如何保护 Java 代码免受反编译器的侵害?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1879061/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to protect Java codes against decompiler?
提问by Forrest
As we know , there are a lot of java decompiler tools which can convert .class to .java file.
众所周知,有很多java反编译工具可以将.class文件转换为.java文件。
Therefore,we need to protect our .java files against decompiler. I know this is a big topic,and maybe there is no ending.
因此,我们需要保护我们的 .java 文件免受反编译器的侵害。我知道这是一个很大的话题,也许没有结局。
Usually, there are two ways : obfuscator and customized classloader.
通常有两种方式:混淆器和自定义类加载器。
Is there any mature solution or open source framework, which combined those two ways ?
有没有成熟的解决方案或开源框架,将这两种方式结合起来?
Another aspect is related with exe4j, which package jars to exe file,seems like it can protect java codes , because what we can see is exe file instead of jars or class files. But indeed, when it runs, it decompose all jars files into temporary directories, that means it is easy to get class files for decompiler. So any considerations for protecting java codes from the aspect of exe4j ?
另一个方面与exe4j有关,它把jars打包成exe文件,似乎可以保护java代码,因为我们看到的是exe文件,而不是jars或class文件。但是确实,当它运行时,它将所有jar文件分解到临时目录中,这意味着很容易获得反编译器的类文件。那么从 exe4j 方面保护 java 代码有什么考虑吗?
Thanks for your comments and suggests.
感谢您的意见和建议。
Updating
更新中
Thanks everyone for your suggest or experience share. That is helpful to me. To make a conclusion, I will give up any obfuscator or customized classloader with encryption things. Because finally Java codes can be disclosed before clever hackers.
感谢大家的建议或经验分享。这对我很有帮助。总而言之,我将放弃任何带有加密功能的混淆器或自定义类加载器。因为终于可以在聪明的黑客面前公开 Java 代码了。
I will remove some core codes during compiler time using tricks like "#ifdef" in C language. In Java, static and final boolean class variable can be used to do the same job. Then the compilered class file will not contain need-protected java codes.
我将在编译期间使用 C 语言中的“#ifdef”等技巧删除一些核心代码。在 Java 中,静态和最终布尔类变量可用于完成相同的工作。那么编译后的类文件将不包含需要保护的 java 代码。
回答by Emmanuel Dupuy
- You can use an obfuscator, like ProGard or Ygard, but it is not too complex to decrypt strings and rename classes, fields and methods.
- You can encrypt your classes with a private key, and use a custom classloader to decrypt your classes with a public key before loading into memory, but it is not too complex to modify the classloader to save onto a disc all the classes loaded.
- You can try crash decompilers. JAD is one of the best decompilers but if you add corrupted entries in the constant pools, all products powered by JAD crash. However, some decompilers are still working.
- 您可以使用混淆器,如 ProGard 或 Ygard,但解密字符串和重命名类、字段和方法并不太复杂。
- 您可以使用私钥加密您的类,并使用自定义类加载器在加载到内存之前使用公钥解密您的类,但修改类加载器以将所有加载的类保存到光盘上并不太复杂。
- 您可以尝试崩溃反编译器。JAD 是最好的反编译器之一,但是如果您在常量池中添加损坏的条目,所有由 JAD 提供支持的产品都会崩溃。但是,一些反编译器仍在工作。
The only way to protect your software, is to deploy it in a SaaS/PaaS.
保护软件的唯一方法是将其部署在 SaaS/PaaS 中。
But keep one's head: most people use a decompiler because they have a technical problem and the documentation is poor or nonexistent. Write a good documentation and use a solid EULA is the better solution.
但是请注意:大多数人使用反编译器是因为他们有技术问题并且文档很差或根本不存在。编写好的文档并使用可靠的 EULA 是更好的解决方案。
回答by David Harris
You can't protect the class files from a decompiler and from malicious users. However the output of the decompiler may not be valid java.
您无法保护类文件免受反编译器和恶意用户的侵害。然而,反编译器的输出可能不是有效的 java.lang.
The best method is to document your API (assuming this is available for your customers to use) and application very very well. And have your support personnel be able to resolve API and application issues. Then your customers will have no reason to want to use a decompiler to explore why things are not working correctly.
最好的方法是很好地记录您的 API(假设这可供您的客户使用)和应用程序。让您的支持人员能够解决 API 和应用程序问题。那么您的客户将没有理由想要使用反编译器来探索为什么事情不能正常工作。
回答by Thilo
Software as a Service.
软件作为服务。
回答by DrPizza
The only way that's particularly effective is to offer your program as a web service of some kind, so that the compiled code is never even available on an end-user machine.
唯一特别有效的方法是将您的程序作为某种 Web 服务提供,这样编译后的代码甚至永远不会在最终用户机器上可用。
The next most effective solution, which is one that is widely used in practice, is to make your program so terrible that no-one wants to use it or spend the time reverse engineering it in the first place. I suspect that when this happens it is typically accidental, however.
下一个最有效的解决方案,也是在实践中广泛使用的解决方案,是让你的程序变得如此糟糕,以至于没有人想要使用它,或者一开始就花时间对它进行逆向工程。但是,我怀疑发生这种情况通常是偶然的。
回答by Jay Zeng
In fact, not only Java, silverlight and flash also have the same issue. Anyone who downloaded the package can decompress and then decompile to reverse engineer your code.
其实不止Java,silverlight和flash也有同样的问题。任何下载该软件包的人都可以解压然后反编译以对您的代码进行逆向工程。
I agree with Saas will be the best solution, having the web service to handle all the underlying logic and provides data establishes a relatively secured & isolated layer to the end clients to consume data.
我同意 Saas 将是最好的解决方案,让 Web 服务来处理所有底层逻辑并提供数据,为最终客户端建立一个相对安全和隔离的层来消费数据。
回答by Stephen C
My advice is that if you are really serious about this, you should only release the demo software to people who have signed a legally binding non-disclosure agreement. And be prepared to go to court if they breach the agreement.
我的建议是,如果您真的对此很认真,您应该只向签署了具有法律约束力的保密协议的人发布演示软件。如果他们违反协议,准备好上法庭。
By all means, obfuscate your demo application, etc as well, but don't imagine that this will stop a determined hacker from discovering the "secret sauce" in your application. It is not possibleto prevent this, in theory and in practice. Piracy is inevitable if you use the pay-for-license model of monetizing your software.
无论如何,混淆您的演示应用程序等,但不要想象这会阻止坚定的黑客发现您的应用程序中的“秘密武器”。这在理论上和实践中都无法阻止。如果您使用软件货币化的付费许可模式,盗版是不可避免的。
(Actually, it is theoretically possible, but only with a totally secured platform like TPM. And that ain't an option for you. Trust me.)
(实际上,这在理论上是可能的,但只能使用像TPM这样的完全安全的平台。这不是您的选择。相信我。)
回答by BalusC
Everything is hackable. Just have a solid EULA and put the efforts in there instead of wasting them to hopeless attempts to protect the code.
一切都是可以破解的。只要有一个可靠的 EULA 并将努力放在那里,而不是将它们浪费在保护代码的无望尝试上。
回答by divesh premdeep
What about encrypting your class files and using a customised classloader to load your class files ?
加密类文件并使用自定义类加载器加载类文件怎么样?
