[Advanced Java Concepts] Obfuscation

In this video, we look at how obfuscation works on Java JAR files and how to decompile JARs.

ProGuard: http://proguard.sourceforge.net
JD-GUI: http://jd.benow.ca

---

Closed Caption:

hey guys program here and this video
we're going to be talking about
obfuscation which is very interesting
kind of principle or idea that can be
applied to code so if you've taken the
time to write a very are powerful and
compelling application and you you don't
want to make it open source you want to
maintain the source code for yourself
perhaps you want to sell the product an
issue that you could run into is you
know you just read the product to all
the people and then they can look at
your source code see exactly what she
did and then copy it and perhaps even
improve on it or at the very least know
exactly how everything works and compile
their own versions in other languages
isn't such a big issue especially
languages the compiled down into machine
code but Java isn't partially
interpreted language so there is the
ability to take our code that has been
exported into a jar file and um
converted back into readable regular
Java code instead of java bytecode so
this video I'm going to demonstrate how
to confiscate a jar file and the
difference between an obfuscated and non
obfuscating jar file servers obfuscation
of course refers to the idea of kind of
hiding all of your code or really just
making your code hard to decipher so all
of these different classes the classes
that aren't part of javis in this main
class and it's a researcher class that I
made in my example those can be renamed
and all of these variables you know like
input and s and searcher an index they
can also be renamed
and some certain lines of code can be
rewritten like calm for each loops or
four in loops are often rewritten as
iterators so you actually use it a while
loop with an iterator so just makes the
code more confusing and harder to read
and of course the package names actually
i'm not sure i think you can i change
that setting but but it'll make the code
harder to read and harder to reverse
engineer and that's really the whole
point of it there are two programs that
we are going to use in this video the
first one is called proguard and
proguard is program free program very
nice program that you can use to arm
obfuscate your files so if you have
anything that you want to hide before
you distribute it you know it especially
if you're selling something then this is
a great thing to use so right here I'm
going going going to grab the latest
version of proguard and I'll put this
link in the description to go ahead and
download it on fire . 2.1 is latest
version at this point so it's downloaded
and then the other program that we're
going to use is the java decompiler JD
dash GUI this is a little program you
can stick a jar file in and it will
decompile the jar file for you so we
have our programs i have kegui right in
there and then here is proguard and it
is right there
this is I believe what we want to open
oops that's not right and I download the
wrong version prude
now we did it just say okay there she is
so it is under lib and programs GUI
awesome so this is what we're going to
actually be using to walk through the
obfuscation process i just want to make
sure that it will show up here so it's
loading and in the meantime I'm going to
show you actually we're going to export
this there is perfect as a jar file
we're gonna come back to that in a
second
I have this little project here a
researcher you just enter bunch of
values and calls this add method that
sticks them into the arraylist and then
there's a search to just under bunch of
things to search for and it will just
use a really simple sequential search to
find them you'll see added this is a
test that a new line to continue and
then you know this is a test found all
of them and then I tried h.f and it
didn't find them because they're not in
the right so very very simple example
but it does have two classes and bunch
of variables and stuff so I'm going to
export this as a runnable jar file and
we're going to choose the launch
configuration for this and the expert
destination will just stick it on the
desktop and we'll just call it will be
demo I'm going to have a couple
different files and then you kind of
course export jar files in IntelliJ
which I could just show in another video
so um let me just try to minimize some
of this stuff so here is the demo I'm
going to make a copy of this just
because one of them will be confiscated
and one will not
ok so let's take a look
first if i run this in the terminal it
will just run through the program i'll
just quickly show you that have a
dashboard and I'm going to stick in my
file and you'll see it'll just work it
will say this to test and whatever so it
clearly works and i'm going to open up
JD GUI right here and I'm gonna just
drag it in there and you'll see here's
my jar file there's the package and then
i can look at the classes and you'll see
that it does a pretty good job of
decompiling it i don't really see any
difference here it's pretty good at it
so even though this was compiled into a
jar file into that java bytecode it was
able to get right back to where it was
before so clearly this is not good
because I could just you know open this
up and you'll see how easy it is to arm
go back the only possibly weird thing is
it uses the word this everywhere which I
didn't do and then also the generics
obviously don't exist so it has to cast
to a string but otherwise it's really
