两种免费的Java Obfuscator比较

两种免费的Java Obfuscator比较

【2006-04-07 13:34】 【】 【Matrix】

　　Java的bytecode很容易通过JAD等反编译工具搞出源代码, 目前最有效的保护方法是obfuscate类名和方法名。注意: 用obfuscate防盗版是根本不可能, 连汇编这种东西都能被破解掉, 破解java代码简直就是小菜。用obfuscate主要是为了保护源代码的知识产权, 别人无法用反编译的源代码做事情.

　　本文从几个不同的方面比较了两种Free的Java Obfuscator的优缺点..

　　两种Free的Java Obfuscator: yguard和Proguard.

　　yguard:http://www.yworks.com/en/products_yguard_about.htm

　　Proguard:http://proguard.sourceforge.net/

　　下面列出两者的不同和优缺点

　　1. 速度

　　yguard的速度远远高于proguard, 主要区别在于proguard不管用没有用, 上来就扫描jre/lib/rt.jar和其他所有用到的library。这个回合yguard胜出

　　2. 是否Opensource以及遵循协议

　　yguard: ywork公司的产品,免费使用, 但不是Open source

　　Proguard是GPL(这里GPL只是指Proguard本身, 对于obfuscate出来的jar没有限制), 可以从sourceforge.net下载源代码 但是作者并不希望别人参与,没有CVS,所以也无从知道作者的最新进展.

　　这个回合proguard胜出

　　3. 是否支持Package Name obfuscate

　　yguard支持Package Name obfuscate

　　Proguard不支持

　　这其实是很重要的一个特性, 一个好的Java程序往往在一个package里只有10个以下Class,根据package Name很容易猜出各个Class是干什么的, 比如:

　　com.mycompany.license.a com.mycompany.license.b com.mycompany.license.c

　　虽然obfuscate了Class Name,但是因为这个license只有3个Class,很容易猜出来是干什么的

　　但是如果你obfuscate成:

　　com.mycompany.a.a com.mycompany.a.b com.mycompany.a.c

　　则大大增加了困难, 尤其大型software, 有几十个package的情况下, 会呈几何级数增加反编译的难度

　　这个回合yguard胜出, 但是Proguard已经准备在4.0里推出这个特性

　　4. 增量obfuscate

　　proguard支持增量obfuscate , yguard不支持.

　　也就是在obfuscate a.jar时, 记住所有的名字映射关系(比如MyUtil->a), 然后在obfuscate b.jar的时候, 使用那个映射关系(所有调用MyUtil改成调用a)

　　假设a.jar里面有一个MyUtil被b.jar里面的Main使用, 在没有Incremental Obfuscate的情况下, 你必须指定不obfuscate a.jar里的MyUtil.

　　没有增量obfuscate 坏处是很显然的: 第一obfuscate的配置复杂了, 第二,暴露了某些Class

　　这个回合Proguard胜出

　　5. 其它

　　其他不太重要的特性:

　　- Proguard可以用一篇文章中的词(比如莎士比亚的剧本)作为变量名字, 呵呵

　　- Proguard可以删除所有没有用到的Class或者方法(叫做Shrink)

　　- Yguard能够obfuscate资源名称, 比如Messages.properties->a.properties并且修改相应的ResourceBundle类

　　- Yguard可以replace指定文本文件里的Class Name,比如修改eclipse plugin.xml里的Class名字

　　我个人不太赞成这种做法

　　总结

　　对于小型java应用(只有一个package,一个jar文件), 两者区别很小, (但是小型的java应用值得obfuscate么?呵呵)

　　目前因为没有obfuscate package name这个重要特性, 所以目前我偏向用yguard, 但是yguard没有incremental obufscate, 真伤脑筋, 现在就等Proguard4.0出来, 马上移植到Proguard4.0上去

This document explains how to use the yGuard Java obfuscation and shrinking software together with Ant. yGuard is a product of , creator of the outstanding Java^TM graph visualization framework and other fine .

Documentation for the deprecated Ant syntax of previous yGuard releases is still .

yGuard 2.1 Ant Task Documentation

Contents

Introduction

Using the yGuard Ant task, name obfuscation and code shrinking can be seamlessly integrated into your deployment process.
The task contains two nested elements that perform the name obfuscation and code shrinking separately:

The element removes all code elements that are not reachable from the entrypoints given in the nested element. The element performs name-obfuscation, renaming all packages, classes, methods and fields according to a selectable name-mapping scheme.
Elements can be excluded from the renaming process using a nested element. Both elements operate on the same set of input and output files specified in the containing element.

Installation

In order to make use of yGuard's yguard task you must have Ant properly installed and configured to run it. After and extracting the jar file (yguard.jar), place it in a path near to your build script. You may use absolute paths, but in the following example, we expect the jar file to lie in the same directory as your build file.

In order the get the Ant task running you should insert a couple of lines in your build script (build.xml):

    <target name="yguard">
      <taskdef name="yguard"
      classname="com.yworks.yguard.YGuardTask"
      classpath="yguard.jar"/>
      <yguard>
        <!-- insert your yguard elements here -->
      </yguard>
    </target>

For a complete build.xml file have a look at the .

General Hints & Troubleshooting

There are a couple of things you should be aware of when obfuscating and shrinking software.
The weakest part of an application considering name obfuscation and code shrinking is code that uses reflection to dynamically load classes, invoke methods etc. Therefore, you have to be especially careful when using the yguard task on applications that rely on reflection. <!--You can find a lot of information on <a href="http://www.retrologic.com">http://www.Retrologic.com</a>. This is the site which hosts 'Retroguard'. The yGuard <i>library</i> has been derived from Retroguard. -->
The most important facts to keep in mind when using yGuard are described here briefly:

