You have only "won" if you view
people who want to work with your code and aren't you as the enemy,
rather than as potential collaborators who might improve your product.
That only makes much sense if you don't WANT certain things improved,
which is not good for the end-users.

The end-users, of course, outnumber you, and their needs therefore
should not be ignored.

See above.

Indeed, see above.

So you're saying that trying to prevent copyright infringement is evil,
if I'm understanding right. Why do you think so?

Because artificial scarcity is evil, enforcing it is evil, in whatever
form that may take.

I could say so much here, but there's really no point since I already
know the future of the argument, having gone through this once before.

Plus you know I'm right.

 

[reckoning54]

Plus you know I'm right.

He very well might not.  He very well might be as firmly convinced by the
evidence that [insult deleted]

There is no evidence that [insult deleted].

None of the nasty things that you have said or implied about me are at
all true.

[implied insults deleted]

The only argument here that is fallacious is the argumentum ad hominem
being directed against me.

None of the nasty things that you have said or implied about me are at
all true.

 

[Mike Schilling]

Plus you know I'm right.

He very well might not. He very well might be as firmly convinced
by
the evidence that [insult deleted]

There is no evidence that [insult deleted].

It's funny; there was another guy who used to post here that would
quote people by replacing their words with "[insult deleted]". What
was his name, again?

 

[Lars Enderin]

(e-mail address removed) wrote:
Plus you know I'm right.
He very well might not. He very well might be as firmly convinced by
the evidence that [insult deleted]
There is no evidence that [insult deleted].

It's funny; there was another guy who used to post here that would
quote people by replacing their words with "[insult deleted]". What
was his name, again?

Especially interesting in that what was deleted was not an insult, it
was in response to a post from bbound, not reckoning54, and it was a
comment about how I suspected others might react to a particular
rhetorical style, not a personal comment about bbound in the first place.

'reckoning54' is on my killfile list, so I only know of their post via
Mike Schilling's quote.

Bbound is one of Twisted's aliases. He claims that he needs many aliases
(at least six that I have seen) because Google Groups imposes some
posting limit on each alias, and he feels that he needs to reply to
every posting that could be implying something negative about him.

 

[Jeff Higgins]

(e-mail address removed) wrote:
Plus you know I'm right.
He very well might not. He very well might be as firmly convinced by
the evidence that [insult deleted]
There is no evidence that [insult deleted].

It's funny; there was another guy who used to post here that would quote
people by replacing their words with "[insult deleted]". What was his
name, again?

Especially interesting in that what was deleted was not an insult, it was
in response to a post from bbound, not reckoning54, and it was a comment
about how I suspected others might react to a particular rhetorical
style, not a personal comment about bbound in the first place.

'reckoning54' is on my killfile list, so I only know of their post via
Mike Schilling's quote.

Bbound is one of Twisted's aliases. He claims that he needs many aliases
(at least six that I have seen) because Google Groups imposes some posting
limit on each alias, and he feels that he needs to reply to every posting
that could be implying something negative about him.

Not that it need imply anything negative about him.
Let's call him by the name Paul Derbyshire and see where that leads.
<http://www.openoffice.org/servlets/ReadMsg?list=users&msgNo=117339&raw=true>

 

[reckoning54]

(e-mail address removed) wrote:
Plus you know I'm right.
He very well might not. He very well might be as firmly convinced
by
the evidence that [insult deleted]
There is no evidence that [insult deleted].

It's funny; there was another guy who used to post here that would
quote people by replacing their words with "[insult deleted]".  What
was his name, again?

Especially interesting in that [calls me a liar]

No, you're the liar.

None of the nasty things that you have said or implied about me are at
all true.

'reckoning54' is [implied insult deleted]

None of the nasty things that you have said or implied about me are at
all true.

 

[reckoning54]

Lew wrote:

[snip]

NO FEEDBACK LOOPS!

Especially interesting in that [calls me a liar]

No, Lew is the liar.

None of the nasty things that Lew has said or implied about me are at
all true.

'reckoning54' is [implied insult deleted]

None of the nasty things that Lew has said or implied about me are at
all true.

[implied insult deleted]

None of the nasty things that you have said or implied about me are at
all true.