Deobfuscating Obfuscated Code With RetroGuard
by Mike Melanson (mike at multimedia.cx)
Updated April 28, 2005
RetroGuard is an
extremely competent obfuscator for compiled Java classes. It is also an
open source, extremely competent obfuscator for compiled Java classes.
The source code changes explained here subvert RetroGuard into being a quasi
code deobfuscator, in that it will assign random nouns (animal names, in this
case) to obfuscated Java class field names, and random English verbs to
obfuscated Java class method names. For more background on this experiment,
read the following entries from the
Breaking Eggs and Making Omelettes blog:
I am not that talented with Java development, so this explanation is the
best I can do for those interested in running this experiment:
- download the Java Development Kit from
Sun and install it
- download the Apache Ant distribution and install it
  - note that when I did this, I installed the library in c:\ant (under Windows, naturally);
    further, I found it necessary to 'jar xf *.jar' all of the .jar library
    files for the distribution
- download the
RetroGuard package (either .zip or .tar.gz)
- unpack the RetroGuard package
- unpack the "src-dist" source code package
- change into the src-dist/ directory
- time to apply the changes:
  - download the NounNameMaker.java file and
    place it in COM/rl/obf
  - download the VerbNameMaker.java file and
    place it in COM/rl/obf
  - edit COM/rl/obf/Cl.java and find the following lines:

        // Create new name-makers for the namespace
        methodNameMaker = new KeywordNameMaker(methodNames);
        fieldNameMaker = new KeywordNameMaker(fieldNames);

    replace with:

        // Create new name-makers for the namespace
        methodNameMaker = new VerbNameMaker(methodNames);
        fieldNameMaker = new NounNameMaker(fieldNames);

- recompile; if you are developing under Windows, try this quick batch file:

        javac.exe *.java
        javac.exe -classpath .;c:\ant\lib COM\rl\ant\*.java
        javac.exe COM\rl\obf\*.java
        javac.exe COM\rl\obf\classfile\*.java
        javac.exe COM\rl\obf\gui\*.java
        javac.exe COM\rl\obf\patch\*.java
        javac.exe COM\rl\util\*.java
        javac.exe COM\rl\util\rfc822\*.java

- run the program as normal against a Java jar archive:

        java RetroGuard infile.jar outfile-deobf.jar

After deobfuscation, use the standard jar utility to unpack the archive and
the Jad Java Decompiler to
decompile the individual Java class files. For an example of a production
Java applet that uses such RetroGuard obfuscation, visit
On2's Java technology page, dig
around through the HTML source and find the current .jar file, download it
manually and see what the "before" and "after" deobfuscation looks like.
Some notes about the experiment:
- The NounNameMaker and VerbNameMaker classes both have a constant random
seed ("private static final int randomSeed = 6;"). This ensures that the
classes will generate the same sequence of random identifiers on each run.
Change the seed if you want to change the sequence.
- The driving purpose of this experiment was to replace simple 1- and
2-character identifiers and nonsense, reserved-word method names with real
nouns and verbs that are easier to work with, psychologically. If English is
not your first language, you may consider substituting the noun or verb lists
with ones from your native language. For verbs, check out
verba.org for extensive lists of verbs in
numerous languages.
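
The effect of the constant seed described in the first note, as an added example: this is not the NounNameMaker.java or VerbNameMaker.java distributed with this page, and it is not RetroGuard code. The class name SeededNameMaker, its nextName() method, the word list and the reserved name are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Random;
import java.util.Set;

// Hypothetical stand-alone sketch; not the NounNameMaker.java from this page
// and not wired into RetroGuard's own name-maker plumbing.
public class SeededNameMaker {
    private static final int RANDOM_SEED = 6;   // same constant the page quotes
    private final List<String> words;
    private final Set<String> taken = new HashSet<String>();
    private int index = 0;

    // reserved: names already present in the namespace that must not be reused
    public SeededNameMaker(String[] wordList, String[] reserved) {
        if (wordList.length == 0) throw new IllegalArgumentException("empty word list");
        words = new ArrayList<String>(Arrays.asList(wordList));
        // A fixed seed makes the shuffle, and so every assigned name, repeatable.
        Collections.shuffle(words, new Random(RANDOM_SEED));
        if (reserved != null) taken.addAll(Arrays.asList(reserved));
    }

    // Returns the next unused identifier; once the word list is exhausted,
    // later passes append a numeric suffix (bear, ..., bear2, ...).
    public String nextName() {
        while (true) {
            int pass = index / words.size();
            String base = words.get(index % words.size());
            index++;
            String candidate = (pass == 0) ? base : base + (pass + 1);
            if (taken.add(candidate)) return candidate;
        }
    }

    public static void main(String[] args) {
        String[] nouns = { "bear", "heron", "lynx", "otter" };   // constructed sample list
        String[] reserved = { "otter" };                          // constructed: name already in use
        SeededNameMaker a = new SeededNameMaker(nouns, reserved);
        SeededNameMaker b = new SeededNameMaker(nouns, reserved);
        for (int i = 0; i < 6; i++) {
            String name = a.nextName();
            // Two makers built with the same seed must agree name for name.
            System.out.println(name + " " + name.equals(b.nextName()));
        }
    }
}
```

Because the mapping is repeatable, notes taken against one deobfuscated copy of a jar still line up after the tool is run again on the same input.
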
I would distribute a compiled Java jar file on this page except that I
cannot figure out how to make a functioning jar file. If any Java ninjas
want to help me with this, please email. If you have any trouble with these
instructions, please send me an email and we will work through them.