Java obfuscators

views:

1331

answers:

+4 Q:

I'm looking for a good Java obfuscator.

I've done initial research into the following Java obfuscators: proguard, yguard, retroguard, dasho, allatori, jshrink, smokescreen, jobfuscate, marvin, jbco, jode, javaguard, jarg, joga, cafebabe, donquixote, mwobfu, bbmug, zelix klassmaster, sandmark, jcloak, thicket, blufuscator, and java code protector.

I tried proguard and it has a really nice GUI, seems really stable, and seems to be the most popular, but it seemed to not like some enumeration on a referenced jar file (not within the code I was trying to obfuscate) which was weird. Yguard seems to require some interaction with ant, which I didn't know too much about.

What is a good java obfuscator? It doesn't need to be free, it just needs to work well and be easy to use.

+2 A:

What is the issue with ProGuard ? (which is recommended both by this question and this one).

There is a section of troubleshooting about enumerator, but they seem to be taken into account just fine.

However, Obfuscation breaks some attempts at reflection, even though modern obfuscators can detect and to some extend adjust usages of reflection in the code they're obfuscating.

VonC 2008-11-21 23:28:50

The issue is that the application uses code in an external jar, and I've "kept" the files that use enumeration in my own jar code, but at run time I'm still getting problems inside the external jar's code that relates to enumeration. I've followed the proguard troubleshooting the best I could.

jbu 2008-11-21 23:40:49

Do you have the error messages that Proguard generates ?

VonC 2008-11-21 23:49:51

yes, I posted it as an answer in this thread

jbu 2008-11-22 00:15:48

hi VonC, I have trouble using proguard. I have 3 class files which I am packaging into one jar(with manifest). Now when I issue command : java -jar myjar.jar @myjar.pro I expect an output jar like myjar_out.jar stated in myjar.pro. But, that command runs the jar instead of creating a output jar.

Chandan . 2009-07-06 05:33:21

According to http://proguard.sourceforge.net/manual/usage.html , aren't you supposed to type `java -jar proguard.jar @myjar.pro`? Because I can confirm that `java -jar myjar.jar ...` will execute the main class found in myjar.jar.

VonC 2009-07-06 06:13:16

Oh yes...my bad...what was I thinking...:-). Thanks.

Chandan . 2009-07-06 06:33:17

+6 A:

I use ProGuard heavily for all my release builds and I have found it is excellent. I can't recommend it enough!

I have encountered obscure bugs caused by it's optimizations on several occasions and I now disable optimizations across the board - haven't had a problem caused by ProGuard since. Though, to be fair, these were all quite some versions ago - YMMV.

I use the GUI only to get a config started, and then I resort to editing the text config myself, which is really very simple to do.

I have quite complex projects all of which involve dynamic loading and reflection. I also heavily use reflection for a callback implementation. ProGuard has coped with these very well.

EDIT: We also use DashO Pro for one of our products - I looked into it for packaging the products I am responsible for and concluded that it's configuration was too convoluted and complex; also integrating it into the build script seemed like a bit of a pain. But again, to be fair, this was about 7 years ago... so it might be better in current versions.

Software Monkey 2008-11-22 00:13:19

DashO build script support includes both a command line interface as well as an Ant task.

Joe Kuemerle 2009-01-15 04:45:13

i wish there would be a link to progurad so i wouldnt have to use google now ... ;-)

Chris 2009-10-07 12:08:39

@Chris: Done...

Software Monkey 2009-10-07 17:16:26

+1 A:

I used Zelix Klassmaster in a commercial application for several years and found it to be excellent. I threw quite a few resources at the obfuscated code, and was not able to "break" it. It's pricey, but good.

I only stopped using it when my version got old enough that the upgrade cost was significant. My needs had changed and I didn't really need to obfuscate the classes anymore. However, if the need arises again, I'd pay for it and use it in a flash.

Cheers,

-Richard

Huntrods 2008-11-22 02:13:33

I use this a long time ago too. It is very good. Additionally IntellJ Idea plugin is available. http://blogs.jetbrains.com/idea/2006/08/analyzing-external-stack-traces/

OscarRyz 2009-02-06 20:50:15

We are using Zelix Klassmaster for couple years and I can recommend it.

FoxyBOA 2008-11-27 20:33:37

+1 A:

A good collection of links to free and commercial tools is given in this arcticle

"Protect Your Java Code - Through Obfuscators And Beyond"

The author also discusses the strong and weak points of bytecode obfuscation

2009-11-12 22:56:46

+1: An excellent article.

Software Monkey 2009-12-24 07:50:19

ansaurus

tags:

views:

answers:

Java obfuscators

related questions