Debugging java obfuscated code

views:

325

answers:

+3 Q:

Debugging java obfuscated code

We are going to obfuscate our project but don't want to lose the ability of remote debugging and hotswapping.

Is it possible? Which tools can handle this? I'd be happy with simple obfuscation - just renaming classes/methods/variables.

[Edited] We're using Intellij IDEA but wasn't able to find any plugin for this task.

+4 A:

We have the same kind of needs (simple obfuscation, need to debug later) and we use ProGuard. It's a Java app, which can be integrated in an Ant task.

It can do a lot of things, but it's also fully tuneable. So you can keep your obfuscation simple. One of the options is to generate a "Symbol Correspondance Table", which allows you to retrive the non-obfucated code from the obfuscated one. (it keeps track that the variable xyz in the class qksdnqd is in fact myCuteVarName in the class MeaningfulClassName)

Edit: Obfuscation can be tricky. Some examples:

You can't change the name of your main method.
Do you use a classloader? Can it still retrieve the class after the obfuscation?
What about your ORM Mapping? Your Spring Context? (if any)

Edit2: You can also see:

http://stackoverflow.com/questions/12088/do-you-obfuscate-your-commercial-java-code

Antoine Claval 2009-09-03 07:50:31

Yes, I know about SC table. But me and my team aren't that gurus who can easily debug and change obfuscated code even using the table :) So I'm just looking for a tool which will allow me to transparently debug code.

Vitaly 2009-09-03 15:31:52

You dont have to be guru, you provide the table and the obfuscated jar to the app, and they become readable again ( minus the comment ). Ah... but i dont think you can "hotswaping" with this process ( it's as removing and replace all the jar )

Antoine Claval 2009-09-04 09:01:44

May be I don't understand something. Will I be able to "step by step" remotely debug the obfuscated code and see the "normal" code in the same time in some sort of debugger (without any additional actions like looking at the table, launching other apps and etc)?

Vitaly 2009-09-06 07:11:37

After some serious work of configuration, you will have two ant task.One who make your compiled code unreable, and create a file as output.And a second ant task who take the file and your unreadable compiled code as input, and output readable compiled code.

Antoine Claval 2009-09-07 07:45:12

Addition to the previous comment : the file is the symbol table. And your app is runing on a server, you will have to stop it.

Antoine Claval 2009-09-07 07:48:49

See SD Java Obfuscator. It strips comments and whitespace, and renames all members/methods/class names that aren't public.

It also providew you with a map of how the code was obfuscated, e.g., for each symbol FOO obfuscated as XYZ, a map FOO->XYZ. This means if you get a backtrace mentioning XYZ, you can easily determine the original symbol FOO. Of course, since only you (the person doing the obfuscation) has this map, only you can do this.

Ira Baxter 2009-10-03 05:01:43

ansaurus

tags:

views:

answers:

Debugging java obfuscated code

related questions