Protect Your Java Code from Reverse Engineering

by Ramesh Natarajan on June 15, 2008

Java Coffee Cup

 

If you are developing java application, it is important to understand that the java class files can be easily reverse engineered using java decompilers. In this article, let us explore how a java class file is reverse engineered and how to protect your source code from being reverse engineered by someone.

The java source code is compiled to a class file that contains byte code. Java Virtual Machine needs only the class file for execution. The problem is that the class file can easily be decompiled into the original source code using java decompiler tools. The best solution to prevent reverse engineering is to obfuscate the class file so that is will be very hard to reverse engineer. According to the dictionary Obfuscate means “to make obscure or unclear”. That is exactly what lot of java obfuscator tool will do as explained below.

I. Decompile Java class file.

Before understanding how to obfuscate the java code, let us first try to understand how someone can reverse engineer your java application. Following 3 steps explains how a class file is reverse engineered to the original java source code.

1. Create HelloWorld.java as shown below.

public class HelloWorld {
    public static void main (String args[]) {
        String userMessage = "Hello World!";
        int userCount = 100;
        userCount = userCount + 1;
        System.out.println(userMessage);
        System.out.println(userCount);
    }
}

2. Compile HelloWorld.java program and execute it to make sure it works properly.

$ javac HelloWorld.java
$ java HelloWorld
Hello World!
101

Java class file contains only byte code. If you try to view a class file, it will be non-readable as shown below.

$ vi HelloWorld.class
Ãþº¾^@^@^@2^@
^@^G^@^P^H^@^Q  ^@^R^@^S
^@^T^@^V^G^@^W^G^@^X^A^@^F<init>^A^@^C()V^A^@^DCode^A^@^OLineNumberTable
^A^@^Dmain^A^@^V([Ljava/lang/String;)V^A^@
SourceFile^A^@^OHelloWorld.java^L^@^H^@ ^A^@^LHello World!^G^@^Y^L^@^Z^@^[^G^@^\^L^@^]^@^^^L^@^]^@^_^A^@
HelloWorld^A^@^Pjava/lang/Object^A^@^Pjava/lang/System^A^@^Cout^A^@^ULjava/io/PrintStream;^A
^@^Sjava/io/PrintStream^A^@^Gprintln^A^@^U(Ljava/lang/String;)V^A^@^D(I)V^@!^@^F^@^G^@^@^@^@^@^B^@^A^@^H^@  ^@^A^@

3. Decompile HelloWorld.class file and view the original source.

For this demonstration let us use Jad decompiler which is free for non-commercial use. Download the appropriate jad for your platform. Use jad to reverse engineer the HelloWorld.class file to get the original source as shown below.

$ unzip jadls158.zip
$ ./jad HelloWorld.class
Parsing HelloWorld.class...
Generating HelloWorld.jad
$ vi HelloWorld.jad <This will show the reverse engineered original source code>

II. Obfuscate your java application

Let us review how to obfuscate and protect your source code from reverse engineering using ProGuard a free GPL licensed software.

1. Download and Install ProGuard

$ cd /home/jsmith
$ unzip proguard4.2.zip

2. Create a proguard config file

Create myconfig.pro that contains all the information about your java application.

  • -injar : Specify the location of your jar file. i.e the compiled java application that contains the class files
  • -outjar: This is the jar file proguard will create after obfuscation. This will contain all the mangled, obscure naming convention of the methods and variables in the class file if someone tries to reverse engineer.
  • -printmapping: ProGurad outputs all the mapping information in this file for your reference.
  • -keep: Indicate the class files or the methods that you don’t want ProGuard to obfuscate. For e.g. mypkg.MainAppFrame contains the entry point for the application with the main class, which will not get obfuscated in this example.
$ cat myconfig.pro
-injars /home/jsmith/myapp.jar
-outjars /home/jsmith/myapp-obfuscated.jar This is the obfuscated jar file
-libraryjars /usr/java/jdk1.5.0_14/jre/lib/rt.jar
-printmapping proguard.map
-verbose
-keep public class mypkg.MainAppFrame

3. Execute ProGuard.

$ cd /home/jsmith/proguard4.2/lib
$ java -jar proguard.jar @myconfig.pro

This creates the following two files:

  • myapp-obfuscated.jar: Contains the obfuscated class files of your application. You can distribute this without having to worry about someone reverse engineering your application easily.
  • proguard.map: This file contains the mapping information for your reference.

