
How to save my jar from java decompilers?

 
santhosh bhagavathi
I would like to distribute my Java software to my clients. But I understand that jar files can be de-compiled by using Java decompilers. How can I save it from such decompilers?
 
Maneesh Godbole
Welcome to the Ranch.

1) Doubly make sure your jar does not include the source code as well (this one is a no-brainer)
2) Obfuscate your jar

Besides these two, frankly speaking, there is nothing you can do.
 
santhosh bhagavathi
Maneesh,

I saw a website where if I give my class file, it rips out the code from it. I have to save my jar from such websites. How can I do it?
 
fred rosenberger
Re-read Maneesh's post. The short and simple answer is you can't. You can make it harder for people to read it, but in the end, anyone determined enough can figure it out.
 
Stuart A. Burkett
santhosh bhagavathi wrote: Maneesh,

I saw a website where if I give my class file, it rips out the code from it. I have to save my jar from such websites. How can I do it?

Include a licence with your software that limits what the client can do with it, get the client to sign a watertight contract and get a good lawyer.
 
Jayesh A Lalwani
Obfuscators can't prevent people from decompiling your code, but they can make it so that the code is very hard to read. It will change all the variable and function names to be meaningless. For most projects, a person with extraordinarily high intelligence will be able to "read" obfuscated code, however, chances are that such a person will find it easier to just write the code themselves rather than decompile someone else's code.

Note that obfuscation also makes it harder for you to read your own stack traces. All the calls in your stack trace will use obfuscated method names.
 
Winston Gutkowski
santhosh bhagavathi wrote: How can I save it from such decompilers?

My advice: Assume that you can't, and add the value elsewhere.

If you look around the Net, you'll see that a lot of companies basically give their software away, and add the value in their service contracts.

Now I'm not saying that you shouldn't make it difficult (which is where obfuscators and the other good advice come in), but don't for one minute assume that you'll have made it impossible.

A great piece of advice that was given to me when I first started out as a Systems Admin:
The Net is big and bad and anarchic; and if someone has enough time and expertise, they WILL crack your system. Your job is to make it as difficult as possible, and to limit the damage they can cause if they do manage it.

HIH

Winston
 
Tony Docherty
Jayesh A Lalwani wrote: For most projects, a person with extraordinarily high intelligence will be able to "read" obfuscated code,

Hey, in the past I've disassembled and re-engineered obfuscated code (legitimately, I hasten to add), does that mean I have extraordinarily high intelligence?

Jayesh A Lalwani wrote: however, chances are that such a person will find it easier to just write the code themselves rather than decompile someone else's code.

And yes, it probably would have been easier to rewrite it, which I guess proves I haven't.
 
Ulf Dittmer
One approach that may or may not be feasible is not to include the most sensitive code in the jar, but to run it on a server, and then the code in the jar file could connect to it via some API.
 
Maneesh Godbole
santhosh bhagavathi wrote: Maneesh,
I saw a website where if I give my class file, it rips out the code from it. I have to save my jar from such websites. How can I do it?

Really?

Imagine this is your source code


Does the site give you back exactly the same?
OR
Does it give something like

or even

source

If it is #2 or #3, the site is disassembling the class file using javap.
If you get your original source code back, please do share the website with us.

EDIT: Just realized something like JAD exists which seems to be capable of really decompiling. I do not have any first-hand experience with it. Maybe someone else can confirm it is indeed possible to decompile and retrieve the original source code.
 
Ulf Dittmer
Yes, decompiling Java code is for real. If the Java compiler is run with debugging info turned on (-g), then the recovered source code will often be very close to the original code. But even if not, the code will more often than not be compilable, which is in most cases sufficient for the purposes of the attacker. Obfuscators (like the excellent ProGuard) make the decompiled code harder to read, and can sometimes ensure that it can not easily be compiled, but that's about it.
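
A release check for two points raised in this thread (source files left in the jar, and classes compiled with debugging info), as an added example that is not code from any poster. The entry names and the sample jar are constructed, and the class files in it are header-plus-constant-pool fragments only.

```python
import io, struct, zipfile

# Attribute names javac writes for debug info; -g:none omits all three.
DEBUG_ATTRS = {"SourceFile", "LineNumberTable", "LocalVariableTable"}
# Constant-pool tag -> payload size in bytes (tag 1, Utf8, is variable length).
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
            15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def debug_attrs(class_bytes):
    """Heuristic: debug attribute names present as Utf8 constants in the pool
    (a string literal with the same text would also match)."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack_from(">H", class_bytes, 8)
    pos, index, found = 10, 1, set()
    while index < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then that many bytes
            (n,) = struct.unpack_from(">H", class_bytes, pos)
            text = class_bytes[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            found |= {text} & DEBUG_ATTRS
            pos += 2 + n
        else:
            pos += CP_SIZES[tag]
        index += 2 if tag in (5, 6) else 1  # long/double take two pool slots
    return found

def audit_jar(jar_bytes):
    """Map each jar entry that leaks source or debug info to what it leaks."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".java"):
                report[name] = {"source file shipped"}
            elif name.endswith(".class") and (attrs := debug_attrs(jar.read(name))):
                report[name] = attrs
    return report

def sample_jar():
    """Constructed input with hypothetical names: debug class, stripped class, source."""
    utf8 = lambda s: b"\x01" + struct.pack(">H", len(s)) + s.encode()
    head = b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52)
    with_g = head + struct.pack(">H", 4) + utf8("Pay") + utf8("SourceFile") + utf8("LocalVariableTable")
    stripped = head + struct.pack(">H", 4) + b"\x05" + b"\0" * 8 + utf8("a")
    entries = [("com/acme/Pay.class", with_g), ("com/acme/Stripped.class", stripped), ("com/acme/Pay.java", b"class Pay {}")]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries:
            jar.writestr(name, data)
    return buf.getvalue()
```

An empty report means only that source files and these debug attributes are absent; the bytecode itself can still be decompiled.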
 
Tony Docherty
All the decompilers I tried (can't remember their names, but JAD was certainly one) struggled to decompile some inner classes. I didn't investigate what it was about particular inner classes that caused them so much trouble, but in the code I was decompiling the same inner classes were mangled by all the decompilers I tried.
 