So, I was trying to learn how to decompile Java code and how to prevent the same. I came across this post on coderanch and wanted to reply there. Unfortunately, the post is locked.
I'd like to continue it and make this post a repository for java decompiling related information.
Kaspersky analysis of Java applets with anti-decompiling tricks:
Kaspersky article on Icefog malware:
Protect Your Java Code — Through Obfuscators And Beyond:
I took many links from the above link. Here are some books on decompiling:
Despite its title, Decompiling Java by Godfrey Nolan has a chapter on code protection, most of which is in turn devoted to obfuscation.
Alex Kalinovsky in his Covert Java: Techniques for Decompiling, Patching, and Reverse Engineering again mostly covers the topics listed in the book title, but has also included a chapter on obfuscation and cracking obfuscated code. By coincidence, that particular chapter is available online, so I have just saved you twenty dollars.
Covert Java book
Crema obfuscator can help protect your Java code from decompilers such as Mocha:
JavaWorld anti-decompiling tip
How to debug an applet: Malware in a Jar
Stack Overflow post on decompiling
Note that none of those tools prevent someone from de-compiling your code. What they do is make it harder for someone to read that de-compiled code by using worse variable names and the like. It has to be possible to get the bytecode for a class which means it is possible with enough time to figure out what is going on.
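To make the point above concrete, here is an added example (not code from the thread or from any of the tools it mentions): a small Python script that builds a constructed Java class file in memory, lists the class, field and method names a decompiler would recover from its constant pool, and then renames them the way an obfuscator does. The class name com/example/LicenseChecker, the member names and the target names "a"/"b" are made up for the illustration. The class file stays structurally valid and fully decompilable after the rename; only the names are worse.

```python
"""Java class-file constant-pool parser plus an obfuscator-style rename pass.

Added example for this thread, not code from any tool mentioned in it.  It
shows that names live in the class file as plain Utf8 constant-pool entries
(JVMS chapter 4), which is why obfuscators rename them and why renaming does
not stop decompilation.
"""
import struct

MAGIC = 0xCAFEBABE

# Constant-pool tag -> fixed payload size in bytes.  Utf8 (tag 1) is variable.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def parse_constant_pool(data):
    """Return (header_bytes, entries, tail_bytes).

    entries[i] is (tag, payload) for pool index i + 1.  Long and Double take
    two slots, so a (0, b'') placeholder follows them.  Everything after the
    pool (access flags, members, attributes) is returned untouched as tail.
    """
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != MAGIC:
        raise ValueError("not a class file")
    pos, entries = 10, []
    while len(entries) < count - 1:
        tag = data[pos]
        if tag == 1:
            (length,) = struct.unpack_from(">H", data, pos + 1)
            payload = data[pos + 3:pos + 3 + length]
            pos += 3 + length
        else:
            size = _FIXED[tag]
            payload = data[pos + 1:pos + 1 + size]
            pos += 1 + size
        entries.append((tag, payload))
        if tag in (5, 6):
            entries.append((0, b""))
    return data[:10], entries, data[pos:]


def symbol_names(data):
    """Names a decompiler sees: every Utf8 entry referenced by a Class (tag 7)
    or NameAndType (tag 12) entry, i.e. class, field and method names."""
    _, entries, _ = parse_constant_pool(data)
    names = set()
    for tag, payload in entries:
        if tag == 7:
            (idx,) = struct.unpack(">H", payload)
            names.add(entries[idx - 1][1].decode("utf-8"))
        elif tag == 12:
            name_idx, _desc_idx = struct.unpack(">HH", payload)
            names.add(entries[name_idx - 1][1].decode("utf-8"))
    return sorted(names)


def rename_symbols(data, mapping):
    """Rewrite Utf8 entries per mapping (old -> new), as an obfuscator does.
    Caveat: only whole-entry matches are renamed; descriptors that embed
    class names (e.g. 'Lcom/example/Foo;') would also need rewriting, and
    the JVM's modified UTF-8 equals UTF-8 only for the ASCII names used here."""
    header, entries, tail = parse_constant_pool(data)
    out = bytearray(header)          # pool count is unchanged, header is reusable
    for tag, payload in entries:
        if tag == 0:
            continue                 # second slot of a Long/Double: no bytes on disk
        if tag == 1:
            new = mapping.get(payload.decode("utf-8"))
            if new is not None:
                payload = new.encode("utf-8")
            out += bytes([1]) + struct.pack(">H", len(payload)) + payload
        else:
            out += bytes([tag]) + payload
    return bytes(out) + tail


def build_sample_class():
    """Constructed class file: com/example/LicenseChecker with a field and a
    method referenced from the pool but no member bodies.  Unused pool
    entries and zero members are allowed, so the file is structurally valid."""
    utf8 = lambda s: (1, struct.pack(">H", len(s)) + s.encode("utf-8"))
    u2 = lambda *v: struct.pack(">" + "H" * len(v), *v)
    pool = [
        utf8("com/example/LicenseChecker"),  # 1
        (7, u2(1)),                           # 2  Class -> #1
        utf8("java/lang/Object"),             # 3
        (7, u2(3)),                           # 4  Class -> #3
        utf8("isLicenseValid"),               # 5
        utf8("(Ljava/lang/String;)Z"),        # 6
        (12, u2(5, 6)),                       # 7  NameAndType
        (10, u2(2, 7)),                       # 8  Methodref
        utf8("secretKey"),                    # 9
        utf8("Ljava/lang/String;"),           # 10
        (12, u2(9, 10)),                      # 11 NameAndType
        (9, u2(2, 11)),                       # 12 Fieldref
    ]
    body = struct.pack(">IHHH", MAGIC, 0, 52, len(pool) + 1)  # Java 8 class version
    for tag, payload in pool:
        body += bytes([tag]) + payload
    # access_flags=ACC_PUBLIC|ACC_SUPER, this_class=#2, super_class=#4,
    # then zero interfaces, fields, methods and attributes.
    return body + u2(0x0021, 2, 4, 0, 0, 0, 0)


def obfuscate_sample():
    """Return (names before, names after) renaming the constructed class."""
    original = build_sample_class()
    mapping = {"com/example/LicenseChecker": "a", "isLicenseValid": "a",
               "secretKey": "b"}           # typical obfuscator output
    return symbol_names(original), symbol_names(rename_symbols(original, mapping))


if __name__ == "__main__":
    before, after = obfuscate_sample()
    print("before:", before)
    print("after: ", after)
```

Running it shows the JDK class java/lang/Object surviving unchanged (an obfuscator cannot rename what it does not ship), while the application's own identifiers collapse to single letters. The bytecode, descriptors and method bodies are untouched, so any decompiler still produces compilable Java; the reader simply loses the hints the original names gave.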
sid smith wrote: I learned that malware programmers use some coding practices to prevent a java decompiler from converting malicious class files into java code.
That doesn't sound quite right - I think most Java developers do that who care about making it harder to recover their source code, not malware authors specifically.
ProGuard is a good tool for obfuscation. JODE (also on SourceForge) is a good decompiler, and being written in Java, you can study how it works. It doesn't understand all the class file changes in Java 5 and newer, but for study purposes it's fine.
Jeanne wrote: What they do is make it harder for someone to read that de-compiled code
Yes and no. Good obfuscators (like DashO) can create bytecode that can't be decompiled by the freely available decompilers like JODE and JD-GUI. That raises the bar in terms of effort I need to go to recover source code, which may be enough for the purposes of whoever tries to protect his code.