4. Sample proguard.map file

This is a sample proguard.map file that indicates the original name of the java source objects (classfile, methods, variable etc.) and the new obfuscated name.

myapp.AppToolBar -> myapp.ae:
javax.swing.JButton btnNew -> d
javax.swing.JButton btnOpen -> e

5. Sample java source code (myapp.AppToolBar) before obfuscation.

btnNew = changeButtonLabel(btnNew, language.getText("new"));
btnOpen = changeButtonLabel(btnOpen, language.getText("open"));

6. Sample java source code that was decompiled from the class file (myapp.ae) after obfuscation.

d = a(d, n.a("new"));
e = a(e, n.a("open"));

You can see that the line “btnNew = changeButtonLabel(btnNew, language.getText(“new”));” got translated to “d = a(d, n.a(“new”));”, by the ProGuard, which will not make any sense to someone who is using java decompiler tools to reverse engineer the class file.

Help me spread the news about The Geek Stuff.

Please leave your comments and feedback regarding this article. If you like this post, I would really appreciate if you can spread the word around about “The Geek Stuff” blog by adding it to del.icio.us or Digg through the link below.


Linux Sysadmin Course Linux provides several powerful administrative tools and utilities which will help you to manage your systems effectively. If you don’t know what these tools are and how to use them, you could be spending lot of time trying to perform even the basic administrative tasks. The focus of this course is to help you understand system administration tools, which will help you to become an effective Linux system administrator.
Get the Linux Sysadmin Course Now!

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

{ 24 comments… read them below or add one }

1 James June 16, 2008 at 1:09 am

Hi
Great introduction to obfuscation – I’d really like to get this reposted on JavaLobby with your permission
If you’re interested, please send me a mail and we’ll organise it.
James

2 Shilpan | successsoul.com June 18, 2008 at 8:39 am

Ramesh,

I’m very humbled and grateful that you are taking time to read my blog despite the fact that you are heavily into technology whereas I’m in personal development. If anything I can do for you, please send me a shout. I’m your friend forever.

Shilpan

3 Mark - Productivity501 June 22, 2008 at 2:45 pm

I’ve solved some very difficult issues for clients (who had lost source code) where the only way to help them was to decompile some java code, make the fix and then reinject the corrected code into their production system. I am very glad they didn’t use this technique. :)

4 Ramesh June 22, 2008 at 3:06 pm

@James,

Thanks for posting this article on java.dzone.com.

@Shilpan,

Thanks for those kind words. I’m strongly believe in personal development and your posts are always inspiring. I’ll definitely get in touch with you for any help.

@Mark,

Thanks for reading my post. I’m glad it worked out well for you. At work, a developer should not obfuscate the code, especially if they did not write documentation (or) check-in the source code to any source code control repository.

5 Manas June 27, 2008 at 3:25 am

Hello there,
its nice there are people who write things that r immensely helpful to a larger community.
you have done a decent job in achieving that motive.

6 viralpatel.net January 8, 2009 at 1:25 am

Hi Ramesh,
Really nice writeup. I was looking for something like this only. Also, if you would like to see the Structure of a Java Class file read following tutorial.

Java Class file Format

Do post latest info about Java, I will definitely like to visit your site.

Thanks.

7 saad February 14, 2009 at 11:57 pm

um, what if i just write a parser to remap the java source files from the map? doh! obfuscation is a false sense of confidence

8 Stuart L. Riley May 6, 2009 at 7:38 am

For deployed, stand-alone applications, try these in combination.

I’m not sure how well they work to protect your code, but I suspect they do a pretty good job, if used in this combination.

1. Obfuscate your jar file using ProGuard. It’s free at http://proguard.sourceforge.net/

2. Convert the obfuscated jar file to an exe using Launch4j. It’s free at http://launch4j.sourceforge.net/

3. Use Enigma Protector to wrap license control around the exe file. This program also gives you trialware capability. It’s not free ($99 – but worth it) at http://www.enigmaprotector.com/en/home.html

That’s what I do to prep my programs for deployment.

