Re: Re: Java class obfuscation

["Nicolas RUFF (lists)" <ruff.lists () edelweb fr>]

northern snowfall wrote:
> > I was wondering if anyone has any documents compairing the different 
> > java class / method obfusction tools that are available.
> > I am in particular currious to know about the ones that are very easy 
> > to bypass vs. those that are extremely difficult.
>
> You can't obfuscate java interpreted byte code just like
> you can't obfuscate CPU machine code. The JVM would have
> to be altered to ingest your obfuscated machine code.
> Every type of obfuscation can be defeated as soon as it
> loads the byte-code into memory for analysis by the JVM.
> Thus, you may not have readible byte-code on the disk,
> but, you *will* have it in core.

Sure, basic bytecode obfuscation is known to be reversible and to cause 
trouble depending on your JVM (Sun, Microsoft, Netscape, Symantec, ...).

Even if you cannot make the code unreadable, you certainly can make it 
unusable by a human reader. I recently had a look at Citrix Java ICA 
Client, and they use at least the following techniques :

- Replace all variables by letters (a, b, c, ...)
- Use the same variable names in all scopes (global, class local, 
function local, ...) => you cannot substitute variable names with a 
find/replace tool that is not aware of Java language grammar
- Replace variables by language keywords when possible (after byte-code 
generation, variable names are not restricted by the JVM) => you cannot 
recompile the code
- And so on ...

Believe me, such obfuscated code is really hard to understand.

PS. AFAIK, native CPU machine code encryption is part of the TCPA/NGSCB 
project ...

Regards,
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
-----------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html