How Spring Boot uses Allatori to obfuscate code

This time I will show you how Spring Boot uses Allatori to obfuscate the code. What are the precautions for Spring Boot to use Allatori to obfuscate the code. The following is a practical case, let's take a look.

Introduction to Allatori obfuscation technology

Allatori is a Java obfuscator. It is a second-generation obfuscator, so it can fully protect your intellectual property. Allatori has the following protection methods: name obfuscation, stream obfuscation, debugginginformation obfuscation, string obfuscation, and watermark technology. This obfuscator is free for educational and non-commercial projects. Supports war and jar file formats, and allows adding valid dates for applications that require obfuscated code. There are projects that need to protect the code. A relatively basic solution is to obfuscate the code. After decompiling the packaged files, you can see the effect. In addition, the size of bags made with Allatori will be smaller.

A very ordinary maven project, the difference is that Allatori's jar package is added to the root directory.

Let’s take a look at the pom.xml file:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 <modelVersion>4.0.0</modelVersion>
 <groupId>com.lovnx</groupId>
 <artifactId>confusion</artifactId>
 <version>0.0.1-SNAPSHOT</version>
 <packaging>jar</packaging>
 <build>
 <plugins>
  <plugin>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-maven-plugin</artifactId>
  </plugin>
  <!-- Allatori plugin start -->
  <plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-resources-plugin</artifactId>
  <version>2.6</version>
  <executions>
   <execution>
   <id>copy-and-filter-allatori-config</id>
   <phase>package</phase>
   <goals>
    <goal>copy-resources</goal>
   </goals>
   <configuration>
    <outputDirectory>${basedir}/target</outputDirectory>
    <resources>
    <resource>
     <directory>${basedir}/allatori</directory>
     <includes>
     <include>allatori.xml</include>
     </includes>
     <filtering>true</filtering>
    </resource>
    </resources>
   </configuration>
   </execution>
  </executions>
  </plugin>
  <plugin>
  <groupId>org.codehaus.mojo</groupId>
  <artifactId>exec-maven-plugin</artifactId>
  <version>1.2.1</version>
  <executions>
   <execution>
   <id>run-allatori</id>
   <phase>package</phase>
   <goals>
    <goal>exec</goal>
   </goals>
   </execution>
  </executions>
  <configuration>
   <executable>java</executable>
   <arguments>
   <argument>-Xms128m</argument>
   <argument>-Xmx512m</argument>
   <argument>-jar</argument>
   <argument>${basedir}/lib/allatori.jar</argument>
   <argument>${basedir}/target/allatori.xml</argument>
   </arguments>
  </configuration>
  </plugin>
  <!-- Allatori plugin end -->
 </plugins>
 </build>
 <dependencies>
 <!-- Test Begin -->
 <dependency>
  <groupId>junit</groupId>
  <artifactId>junit</artifactId>
  <scope>test</scope>
 </dependency>
 <!-- Test End -->
 <!-- springboot启动 -->
 <dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-web</artifactId>
 </dependency>
 </dependencies>
 <parent>
 <groupId>org.springframework.boot</groupId>
 <artifactId>spring-boot-starter-parent</artifactId>
 <version>1.5.8.RELEASE</version>
 </parent>
</project>

For projects built using maven packaging plug-ins and Spring Boot, the Allatori configuration is also explained above. The more important ones in the Allatori configuration are:

<argument>${basedir}/lib/allatori.jar</argument>
<argument>${basedir}/target/allatori.xml</argument>

Specify the path of Allatori's allatori.jar file. If your project is a pom project, you can put the lib directory in the parent project, and then the sub-project only needs:

<argument>../lib/allatori.jar</argument>

That’s it.

allatori.xml This file is also very important, take a look at its contents:

<config>
  <input>
    <jar in="confusion-0.0.1-SNAPSHOT.jar" out="confusion-0.0.1-SNAPSHOT-obfuscated.jar"/>
  </input>
  <keep-names>
    <class access="protected+">
      <field access="protected+"/>
      <method access="protected+"/>
    </class>
  </keep-names>
  <property name="log-file" value="log.xml"/>
</config>

It is the specific configuration of the Allatori obfuscator. Here you can configure a lot of information, many strategies, and you can also specify which classes are not to be obfuscated. The specific methods can be found in the document attached at the end of the article.
What needs to be explained here is:

 <input>
    <jar in="confusion-0.0.1-SNAPSHOT.jar" out="confusion-0.0.1-SNAPSHOT-obfuscated.jar"/>
 </input>

confusion-0.0.1-SNAPSHOT.jar is the unobfuscated package after packaging, and confusion-0.0.1-SNAPSHOT-obfuscated.jar is the obfuscated package. This is what we need.

