保護Java程式之研究

Abstract

一個Java程式首先必須經由Java編譯器編譯成位元碼，以類別檔的格式存在，才能被Java虛擬機器所執行。由於Java程式採用兩段式編譯，使中間碼反組譯的程式碼和原始碼相當接近，容易被反編譯，因此容易被破解。

為了保護類別檔不被反編譯，我們常用混淆器或者自定類別載入器來達到保護的目的。但混淆器只能增加反編譯的困難度，混淆後的類別檔還是以位元碼的形式存在，並無法保護類別檔的執行。自定類別載入器能夠載入我們所定義的類別檔，譬如只能載入加密過的類別檔，但自定的類別載入器依然是以位元碼的形式存在，同樣有被反編譯的風險。

本論文針對此問題，提出另一個方法，那就是將Java所有的類別檔，用加密以及簽章的方式保護，不但可以保護類別檔難以被反編譯，而且可以保護類別檔的執行。

A Java program must be compiled to byte code first, stored as a class file format, and then executed by a Java Virtual Machine. Since Java programs use 2-phase compilation, the byte code can be deassembled to a Java program that would look very close to the right, so it is easy to be compromised.

To protect class file not to be compromised, we usually use obfuscation or customization classloader. But obfuscation only can increase some difficulty. After obfuscating, hacker still can attack by tracing code from some standard APIs, such as java.net.Scoket. Customization classloader can load the class file which can be identified. For example, let JVM only be able to load the class file which already be encrypted. But customization classloader still is a byte code. There has the risk to be de-compiled.

This thesis focuses on above problems to provide another solution that is using encryption or signature in all class files. Protect class file not only de-compiled but also be executed.