-4

Is it possible to make my own Custom Class Loader In java. If Yes Then Please Guide me. Instead of class obfuscation I want to change in class file so that it cant be reversed by any tool

NaN
  • 683
  • 1
  • 8
  • 15
  • 2
    Please do your research before asking for solution. – Sotirios Delimanolis Oct 11 '13 at 18:02
  • If the bytecode can't be understood by "any tool" then the JVM won't be able to read it either so it won't run – dkatzel Oct 11 '13 at 18:03
  • 3
    All your attacker needs to do is read the bytecode that your custom classloader gives the JVM. – SLaks Oct 11 '13 at 18:04
  • OK I know my point was not clear but i did research before asking this question I just wanted to know how can i protect my java application from being reversed. because there is no answer in internet that how to encrypt class/Jar, and i don't want to obfuscation class files. So the answer is basically there is no way to protect Java application please correct me If i am wrong. – NaN Oct 14 '13 at 05:09

2 Answers2

6
import java.io.BufferedInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Map;

/**
 * 
 * Simple custom class loader implementation
 * 
 */
public class CustomClassLoader extends ClassLoader {

    /**
     * The HashMap where the classes will be cached
     */
    private Map<String, Class<?>> classes = new HashMap<String, Class<?>>();

    @Override
    public String toString() {
        return CustomClassLoader.class.getName();
    }

    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {

        if (classes.containsKey(name)) {
            return classes.get(name);
        }

        byte[] classData;

        try {
            classData = loadClassData(name);
        } catch (IOException e) {
            throw new ClassNotFoundException("Class [" + name
                    + "] could not be found", e);
        }

        Class<?> c = defineClass(name, classData, 0, classData.length);
        resolveClass(c);
        classes.put(name, c);

        return c;
    }

    /**
     * Load the class file into byte array
     * 
     * @param name
     *            The name of the class e.g. com.codeslices.test.TestClass}
     * @return The class file as byte array
     * @throws IOException
     */
    private byte[] loadClassData(String name) throws IOException {
        BufferedInputStream in = new BufferedInputStream(
                ClassLoader.getSystemResourceAsStream(name.replace(".", "/")
                        + ".class"));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        int i;

        while ((i = in.read()) != -1) {
            out.write(i);
        }

        in.close();
        byte[] classData = out.toByteArray();
        out.close();

        return classData;
    }

    /**
     * Simple usage of the CustomClassLoader implementation
     * 
     * @param args
     * @throws ClassNotFoundException
     * @throws IllegalAccessException
     * @throws InstantiationException
     * @throws SecurityException
     * @throws NoSuchMethodException
     * @throws InvocationTargetException
     * @throws IllegalArgumentException
     */
    public static void main(String[] args) throws ClassNotFoundException,
            InstantiationException, IllegalAccessException,
            NoSuchMethodException, SecurityException, IllegalArgumentException,
            InvocationTargetException
    {
        CustomClassLoader loader = new CustomClassLoader();
        // This class should be in your application class path
        Class<?> c = loader.findClass("net.codeslices.test.TestClass");
        Object o = c.newInstance();
        Method m = c.getMethod("toString");
        System.out.println(m.invoke(o));
    }

}
Scientist
  • 1,458
  • 2
  • 15
  • 31
2

You can use some obfuscation tools, like ProGuard.

A self written ClassLoader, must be placed in a standard .class file, that the JVM can load it. And then you secure loader can be reverse engineered.

Don't do it by yourself. Writing "secure" code without knowing cryptographic algorithms will lead to error-prone an insecure code

Christian Kuetbach
  • 15,850
  • 5
  • 43
  • 79
  • 3
    That's not an issue here, because cryptography can't help anyway. (There is no way to keep a secret key) – SLaks Oct 11 '13 at 18:13
  • 1
    I just wanted to explain, that the most developer who think they make something more secure by adding obfuscation or "security by obscurity" make the program more error prone and less secure. – Christian Kuetbach Oct 11 '13 at 18:16
  • You're certainly correct, but in this situation, obscurity is the only choice. If he's a small enough target, attackers may even be too lazy to put in the work needed to reverse-engineer a hand-built system. – SLaks Oct 11 '13 at 18:21
  • I think I would use encryption and decryption methods like the following to encrypt the jar-file: http://examples.javacodegeeks.com/core-java/crypto/encrypt-decrypt-file-stream-with-des/ But the problem would be the unencrypted encryption classloader with the secret inside. – Christian Kuetbach Oct 11 '13 at 18:33
  • Please check: https://stackoverflow.com/questions/68380968/java-11-issue-with-adding-dependency-jars-at-runtime – Valsaraj Viswanathan Sep 17 '21 at 13:31