northern snowfall wrote: >> I was wondering if anyone has any documents compairing the different >> java class / method obfusction tools that are available. >> I am in particular currious to know about the ones that are very easy >> to bypass vs. those that are extremely difficult. > > You can't obfuscate java interpreted byte code just like > you can't obfuscate CPU machine code. The JVM would have > to be altered to ingest your obfuscated machine code. > Every type of obfuscation can be defeated as soon as it > loads the byte-code into memory for analysis by the JVM. > Thus, you may not have readible byte-code on the disk, > but, you *will* have it in core. Sure, basic bytecode obfuscation is known to be reversible and to cause trouble depending on your JVM (Sun, Microsoft, Netscape, Symantec, ...). Even if you cannot make the code unreadable, you certainly can make it unusable by a human reader. I recently had a look at Citrix Java ICA Client, and they use at least the following techniques : - Replace all variables by letters (a, b, c, ...) - Use the same variable names in all scopes (global, class local, function local, ...) => you cannot substitute variable names with a find/replace tool that is not aware of Java language grammar - Replace variables by language keywords when possible (after byte-code generation, variable names are not restricted by the JVM) => you cannot recompile the code - And so on ... Believe me, such obfuscated code is really hard to understand. PS. AFAIK, native CPU machine code encryption is part of the TCPA/NGSCB project ... Regards, - Nicolas RUFF ----------------------------------- Security Consultant EdelWeb (http://www.edelweb.fr/) ----------------------------------- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Fri Jun 20 2003 - 05:02:24 PDT