≡ Menu

Protect Your Java Code from Reverse Engineering

Java Coffee Cup

 

If you are developing java application, it is important to understand that the java class files can be easily reverse engineered using java decompilers. In this article, let us explore how a java class file is reverse engineered and how to protect your source code from being reverse engineered by someone.

The java source code is compiled to a class file that contains byte code. Java Virtual Machine needs only the class file for execution. The problem is that the class file can easily be decompiled into the original source code using java decompiler tools. The best solution to prevent reverse engineering is to obfuscate the class file so that is will be very hard to reverse engineer. According to the dictionary Obfuscate means “to make obscure or unclear”. That is exactly what lot of java obfuscator tool will do as explained below.

I. Decompile Java class file.

Before understanding how to obfuscate the java code, let us first try to understand how someone can reverse engineer your java application. Following 3 steps explains how a class file is reverse engineered to the original java source code.

1. Create HelloWorld.java as shown below.

public class HelloWorld {
    public static void main (String args[]) {
        String userMessage = "Hello World!";
        int userCount = 100;
        userCount = userCount + 1;
        System.out.println(userMessage);
        System.out.println(userCount);
    }
}

2. Compile HelloWorld.java program and execute it to make sure it works properly.

$ javac HelloWorld.java
$ java HelloWorld
Hello World!
101

Java class file contains only byte code. If you try to view a class file, it will be non-readable as shown below.

$ vi HelloWorld.class
Ãþº¾^@^@^@2^@
^@^G^@^P^H^@^Q  ^@^R^@^S
^@^T^@^V^G^@^W^G^@^X^A^@^F<init>^A^@^C()V^A^@^DCode^A^@^OLineNumberTable
^A^@^Dmain^A^@^V([Ljava/lang/String;)V^A^@
SourceFile^A^@^OHelloWorld.java^L^@^H^@ ^A^@^LHello World!^G^@^Y^L^@^Z^@^[^G^@^\^L^@^]^@^^^L^@^]^@^_^A^@
HelloWorld^A^@^Pjava/lang/Object^A^@^Pjava/lang/System^A^@^Cout^A^@^ULjava/io/PrintStream;^A
^@^Sjava/io/PrintStream^A^@^Gprintln^A^@^U(Ljava/lang/String;)V^A^@^D(I)V^@!^@^F^@^G^@^@^@^@^@^B^@^A^@^H^@  ^@^A^@

3. Decompile HelloWorld.class file and view the original source.

For this demonstration let us use Jad decompiler which is free for non-commercial use. Download the appropriate jad for your platform. Use jad to reverse engineer the HelloWorld.class file to get the original source as shown below.

$ unzip jadls158.zip
$ ./jad HelloWorld.class
Parsing HelloWorld.class...
Generating HelloWorld.jad
$ vi HelloWorld.jad <This will show the reverse engineered original source code>

II. Obfuscate your java application

Let us review how to obfuscate and protect your source code from reverse engineering using ProGuard a free GPL licensed software.

1. Download and Install ProGuard

$ cd /home/jsmith
$ unzip proguard4.2.zip

2. Create a proguard config file

Create myconfig.pro that contains all the information about your java application.

  • -injar : Specify the location of your jar file. i.e the compiled java application that contains the class files
  • -outjar: This is the jar file proguard will create after obfuscation. This will contain all the mangled, obscure naming convention of the methods and variables in the class file if someone tries to reverse engineer.
  • -printmapping: ProGurad outputs all the mapping information in this file for your reference.
  • -keep: Indicate the class files or the methods that you don’t want ProGuard to obfuscate. For e.g. mypkg.MainAppFrame contains the entry point for the application with the main class, which will not get obfuscated in this example.
$ cat myconfig.pro
-injars /home/jsmith/myapp.jar
-outjars /home/jsmith/myapp-obfuscated.jar This is the obfuscated jar file
-libraryjars /usr/java/jdk1.5.0_14/jre/lib/rt.jar
-printmapping proguard.map
-verbose
-keep public class mypkg.MainAppFrame

3. Execute ProGuard.

$ cd /home/jsmith/proguard4.2/lib
$ java -jar proguard.jar @myconfig.pro

This creates the following two files:

  • myapp-obfuscated.jar: Contains the obfuscated class files of your application. You can distribute this without having to worry about someone reverse engineering your application easily.
  • proguard.map: This file contains the mapping information for your reference.

