How Spring Boot uses Allatori to obfuscate code-JS Tutorial-php.cn

This time I will show you how Spring Boot uses Allatori to obfuscate the code. What are the precautions for Spring Boot to use Allatori to obfuscate the code. The following is a practical case, let's take a look.

Introduction to Allatori obfuscation technology

Allatori is a Java obfuscator. It is a second-generation obfuscator, so it can fully protect your intellectual property. Allatori has the following protection methods: name obfuscation, stream obfuscation, debugginginformation obfuscation, string obfuscation, and watermark technology. This obfuscator is free for educational and non-commercial projects. Supports war and jar file formats, and allows adding valid dates for applications that require obfuscated code. There are projects that need to protect the code. A relatively basic solution is to obfuscate the code. After decompiling the packaged files, you can see the effect. In addition, the size of bags made with Allatori will be smaller.

A very ordinary maven project, the difference is that Allatori's jar package is added to the root directory.

Let’s take a look at the pom.xml file:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 <modelVersion>4.0.0</modelVersion>
 <groupId>com.lovnx</groupId>
 <artifactId>confusion</artifactId>
 <version>0.0.1-SNAPSHOT</version>
 <packaging>jar</packaging>
 <build>
 <plugins>
  <plugin>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-maven-plugin</artifactId>
  </plugin>
  <!-- Allatori plugin start -->
  <plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-resources-plugin</artifactId>
  <version>2.6</version>
  <executions>
   <execution>
   <id>copy-and-filter-allatori-config</id>
   <phase>package</phase>
   <goals>
    <goal>copy-resources</goal>
   </goals>
   <configuration>
    <outputDirectory>${basedir}/target</outputDirectory>
    <resources>
    <resource>
     <directory>${basedir}/allatori</directory>
     <includes>
     <include>allatori.xml</include>
     </includes>
     <filtering>true</filtering>
    </resource>
    </resources>
   </configuration>
   </execution>
  </executions>
  </plugin>
  <plugin>
  <groupId>org.codehaus.mojo</groupId>
  <artifactId>exec-maven-plugin</artifactId>
  <version>1.2.1</version>
  <executions>
   <execution>
   <id>run-allatori</id>
   <phase>package</phase>
   <goals>
    <goal>exec</goal>
   </goals>
   </execution>
  </executions>
  <configuration>
   <executable>java</executable>
   <arguments>
   <argument>-Xms128m</argument>
   <argument>-Xmx512m</argument>
   <argument>-jar</argument>
   <argument>${basedir}/lib/allatori.jar</argument>
   <argument>${basedir}/target/allatori.xml</argument>
   </arguments>
  </configuration>
  </plugin>
  <!-- Allatori plugin end -->
 </plugins>
 </build>
 <dependencies>
 <!-- Test Begin -->
 <dependency>
  <groupId>junit</groupId>
  <artifactId>junit</artifactId>
  <scope>test</scope>
 </dependency>
 <!-- Test End -->
 <!-- springboot启动 -->
 <dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-web</artifactId>
 </dependency>
 </dependencies>
 <parent>
 <groupId>org.springframework.boot</groupId>
 <artifactId>spring-boot-starter-parent</artifactId>
 <version>1.5.8.RELEASE</version>
 </parent>
</project>

Copy after login

For projects built using maven packaging plug-ins and Spring Boot, the Allatori configuration is also explained above. The more important ones in the Allatori configuration are:

<argument>${basedir}/lib/allatori.jar</argument>
<argument>${basedir}/target/allatori.xml</argument>

Copy after login

Specify the path of Allatori's allatori.jar file. If your project is a pom project, you can put the lib directory in the parent project, and then the sub-project only needs:

<argument>../lib/allatori.jar</argument>

Copy after login

That’s it.

allatori.xml This file is also very important, take a look at its contents:

<config>
  <input>
    <jar in="confusion-0.0.1-SNAPSHOT.jar" out="confusion-0.0.1-SNAPSHOT-obfuscated.jar"/>
  </input>
  <keep-names>
    <class access="protected+">
      <field access="protected+"/>
      <method access="protected+"/>
    </class>
  </keep-names>
  <property name="log-file" value="log.xml"/>
</config>

Copy after login

It is the specific configuration of the Allatori obfuscator. Here you can configure a lot of information, many strategies, and you can also specify which classes are not to be obfuscated. The specific methods can be found in the document attached at the end of the article.
What needs to be explained here is:

 <input>
    <jar in="confusion-0.0.1-SNAPSHOT.jar" out="confusion-0.0.1-SNAPSHOT-obfuscated.jar"/>
 </input>

Copy after login

confusion-0.0.1-SNAPSHOT.jar is the unobfuscated package after packaging, and confusion-0.0.1-SNAPSHOT-obfuscated.jar is the obfuscated package. This is what we need.

