Whenever I build my app all classes (logically) are visible in the .jar that comes out of it.
Aswell as a class that holds information to my MYSQL server (for the app to connect to). But I dont want this information to be publicly visible!
How can I "hide" this code or "hide" the class?
Thanks!!
I think you mean you dont want someone to do reverse engineering with your .class inside your jar file. There are many decompilers that can do that.
So you would need to Obfuscate your code with an obfuscator utility.
The process of obfuscation will convert bytecode into a logical
equivalent version that is extremely difficult for decompilers to pick
apart. Keep in mind that the decompilation process is extremely
complicated and cannot be easily 'tweaked' to bypassed obfuscated
code. Essentially the process is as follows:
Compile Java source code using a regular compiler (ie. JDK)
Run the obfuscator, passing in the compiled class file as a
parameter. The result will be a different output file (perhaps with a
different extension).
This file, when renamed as a .class file, will be functionally
equivalent to the original bytecode. It will not affect performance
because a virtual machine will still be able to interpret it.
Here is an article describing this process in more detail and
introducing an early obfuscator, Crema:
http://www.javaworld.com/javaworld/javatips/jw-javatip22.html
Related
As in C/C++ the program is first given to the preprocessor to include files & perform macro expansions etc... then given to the compiler to convert the code into assembly format and the process goes on.But in Java I do not see the use of preprocessor.Why so and then who does all the task that normally the preprocessor handles?
The pre-processor is not a necessary step of the compilation process in Java.
In C/C++, functions stored in different files are "included" in other files, which essentially means they are copied and pasted in their entirety into the document. This was a pretty good idea at the time, given the hardware capabilities at the time, but nowadays more modern languages use something called "symbolic imports".
Symbolic imports involve looking for symbols in another file rather than using text directly. In Java, this can involve importing constants or classes. These imports act as references to code in other files. Thus, rather than having to go through the trouble of having the pre-processor copy and paste code around and eventually figuring out what code belongs to which file, Java allows doing these imports on a semantic level directly.
This makes a pre-processor unnecessary to the compilation process of the language, and has therefore, along with other reasons been left out.
I'm trying to reverse engineering a .jar file (basically a group of .class files). However, there are two difficulties:
Some of the variables, methods and classes are named with unicode characters, which cannot be properly displayed. This makes source editing very inconvenient.
Some of the classes are named with Java keywords (such as if). Therefore Java compiler will complain when recompiling the reverse-engineered source files.
Are there any Java deobfuscators that can overcome these difficulties?
There are several tools that can rename Java identifers. For example, you can just run Proguard on it to rename everything.
That being said, I would suggest reconsidering your approach. Java compilation and decompilation are both lossy processes. Decompilation is useful for reverse engineering, but you generally cannot expect to be able to recompile the decompiled code. If it has previously been obfuscated, you may as well forget it.
The best way to modify obfuscated code is to use the Krakatau assembler and disassembler. Krakatau assembly can be reversibly transformed to and from bytecode, meaning you can edit arbitrary classes without messing things up, no matter how they have been obfuscated. The only downside is that you have to be familiar with Java bytecode.
Cuchaz's Enigma supports renaming local variables. It's no longer being updated and runs on BCEL which is also no longer being updated. As long as you're not decompiling anything BCEL can't handle it should work just fine though.
I am trying to take files from a jar that is part of a working project, and put them back in to the project so I can run it while making subtle changes to the classes.
I have read it is possible to extract a jar, decompile, edit, reassemble the jar and run the project, but I dont want to do all that every time I make a small edit.
I have tried extracting and decompiling the jar, and then creating a new package in eclipse with the same name as the original jar, and then adding all the files back in; however I get hundreds of errors.
I am very new to java and I realize this is beyond my current skill level, so any help is greatly appreciated if there is a simple way to do this. None of the other threads on this give a clear answer.
Compilation and decompilation are lossy processes, so in general, you can't expect to be able to re-compile decompiled code. If you want to make changes to an application and run the modified version, your best best is disassemble it with Krakatau, edit the assembly file, and reassemble. The Krakatau assembly format is designed to be very close to the classfile format, so you can make changes without disrupting everything. The downside is that you have to understand Java bytecode.
I'd also suggest checking out Konloch's Bytecode Viewer or Samczsun's Helios, which might be able to do what you want.
How to open and edit java class files? I've searched, but I either found how to open them without being able to edit them, or how to be able to edit only the bytecode. I want to be able to read and edit .class in the "normal" view. (as source code, not bytecode)
What you are asking for is basically impossible. The ".class" files do not contain source code, and do not contain enough information to reconstruct the original source code.
