1

I just had an idea, is that possible to protect my java sources (packed into a jar file) which are loaded with a custom class loader, using a JNI code or something?

As the JNI code cannot be decompiled, it could be great to be able to protect the java code too.

Is that possible?

Thanks.

Jens Bannmann
  • 4,845
  • 5
  • 49
  • 76
Manitoba
  • 8,522
  • 11
  • 60
  • 122
  • "As the JNI code cannot be decompiled" -- maybe not as easily as Java byte code, but still possible. – Philipp Reichart Jun 25 '12 at 13:51
  • Duplicate of [Can I use native compilation as Java obfuscation](http://stackoverflow.com/q/4232283/127035) – ewan.chalmers Jun 25 '12 at 13:52
  • @PhilippReichart Yeah I know thta using a basic debugger will give me a big clue on how the code works, but that will certainly limit the amount of person that will crack my app. – Manitoba Jun 25 '12 at 13:56
  • 1
    Have a look at [this article](http://www.excelsior-usa.com/articles/java-obfuscators.html). It shows some ways to make it harder to reverse-engineer your Java application. – Chris Ortner Jun 25 '12 at 13:58
  • The best thing would be a kind of custom JRE detector that would stop the dumper. – Manitoba Jun 25 '12 at 13:58

1 Answers1

2

I've searched for something like this a lot and here's my take on it.

Write your own custom boot strap class loader at the JVM level, which would have to be coded in C. This class loader would use a cryptographic key to decrypt the already encryped java class files on the fly into byte arrays for class definition.

Now you're left with where to store your cryptographic key and how to secure it.

In the end, you may be better off just purchasing Excelsior-Jet, I've used it before and it's a really great app. Well worth the $3,000 or so you would spend on it.

george_h
  • 1,562
  • 2
  • 19
  • 37
  • Upvoted for mentioning our product (I work for Excelsior), but I have to point you to a DZone article explaining why [*software* encryption of bytecode does not make much sense](http://java.dzone.com/articles/gun-great-equalizer-openjdk) – Dmitry Leskov Jul 12 '12 at 04:47
  • And re Excelsior JET price, there are [discounts for small businesses](http://www.excelsior-usa.com/store/jetmb.html). – Dmitry Leskov Jul 12 '12 at 04:48
  • Thanks for the upvote Dmitry, I read all the articles on excelsior's site about bytecode encryption and it was mentioned that there are some hardware USB tokens to do the low-level crypto work. I mention modifying the JVM's bootstrap class loader it self not using a class loader in Java. So essentially the JVM is re-compiled to do the encryption/decryption work natively. I haven't done that yet because it's a head-ache. I'd rather buy excelsior and have everything in native :) – george_h Jul 12 '12 at 05:05