Java obfuscators, which ones?


Shub-nigurrath
July 28th, 2011, 10:11
Hi everybody

I am investigating what the state of the art is for Java obfuscators. Specifically, I would like to understand which have already been compromised or for which a de-obfuscator exists (either a manual technique or an automatic tool).

Reading a thesis written in March 2011 (http://scholarworks.sjsu.edu/cgi/viewcontent.cgi?article=1160&context=etd_projects) it seems that the best ones were KlassMaster, ProGuard and DashO. ProGuard seems to be broken now, isn't it? Anyway, what about the other two? DashO especially sounds interesting due to its calling-home feature in case of detected tampering.

TIA,
Shub

OHPen
September 1st, 2011, 10:27
Hi,

I would recommend that you use the Allatori Obfuscator. I've been using the commercial version and it's pretty neat. You can find it here: http://www.allatori.com/

Nevertheless, I have to tell you that currently all obfuscators are beaten by this decompiler: http://java.decompiler.free.fr/?q=jdgui

That tool is even free and probably the best decompiler for Java out there. Although the code resulting from the decompilation process of JD-GUI is not runnable at the beginning, with slight modification and Eclipse it is not a problem to reconstruct bytecode into source code.

Regards,
OHPen

Shub-nigurrath
September 12th, 2011, 04:47
Thank you mate,
it seems the string obfuscation algorithm of Allatori has been reversed:

https://www.moparisthebest.com/smf/index.php?topic=238584.0

OHPen
September 12th, 2011, 11:00
OK, I see, but honestly, did we expect more than a simple XOR encryption!?

In my opinion, more is also not very good because of the performance issues arising when you make the string enc/dec too complex. Java is not very fast, so the developer has to keep an eye on execution speed...
If you need proper protection, I always recommend writing your own stuff. That is at least what I did, and so far nobody has broken that stuff (at least I don't know ;DD).

Regards,
OHPen

Shub-nigurrath
June 7th, 2012, 08:37
Hi, I'm returning to this thread because now I need to find a working solution.

What I did so far is analyze the performance of ProGuard, Allatori and DashO Pro. ProGuard is not fine for me because its obfuscation is quite trivial: the logic flow is not obfuscated, and using the latest decompilers you can easily reverse the logic of your Java code (there are even some tools to reverse alphabetical method names to real names). It also has no string obfuscation, but this is not a problem because I agree with OHPen that string obfuscation isn't that important (it takes time and in the end the JVM always needs a decoded string, thus it's not so mandatory).

I also considered Allatori and DashO; their obfuscations are definitely better and the string encryption algos are just partially compromised.

Besides this, I also identified some custom techniques I can use to do a preemptive obfuscation before using these tools; they have been taken directly from some Java malware in circulation.

What I was wondering now, anyway, is that the only really reliable solution would be code logic flow obfuscation. Any other type of obfuscation (mainly on the bytecode) is sooner or later broken. What can really stop me from reversing Java code is getting totally screwed-up decompiled code, hard to follow and whose logic is totally scrambled. The statement is then to make the code appear more complicated than it actually is, before bytecode obfuscation.

So my question is whether there's some obfuscator that works more on the logic flow than on the bytecode. Apparently the Semantic Designs Java Obfuscator could do this work, but it's not available for trial!

TIA,
Shub