Zelix KlassMaster - Documentation

String Encryption Tutorial

Introduction

When you use Zelix KlassMaster™'s String Encryption functionality, it will replace String literals in your bytecode with lightly encrypted equivalents and add instructions to your bytecode that will decrypt those Strings back to the originals at runtime. Note that because the encryption "key" must be available at runtime, String Encryption cannot be 100% irreversible. Don't rely on it to protect highly sensitive data.
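
The warning above is easiest to see in code. The following is an added illustration, not Zelix KlassMaster's scheme (the class name, key value and the DEMO_API_TOKEN variable are hypothetical): a toy XOR-based string encryption in the general style of the decompiled output below, showing that the "encrypted" literal, the key and the decrypt routine all live in the same class file, so the original string is recoverable by anyone holding the class, while a value injected from the environment never enters the artifact at all.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public final class StringEncryptionDemo {

    // The key must ship inside the class file, otherwise decryptLiteral() cannot run.
    private static final long KEY = 0x5A3C9E1F7B2D4A60L; // constructed sample key

    // XOR each byte with a rotating byte of the key. XOR is its own inverse,
    // so one routine both "encrypts" at build time and decrypts at runtime.
    static byte[] xorWithKey(byte[] data, long key) {
        byte[] out = new byte[data.length];
        for (int i = 0; i < data.length; i++) {
            int keyByte = (int) (key >>> ((i % 8) * 8)) & 0xFF;
            out[i] = (byte) (data[i] ^ keyByte);
        }
        return out;
    }

    // Build-time step: the literal is replaced by this array in the bytecode.
    static byte[] encryptLiteral(String literal) {
        return xorWithKey(literal.getBytes(StandardCharsets.UTF_8), KEY);
    }

    // Runtime step: the instructions an obfuscator inserts before the string is used.
    static String decryptLiteral(byte[] encrypted) {
        return new String(xorWithKey(encrypted, KEY), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample literal, standing in for the page's "HelloWorld".
        byte[] stored = encryptLiteral("HelloWorld");
        System.out.println("bytes in .class : " + Arrays.toString(stored));
        // No external secret is needed: the class alone recovers the original.
        System.out.println("recovered       : " + decryptLiteral(stored));

        // Mitigation for genuinely sensitive values: keep them out of the
        // artifact entirely and supply them at runtime (hypothetical variable name).
        String token = System.getenv("DEMO_API_TOKEN");
        System.out.println("secret from env : " + (token == null ? "<not set>" : "<present>"));
    }
}
```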

Example

Method decompiled:

public static void method0() {
   System.out.println("HelloWorld");
}

Method Reference Obfuscated and String Encrypted with Method Parameter Changing, then decompiled:

private static final long a = test.n.a(-6988621542635325209L, 7195782317132729740L, MethodHandles.lookup().lookupClass()).a(29323127650775L);
public static void method0(long var0) {
  var0 ^= a;
  -1266232702660827338L.ý(-1266232702660827338L, var0).Û(-1266232702660827338L.ý(-1266232702660827338L, var0), 
     true.e(32096, 1913912090056950416L ^ var0), -1266178821949706891L, var0);
}

How to use String Encryption functionality

You switch on the String Encryption functionality by setting the encryptStringLiterals parameter of the obfuscate statement to a value other than none. The allowable settings are none, normal, aggressive, flowObfuscate and enhanced. It will default to enhanced.

The normal, aggressive and flowObfuscate settings have less impact on the size of your bytecode but they are easier to reverse. The aggressive setting differs from the normal setting in that it goes further by removing any static final String constants that can be left unencrypted when the normal setting is used.

The flowObfuscate setting is the same as the aggressive setting except that it flow obfuscates the decryption instructions automatically inserted into your bytecode. This makes the decryption methods a little harder to decompile.

The enhanced setting adds a second layer of encryption. When used in conjunction with the Method Parameter Changes functionality, the enhanced setting is much more resistant to being reversed.

You can manage which String literals are encrypted by using the stringEncryptionExclude and stringEncryptionUnexclude statements. You can use the stringEncryptionExclude statement to exclude String fields from having their values encrypted, or to exclude complete classes from any String encryption. The stringEncryptionUnexclude statement can be used to remove fields or classes from the set of excluded objects specified by a stringEncryptionExclude statement.

Also, when used in conjunction with the Method Parameter Changes functionality, the String Encryption functionality may make use of the invokedynamic instruction and the DES encryption algorithm if your bytecode is Java 7 or better.

If you don't want the invokedynamic instruction and the DES algorithm to be used, you can set the ZKM_STRING_ENCRYPT_INDY configuration option to false. If you only want to stop the DES algorithm from being used, you can set the ZKM_STRING_ENCRYPT_DES configuration option to false.

The compatibility of Zelix KlassMaster™'s String Encryption functionality depends upon the compiler that generated the bytecode. We have found no problems with any of the Oracle and IBM compilers that we have tested.

Interaction with Method Parameter Changes

If you use the enhanced String Encryption setting then Zelix KlassMaster™'s Method Parameter Changes functionality can significantly "harden" the encryption from attack. The downside is that the Method Parameter Changes functionality can interlink your classes such that it can become impractical to release changes to your obfuscated classes in the form of patches which are just a subset of your classes. It is a trade-off between protection and flexibility.