Packaging steps
1. Clean maven project.
2. Copy the allatori.xml file under resources to the target directory.
3. Install the maven project. It means success after seeing the following information:

################################################
#                       #
#    ## #  #  ## ### ### ## ###    #
#    # # #  #  # # # # # # # #     #
#    ### #  #  ### # # # ##  #     #
#    # # ### ### # # # ### # # ###    #
#                       #
#        DEMO VERSION!         #
#      NOT FOR COMMERCIAL USE!      #
#                       #
#    Demo version adds System.out's     #
#    and gives 'ALLATORI_DEMO' name     #
#    to some fields and methods.      #
#                       #
#                       #
# Obfuscation by Allatori Obfuscator v6.4 DEMO #
#                       #
#      http://www.allatori.com      #
#                       #
################################################

Copy after login

4. Project after success:

Spring Boot使用Allatori代码混淆的方法

The arrow points to the package we need, and the code of this package has been obfuscated.

Effect View

Here, a decompilation tool is used to view the obfuscated package. I use the jd-gui software, which is small and practical.

TestApplication.java before obfuscation:

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
public class TestApplication {
 
 public static void main(String[] args) {
    SpringApplication.run(TestApplication.class, args);
 }
}

Copy after login

After TestApplication.java is obfuscated:

import java.io.PrintStream;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
public class TestApplication
{
 public static String ALLATORIxDEMO(String a)
 {
  int tmp4_3 = 4;
  int tmp7_6 = 1;
  int tmp21_18 = a.length();
  int tmp25_24 = 1;
  tmp25_24;
  int j;
  int ? = tmp25_24;
  int k = tmp21_18;
  int tmp35_31 = (j = new char[tmp21_18] - 1);
  tmp35_31;
  int i = 5 << 4 ^ (0x2 ^ 0x5);
  (tmp4_3 << tmp4_3 ^ tmp7_6 << tmp7_6);
  if (tmp35_31 >= 0)
  {
   int tmp45_44 = j;
   j--;
   ?[tmp45_44] = ((char)(a.charAt(tmp45_44) ^ i));
   int tmp66_63 = (j--);
   ?[tmp66_63] = ((char)(a.charAt(tmp66_63) ^ k));
  }
  return new String(?);
 }
 public static void main(String[] a)
 {
  System.out.println("\n################################################\n#                       #\n#    ## #  #  ## ### ### ## ###    #\n#    # # #  #  # # # # # # # #     #\n#    ### #  #  ### # # # ##  #     #\n#    # # ### ### # # # ### # # ###    #\n#                       #\n# Obfuscation by Allatori Obfuscator v6.4 DEMO #\n#                       #\n#      http://www.allatori.com      #\n#                       #\n################################################\n"); SpringApplication.run(TestApplication.class, a);
 }
}

Copy after login

TestController.java before obfuscation:

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class TestController {
 @GetMapping("/test")
 public String test(){
 return "88888888888888888";
 }
}

Copy after login

After TestController.java is confused:

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class TestController
{
 @GetMapping({"/test"})
 public String test()
 {
  return ALLATORIxDEMO("*]*]*]*]*]*]*]*]*");
 }
 public static String ALLATORIxDEMO(String a)
 {
  int tmp27_24 = a.length();
  int tmp31_30 = 1;
  tmp31_30;
  int j;
  int ? = tmp31_30;
  int k = tmp27_24;
  int tmp41_37 = (j = new char[tmp27_24] - 1);
  tmp41_37;
  int i = (0x3 ^ 0x5) << 4 ^ 0x5;
  (2 << 3 ^ 0x2);
  if (tmp41_37 >= 0)
  {
   int tmp51_50 = j;
   j--;
   ?[tmp51_50] = ((char)(a.charAt(tmp51_50) ^ i));
   int tmp72_69 = (j--);
   ?[tmp72_69] = ((char)(a.charAt(tmp72_69) ^ k));
  }
  return new String(?);
 }
}

Copy after login

I believe you have mastered the method after reading the case in this article. For more exciting information, please pay attention to other related articles on the PHP Chinese website!