4. Sample proguard.map file

This is a sample proguard.map file that indicates the original name of the java source objects (classfile, methods, variable etc.) and the new obfuscated name.

myapp.AppToolBar -> myapp.ae:
javax.swing.JButton btnNew -> d
javax.swing.JButton btnOpen -> e

5. Sample java source code (myapp.AppToolBar) before obfuscation.

btnNew = changeButtonLabel(btnNew, language.getText("new"));
btnOpen = changeButtonLabel(btnOpen, language.getText("open"));

6. Sample java source code that was decompiled from the class file (myapp.ae) after obfuscation.

d = a(d, n.a("new"));
e = a(e, n.a("open"));

You can see that the line “btnNew = changeButtonLabel(btnNew, language.getText(“new”));” got translated to “d = a(d, n.a(“new”));”, by the ProGuard, which will not make any sense to someone who is using java decompiler tools to reverse engineer the class file.

Help me spread the news about The Geek Stuff.

Please leave your comments and feedback regarding this article. If you like this post, I would really appreciate if you can spread the word around about “The Geek Stuff” blog by adding it to del.icio.us or Digg through the link below.

Add your comment

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

Comments on this entry are closed.

  • James June 16, 2008, 1:09 am

    Hi
    Great introduction to obfuscation – I’d really like to get this reposted on JavaLobby with your permission
    If you’re interested, please send me a mail and we’ll organise it.
    James

  • Shilpan | successsoul.com June 18, 2008, 8:39 am

    Ramesh,

    I’m very humbled and grateful that you are taking time to read my blog despite the fact that you are heavily into technology whereas I’m in personal development. If anything I can do for you, please send me a shout. I’m your friend forever.

    Shilpan

  • Mark - Productivity501 June 22, 2008, 2:45 pm

    I’ve solved some very difficult issues for clients (who had lost source code) where the only way to help them was to decompile some java code, make the fix and then reinject the corrected code into their production system. I am very glad they didn’t use this technique. 🙂

  • Ramesh June 22, 2008, 3:06 pm

    @James,

    Thanks for posting this article on java.dzone.com.

    @Shilpan,

    Thanks for those kind words. I’m strongly believe in personal development and your posts are always inspiring. I’ll definitely get in touch with you for any help.

    @Mark,

    Thanks for reading my post. I’m glad it worked out well for you. At work, a developer should not obfuscate the code, especially if they did not write documentation (or) check-in the source code to any source code control repository.

  • Manas June 27, 2008, 3:25 am

    Hello there,
    its nice there are people who write things that r immensely helpful to a larger community.
    you have done a decent job in achieving that motive.

  • viralpatel.net January 8, 2009, 1:25 am

    Hi Ramesh,
    Really nice writeup. I was looking for something like this only. Also, if you would like to see the Structure of a Java Class file read following tutorial.

    Java Class file Format

    Do post latest info about Java, I will definitely like to visit your site.

    Thanks.

  • saad February 14, 2009, 11:57 pm

    um, what if i just write a parser to remap the java source files from the map? doh! obfuscation is a false sense of confidence

  • Stuart L. Riley May 6, 2009, 7:38 am

    For deployed, stand-alone applications, try these in combination.

    I’m not sure how well they work to protect your code, but I suspect they do a pretty good job, if used in this combination.

    1. Obfuscate your jar file using ProGuard. It’s free at http://proguard.sourceforge.net/

    2. Convert the obfuscated jar file to an exe using Launch4j. It’s free at http://launch4j.sourceforge.net/

    3. Use Enigma Protector to wrap license control around the exe file. This program also gives you trialware capability. It’s not free ($99 – but worth it) at http://www.enigmaprotector.com/en/home.html

    That’s what I do to prep my programs for deployment.

    One final note. In case you are interested in an installer program, I recommend NSIS (free) at http://nsis.sourceforge.net/Download. There are many add-ons that make using this package easier.

