问
如果我把我的class文件加密在运行时用指定的类加载器(class loader)装入并解密它这样子能防止被反编译吗?
答
防止JAVA字节码反编译这个问题在java语言雏形期就有了尽管市面上存在一些反编译的工具可以利用但是JAVA程序员还是不断的努力寻找新的更有效的方法来保护他们的智慧结晶在此我将详细给大家解释这一直来在论坛上有争议的话题
Class文件能被很轻松的重构生成JAVA源文件与最初JAVA字节码的设计目的和商业交易有紧密地联系另外JAVA字节码被设计成简洁平台独立性网络灵活性并且易于被字节码解释器和JIT (justintime)/HotSpot 编译器所分析可以清楚地了解程序员的目的 Class文件要比JAVA源文件更易于分析
如果不能阻止被反编译的话至少可以通过一些方法来增加它的困难性例如: 在一个分步编译里你可以打乱Class文件的数据以使其难读或者难以被反编译成正确的JAVA源文件前者可以采用极端函数重载后者用操作控制流建立控制结构使其难以恢复正常次序有更多成功的商业困惑者采用这些或其他的技术来保护自己的代码
不幸的是哪种方法都必须改变JVM运行的代码并且许多用户害怕这种转化会给他们的程序带来新的Bug而且方法和字段重命名会调用反射从而使程序停止工作改变类和包的名字会破坏其他的JAVA APIS(JNDI URL providers etc)除了改变名字如果字节码偏移量和源代码行数之间的关系改变了在恢复这有异常的堆栈将很困难
于是就有了一些打乱JAVA源代码的选项但是这将从本质上导致一系列问题的产生
加密而不打乱
或许上述可能会使你问假如我把字节码加密而不是处理字节码并且JVM运行时自动将它解密并装入类加载器然后JVM运行解密后的字节码文件这样就不会被反编译了对吗?
考虑到你是第一个提出这种想法的并且它又能正常运行我表示遗憾和不幸这种想法是错误的
下面是一个简单的类编码器
为了阐明这种思想我采用了一个实例和一个很通用的类加载器来运行它该程序包括两个类
public class Main
{
public static void main (final String [] args)
{
Systemoutprintln (secret result = + MySecretClassmySecretAlgorithm ());
}
} // End of class
package de;
import javautilRandom;
public class MySecretClass
{
/**
* Guess what the secret algorithm just uses a random number generator
*/
public static int mySecretAlgorithm ()
{
return (int) s_randomnextInt ();
}
private static final Random s_random = new Random (SystemcurrentTimeMillis ());
} // End of class
我想通过加密相关的class文件并在运行期解密来隐藏deMySecretClass的执行用下面这个工具可以达到效果(你可以到这里下载Resources)
public class EncryptedClassLoader extends URLClassLoader
{
public static void main (final String [] args)
throws Exception
{
if (runequals (args []) && (argslength >=))
{
// Create a custom loader that will use the current loader as
// delegation parent:
final ClassLoader appLoader =
new EncryptedClassLoader (EncryptedClassLoaderclassgetClassLoader ()
new File (args []));
// Thread context loader must be adjusted as well:
ThreadcurrentThread ()setContextClassLoader (appLoader);
final Class app = appLoaderloadClass (args []);
final Method appmain = appgetMethod (main new Class [] {String []class});
final String [] appargs = new String [argslength ];
Systemarraycopy (args appargs appargslength);
appmaininvoke (null new Object [] {appargs});
}
else if (encryptequals (args []) && (argslength >= ))
{
encrypt specified classes
}
else
throw new IllegalArgumentException (USAGE);
}
/**
* Overrides javalangClassLoaderloadClass() to change the usual parentchild
* delegation rules just enough to be able to snatch application classes
* from under system classloaders nose
*/
public Class loadClass (final String name final boolean resolve)
throws ClassNotFoundException
{
if (TRACE) Systemoutprintln (loadClass ( + name + + resolve + ));
Class c = null;
// First check if this class has already been defined by this classloader
// instance:
c = findLoadedClass (name);
if (c == null)
{
Class parentsVersion = null;
try
{
// This is slightly unorthodox: do a trial load via the
// parent loader and note whether the parent delegated or not;
// what this accomplishes is proper delegation for all core
// and extension classes without my having to filter on class name:
parentsVersion = getParent ()loadClass (name);
if (parentsVersiongetClassLoader () != getParent ())
c = parentsVersion;
}
catch (ClassNotFoundException ignore) {}
catch (ClassFormatError ignore) {}
if (c == null)
{
try
{
// OK either c was loaded by the system (not the bootstrap
// or extension) loader (in which case I want to ignore that
// definition) or the parent failed altogether; either way I
// attempt to define my own version:
c = findClass (name);
}
catch (ClassNotFoundException ignore)
{
// If that failed fall back on the parents version
// [which could be null at this point]:
c = parentsVersion;
}
}
}
if (c == null)
throw new ClassNotFoundException (name);
if (resolve)
resolveClass (c);
return c;
}
/**
* Overrides javanewURLClassLoaderdefineClass() to be able to call
* crypt() before defining a class
*/
protected Class findClass (final String name)
throws ClassNotFoundException
{
if (TRACE) Systemoutprintln (findClass ( + name + ));
// class files are not guaranteed to be loadable as resources;
// but if Suns code does it so perhaps can mine
final String classResource = namereplace ( /) + class;
final URL classURL = getResource (classResource);
if (classURL == null)
throw new ClassNotFoundException (name);
else
{
InputStream in = null;
try
{
in = classURLopenStream ();
final byte [] classBytes = readFully (in);