really similar and that could be
dangerous for applications such as put
JD GUI down for a second and now we're
going to actually run proguard and we're
going to see how this works
so proguard is going to help us out here
and we'll see
actually I think ok so we want to just
stick so the input i guess actually want
to input the plane we want to output the
artifice skated so I think that will
work it will take all of the plane the
plane jar and it will output into the
office cated and then there are bunch of
different things i'll just leave them
the way that they aren't you work of
course you want to do our offense key
right there and then all that good
I'm just going to ignore all the stuff
for now but let's go it's a process and
it who just finished and you'll see this
is still too kilobytes still the same
size but now we're going to go ahead and
open this up and you'll see that we have
the demo confiscated this is the you
know new file here that was just
exported you'll notice that there's main
class and a . loss the main class
retains its name because for the
manifest file it has to know the correct
name so maybe you could change it but
you know that's perfectly fine so let's
look in the main class first arm because
that is that is this right here and we
can actually kind of put them
side-by-side and take a look and see how
it did so obviously retains the name and
added this print stream and import so
we'll take a look and see
so first of all armed I so the that's
interesting so you see that arm arts was
renamed to / am array of strength and
then it was then set equal to a new
scanner which is quite strange but I
suppose at this point on it will work
and then we have searched was renamed to
be called local a and it's that a class
we're going to work out in one second
you'll see the string values are
obviously the same because you know you
can't change that but you'll see we have
this differences if not str equals
parameters of string . next line x
equals and you'll see arm that it's
actually able to figure out that I set
input or str equal to s . next line so
it actually just compounds that into one
line and then of course it will call
this a is a method with the string which
is you know
also we're gonna look at the a-class
I did a little bit of a better job than
this class just because this is a lot of
words and things that can't be changed
and you'll see that here
a similar thing happened but overall
it's really not that much different but
let's take a look in the a class and see
if it did any better so first of all the
class was declared final just because
there's no inheritance going on nothing
extends from it and it was just renamed
a so now you would have to guess that
this is an array searcher theoretically
because you wouldn't know otherwise and
if you have a project with you know 30
different files then it would become
very hard to decide you know what is
this a class do give co-main declare
some a and then here I call the a method
in the a-class which then adds a string
to and realist and it gets a lot more
confusing but you'll see so we have this
a method takes in a string and it calls
add and then we have searched which will
of course do that casting and because
the generics are not there but again
they do look pretty similar because this
is an incredibly simple example but if
you apply this to a bigger project then
you will notice that there's a big
difference
one great example of this is minecraft
the minecraft server files that are
included in CraftBukkit and spigot are
you know hundreds or possibly thousands
maybe multiple thousands of files from
all the different packets and you know
different things that manage the game
the entities the achievements and
everything to manage the game there are
tons of files and all of their fields
are confiscated so you imagine that in
one project you could have 2,000 methods
that are named a and it becomes
incredibly hard to juggle you know
here's class-a oh here's method
a method a appears everywhere because
you know everything has the name is
classes nameday this variables named a
methods named a it just makes everything
very confusing and very hard to reverse
engineer so someone were to take a file
like this and try to improve it or steal
the code and you know maybe redistribute
it with some minor changes they have a
lot harder of a time because they have
to decipher what exactly everything does
so again it's not a perfect our way to
protect your code but it's certainly
helpful and it's incredibly simple to do
I mean you saw that arm you know in
about one minute i downloaded the
obfuscation program and I ran it on a
jar file which took in turn one minute
to export so it's definitely very
helpful and you may come across if you
ever try to decompile the jar that you
download some obfuscation so this is
just kind of an explanation of what that
is how to do it to protect your own code
and then kind of a comparison of what it
looks like
so just to wrap up I want to show you
guys really quickly that it does
actually still work so i will do javed
estar would be demo confiscated and
you'll see i can say this is a cat
whatever and then i can write this is a
test is not found that is so there you
go it still does the exact same thing
that the other file does it's just that
the code is a lot harder to read a lot
harder to decipher so that's all for
this video hope you guys enjoyed as
always subscribe if you wanna see more
comment with what you want to learn if
you like this video click the like
button and I'll see you guys who was
more programming by friend