Java代码混淆的实现方法

Proguard 是一个用纯 Java 编写的混淆工具，有两种使用 JAR 客户端的方法。可以将程序打包成JAR，然后用工具进行混淆，或者导入PROGUARD插件进行代码混淆。在这种情况下，代码对于普通的 JavaWeb 项目来说是混淆的。Maven配置插件如下：

<! - Proguard Confused Plug ->
<plugin>
   <groupId>com.github.wvengen</groupId>
   <artifactId>proguard-maven-plugin</artifactId>
   <version>2.0.11</version>
   <executions>
      <execution>
         <! - Confused moments, here is confusing when packaging ->
         <phase>package</phase>
         <goals>
            <! - What is the function of using a plugin, of course confused ->
            <goal>proguard</goal>
         </goals>
      </execution>
   </executions>
   <configuration>
      <! - Whether to install the generated PG file ->
      <attach>true</attach>
      <! - Confusion ->
      <obfuscate>true</obfuscate>
      <! - Specify the generated file classification ->
      <attachArtifactClassifier>pg</attachArtifactClassifier>
      <options>
         <! - JDK Target Version 1.8 ->
         <option>-target 1.8</option>
         <! - Do not contraction (delete comments, not referenced code) ->
         <option>-dontshrink</option>
         <! - Not optimization (change code implementation logic) ->
         <option>-dontoptimize</option>
         <! - Do not pass the non-public class files and members ->
         <option>-dontskipnonpubliclibraryclasses</option>
         <option>-dontskipnonpubliclibraryclassmembers</option>
         <! - No casement of hybrid class mechanism ->
         <option>-dontusemixedcaseclassnames</option> 
         <! - Allow access to and modify the members of the modifier and class members ->
         <option>-allowaccessmodification</option>
         <! - Determine a unified confusing member name to increase confusion ->
         <option>-useuniqueclassmembernames</option>
         <! - Not confused all the package name ->
         <!--<option>-keeppackagenames</option>--> 
         <! - Requires the properties: unusual, annotation, etc. ->
         <option>-keepattributes Exceptions,InnerClasses,Signature,Deprecated,SourceFile,LocalVariable*Table,*Annotation*,Synthetic,EnclosingMethod</option>
         <! - Uncommixed SET / GET Method ->
         <!--<option>-keepclassmembers public class * {void set*(***);*** get*();}</option>--> 
         <! - Unconducted all kinds of names under the package, and the method in the class is not confusing ->
         <option>-keep class com.xxx.xxx.bboss.SystemConfig { <methods>; }</option>
         <option>-keep class com.xxx.xxx.framework.** { *; }</option>
         <option>-keep class com.xxx.xxx.xxx.controller.** { <methods>; }</option>
         <option>-keep class com.xxx.xxx.xxx.dao.** { <methods>; }</option>
         <option>-keep class com.xxx.xxx.xxx.exception { <methods>; }</option>
         <option>-keep class com.xxx.xxx.xxx.model.** { <methods>; }</option> 
      </options>
      <! - Class is confused after the JAR package output ->
      <outjar>classes-autotest.jar</outjar>
      <! - Add dependencies, here you can modify it, here you can test only a JRE Runtime package is available ->
      <libs>
         <lib>${java.home}/lib/rt.jar</lib>
      </libs>
      <! - What to load, only Classes succeed here, after all, you can't confuse the configuration file and JSP ->
      <injar>classes</injar>
      <! - Output Directory ->
      <outputDirectory>${project.build.directory}</outputDirectory>
   </configuration>
</plugin>

运行 MVN Clean Package -dskiptests

混淆结果如图：

Classes-pg.jar 很混乱，包含了完整的项目结构。

ProGuard_map.txt 混淆内容映射

ProGuard_seed.txt 参与混淆类

经过混淆，反编译代码如下：

可以看出，部分包名已经改为简单的字母，不再具有业务意义，变量名也进行了修改，增加了读取代码。

运行服务，项目运行正常。

需要注意：

1.有时有时会配置包名或类名，所以需要更改一些相关的配置文件，所以在ProGuard中并不是随机生成类名，而是先将相同的包按照原来的名字排序，混淆了类名是A .Class, B.Class, C.class .....

那么，当包中的类超过26个时，默认命名为A.Class、B.Class、C.Class，在某些操作系统下，会不区分case case case case，会导致错误(水平限制，没有深入的纪律是相关的;因此

<! - 没有混合类机制的案例 - >
　　<option>-dontusemixedcaseclassnames</option>

配置极其关键，分别命名为aa.class、ab.class、ac.class，而不是原来的大写类，而不是原来的大写类名，避免出错。

2.包部署问题。这个profile中打包的WAR中的classes文件还是正常的代码。需要手动解压，替换Classes-Pg.jar，在工程管理的情况下，可以在Jenkins中配置脚本，自动混淆Classes替换WAR包：

# Change the contents of the WAR package classes as confusing packages
cd /root/.jenkins/workspace/mytest_master/target
jar -xvf classes-pg.jar
rm -rf mytest
mkdir mytest
mv mytest.war mytest
cd mytest/
jar -xvf mytest.war
rm -rf WEB-INF/classes/com/
cd ../
cp -rf com mytest/WEB-INF/classes/
cd mytest
jar -cvfM0 mytest.war ./
mv mytest.war ../

这样Jenkins就是混淆了WAR包，可以直接给客户使用。