If you use the rename task, code in the form of MyApplication.class will break if MyApplication will be obfuscated by name and the obfuscation switch is set to false. The shrink task will currently recognize code in the form of MyApplication.class only if the java files were compiled using an arbitrary version of the standard javac compiler (although the shrinking engine might recognize the .class construct also if the classes were compiled using a compiler that generates similar bytecode). Automatic introspection and reflection will break in most cases, when you decide to obfuscate the corresponding methods and fields. If you use the shrink task and your application uses reflection you should explicitly designate all entities loaded per reflection as code entrypoints using the element.
If your application is broken after using the shrink task, consider using the attribute of the shrink task to find out which additional entities you need to include in the element. Class.forName(className) will not work when using the rename task unless you use the obfuscated name string in your variable or the String is a local constant and is not set or set to true . If you use the shrink task, className should be contained in the list of entrypoints using the element. The customized serialization mechanism will not work if you obfuscated or shrinked the writeObject and readObject methods as well as the serializationUID field. Simple bean introspection will not work, if you decide to obfuscate your public accessor methods, since it makes use of reflection. If you do not set the -Xmx property for the Java virtual machine, the yguard Ant task might fail due to a java.lang.OutOfMemoryError.
To solve this problem, set the -Xmx option in the ANT_OPTS variable, e.g.:

bash> export ANT_OPTS="-Xmx512M"
or
cshell> setenv ANT_OPTS "-Xmx512M"

DTD used for Ant <yguard>

The obfuscation and shrinking process can be completely configured inside your Ant script. The yguard task and nested elements should be used according to the following DTD (please note that this is for information purposes only, i.e. you do not have to include the following lines anywhere):

  <!ELEMENT yguard (inoutpair+,externalclasses?,attribute*,(shrink|rename)+)>

  <!ELEMENT inoutpair EMPTY>
  <!ATTLIST inoutpair
  in CDATA #REQUIRED
  out CDATA #REQUIRED>

  <!ELEMENT externalclasses ANY>
  <!-- the externalclasses element is used just like Ant's classpath
  element. See the Ant documentation for further details-->

  <!ELEMENT attribute (patternset)*>

  <!ELEMENT shrink (entrypointjar*,keep?)>

  <!ELEMENT rename (property*,patch?,adjust*,map?,keep?)>

  <!ELEMENT property EMPTY>
  <!ATTLIST property
  name CDATA #REQUIRED
  value CDATA #REQUIRED>

  <!ELEMENT patch (class)*>

  <!ELEMENT adjust (#PCDATA)>
  <!ATTLIST adjust
  replaceName CDATA #REQUIRED
  replaceContent CDATA #REQUIRED
  replacePath CDATA #REQUIRED>

  <!ELEMENT map (class|method|field|package)*>

  <!ELEMENT package (#PCDATA)>
  <!ATTLIST package
  name CDATA #REQUIRED
  map CDATA #REQUIRED>

  <!ELEMENT keep (class|method|field|sourcefile|linenumbertable)*>
  <!--
  NOTE: the nested <sourcefile>,<linenumbertable> and <attribute> sections are only
  supported in the <rename> element.
  -->
  <!ATTLIST keep
  linenumbertable CDATA #IMPLIED
  localvariabletable CDATA #IMPLIED
  localvariabletypetable CDATA #IMPLIED
  runtimeinvisibleannotations CDATA #IMPLIED
  runtimeinvisibletypeannotations CDATA #IMPLIED
  runtimevisibleannotations CDATA #IMPLIED
  runtimevisibletypeannotations CDATA #IMPLIED
  sourcefile CDATA #IMPLIED>

  <!ELEMENT class (patternset)*>
  <!ATTLIST class
  classes CDATA #IMPLIED
  fields CDATA #IMPLIED
  map CDATA #IMPLIED
  methods CDATA #IMPLIED
  name CDATA #IMPLIED>
  <!--
  NOTE: the map attribute is only supported
  if the <class> element is nested inside an <rename> element.
  -->

  <!ELEMENT method (patternset)*>
  <!ATTLIST method
  class CDATA #IMPLIED
  map CDATA #IMPLIED
  name CDATA #IMPLIED>
  <!--
  NOTE: the map attribute is only supported
  if the <method> element is nested inside an <rename> element.
  -->

  <!ELEMENT field (patternset)*>
  <!ATTLIST field
  class CDATA #IMPLIED
  map CDATA #IMPLIED
  name CDATA #IMPLIED>
  <!--
  NOTE: the field attribute is only supported
  if the <method> element is nested inside an <rename> element.
  -->

Attention users of IDEs that "support" the creation of Ant files (e.g. IDEA's IntelliJ): Your IDE may indicate some errors inside your ANT file when you use yGuard specific elements. This is because the IDE does not know about the DTD used by yGuard. However this is not a real problem, since the Ant file should nevertheless work as expected.

The yguard Element

The yguard task contains elements that define basic properties common to the nested and tasks.
Please see the section to learn about common pitfalls when using name obfuscation and shrinking software.

Attributes

The yguard element has no attributes.

Child Elements

The inoutpair Elements

At least one inoutpair element has to be specified in order to run the yguard task. This elements specifies the paths to the input and output jar files.

Attributes

Attribute Description Required in specifies an exisiting jar file, which contains the unshrinked and unobfuscated .class files. Yes out specifies a path to a jar file which will be created and used to put the results of the shrinking and obfuscation process. Yes resources Will only be considered if the element contains a nested element.
Determines how the shrinking engine handles all non-.class files.
Currently the following three resource policies are supported: copy: the default, simply copies all resource files to the output jar. auto: copies only those resource files that reside in a directory that still contains one or more .class files after shrinking. none: discards all resource files. No, defaults to copy.

Child Elements

The inoutpair element has no child elements.

The externalclasses Element

If the jar to be processed by yGuard depends on external classes or libraries, this element can be used to specify classpaths to these entities. These libraries will neither be shrinked nor obfuscated. Use the inoutpair element for this purpose! See later in this document for an example of when to use this element.
In order to achieve a maximum shrinking effect by the shrink task, all external dependencies should be declared in the externalclasses element. Otherwise, all non-private methods of classes that inherit from unresolvable classes will not be shrinked.

The elements attributes and child elements can be seen on the .

The attribute Element

Using the attribute element, you can specify which attributes present in the input classes should be kept in the obfuscated output classes.
See later in this document for an example of when to use this element.

