I am trying to protect one java program. I am using CodeGuard but when i use a decompiler as CAJAV I can see all the code of my program. I am using maven2.
I use this pom.xml in MAVEN:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.templaries</groupId>
<artifactId>CISExtractor</artifactId>
<version>1.0-SNAPSHOT</version>
<packaging>jar</packaging>
<name>CISExtractor</name>
<url>http://maven.apache.org</url>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>2.0.2</version>
<configuration>
<source>1.6</source>
<target>1.6</target>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<configuration>
<archive>
<manifest>
<mainClass>${project.build.mainClass}</mainClass>
<addClasspath>true</addClasspath>
</manifest>
</archive>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>exec-maven-plugin</artifactId>
<version>1.1</version>
<executions>
<execution>
<goals>
<goal>java</goal>
</goals>
</execution>
</executions>
<configuration>
<mainClass>${project.build.mainClass}</mainClass>
</configuration>
</plugin>
<plugin>
<groupId>com.pyx4me</groupId>
<artifactId>proguard-maven-plugin</artifactId>
<executions>
<execution>
<phase>package</phase>
<goals><goal>proguard</goal></goals>
</execution>
</executions>
<configuration>
<obfuscate>true</obfuscate>
<options>
<option>-allowaccessmodification</option>
<option>-keep class ${project.build.mainClass} { *; }</option>
</options>
<!--<injar>${project.build.finalName}.jar</injar>-->
<outjar>${project.build.finalName}-obfuscated.jar</outjar>
<libs>
<lib>${java.home}/lib/rt.jar</lib>
</libs>
</configuration>
</plugin>
</plugins>
</build>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.build.mainClass>com.templaries.corteinglessupermarketextractor.App</project.build.mainClass>
</properties>
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>3.8.1</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.jsoup</groupId>
<artifactId>jsoup</artifactId>
<version>1.6.1</version>
<type>jar</type>
</dependency>
<dependency>
<groupId>net.sf.opencsv</groupId>
<artifactId>opencsv</artifactId>
<version>2.3</version>
</dependency>
</dependencies>
</project>
Obfuscation does not prevent people from decompiling... it just makes it harder to infer what the original source code was, by, e.g. renaming methods, fields, etc
Which is easier to understand
public long f1(List<Long> v1) { long v2=0; for (Long v3: v1) v2+=v3; return v2; }
or
public long calculateTotal(List<Long> values) {
long runningTotal = 0;
for (Long value: values) {
runningTotal += value;
return runningTotal;
}
You can figure out what the first one does with a small amount of effort. The lack of line number information does not overly hamper understanding until you are dealing with less simple methods.
But it is easier to infer that calculateTotal does just what it says while f1 needs some comprehension.
All that the obfuscators can really do is strip the method names where they are not required as part of interface or super class contracts, strip the debug info (line numbers) and strip the local symbol tables (local variable names). It could also strip unused methods and change package names, etc.
You will only mildly hamper somebody from copying your code.
The next thing is all this tweaking could mean that the external contracts of your classes will be broken. At the most basic form there is one external contract you cannot break: your code's entry point.
You are passing the parameter: <option>-keep class ${project.build.mainClass} { *; }</option> in order to tell the obfuscator that your project's entry point is an external facing entry point. Therefore the obfuscator honors that request and retains the entry point.
If you have a lot of code in your main class, this means that the obfuscator can do less hiding of that code.
The solution is to refactor your code so that your fixed entry point is just a shim. That leaves the obfuscator free to move everything else.
Here is an example
public class ShimMain {
public static void main(String[] args) {
RealMain.main(args);
}
}
The above is so small that you don't have to worry about it not being obfuscated and leaves the obfuscator free to move everything else.
Just don't think that it will stop... or even depending on your coding style, slow down, somebody determined to reverse your code.