Deobfuscating Obfuscated Code With RetroGuard

by Mike Melanson (mike at multimedia.cx)
Updated April 28, 2005

RetroGuard is an extremely competent obfuscator for compiled Java classes. It is also an open source, extremely competent obfuscator for compiled Java classes. The source code changes explained here subvert RetroGuard into a quasi-deobfuscator: it assigns random nouns (animal names, in this case) to obfuscated Java class field names, and random English verbs to obfuscated Java class method names. For more background on this experiment, read the following entries from the Breaking Eggs and Making Omelettes blog:

I am not that talented with Java development, so this explanation is the best I can do for those interested in running this experiment:

  1. download the Java Development Kit from Sun and install it
  2. download the Apache Ant distribution and install it
  3. download the RetroGuard package (either .zip or .tar.gz)
  4. unpack the RetroGuard package
  5. unpack the "src-dist" source code package
  6. change into the src-dist/ directory
  7. time to apply the changes:
    1. download the NounNameMaker.java file and place it in COM/rl/obf
    2. download the VerbNameMaker.java file and place it in COM/rl/obf
    3. edit COM/rl/obf/Cl.java and find the following lines:
                  // Create new name-makers for the namespace
                  methodNameMaker = new KeywordNameMaker(methodNames);
                  fieldNameMaker = new KeywordNameMaker(fieldNames);
      
      replace with:
                  // Create new name-makers for the namespace
                  methodNameMaker = new VerbNameMaker(methodNames);
                  fieldNameMaker = new NounNameMaker(fieldNames);
      
    4. recompile; if you are developing under Windows, try this quick batch file:
      javac.exe *.java
      javac.exe -classpath .;c:\ant\lib COM\rl\ant\*.java
      javac.exe COM\rl\obf\*.java
      javac.exe COM\rl\obf\classfile\*.java
      javac.exe COM\rl\obf\gui\*.java
      javac.exe COM\rl\obf\patch\*.java
      javac.exe COM\rl\util\*.java
      javac.exe COM\rl\util\rfc822\*.java
      
    5. run the program as normal against a Java jar archive:
      java RetroGuard infile.jar outfile-deobf.jar
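
A minimal sketch of the kind of name-maker the Cl.java change in step 7 plugs in, added here as an illustration; it is not the NounNameMaker.java or VerbNameMaker.java from this page, nor RetroGuard's own code. The class name WordNameMaker, the nextName(String descriptor) method shape, the seed parameter, and the reading of the constructor's name array as reserved names are assumptions, and the word lists are constructed samples.

```java
import java.util.*;

// Added illustration; not the NounNameMaker/VerbNameMaker files from this page.
public class WordNameMaker {
    // Verbs such as "do" and "try" are Java keywords. Skipping them keeps the
    // decompiled output readable and recompilable.
    private static final Set<String> KEYWORDS = new HashSet<>(Arrays.asList(
        "do", "try", "throw", "catch", "return", "switch", "break",
        "continue", "import", "goto", "case", "new"));

    private final List<String> words;
    private final Set<String> taken = new HashSet<>();
    private int index = 0;   // position in the shuffled word list
    private int round = 0;   // 0 = bare word, 1 and up = numeric suffix

    // reservedNames (assumption): names already used in this namespace.
    public WordNameMaker(String[] wordList, String[] reservedNames, long seed) {
        if (wordList == null || wordList.length == 0) {
            throw new IllegalArgumentException("word list must not be empty");
        }
        words = new ArrayList<>(Arrays.asList(wordList));
        Collections.shuffle(words, new Random(seed)); // fixed seed: repeatable runs
        if (reservedNames != null) taken.addAll(Arrays.asList(reservedNames));
    }

    // The descriptor is ignored: every member gets a distinct name, so the
    // renamed class never gains overloads that the original did not have.
    public String nextName(String descriptor) {
        while (true) {
            if (index == words.size()) { index = 0; round++; } // list exhausted
            String base = words.get(index++);
            String name = (round == 0) ? base : base + round;
            // Set.add returns false when the name is reserved or already issued.
            if (!KEYWORDS.contains(name) && taken.add(name)) return name;
        }
    }

    public static void main(String[] args) {
        String[] verbs = {"do", "fetch", "try", "parse", "render"}; // constructed
        String[] reserved = {"parse"};                              // constructed
        WordNameMaker maker = new WordNameMaker(verbs, reserved, 42L);
        for (int i = 0; i < 5; i++) {
            System.out.println("a" + i + "() -> " + maker.nextName("()V") + "()");
        }
    }
}
```

Once the bare words run out, names are reused with a numeric suffix, so a large class still gets one unique, pronounceable name per member.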
      
After deobfuscation, use the standard jar utility to unpack the archive and the Jad Java Decompiler to decompile the individual Java class files. For an example of a production Java applet that uses such RetroGuard obfuscation, visit On2's Java technology page, dig around through the HTML source and find the current .jar file, download it manually and see what the "before" and "after" deobfuscation looks like.

Some notes about the experiment:

I would distribute a compiled Java jar file on this page except that I cannot figure out how to make a functioning jar file. If any Java ninjas want to help me with this, please email. If you have any trouble with these instructions, please send me an email and we will work through them.