Attributes

Attribute Description Required name A comma-separated list of attribute names that are to be retained in the shrinked and/or obfuscated class files. Yes

Child Elements

An example:

    <attribute name="SourceFile, LineNumberTable, LocalVariableTable">
      <patternset>
        <include name="com.mycompany.mylibrary.**"/>
      </patternset>
    </attribute>

This will retain the attributes named "SourceFile", "LineNumberTable", and "LocalVariableTable" effectively enabling debugging information for all classes in the com.mycompany.mylibaray package and subpackages.

The shrink Element

The shrink task removes all classes, fields and methods that are not reachable from a number of entrypoints given by a nested element.
See the section for explanation of some common use cases. If your code uses reflection, please read the section for information on this topic.

Attributes

Attribute Description Required logfile Determines the name of the logfile that is generated during the shrinking process. The logfile contains information about the entrypoints the shrinking engine uses, the removed classes, methods and fields as well as any warnings.
If the name ends with a ".gz", yGuard will automatically create a gzipped version of the file which potentially saves a lot of disc space. No, defaults to yshrinklog.xml createStubs Instead of removing methods completely, this attribute causes the shrink task to insert a method stub that throws a java.lang.InternalError if it is called. This attribute is very useful if the shrinking process causes your application to break and you are uncertain about which additional code entities you have to include in the element.
Note that classes considered as completely obsolete by the shrinking engine are still removed completely - this attribute only affects obsolete methods of non-obsolete classes. No, defaults to false

Child Elements

The entrypointjar Element

The entrypointjar element can be used for convenience if your application uses libraries that are to be shrinked, but the jarfile using these libraries should be left untouched by the shrinking engine. Such a jarfile could be specified as an entrypointjar.

Attributes

Attribute Description Required name Path to to the jar file to use as entrypointjar. Yes

Child Elements

The entrypointjar element has no child elements.

Example

      <yguard>
        <inoutpair in="lib-in.jar" out="lib-out.jar" />
        <shrink>
          <entrypointjar name="myApp.jar"/>
        </shrink>
      </yguard>

The rename Element

The basic idea is, that all elements will be renamed by this task. Using the nested element, you have to specify all classes, methods, fields, and attributes that should be excluded from name obfuscation, i.e. that will not be renamed but kept in the API. There are different use cases, where you sometimes want to exclude or simply just have to exclude some elements from name obfuscation. See the section for explanation of some common use cases. If your code uses reflection, please read the section for information on this topic. Excluding elements can be achieved by using both the element and the mainclass attribute of the rename element.

Attributes

Attribute Description Required mainclass Can be used as a shortcut to specify the mainclass of your application. Both the class name and the main method will be excluded from name obfuscation. Alternatively you may want to consider to exclude the main method only. If your jar contains a Main-Class attribute, the rename task will automatically adjust the value to the obfuscated name. No logfile Determines the name of the logfile that is generated during the renaming process. The logfile contains information about the mappings the name obfuscator generates as well as any warnings.
If the name ends with a ".gz", yGuard will automatically create a gzipped version of the file which potentially saves a lot of disc space. No, defaults to yguardlog.xml conservemanifest a boolean attribute (valid values: true/false) that determines whether the manifest file of the jars should be left untouched by the renaming engine. If set to false, the manifest will be modified to reflect the new message digests. No, defaults to false. replaceClassNameStrings a boolean attribute (valid values: true/false) that determines whether the renaming engine should try to replace hardcoded Strings, which are used in conjunction with the MyClass.class construct. If set to false, those Strings will be left untouched and code of the form MyClass.class will break if MyClass gets obfuscated by name. If set to true (the default), yGuard will try to workaround this problem by replacing the hardcoded String with the appropriate obfuscated name. However this will only work if the unobfuscated class file has been generated with the usual compilers ('javac', 'jikes' and 'bjc') or compilers, that produce similar bytecode. This can also have the side-effect of modifying too many Strings, e.g if you have code that looks like System.out.println("com.mycompany.MyClass");, it might get replaced, if MyClass.class resides in the very same class with something like System.out.println("com.A.OoO");. It will most likely fail if the class has been previously obfuscated by another obfuscation tool or a different compiler has been used for compilation. Anyway it is always worth it to give it a try, if you want to have 'full obfuscation'. No, defaults to true

Child Elements

The property Elements

property elements can be used to give hints to the name obfuscation engine. Depending on the exact version of yGuard, the task may use these hints to control the process of obfuscation.

Attributes

Attribute Description Required name specifies a key which may be interpreted by the obfuscation task. Yes value specifies the corresponding value of the property. Yes

The following properties are supported:

Name Description error-checking can be used to tell yGuard to bail out if it detects any problems. Currently this property can be set to the following value: pedantic will make the obfuscation run fail, i.e. the target which uses the rename element will fail, if yGuard detects any problems. naming-scheme Can be used to tell the renaming engine to use a different naming scheme during the obfuscation. Currently this property can be set to one of the following values: smallWill produce very short names, i.e. the resulting jar file will be as small as possible. bestWill produce names, that are very likely to be misunderstood by decompilers and disassemblers. Using this naming-scheme it is even impossible on most filesystems to successfully unjar or unzip the resulting jar file (Windows, Standard Unix, Standard Linux, MacOS). However this scheme takes up a lot of space and the resulting jar is likely to become large (typically roughly double the size). mixIs a mixture of both the other two values, which leads to reasonable small but still hard to decompile jar files. language-conformity Can be used to advise the renaming engine to produce names, that should be decompilable by most decompilers. On the other hand, yGuard can produce class files that should be executable and verifiable by all of todays virtual machines, but produces absolutely nonsense names when decompiled (Ever tried to compile 'int class = false.this super(String$super.init if);' ?!) Currently this property can be set to one of the following values: compatibleWill produce names, that are ok for (most) decompilers, java, jar and manifest files and can be unzipped to most filesystems. legalWill produce names, that are ok for (some) decompilers, java, jar and manifest files. illegalWill produce names, that will crash some tools but usually not the jvm, but JBuilder7 in many occasions for example. overload-enabled Determines whether the renaming engine tries to use the same names for methods with different signatures or whether it always generates unique method names. Setting this property to false eases the analysis of stacktraces but reduces the obfuscation effect. obfuscation-prefix Can be used to instruct the renaming engine to prefix packages, that are fully obfuscated with a given package prefix, e.g. com.mycompany.obf. expose-attributes Can be used to give yGuard a list of attributes yGuard should expose in addition to the standard attributes. By default yGuard removes unneeded attributes like "Deprecated" from methods. The value can be a comma separated list of attributes as defined in . E.g. in order to keep the "Deprecated" attribute one can add the following property:
<property name="expose-attributes" value="Deprecated"/>
Note that this affects all classes which will be obfuscated. For a better control of which attributes should be exposed in what classes use the .

