Java Obfuscation with focus on added useless opcodes

Question

I am looking for a Java Bytecode obfuscator that "scrambles" the existing opcodes and adds new (useless) code. I am not interested in renamings of any kind, which is something most obfuscators seem to do.

A bit of background: As part of my PhD thesis I am developing a tool that identifies useless parts of a (Java Bytecode) program. In order to present nice results, I'd love to have some input programs with a significant amount of useless code. Besides the examples I am currently focussing on (which have subtle bugs that make code useless, think calling "equals" with a wrong argument) I could also need examples with just "weird" code - produced by a code obfuscator.

I already played around with ProGuard, however it seems it just optimizes (and therefore modifies) the code slightly. The part that renames methods, fields, ... is not relevant to me at all, which is why I switched it off.

Answer 1

I have to tell that I do agree with the answer given by @dkatzel: it looks like what you really need is not obfuscation. To my understanding, obfuscation is about making the code harder to understand (in order to achieve different purposes like security, prevent copying, etc - the Wikipedia's article mentioned indeed explains it quite well).

So, considering a source code correctly done (I mean, without redundant parts or useless code, as you've put), obfuscating it (in the common sense) would simply make the code unintelligible without changing its execution path. This implies that obfuscating code usually has no (or very little) impact in the code performance, and this is different than what you want to produce for your tests. For instance, the kind of obfuscation proposed in this very cool article (http://www.kahusecurity.com/2011/brilliant-javascript-obfuscation-technique/) would not help you at all, right? (I mean, disregarding that it is about Javascript, not Java)

Thus, I think the answers already provided (specially the ones about searcing stuff at Github and using ASM) is the way to go. There is a famous obfuscated code championship for C code (http://en.wikipedia.org/wiki/International_Obfuscated_C_Code_Contest) where people try to be creative and perhaps their sources do have useless code (even though that is not the main intention) that you can use in your tests (if you find similar championships for Java code - I honestly didn't check for that).

In your shoes, I would also consider creating a very simple source code manipulation tool that would directly insert useless snippets in the .Java file, at random valid locations. You could define those snippets yourself with things like:

• { System.out.println("Hello world!"); }
• { String s; for(int i = 32; i < 127; i++) s += (char) i; s = s.toUpperCase(); }
• { new Thread( new Runnable() { public void run() { System.out.println("Hello world again!"); } } ).start(); }
• Etc

Since we are talking about a scientific research (your PhD project), I agree with you that it is important for the results of the initial prototype to be easily reproduced. Hence, by having such a tool to add snippets that are known to be useless to your simple test code, you can have a pre-validation. However, probably in the future you will also want to process well known source code (from important open source projects, for instance), pass it through your removal-useless-code-tool, present the code removed, and finally argument logically about the useless of the bits removed as well as validate the output of the modified version of the code against the previous one (without the removed stuff).

Good luck with your research, mate. :)

Cheers

Answer 2

It sounds to me like what you're looking for (and I emphasize "to me" because it seems like each responder has a different take) is something that gives you the capacity to generate code within existing, useful code that makes the resulting code have useless or suboptimal code mixed into it.

At first I thought the purpose of this tool was to prevent reverse engineering, since the key word here is "obfuscation" -- that is, to render the code unclear or unintelligible. But you say you want "useless" code. Code doesn't have to be unclear to be useless. It just has to not do anything.

So now the question is, how do we create useless code?

I don't know, but here's an idea: You could start with code that has useless elements and then optimize it. In fact, your tool sounds a lot to me like a code optimizer. You could take poorly-written code (ask your colleagues for student code submissions?) and compare it to what comes out of a code optimizer. That would get you more than simply unused methods and classes. Though now I have a question (with all due respect): How is your project different from a code optimizer?

Answer 3

What you want isn't actually obfuscation.

What you want is a tool like ASM which can add whatever byte code you want including adding/changing methods.

Answer 4

If you do obfuscate, stay away from obfuscators that modify the code by changing code flow and/or adding exception blocks and such to make it hard to disassemble it. To make the code unreadable it is usually enough to just change all names of methods, fields and classes.

Answer 5

Your task is very interesting but it sounds that it is not java byte code obfuscators are designed for.

If you want to add useless code to some project why not just to add to it yet another project (or part of it). Obviously the added code will be "useful": no-one really calls it from the original project. You can add parts of source or even byte code from absolutely different project. Obviously this code will be written in different classes.

If you want to add the code to your existing classes you can probably develop your own tool using for example CGLIB that takes some even existing byte code and appends it to the byte code of your classes. Let's say appends static methods that will not break consistency of your existing class.