    S. L. Riley

    PS – I also posted this at: http://www.javaworld.com/community/?q=node/2056#comment-3572

  • Ramesh Natarajan May 8, 2009, 5:33 pm

    @Manas,
    Thanks for the nice comments about this article. I’m glad you found it very helpful.
     
    @VirtalPatel,
    You got a very good article on the Java-class-file-format. Yeah, I need to start writing more articles on Java. Most of my readers are Linux users. So, I’m not finding lot of motivation to write articles on Java. But, I’ll definitely try to write few in the coming days.
     
    @saad ,
    The end-user who is using your software will not have the map-file to reverse engineer. Ofcourse, as a developer who does the obfuscation should be able to do reverse engineer to get the code back using the map-file.
     
    @Stuart L. Riley,
    Excellent points. I totally agree with you. Combining ProGuard, Launch4J would be a great option. I have never tried the Enigma Protector. I’ll check-out their trial version. Thanks for your great suggestions.

  • Narue July 24, 2009, 12:23 am

    Thanks !
    Great tool, the mapping is very usefull ^ ^

  • Dmitry Leskov September 27, 2009, 2:35 am

    Ramesh, you may wish to check out my article covering a couple other options for protecting Java apps:

    http://www.excelsior-usa.com/articles/java-obfuscators.html

  • Anurag Rana March 26, 2010, 10:33 am

    sir when i tries to install java from package manager it says that…

    E: Could not get lock /var/cache/apt/archives/lock – open (11: Resource temporarily unavailable)
    E: Unable to lock the download directory

    what is this error…and what should i do….

  • haresh prajapati February 24, 2011, 10:41 pm

    it delete the main method so the application will not run

  • Charan November 2, 2011, 12:22 pm

    Hi, Have you tried obfuscating a war file (JSP’s, classes etc.) using proguard?

  • Bekhbayar January 27, 2012, 3:51 am

    @Charan
    it’s not so special. just do the way you obfuscate ear,jar,class. Every step would be same.

  • fa November 22, 2012, 10:38 pm

    Hi,
    I have an issue. Would be of great help if you can show some pointers. My jar has an encrypted zip file, due to which progaurd is not creating the new jar and throwing an error, “encrypted ZIP entry not supported”

  • padmanabha December 19, 2012, 12:49 am

    I tried to obfuscate a war file in the same way like jar file.
    I got Out Of Memory error.my war file is about the size of 54mb.
    wat’s the solution for this?

  • Tacit Melvis January 5, 2013, 6:19 pm

    Hi,

    This is a very well written article and just what I was looking for.

    With respect to protecting your work it’s probably worth remembering the good old copyright notice as well.

    Thanks and regards

    Melvis

  • wasim shaikh January 16, 2013, 12:23 am

    plz tell me this method is secure or not if secure than at which extend

  • moh March 11, 2013, 11:45 pm

    thank you

  • amitsalyan March 12, 2013, 4:56 pm

    Excellent stuff!
    Thanks for posting

  • abhishek June 18, 2013, 1:04 am

    Hi,

    When i am executing command for obsfucation it is getting excuted. it is not able to reach the .jar file .
    Please reply

  • Ganesh October 7, 2013, 11:42 pm

    thank , I is very good example for beginner .

  • sam January 6, 2014, 8:32 am

    Dear author,

    I have a question.

    Obfuscating the code seems to be an extremely ineffective way to guard against reverse-engineering if I were to use Eclipse, NetBeans or a similar IDE to reverse-engineer it. I could rename all these obfuscated classes, variables, and methods names to more appropriate, readable, meaningful names very easily by just pressing Ctrl+Shift+R or Alt+Shift+R.

    These shortcut keys for Eclipse and NetBeans automatically rename ALL instances of the name in your project AT ONCE.

    So other than obfuscating the code, is there any way to guard against reverse-engineering?

    Regards,

    Sam

  • Tushar April 5, 2016, 6:33 am

    Does proguard support spring mvc application ? if so what will be the options one need to choose.

  • Kalyan April 11, 2017, 3:07 am

    Can we execute the project in windows environment

  • Kalyan April 11, 2017, 3:15 am

    Can we use Proguard in Windows environment and with JDK 1.5 version. If so, where should we use .pro file and how to mention options in .pro file