Child Elements

The property element has no child elements.

The keep Element

This element is a child of the or element. It can be used to specify elements that are excluded from the parent rename or shrink task. The excluded classes, methods and fields are defined using nested , and elements.
The elements given in the keep element are considered as code entrypoints. All code reachable from these entrypoints will be implicitly excluded from shrinking, too.

Attributes

The keep element provides a number of boolean attributes that determine whether debug information and annotations present in the input class files are to be retained in the output files. The default behavior is to remove all of this information.
Note that a more fine-grained control over which attributes to keep for which class files is possible using the element.

Attribute Description Required sourcefile Determines whether the name of the original source code file should be included in the output class files. No, defaults to 'false', i.e. this information will be removed. linenumbertable Determines whether the line number table, that contains a mapping from each opcode in the class file to the line number in the original source code file should be included in the output class files. No, defaults to 'false', i.e. this information will be removed. localvariabletable Determines whether the local variable table, that contains a mapping from each local variable in the class file to the name that has been used in the original source code file should be included in the output class files. No, defaults to 'false', i.e. this information will be removed. localvariabletypetable Determines whether the local variable type table, that contains a mapping from each local variable in the class file to the name and its generic type signature that has been used in the original source code file should be included in the output class files. No, defaults to 'false', i.e. this information will be removed. runtimevisibleannotations Determines whether annotations with the retention policy RetentionPolicy.RUNTIME should be included in the output class files. No, defaults to 'false', i.e. these annotations will be removed. runtimevisibleparameterannotations Determines whether method paramater annotations with the retention policy RetentionPolicy.RUNTIME should be included in the output class files. No, defaults to 'false', i.e. these annotations will be removed. runtimeinvisibleannotations Determines whether annotations with the retention policy RetentionPolicy.CLASS should be included in the output class files. No, defaults to 'false', i.e. these annotations will be removed. runtimeinvisibleparameterannotations Determines whether method paramater annotations with the retention policy RetentionPolicy.CLASS should be included in the output class files. No, defaults to 'false', i.e. these annotations will be removed.

Common Child Elements

Child Elements only available in the task

The task allows for a special treatment of the linenumbertable and sourcefile attributes. This treatment can be specified in the following child elements:

The class Element

The class element can be used for excluding certain classes and/or their fields and methods from the renaming or shrinking process.
If no name, extends or implements attribute is given and the class element contains no nested patternset, a class element matches all class names.

The classes, methods and fields attributes tell the shrinking and renaming engines which classes, methods and fields to keep based on their visibility. The following table lists the possible values for all of these attributes and shows which elements will be excluded. A '*' denotes, that elements that have the given visibility will be excluded for the specified attribute value. A '-' denotes that the these elements will not be excluded from the process.

Value/Visibility public protected friendly private none - - - - public * - - - protected * * - - friendly * * * - private * * * *

Attributes

Attribute Description Required name The name of the class to be kept. No classes The visibility of the classes to be kept. No, defaults to none methods The visibility of the methods to be kept. No, defaults to none fields The visibility of the fields to be kept. No, defaults to none extends If no name attribute is given, keeps all classes that equal or extend the class defined by the given fully qualified classname.
See for an example usage of this attribute. No implements If no name attribute is given, keeps all classes that equal or implement the class defined by the given fully qualified classname.
See for an example usage of this attribute. No

Child Elements

Explanation

There are three possible ways of specifying which classes will be excluded from the shrinking and obfuscation process:

One can specify a single java class using the fully qualified name in java syntax with the name attribute. For example:

<class name="mypackage.MyClass"/>

One can specify multiple java classes using a modified version of a patternset. The patternset's includes and excludes element should use java syntax, but the usual wildcards are allowed. Some examples:

      <class>
        <patternset>
          <include name="com.mycompany.**.*Bean"/>
          <exclude name="com.mycompany.secretpackage.*"/>
          <exclude name="com.mycompany.myapp.SecretBean"/>
        </patternset>
      </class>

This will expose all classes which reside in the package subtree of com.mycompany and whose name ends with Bean except for those, that reside in the com.mycompany.secretpackage package and the single SecretBean in com.mycompany.myapp.

      <class>
        <patternset>
          <include name="com.mycompany.myapp.MainClass"/>
          <include name="org.w3c.sax?."/>
          <exclude name="org.w3c.sax?.**.*$*"/>
        </patternset>
      </class>

This will expose the MainClass class and all classes, which reside in packages like org.w3c.sax1, org.w3c.sax2, org.w3c.saxb except for inner classes. '$' is used as a separator between outer class names and inner class names. Since Ant uses '$' as an escape character, you have to use two consecutive '$'s ('$$') if you want to pass one as an argument to the task. Finally one can specify classes depending on their visibility, i.e. depending whether they have been declared public, protected, package friendly or private (inner classes). This can be achieved by additionally specifying the classes attribute in the class element.

      <class classes="protected">
        <patternset>
          <include name="com.mycompany.myapi."/>
        </patternset>
      </class>

This will keep all class names, that are either public or protected and which reside in one of the subpackages of com.mycompany.myapi (note the abbreviation: the trailing dot behaves like the trailing '/' in the usual patternset, i.e. it could be rewritten as com.mycompany.myapi.**.*)

      <class classes="protected"
        methods="protected"
        fields="protected">
        <patternset>
          <include name="**.*"/>
        </patternset>
      </class>

This example shows the very common use case of excluding a complete public API from the shrinking and obfuscation process. There is an abbreviation for this use case: you can omit the patternset element, since in the case where the classes attribute is specified and there is no patternset child element used, the task will automatically apply this rule. In this example all classes will be exposed, that are either public or protected. Their methods and fields will be exposed as long as they are declared public or protected. If a class is package friendly or private (inner classes), neither itself nor its methods or fields will be exposed.

