T o o l s
Hashjava is a java
library to alter symbol names in a set of bytecode files. It includes
an example application to obfuscate applets by renaming all class,
method and field names to random strings. Using hashjava on your
applets does not make it safe from decompilation, it just takes a
little longer to make sense of it. Please use version 0.2 released
on Jan 14, 1997 which contains an important bug fix.
Hashjava comes with an
example application which obfuscates applets.
You give it an html file containing applet tags, and an output
directory to write out the obfuscated applets. The obfuscator
loads the applets in the HTML file, renames field,
method and class names in the bytecode and writes them all back
into the output directory. Debugging symbols can be altered or removed.
The altered symbol names are a mixture of random java keywords and
numbers. This is usually sufficient to prevent casual inspection
of your bytecode. However, control flow is not altered so loops and
branches in your code will still be detected.
Play it safe! Back up your applets before using this application.Start the application by running the class HashApplet
% java HashAppletThis will launch a session which you can guide to load, obfuscate and write out applets from an HTML file. If the obfuscation was successful, you will find a copy of the original HTML file and obfuscated bytecode in the output directory.
|HashApplet and mocha|
is a popular freely available decompiler.
Mocha's author also provides an obfuscator *Crema, which however is not freely available if you want to obfuscate applets. The free version of Crema inserts illegal identifiers in applets which does not pass security checks in many browsers.By default, HashApplet inserts a few confusing debugging attributes (this does not affect the applet unless it runs under a debugger) which consistently seems to crash mocha. If you change the settings to instead remove all debugging attributes, mocha appears to work again.
Here is mocha generated output on a class from one of the JDK demos before and after using HashApplet.
|programming with hashjava|
Hashjava is really just a
library to fix up references in a set of bytecode files as you alter
symbol names in any of them. The
API lets you add a set of classes and examine and alter symbols
So to create an Environment, you have to hand it an instance of the BytecodeFactory and the Obfuscator interfaces. You actually have to pass an instance of the Statistics interface as well, which effectively observes the state of the Environment.
The distribution includes Example.java under the hashjava/src directory. This is a small application which demonstrates how to use the library.Once you create an Environment, obfuscation works in three stages.
Hashjava is freely distributed with
source code under the
GNU Library General
Public License (LGPL). Code generated by hashjava does not fall
under the same license, and you can obfuscate commercial or
non-commercial code with no restrictions or license fees.
Under the LGPL, you can also use hashjava as a library and call its public classes or methods in commercial or non-commercial applications without disclosing your own source code, provided you supply the source code to hashjava, and enable anyone modifying hashjava (without changing its public API) to freely link with your application. The license has the final word in all cases, but feel free to contact me for any clarifications.
Yes, I know it is ironic to distribute a program which actively tries to mask source code under the LGPL. And despite the free-with-source-ware on this site, I believe in a programmers right to protect their source code when they choose to do so. The LGPL label allows everyone, especially hobbyist programmers like me, to easier and better protect their source code if they choose to do so.
T o o l s