Packaging steps
1. Clean maven project.
2. Copy the allatori.xml file under resources to the target directory.
3. Install the maven project. It means success after seeing the following information:

################################################
#                       #
#    ## #  #  ## ### ### ## ###    #
#    # # #  #  # # # # # # # #     #
#    ### #  #  ### # # # ##  #     #
#    # # ### ### # # # ### # # ###    #
#                       #
#        DEMO VERSION!         #
#      NOT FOR COMMERCIAL USE!      #
#                       #
#    Demo version adds System.out's     #
#    and gives 'ALLATORI_DEMO' name     #
#    to some fields and methods.      #
#                       #
#                       #
# Obfuscation by Allatori Obfuscator v6.4 DEMO #
#                       #
#      http://www.allatori.com      #
#                       #
################################################

4. Project after success:

The arrow points to the package we need, and the code of this package has been obfuscated.

Effect View

Here, a decompilation tool is used to view the obfuscated package. I use the jd-gui software, which is small and practical.

TestApplication.java before obfuscation:

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
public class TestApplication {
 
 public static void main(String[] args) {
    SpringApplication.run(TestApplication.class, args);
 }
}

After TestApplication.java is obfuscated:

import java.io.PrintStream;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
public class TestApplication
{
 public static String ALLATORIxDEMO(String a)
 {
  int tmp4_3 = 4;
  int tmp7_6 = 1;
  int tmp21_18 = a.length();
  int tmp25_24 = 1;
  tmp25_24;
  int j;
  int ? = tmp25_24;
  int k = tmp21_18;
  int tmp35_31 = (j = new char[tmp21_18] - 1);
  tmp35_31;
  int i = 5 << 4 ^ (0x2 ^ 0x5);
  (tmp4_3 << tmp4_3 ^ tmp7_6 << tmp7_6);
  if (tmp35_31 >= 0)
  {
   int tmp45_44 = j;
   j--;
   ?[tmp45_44] = ((char)(a.charAt(tmp45_44) ^ i));
   int tmp66_63 = (j--);
   ?[tmp66_63] = ((char)(a.charAt(tmp66_63) ^ k));
  }
  return new String(?);
 }
 public static void main(String[] a)
 {
  System.out.println("\n################################################\n#                       #\n#    ## #  #  ## ### ### ## ###    #\n#    # # #  #  # # # # # # # #     #\n#    ### #  #  ### # # # ##  #     #\n#    # # ### ### # # # ### # # ###    #\n#                       #\n# Obfuscation by Allatori Obfuscator v6.4 DEMO #\n#                       #\n#      http://www.allatori.com      #\n#                       #\n################################################\n"); SpringApplication.run(TestApplication.class, a);
 }
}

TestController.java before obfuscation:

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class TestController {
 @GetMapping("/test")
 public String test(){
 return "88888888888888888";
 }
}

After TestController.java is confused:

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class TestController
{
 @GetMapping({"/test"})
 public String test()
 {
  return ALLATORIxDEMO("*]*]*]*]*]*]*]*]*");
 }
 public static String ALLATORIxDEMO(String a)
 {
  int tmp27_24 = a.length();
  int tmp31_30 = 1;
  tmp31_30;
  int j;
  int ? = tmp31_30;
  int k = tmp27_24;
  int tmp41_37 = (j = new char[tmp27_24] - 1);
  tmp41_37;
  int i = (0x3 ^ 0x5) << 4 ^ 0x5;
  (2 << 3 ^ 0x2);
  if (tmp41_37 >= 0)
  {
   int tmp51_50 = j;
   j--;
   ?[tmp51_50] = ((char)(a.charAt(tmp51_50) ^ i));
   int tmp72_69 = (j--);
   ?[tmp72_69] = ((char)(a.charAt(tmp72_69) ^ k));
  }
  return new String(?);
 }
}

I believe you have mastered the method after reading the case in this article. For more exciting information, please pay attention to other related articles on the PHP Chinese website!

Recommended reading:

AjaxUpLoad.js for file upload

JS summary of binary data operation methods

The above is the detailed content of How Spring Boot uses Allatori to obfuscate code. For more information, please follow other related articles on the PHP Chinese website!