The last example shows how to keep the public methods of certain classes only, but neither field names nor the class names themselves.

      <class classes="none" methods="public" fields="none">
        <patternset>
          <include name="com.mycompany.myapi."/>
        </patternset>
      </class>

The method Element

Using the method element you can specify methods by signature which should be excluded from shrinking or name obfuscation.

Attributes

Attribute Description Required name Specifies the method to keep. Use the complete signature using fully qualified class names and the return type! Yes class Specifies the class which contains the method. Use the normal java syntax, i.e. the fully qualified name. This attribute can be omitted, if the patternset element is used as a child element, in which case all classes matching the patternset will be searched and their corresponding methods will be kept. No

Child Elements

Examples

    <method class="com.mycompany.myapp.MyClass"
      name="void main(java.lang.String[])"/>
    <method class="com.mycompany.myapp.MyClass"
      name="int foo(double[][], java.lang.Object)"/>
    <method name="void writeObject(java.io.ObjectOutputStream)">
      <patternset>
        <include name="com.mycompany.myapp.data.*"/>
      </patternset>
    </method>
    <method name="void readObject(java.io.ObjectInputStream)">
      <patternset>
        <include name="com.mycompany.myapp.data.*"/>
      </patternset>
    </method>

This will keep the main method of the MyClass class and the foo method. Additionally all readObject and writeObject methods (used for Serialization) will be kept in all classes of the com.mycompany.myapp.data package. Note that you have to specify the return argument's type, even if it is void and that you have to use the fully qualified name for all classes, even those, that are in the java.lang package.

The field Element

Using the field element you can specify fields by name which should be excluded from shrinking or name obfuscation.

Attributes

Attribute Description Required name specifies the field to keep. Use the name of the field only, do not include its type! Yes class Specifies the class which contains the field. Use the normal java syntax, i.e. the fully qualified name. This attribute can be omitted, if the patternset element is used as a child element, in which case the all classes matching the patternset will be searched and their corresponding fields will be kept. No

Child Elements

Examples

    <field class="com.mycompany.myapp.MyClass" name="field"/>
    <field name="serialVersionUID">
      <patternset>
        <include name="com.mycompany.myapp.data.*"/>
      </patternset>
    </field>

This will keep the field named 'field' of the MyClass class. Additionally all the serialVersionUID fields (used for Serialization) will be kept in all classes of the com.mycompany.myapp.data package.

The sourcefile Element

The sourcefile element allows for a special treatment of the sourceFile attribute by the element.
Using nested property elements, the mapping of sourceFile elements in obfuscated class files can be adjusted.

The following properties are supported:

Name Description mapping the value of this property determines the name all sourceFile attributes matched by the sourcefile element are mapped to.

Child Elements

property

Examples

<!-- <pre class="programlisting"> &lt;sourcefile> &lt;patternset> &lt;include name="com.mycompany.myapp.**" /> &lt;/patternset> &lt;/sourcefile> </pre> <p> This will expose source file names of all the classes in the com.mycompany.myapp packages and subpackages. Note that this will prevent proper obfuscation, since the name of the source file is normally strongly coupled with the unobfuscated name of the class (e.g. "<code>MySecretAlgorithm.java</code>". The following example shows how to overcome this. </p> -->

    <sourcefile>
      <property name="mapping" value="y"/>
      <patternset>
        <include name="com.mycompany.myapp.**"/>
      </patternset>
    </sourcefile>

This will map all of the source file attributes in the packages below com.mycompany.myapp to " y", which is small and generally a nice letter.

The linenumbertable Element

The linenumbertable element allows for a special treatment of the linenumbertable attribute by the .
Using nested property elements, the mapping of linenumbertable elements in obfuscated class files can be adjusted.

The following properties are supported:

Name Description mapping-scheme can be used with the following two values: scramble: this will use a non-trivial algorithm to scramble the line numbers in the existing file. The algorithm implemented uses for each class a different scrambling scheme. The optional scrambling-salt property can be used to provide an integer value that will be used to "salt" the algorithm's random seed for the scrambling. The size of the (uncompressed) .class file will not change using this mapping scheme. squeeze: this will use a simple algorithm that virtually puts all of a methods code into the first line of code of the method. It will appear as if each method had been written in a single line of code. The advantage of this scheme is drastically reduced size requirements and thus smaller .class files, while at the same time it will be possible to unambiguously determine the exact method from a stacktrace. scrambling-salt can be used in conjunction with mapping-scheme to provide an integer value that will be used to "salt" the algorithm's random seed for the scrambling.

Child Elements

property patternset

Examples

  <linenumbertable>
    <patternset>
      <include name="com.mycompany.myapp.**"/>
    </patternset>
  </linenumbertable>

This will keep the line numbers of all the classes in the com.mycompany.myapp packages and subpackages. Note that in order to see the line numbers in stacktraces, the attribute has to be retained for those files, too, since otherwise the JDK will display "Unknown source. " for the stack elements.

  <linenumbertable>
    <property name="mapping-scheme" value="scramble"/>
    <property name="scrambling-salt" value="1234"/>
    <patternset id="CompanyPatternSet">
      <include name="com.mycompany.myapp.**"/>
    </patternset>
  </linenumbertable>
  <sourcefile>
    <property name="mapping" value="y"/>
    <patternset refid="CompanyPatternSet"/>
  </sourcefile>

This will keep scrambled line numbers for all classes found in and below the com.mycompany.myapp packages. The scrambling algorithm will use the given "salt" value to use a predefined scrambling scheme. In order to see the scrambled line numbers, a element is used on the same patternset, which is referenced by its previously declared reference id, to rename the source files to "y".

The adjust Element

Using the adjust element one can specify resource files whose names and/or contents should be adjusted by the rename engine to reflect the obfuscated class names.
Note: This will only adjust files that are part of the inoutpair jars! I.e. the fileset's root directory is the combined root of all jars that are passed to yGuard via the inoutpair elements. yGuard will not modify any of the files on disk, except for the out-jar!

