views:

519

answers:

8

How to obfuscate code quickly. I have a very small Java App and I want to deliver the obfuscated code to my client. I have heard a lot about ProGuard to obfuscate code and have downloaded it but doesn't know how to obfuscate my "abc.jar" file.

I checked out its website but it contains a lot of material to read. I don't need heavy obfuscation. I just need a obfuscate that simply changes the name of variables, methods and classes to some unreadable ones. I know proguard provide all of this with a ton of other functionalities too.

Q1. So could anyone tell me please some simple obfuscators or some simple steps to use proguard so that I can just input "abc.jar" and it outputs "obfuscate_abc.jar" or something simple like that.

Q2. One more thing, as my java program uses external libraries, so should i need to obfuscate those libraries too?

Q3. Is there any eclipse or netbeans plugin availabe to this obfuscation?

I have also heard that we should retain the mapping table file with us so that in future we can debug or edit that obfuscated code by first de-obfuscating with the help of that mapping-table which was created at the time of obfuscation.

Q4. So, one more question is Why do we need to keep that mapping-table with us. We can simply retain a copy of un-obfuscated application so as to make changes in that (if required in future). Is there any reason to retain that mapping-table file with us?

+1  A: 

You only need to obfuscate the other libraries in the case where you need to protect them against whatever you think obfuscation is doing for your code. However you should read the licences for those other libraries to see whether they restrict you from distributing modified versions.

Paul Clapham
+1 for advising me to check those licenses of those libraries.
Yatendra Goel
+7  A: 

"I checked out [the Proguard] website but it contains a lot of material to read."

Seriously, you're asking a question here because you can't be bothered reading the manual or searching for examples?

Q2: Don't obfuscate libraries.

Q4: You need the mapping table for when you're trying to decipher a stack trace.

Christopher
@Christopher... I didn't ask you to read that manual... That question was for those persons who already know how to deal with ProGuard.
Yatendra Goel
I never said you did. I know how to use ProGuard -- because I *have* read the manual.
Christopher
So keep your knowledge with you... :)
Yatendra Goel
I think I should also give you a Nobel Prize for you have read that manual :)
Yatendra Goel
Oh come on. Seriously you couldn't click Manual > Examples, then read the *very first item*?
Christopher
Oh.. really ... now you have got time to share your knowledge and telling me how to find that example :)Keep your knowledge in safe. You will get reward acc. to the amount of knowledge you have kept secret with you.Please don't bother to tell me that. Just search other questions on SO to down vote them and fill useless comments and answers.:)
Yatendra Goel
You're right.. I'm not sharing my knowledge, I'm sharing common sense instead. There is no reason for us to **duplicate** the already-comprehensive ProGuard manual and examples by repeating them on here. If you had actually made an effort and had a problem, then I and others would be happy to help you solve it -- that's why we are on this site. But if you can't be bothered to even read **the basics** why should we waste our time to help the lazy?
Christopher
{...why should we waste our time...} I didn't aware of the fact that positing such useless answers and comments don't waste our time...:)
Yatendra Goel
Clearly neither of us want to spend more time on this. **Please** just take a moment to read the comments on your question and understand **why** so many people have voted negatively or made comments similar to mine. We *are* all here to help, but you have to try things for yourself. If you can better appreciate how this site works and put some effort into your problems first, it *will* cut down on wasted time for everyone and increases the quality of answers we all get to share here on Stack Overflow.
Christopher
+1  A: 

regarding Q4: The mapping is used when users send you bug reports that contain exception stacktraces from the obfuscated code. ProGuard allows you to translate these stacktraces back to the original class names and line numbers if you have the mapping.

x4u
+1  A: 

Just answering Q4…

There is a good reason to keep the mapping. If the client ever sends you a stacktrace, it can be very useful to know where in the code that stacktrace came from. The purpose of an obfuscator is to get rid of that information ;-) By keeping the mapping, you enable the conversion of the stacktrace into where the problem occurred in the original code.

Paul Wagland
+1 for your answer...
Yatendra Goel
+1  A: 

I can answer question 4. You should retain it for debugging. Say you have a bug in function "printTheAlphabet()" on line 23, after obfuscating the stack trace might say something like "Error in j6z9r() on line 27" which makes it pretty impossible to locate the error in your source code.

ZoFreX
+1  A: 

Q1. So could anyone tell me please some simple obfuscators or some simple steps to use proguard so that I can just input "abc.jar" and it outputs "obfuscate_abc.jar" or something simple like that.

Just go for ProGard, it's definitely a good tool (recommended in many answers here on SO like this one, this one and this one).

Q2. One more thing, as my java program uses external libraries, so should i need to obfuscate those libraries too?

No need IMHO (not even mentioning that you may not).

Q3. Is there any eclipse or netbeans plugin availabe to this obfuscation?

I'd rather suggest to use the Ant Task or the proguard-maven-plugin. See this question about the maven plugin if required.

Q4. So, one more question is Why do we need to keep that mapping-table with us. We can simply retain a copy of un-obfuscated application so as to make changes in that (if required in future). Is there any reason to retain that mapping-table file with us?

Yes, to "translate" stacktrace.

Pascal Thivent
I got all of my answers in a simple and clear way from you. Thanks
Yatendra Goel
and accepted another answer instead :(
KevinDTimm
+1  A: 

I tried this from scratch. It should get you started. I think the key will be to understand the "keep options" in the configuration file.

Using this code:

import java.util.*;

public class Example {

    public static void main(String... args) {
        Example ex = new Example();
        ex.go();
    }

    public void go() {
        String[] strings = { "abc", "def", "ijk" };
        for (String s : strings) {
            System.out.println(s);
        }
    }

}

I created an Example.jar. I copied the proguard.jar from the ProGuard lib directory, and ran this command-line

java -jar proguard.jar @myconfig.pro

where myconfig.pro contains:

-injars Example.jar
-outjars ExampleOut.jar
-libraryjars <java.home>/lib/rt.jar

-keep public class Example {
    public static void main(java.lang.String[]);
}

This produces ExampleOut.jar which contains the same functionality and is obfuscated (verified with JAD). Note that I did not use a manifest, so to test functionality, I unjarred and tested the class. Execution entry-points within jars are left to the reader.

There are many more keep options listed in the Usage section.

Michael Easter
It is showing that <b>Warning: scraper.Main: can't find referenced class com.gargoylesoftware.htmlunit.html.HtmlTableCell</b> means it can't find the com.garg... lib but it it there in the same folder. Should I need to mention the external libraries too in the .pro file
Yatendra Goel
A: 

I have had a quick look at yGuard before and liked the fact that you could integrate the obfuscation steps into an Ant script. This allows you to use it very easily in Eclipse etc if you want.

The documentation it comes with provide a number of ready made Ant scripts to get you started. These just need to be modified to work with your projects layout, ie setting the correct package names etc.

If your not clear on how to get Ant going in Eclipse, you pretty much just need to add a build.xml file to the project, copy the example script that comes with yGuard into it, modify the script to work with your project and run the yGuard task from the Ant view.

With regards to your mapping table question. The only reason I can think you might need something like this would be if you can't replicate a bug your obfuscated jar exhibits, from your original code. At this point you might need to work with the obfuscated version, maybe to determine if the obfuscation has caused a problem.

Binary Nerd