If you are a bit lucky, a good decompiler would be able to create compilable source code that means the same thing as the ".class" files. However:
That decompiled source code won't have the original comments.
The original names of any local variables are not recoverable.
The structure of the decompiled code may be different; e.g. string concatenation, for loops and try/catch structures may be transformed.
The code is not guaranteed to be correct, or compilable at all. (It depends on the decompiler, and how well it deals with the version of Java you are trying to decompile.)
And if the code you are trying to edit was obfuscated, then your chances of success are greatly reduced. An obfuscator deliberately transforms the ".class" files to remove useful information, and to confuse decompilers.
To my knowledge, no IDE supports editing of ".class" files like this.
Before my suggestion, I wanna point out that as far as I've searched, there has yet to exist a free decompiler that allows you to edit the source code produced, and save it automatically. I believe this is due to decompilers only being able to attempt to decompile the code, and the source code produced is not always exact/error free/compilable.
What you can do
You must use a decompiler, such as JAD, copy the source code that it produces and paste it into a new file.
As for the download link, you can find that on google, as I am unsure of the safest place to get it.
A decompiler does its best at converting the content (bytecode) within .class files into readable Java source code. Not only will some identifiers (method, variable and class names) will be replaced with generic names, meaning String name; in bytecode might decompile to String aString1;. Random variables might also be generated (tmp variables), which can lead to the produced code being unable to compile.
I'm trying to create a process to patch our current java application so users only need to download the diffs rather than the entire application. I don't think I need to go as low level as a binary diff since most of the jar files are small, so replacing an entire jar file wouldn't be that big of a deal (maybe 5MB at most).
Are there standard tools for determining which files changed and generating a patch for them? I've seen tools like xdelta and vpatch, but I think they work at a binary level.
I basically want to figure out - which files need to be added, replaced or removed. When I run the patch, it will check the current version of the software (from a registry setting) and ensure the patch is for the correct version. If it is, it will then make the necessary changes. It doesn't sound like this would be too difficult to implement on my own, but I was wondering if other people had already done this. I'm using NSIS as my installer if that makes any difference.
Thanks,
Jeff
Be careful when doing this--I recommend not doing it at all.
The biggest problem is public static variables. They are actually compiled into the target, not referenced. This means that even if a java file doesn't change, the class must be recompiled or you will still refer to the old value.
You also want to be very careful of changing method signatures--you will get some very subtle bugs if you change a method signature and do not recompile all files that call that method--even if the calling java files don't actually need to change (for instance, change a parameter from an int to a long).
If you decide to go down this path, be ready for some really hard to debug errors (generally no traces or significant indications, just strange behavior like the number received not matching the one sent) on customer site that you cannot duplicate and a lot of pissed off customers.
Edit (too long for comment):
A binary diff of the class files might work but I'd assume that some kind of version number or date gets compiled in and that they'd change a little every compile for no reason but that could be easily tested.
You could take on some strict development practices of not using public final statics (make them private) and not every changing method signatures (deprecate instead) but I'm not convinced that I know all the possible problems, I just know the ones we encountered.
Also binary diffs of the Jar files would be useless, you'd have to diff the classes and re-integrate them into the jars (doesn't sound easy to track)
Can you package your resources separately then minimize your code a bit? Pull out strings (Good for i18n)--I guess I'm just wondering if you could trim the class files enough to always do a full build/ship.
On the other hand, Sun seems to do an okay job of making class files that are completely compatible with the previous JRE release, so they must have guidelines somewhere.
You may want to see if Java WebStart can help you as it is designed to do exactly those things you want to do.
I know that the documentation describes how to create and do incremental updates, but we deploy the whole application as it changes very rarely. It is then an issue of updating the JNLP when ready.
How is it deployed?
On a local network I just leave everything as .class files in a folder. The startup script uses robocopy or rsync to copy from network share to local. If any .class file is different it is synced down. If not, it doesn't sync.
For non-local network I created my own updater. It downloads a text file of md5sums and compares to local files. If different it pulls file down from http.
A long time ago the way we solved this was to used Classpath and jar files. Our application was built in a Jar file, and it had a launcher Jar file. The launcher classpath had a patch.jar that was read into the classpath before the main application.jar. This meant that we could update the patch.jar to supersede any classes in the main application.
However, this was a long time ago. You may be better using something like the Java Web Start type of approach, which offers more seamless application updating.