Attributes

Attribute Description Required replaceName specifies whether or not the names of the specified resources should be adjusted. No, defaults to false replaceContent specifies whether or not the contents of resource files should be adjusted. No, defaults to false replacePath specifies whether or not the paths to the resource files should be adjusted. No, defaults to true

Child Elements

The adjust element can be used just like the standard Ant element.

Some examples:

    <!-- adjust the names of all java property files in the jars -->
    <adjust replaceName="true">
      <include name="**/*.properties"/>
    </adjust>

    <!-- adjust the classnames specified within a single XML file in the jar -->
    <adjust file="plugins.xml" replaceContent="true" />

    <!-- suppress the adjustment of the resource path
    com/mycompany/myapp/resource in the jar. -->
    <!-- the package com.mycompany.myapp still gets obfuscated. -->
    <adjust replacePath="false">
      <include name="com/mycompany/myapp/resource/*"/>
    </adjust>

The map Element

The map element is an immediate optional child of the element. It can be used to specify the mapping for the renaming process directly. This is an advanced topic.

Child Elements

package class method field

All of these elements use the name attribute to specify the specific element. The method and field element need the class attribute in order to function properly. Neither wildcards nor nested patternset elements are allowed. Use the map attribute to specify the new name (subpackage, classname, methodname and fieldname respectively).
Some examples:

    <map>
      <package name="com" map="etc"/>
      <package name="com.mycompany" map="nocompany"/>
      <package name="com.mycompany.myapp" map="asdf"/>
      <class name="com.mycompany.myapp.MainApp" map="foo"/>
      <method class="com.mycompany.myapp.MainApp"
        name="void main(java.lang.String[])" map="bar"/>
      <field class="com.mycompany.myapp.MainApp" name="field" map="a"/>
    </map>

In this example the package structure 'com.mycompany.myapp' will be obfuscated to 'etc.nocompany.asdf'. The MainApp class will be called 'foo' and its main method will be remapped to 'bar' (and can therefor not be executed from commandline anymore). The field called 'field' will be renamed to 'a'.

Generating Patch Jars

The true power of the map element lies in its use together with the patch element, which itself is a child element of the rename top level element.

Attributes

The yguard element has no attributes.

Child Elements

Using the patch element one can generate jars, that can be used to serve as patches for versions of an application that have already been deployed in obfuscated form. During the main obfuscation run, yGuard produces an xml-logfile, in which the mapping between the unobfuscated and obfuscated names is contained. The patch element is used to declare a set of classes, that need to be patched. During the obfuscation, yGuard will include those files in the obfuscated jars only, that are declared inside this element.
For example:

    <patch>
      <class name="com.mycompany.myapp.MainClass"/>
      <class>
        <patternset>
          <include name="com.mycompany.myapp.bugs.*"/>
        </patternset>
      </class>
    </patch>
    <map logfile="yguardlog.xml"/>

This will only include the MainClass class and all classes that belong to the bugs package in a patch jar. In order to work with the previously delivered obfuscated version, it is important to use the map element to specify the mapping of the elements from the previous run. This can most conveniently be achieved by specifying the log file from the corresponding run in the map's logfile attribute.

Complete Examples

There will be some examples given, that represent common use cases.

Example 1: Getting started with Ant and yGuard (for Ant newbies)

Following are the contents of a complete build.xml file. Just copy the following lines to a new document named build.xml, put the file into your project's root directory and edit the file to suit your needs.

  <?xml version="1.0" encoding="UTF-8"?>
  <!-- file build.xml in your project root directory -->
  <!-- Ant build script for yfiles -->
  <!-- The java based Ant tool is available from -->
  <!-- http://jakarta.apache.org/ant -->
  <!-- This file demonstrates the use of the yGuard byte -->
  <!-- code obfuscator from yWorks Gmbh -->
  <!-- yGuard can be downloaded from -->
  <!--- http://www.yworks.com/products/yguard -->

  <project name="project" default="yguard" basedir=".">

    <!-- edit the following lines to your needs -->
    <target name="init">
    <property name="project_name" value="DemoProject"/>
    <property name="srcDir" value="."/>
    <property name="classDir" value="classes"/>
    <property name="jar" value="${project_name}.jar"/>
    <property name="obfjar" value="${project_name}_obf.jar"/>
    <property name="renamelog" value="${project_name}_renamelog.xml"/>
    <property name="shrinklog" value="${project_name}_shrinklog.xml"/>
    <property name="mainclass" value="com.mycompany.myapp.Main"/>
    <mkdir dir="${classDir}" />
    </target>


    <target depends="jar" name="yguard">
      <taskdef name="yguard" classname="com.yworks.yguard.YGuardTask"
      classpath="yguard.jar"/>
      <!-- the following can be adjusted to your needs -->
      <yguard>

        <inoutpair in="${jar}" out="${obfjar}"/>

        <shrink logfile="${shrinklog}">

          <keep>
            <class classes="protected"
            methods="protected" fields="protected">
              <patternset>
                <include name="com.mycompany.publicapi.**.*"/>
                <exclude name="com.mycompany.publicapi.private.*"/>
                <include name="com.mycompany.menu.reflection.**.*"/>
              </patternset>
            </class>
          </keep>
        </shrink>

        <rename mainclass="${mainclass}" logfile="${renamelog}">
          <property name="error-checking" value="pedantic"/>

          <keep>
            <class classes="protected"
            methods="protected" fields="protected">
              <patternset>
                <include name="com.mycompany.publicapi.**.*"/>
                <exclude name="com.mycompany.publicapi.private.*"/>
              </patternset>
            </class>
          </keep>
        </rename>

      </yguard>

    </target>

    <!-- compile -->
    <target name="compile" depends="init">
      <javac srcdir="${srcDir}" includes="com/mycompany/**/*.java"
        destdir="${classDir}">
      </javac>
    </target>

    <!-- create .jar -->
    <target name="jar" depends="compile">
      <jar jarfile="${jar}"
        basedir="${classDir}"
        includes="com/mycompany/**">
        <fileset dir="${srcDir}">
          <include name="com/mycompany/resources/*.properties"/>
        </fileset>
      </jar>
    </target>

    <!-- run project -->
    <target name="run" depends="yguard">
      <java classname="${mainclass}" fork="true">
      <classpath>
        <pathelement location="${obfjar}"/>
      </classpath>
      </java>
    </target>

    <!-- removes all that has been built -->
    <target name="clean" depends="init">
      <delete dir="${classDir}" includeEmptyDirs="true" />
    </target>
  </project>

  <!-- end file build.xml -->

Example 2: A Public API

An alternative yguard section could look like this:

  <yguard>

    <inoutpair in="classes.jar" out="classes_obf.jar"/>
    <inoutpair in="utils.jar" out="utils_obf.jar"/>

    <!-- don't let the obfuscator remove the "Deprecated" -->
    <!-- attributes from the .class file entries -->
    <attribute name="Deprecated"/>

    <shrink
      logfile="shrinklog.xml">
      <keep>
        <class classes="protected"
        methods="protected"
        fields="protected"/>
      </keep>
    </shrink>

    <rename mainclass="com.mycompany.myapp.Main"
      logfile="obflog.xml">
      <keep>
        <class classes="protected"
        methods="protected"
        fields="protected"/>
      </keep>
    </rename>

  </yguard>

This case is especially useful when you want to provide and expose a public API. All the classes, methods and fields, that can be seen in a javadoc generated API will be excluded from the shrinking and renaming tasks. Package friendly and private classes, methods and fields will be shrinked or obfuscated whenever possible.
This example also displays the use of the "attribute" element. In this case it prevents the yguard task from removing the "Deprecated" flag from the entities in the .class files.

Example 3: A Demo Program

  <yguard>

    <inoutpair in="demo.jar" out="demo_obf.jar"/>

    <shrink logfile="shrinklog.xml">

      <keep>

        <!-- main method -->
        <method name="void main(String[])" class="com.mycompany.myapp.Main" />

        <!-- needed for reflection -->
        <class name="com.mycompany.myapp.data.DataObject"
        methods="public" fields="none"/>
        <!-- needed for reflection (name only) -->
        <class name="com.mycompany.myapp.data.InnerDataObject"/>
        <!-- needed for serialization -->
        <method name="void writeObject(java.io.ObjectOutputStream)">
          <patternset id="datapatternset">
            <include name="com.mycompany.myapp.data.*"/>
          </patternset>
        </method>
        <method name="void readObject(java.io.ObjectInputStream)">
          <patternset refid="datapatternset"/>
        </method>
        <field name="serialVersionUID">
          <patternset refid="datapatternset"/>
        </field>
      </keep>
    </shrink>

    <rename mainclass="com.mycompany.myapp.Main" logfile="renamelog.xml">

      <property name="language-conformity" value="illegal"/>
      <property name="naming-scheme" value="mix"/>
      <keep>
        <class name="com.mycompany.myapp.data.DataObject"
        methods="public" fields="none"/>
        <class name="com.mycompany.myapp.data.InnerDataObject"/>
        <method name="void writeObject(java.io.ObjectOutputStream)">
          <patternset refid="datapatternset" />
        </method>
        <method name="void readObject(java.io.ObjectInputStream)">
          <patternset refid="datapatternset"/>
        </method>
        <field name="serialVersionUID">
          <patternset refid="datapatternset"/>
        </field>
      </keep>
    </rename>

  </yguard>

This example demonstrates the common use case of a demo program. The keep sections of both the shrink and rename elements contain code entities that will often have to be excluded from the shrinking and renaming process. These are the main code entrypoints (the main method), classes that are loaded per reflection and fields and methods needed for serialization. Note how the same patternsets can be reused using the id and refid attributes.

Example 4: A Program Using an External Library

  <yguard>

    <inoutpair in="mydemo.jar" out="mydemo_obf.jar"/>

    <externalclasses>
      <pathelement location="lib/external.jar"/>
      <pathelement location="lib/additional/classes/"/>
    </externalclasses>

    <shrink logfile="shrinklog.xml">
      <property name="error-checking" value="pedantic"/>
      <keep>
        <method name="void main(String[])" class="com.mycompany.myapp.Main" />
        <class classes="public"/>
      </keep>
    </shrink>

    <rename mainclass="com.mycompany.myapp.Main" logfile="renamelog.xml">
      <property name="error-checking" value="pedantic"/>
      <keep>
        <class classes="public"/>
      </keep>
    </rename>

  </yguard>

This example demonstrates full method and field obfuscation for a program, that has external dependencies. The dependencies are specified in the externalclasses element using standard Ant path specification mechanisms. Classes residing in lib/external.jar and underneath the lib/additional/classes/ directory (note the trailing slash), will be used to resolve external dependencies during the obfuscation run. This is necessary if external classes want to access obfuscated classes directly using an externally defined interface or superclass. yGuard automatically detects externally declared methods and prevents renaming and shrinking of these items. As a result, the shrinked and obfuscated jar file can be used together with unmodified versions of external libraries without causing any problems.
This example also demonstrates the use of the error-checking property. In this case the Ant target fails if any problem is detected during the obfuscation run.

Example 5: A Program with .properties Files and Other Resource Files

  <yguard>

    <inoutpair in="myapp.jar" out="myapp_obf.jar"/>

    <shrink logfile="shrinklog.xml">
      <keep>
        <!-- single entrypoint: main method -->
        <method name="void main(String[])" class="com.mycompany.myapp.Main" />
      </keep>
    </shrink>

    <rename mainclass="com.mycompany.myapp.Main" logfile="renamelog.xml">

      <adjust replaceContent="true">
        <!-- plain-text class names in the config files will -->
        <!-- be replaced with the obfuscated name versions -->
        <include name="**/*.config"/>
        <include name="com/mycompany/myapp/init/Main.properties"/>
      </adjust>
      <adjust replacePath="false">
        <!-- keep the complete path to the resources, (gifs...) even if -->
        <!-- package com.mycompany.myapp gets obfuscated by name -->
        <include name="com/mycompany/myapp/resources/*"/>
      </adjust>
      <adjust replaceName="true">
        <!-- Replace the .properties files' names with the obfuscated -->
        <!-- versions if the corresponding .class files get obfuscated -->
        <include name="**/*.properties"/>
        </adjust>
    </rename>

  </yguard>

This example, too, demonstrates full method and field obfuscation for a program, that uses .properties files and other resources files. Some configuration files are used that contain fully qualified classnames for plugins that are going to be obfuscated. Therefore yGuard is instructed to automatically replace the plain-text entries in those files with the obfuscated name versions.
Additionally some resources are hardcoded into the classes (image locations and html files, e.g.). yGuard gets instructed not to move these resource files even if they reside in a package structure that is obfuscated.
Since the property files have been created with the same name as the classes that make use of them and they are being loaded using this.getClass().getName(), yGuard is configured to rename the .properties files according to the obfuscated names of the corresponding .class files.

Example 6: A Program Linked Against a Library That Needs to be Obfuscated

  <yguard>

    <inoutpair in="myapp.jar" out="myapp_obf.jar"/>
    <inoutpair in="lib/thirdpartylib.jar" out="lib/thirdpartylib_obf.jar"/>

    <externalclasses>
      <pathelement location="lib/external.jar"/>
    </externalclasses>

    <!-- Keep all of the attributes for debugging, e.g. -->
    <attribute name="Deprecated, SourceFile, LineNumberTable, LocalVariableTable>
      <patternset refid="myopenapp"/>
    </attribute>

    <rename mainclass="org.myorg.myapp.Main" logfile="renamelog.xml">

      <property name="error-checking" value="pedantic"/>

      <keep>
      <!-- Tell the obfuscator to only adjust my classes -->
      <!-- to work with the obfuscated 3rd party library -->
      <!-- but leave them virtually unmodified otherwise -->
      <!-- The libconnector package however will be -->
      <!-- obfuscated as much as possible -->
      <class classes="private" methods="private" fields="private">
        <patternset id="myopenapp">
          <include name="org.myorg.myapp.**"/>
          <exclude name="org.myorg.myapp.mylibconnector.**"/>
        </patternset>
      </class>

      </keep>
    </rename>

  </yguard>

This example demonstrates almost no method, class, and field obfuscation for a program, that has external dependencies and additionally depends on a third party library jar which has to be obfuscated before deployment. Only those parts that actually interface with the third party jar in the mylibconnector package are being obfuscated. Nothing in the third party library jar will be exposed in the final application, everything will be obfuscated and the code in the open application that makes use of the third party jar will be adjusted. Note that the public part of the application will still be debuggable since all of the crucial attributes will be exposed for the open application part.
The dependencies are specified in the externalclasses element using standard Ant path specification mechanisms. Classes residing in lib/external.jar will be used to resolve external dependencies during the obfuscation run. This is not strictly necessary in this case since the public API will be fully exposed, i.e. no methods which have been declared by interfaces or super class in external classes will be renamed.

Example 7: Using the extends and implements attributes (Serializable exclusion)

  <yguard>

    <inoutpair in="myapp.jar" out="myapp_obf.jar"/>

    <shrink>
      <keep>
        <!-- main method -->
        <method name="void main(java.lang.String[])" class="org.myorg.myapp.Main" />
        <!-- serializable classes -->
        <class implements="java.io.Serializable" classes="private" methods="private" fields="private" />
        <!-- menu items loaded per reflection -->
        <class extends="org.myorg.myapp.MyMenuItem" classes="friendly" methods="public" fields="public" />
      </keep>
    </shrink>

    <rename mainclass="org.myorg.myapp.Main" logfile="renamelog.xml">

      <keep>
        <method name="void readObject(java.io.ObjectInputStream)" />
        <method name="void writeObject(java.io.ObjectOutputStream)" />
        <field name="serialVersionUID" />
        <class extends="org.myorg.myapp.MyMenuItem" classes="friendly" methods="public" fields="public" />
      </keep>
    </rename>

  </yguard>

This example demonstrates the usage of the new and attributes of the element. All Serializable classes are excluded from shrinking by using the attribute of the element. Additionally, all classes that extend the base class for menu items, org.myorg.myapp.MyMenuItem, are defined as entrypoints for the shrinking engine using the attribute of the element. The readObject and writeObject methods and the field serialVersionUID needed for serialization are excluded from name obfuscation as well.

Deobfuscating Stacktraces Etc.

yGuard provides a simple tool that makes it easy for the obfuscating party to deobfuscate stacktraces which have been obfuscated using yGuard. During the obfuscation yGuard produces an xml logfile which can automatically be gzipped for convenient storage. You should always keep those logfiles in order to be able to deobfuscate fully qualified classnames or methods or fields for debugging purposes e.g.
In order to run the yGuard deobfuscation tool do the following:

      Console> java -jar yguard.jar mylogfile.xml

A tiny GUI will popup that will enable you to easily deobfuscate stacktraces and fully qualified classnames as well as provide a convenient way to browse the mapping generated by yGuard.
In the main window a tree view displays the package, class, and classmember hierarchy using the unobfuscated names. For each entry that has been obfuscated (classes, packages, methods, and fields that have not been obfuscated at all may not always be shown in the tree) the corresponding mapped/obfuscated name is displayed.
The two buttons at the top of the window allow to change the sorting of the items in the tree structure, so that they are either sorted according to their names before or after the obfuscation. Items will always be sorted by type first: packages, classes, innerclasses, methods, and fields. Small icons provide a convenient way to quickly find the corresponding items.

The lower part of the window contains an editable text area that can be used to enter text or paste stacktraces in. Pressing the button at the bottom of the window labelled "Deobfuscate" will trigger the deobfuscation of the contents in the text area. The tool will try to identify fully qualified class names (separated by dots) and use the mapping information to reconstruct the original names. If the tool identifies a stack trace element, it will try to deobfuscate scrambled line numbers, too, if they have been scrambled during the obfuscation process.

Problems and Bug Reports

If you experience any problems or think you have found a bug feel free to send an email to but please make sure you have read the documentation thoroughly before. We will do our best and try to answer your questions.

Copyright © 2002-2006 yWorks. All Rights Reserved.

<!-- EOF -->

===================================================================================