One final note. In case you are interested in an installer program, I recommend NSIS (free) at http://nsis.sourceforge.net/Download. There are many add-ons that make using this package easier.

S. L. Riley

PS – I also posted this at: http://www.javaworld.com/community/?q=node/2056#comment-3572

9 Ramesh Natarajan May 8, 2009 at 5:33 pm

@Manas,
Thanks for the nice comments about this article. I’m glad you found it very helpful.
 
@VirtalPatel,
You got a very good article on the Java-class-file-format. Yeah, I need to start writing more articles on Java. Most of my readers are Linux users. So, I’m not finding lot of motivation to write articles on Java. But, I’ll definitely try to write few in the coming days.
 
@saad ,
The end-user who is using your software will not have the map-file to reverse engineer. Ofcourse, as a developer who does the obfuscation should be able to do reverse engineer to get the code back using the map-file.
 
@Stuart L. Riley,
Excellent points. I totally agree with you. Combining ProGuard, Launch4J would be a great option. I have never tried the Enigma Protector. I’ll check-out their trial version. Thanks for your great suggestions.

10 Narue July 24, 2009 at 12:23 am

Thanks !
Great tool, the mapping is very usefull ^ ^

11 Dmitry Leskov September 27, 2009 at 2:35 am

Ramesh, you may wish to check out my article covering a couple other options for protecting Java apps:

http://www.excelsior-usa.com/articles/java-obfuscators.html

12 Anurag Rana March 26, 2010 at 10:33 am

sir when i tries to install java from package manager it says that…

E: Could not get lock /var/cache/apt/archives/lock – open (11: Resource temporarily unavailable)
E: Unable to lock the download directory

what is this error…and what should i do….

13 haresh prajapati February 24, 2011 at 10:41 pm

it delete the main method so the application will not run

14 Charan November 2, 2011 at 12:22 pm

Hi, Have you tried obfuscating a war file (JSP’s, classes etc.) using proguard?

15 Bekhbayar January 27, 2012 at 3:51 am

@Charan
it’s not so special. just do the way you obfuscate ear,jar,class. Every step would be same.

16 fa November 22, 2012 at 10:38 pm

Hi,
I have an issue. Would be of great help if you can show some pointers. My jar has an encrypted zip file, due to which progaurd is not creating the new jar and throwing an error, “encrypted ZIP entry not supported”

17 padmanabha December 19, 2012 at 12:49 am

I tried to obfuscate a war file in the same way like jar file.
I got Out Of Memory error.my war file is about the size of 54mb.
wat’s the solution for this?

18 Tacit Melvis January 5, 2013 at 6:19 pm

Hi,

This is a very well written article and just what I was looking for.

With respect to protecting your work it’s probably worth remembering the good old copyright notice as well.

Thanks and regards

Melvis

19 wasim shaikh January 16, 2013 at 12:23 am

plz tell me this method is secure or not if secure than at which extend

20 moh March 11, 2013 at 11:45 pm

thank you

21 amitsalyan March 12, 2013 at 4:56 pm

Excellent stuff!
Thanks for posting

22 abhishek June 18, 2013 at 1:04 am

Hi,

When i am executing command for obsfucation it is getting excuted. it is not able to reach the .jar file .
Please reply

23 Ganesh October 7, 2013 at 11:42 pm

thank , I is very good example for beginner .

24 sam January 6, 2014 at 8:32 am

Dear author,

I have a question.

Obfuscating the code seems to be an extremely ineffective way to guard against reverse-engineering if I were to use Eclipse, NetBeans or a similar IDE to reverse-engineer it. I could rename all these obfuscated classes, variables, and methods names to more appropriate, readable, meaningful names very easily by just pressing Ctrl+Shift+R or Alt+Shift+R.

These shortcut keys for Eclipse and NetBeans automatically rename ALL instances of the name in your project AT ONCE.

So other than obfuscating the code, is there any way to guard against reverse-engineering?

Regards,

Sam

Leave a Comment

Previous post:

Next post: