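At a customer's request, our company's whole business project needs a private (on-premises) deployment, which means providing the customer with source code (not the real source). In the end we hand over a WAR package, and because of copyright and trade-secret concerns, we have to apply some security hardening to the code on our side.

Some explanation has already been given here, so I won't go into an in-depth study of Java decompilation for now.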


Obfuscating with ProGuard under Maven breaks down into roughly three steps:

  1. Add the ProGuard plugin and its configuration to the project's pom file
            <!-- ProGuard obfuscation plugin -->
            <plugin>
                <groupId>com.github.wvengen</groupId>
                <artifactId>proguard-maven-plugin</artifactId>
                <version>2.0.11</version>
                <executions>
                    <execution>
                        <!-- When to obfuscate: here, during packaging -->
                        <phase>package</phase>
                        <goals>
                            <!-- Which plugin goal to run: proguard (obfuscation) -->
                            <goal>proguard</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                    <!-- Whether to install/deploy the generated PG artifact -->
                    <attach>true</attach>
                    <!-- Whether to obfuscate -->
                    <obfuscate>true</obfuscate>
                    <!-- Classifier for the generated artifact -->
                    <attachArtifactClassifier>pg</attachArtifactClassifier>
                    <proguardInclude>${basedir}/proguard.conf</proguardInclude>
                    <libs>
                        <lib>${java.home}/lib/rt.jar</lib>
                        <lib>${java.home}/lib/jce.jar</lib>
                    </libs>
                    <!-- What to load as input: only classes works here; configuration files and JSPs cannot be obfuscated anyway -->
                    <injar>classes</injar>
                    <outjar>${project.build.finalName}-pg.jar</outjar>
                    <!-- Output directory -->
                    <outputDirectory>${project.build.directory}</outputDirectory>
                </configuration>
            </plugin>

   Add a proguard.conf file in the same directory as the pom

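# Ignore all warnings; otherwise obfuscation stops when a warning occurs
-ignorewarnings

# Target JDK version 1.7
-target 1.7

# Do not shrink (shrinking removes unreferenced classes and members)
-dontshrink

# Do not optimize (optimization rewrites the code's implementation)
-dontoptimize

# Do not skip non-public library classes and their members
-dontskipnonpubliclibraryclasses
-dontskipnonpubliclibraryclassmembers

# Allow the access modifiers of classes and class members to be changed during processing
-allowaccessmodification

# Give class members unique obfuscated names across classes to strengthen the obfuscation
-useuniqueclassmembernames

# Do not obfuscate any package names; in my tests an obfuscated web project had far too many problems, since Spring configuration contains many hard-coded package names
-keeppackagenames

# Do not obfuscate method parameter names
-keepparameternames

# Keep these special attributes; LocalVariable*Table is not in the list
-keepattributes Exceptions,InnerClasses,Signature,Deprecated,SourceFile,LineNumberTable,*Annotation*,Synthetic,EnclosingMethod

# Do not obfuscate the class names (and methods) in these packages
-keep class weg.base.** { <methods>; }
-keep class weg.service.** { <methods>; }
-keep class weg.dao.** { <methods>; }
-keep class weg.util.** { <methods>; }

# Do not obfuscate the class names in the quartz package, nor the methods of those classes
-keep class weg.quartz.** { <methods>; }

# Do not obfuscate any class in the model package, nor its fields and methods; these are entity classes, and obfuscating them stops the ORM framework and the front end from recognizing them
-keep class weg.model.** {*;}

# Do not obfuscate any set/get methods; some third-party frameworks used in the project (for example Shiro) rely heavily on set/get mapping
-keepclassmembers public class * {void set*(***);*** get*();}

# Keep the public and protected fields and methods of every public class (and the class names) unobfuscated
-keep public class * { public protected <fields>;public protected <methods>; }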

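  2. The maven package process

The Maven packaging step is a painful one. If the project's early code was written without optimization in mind and the project is bloated, it takes a long time.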

D:\PC_gomeet\*****>mvn package
[WARNING]
[WARNING] Some problems were encountered while building the effective settings
[WARNING] expected START_TAG or END_TAG not TEXT (position: TEXT seen ...</mirror>\n\t<mirror>\n\ua0\ua0\ua0\ua0\ua0\ua0\ua0 <i... @166:11)  @ C:\SoftWare\Maven\apache-maven-3.5.3-bin\apache-maven-3.5.3\bin\..\conf\settings.xml, line 166, column 11
[WARNING]
[INFO] Scanning for projects...
[WARNING]
[WARNING] Some problems were encountered while building the effective model for com.rionsoft:gomeetpc:war:1.0.1-SNAPSHOT
[WARNING] 'dependencies.dependency.(groupId:artifactId:type:classifier)' must be unique: org.apache.poi:poi:jar -> version ${poi.version} vs 3.9 @ line 502, column 15
[WARNING] 'build.plugins.plugin.version' for org.apache.tomcat.maven:tomcat7-maven-plugin is missing. @ line 734, column 12
[WARNING]
[WARNING] It is highly recommended to fix these problems because they threaten the stability of your build.
[WARNING]
[WARNING] For this reason, future Maven versions might no longer support building such malformed projects.
[WARNING]
[INFO]
[INFO] -----------------------< com.rionsoft:****** >------------------------
[INFO] Building **** 1.0.1-SNAPSHOT
[INFO] --------------------------------[ war ]---------------------------------
[WARNING] The POM for opensymphony:quartz-all:jar:1.6.1 is invalid, transitive dependencies (if any) will not be available, enable debug logging for more details
[WARNING] The artifact javax.xml:jaxrpc:jar:1.1 has been relocated to javax.xml:jaxrpc-api:jar:1.1
[WARNING] The artifact xerces:xerces:jar:2.4.0 has been relocated to xerces:xercesImpl:jar:2.4.0
[INFO]
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ **** ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Copying 1032 resources
[INFO] Copying 95 resources
[INFO]
[INFO] --- maven-compiler-plugin:3.0:compile (default-compile) @ **** ---
[INFO] Changes detected - recompiling the module!
[INFO] Compiling 1032 source files to D:\PC_gomeet\****\target\classes
[WARNING] /D:/PC_gomeet/****/src/main/java/com/rionsoft/utils/tools/MyUtils.java:[603,11] catch 子句无法访问
  已捕获到抛出的类型java.io.FileNotFoundException
[WARNING] /D:/PC_gomeet/****/src/main/java/com/rionsoft/gomeet/api/wechat/mp/api/WxHttpClient.java: 某些输入文件使用或覆盖了已过时的 API。
[WARNING] /D:/PC_gomeet/****/src/main/java/com/rionsoft/gomeet/api/wechat/mp/api/WxHttpClient.java: 有关详细信息, 请使用 -Xlint:deprecation 重新编译。
[WARNING] /D:/PC_gomeet/****/src/main/java/com/rionsoft/gomeet/api/worker/biz/impl/WorkerBizImpl.java: 某些输入文件使用了未经检查或不安全的操作。
[WARNING] /D:/PC_gomeet/****/src/main/java/com/rionsoft/gomeet/api/worker/biz/impl/WorkerBizImpl.java: 有关详细信息, 请使用 -Xlint:unchecked 重新编译。
[INFO]
[INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ ****---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory D:\PC_gomeet\gomeetpc\src\test\resources
[INFO]
[INFO] --- maven-compiler-plugin:3.0:testCompile (default-testCompile) @ ****---
[INFO] Changes detected - recompiling the module!
[INFO]
[INFO] --- maven-surefire-plugin:2.10:test (default-test) @ ****---
[INFO] