Reputation: 113
I have an application written in Java, and I am using ProGuard to obfuscate it, and it's working very well; I mean the classes and members (data and functions) are renamed to a, ax, xy, z, etc.
But when I decompile it using jd-gui-1.2.0.jar,
I found that all the default Java packages and classes are visible to readers, e.g.:
import java.awt.GridLayout;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.swing.JButton;
import javax.swing.JFrame;
And the class and function names are also visible to readers, e.g.:
try
{
    Class.forName("org.sqlite.JDBC");
    this.ab = DriverManager.getConnection("jdbc:sqlite:db.db");
}
catch (ClassNotFoundException|SQLException localClassNotFoundException)
{
    JOptionPane.showMessageDialog(this, "Database Not Found", "Exception Occured", 0);
}
I am not talking about string encryption but about the class and function names that are in default Java packages, e.g. java.sql.Connection
and DriverManager.getConnection("")
I am wondering how I can hide or rename all these default class and function names using ProGuard. At this point I can only think that it could be there somewhere in ProGuard by mapping their names or some other way.
Any help or suggestion would be a great help.
Upvotes: 2
Views: 1119
Reputation: 4121
When you get right down to it, code obfuscation is a form of security by obscurity. In well-written code that's more or less self-documenting, names of classes/methods/functions can tell you exactly what a piece of code is doing. Obfuscating the code in light of that is immensely helpful for keeping out less determined / knowledgeable people.
As one of my projects for teaching myself reverse engineering I wanted to find out the answer to this question: can you hit a bomb on the first click in [Windows XP] Minesweeper? All I had to go off of is my knowledge of assembly, winapi, etc. As I examined the disassembly I was able to figure out what many of the functions were doing and give them a name that was meaningful to me. I eventually found the memory being used for the board and was able to reliably determine that the layout of the board wasn't chosen until after the 1st click; the code for generating the board layout always ensured a non-bomb was in the clicked square.
While method names & whatnot were obscured by only having addresses (that I gave meaningful names to), there's not a lot they could do to hide system/winapi/library calls. There are a lot of creative tricks for doing just that, but they all boil down to obscure ways to do a lookup table. Anyone with enough skill to write a tool like jd-gui-1.2.0.jar, or capable of modifying its source for their own purposes, won't have a problem figuring out any scheme you use for doing the lookup.
A common technique used for analyzing viruses that use some form of encryption/compression is to identify the code used to unpack the executable code and use that directly instead of rolling your own. After all, why go through the effort of writing your own when the code you need is right there?
My point: although it's technically possible to do what you want, I'm of the personal opinion that it's not worth your time.
Upvotes: 2
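The lookup-table approach described in the answer above, as an added example (not code from either poster): the JDK names are kept only in encoded form and resolved by reflection, yet the decoder the program has to carry recovers them directly. The class name HiddenCallDemo, the XOR key and the enc/dec helpers are hypothetical, and XOR plus Base64 stands in for whatever encoding an obfuscator would apply.

```java
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration; HiddenCallDemo, KEY, enc and dec are hypothetical names.
public class HiddenCallDemo {
    private static final byte KEY = 0x5A; // constructed single-byte XOR key

    // Encoder: normally run at build time so only the blobs ship in the jar.
    static String enc(String plain) {
        byte[] b = plain.getBytes(StandardCharsets.UTF_8);
        for (int i = 0; i < b.length; i++) b[i] ^= KEY;
        return Base64.getEncoder().encodeToString(b);
    }

    // Decoder: must ship inside the application, or the call cannot be made.
    static String dec(String blob) {
        byte[] b = Base64.getDecoder().decode(blob);
        for (int i = 0; i < b.length; i++) b[i] ^= KEY;
        return new String(b, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // The "lookup table". It is encoded here at run time only to keep the
        // example short; an obfuscator would embed the blobs as constants.
        String[] table = { enc("java.sql.DriverManager"), enc("getConnection") };

        // Hidden call site: no java.sql import and no readable name in the code,
        // but the JVM still needs the real names to resolve the JDK class.
        Class<?> c = Class.forName(dec(table[0]));
        Method m = c.getMethod(dec(table[1]), String.class);
        System.out.println("resolved: " + m);

        // What a reader of the decompiled jar does: reuse the shipped decoder.
        for (String blob : table) {
            System.out.println(blob + " -> " + dec(blob));
        }
    }
}
```

ProGuard can rename only the classes it processes; java.sql.Connection and DriverManager live in the JDK, so their real names have to reach the JVM in some recoverable form.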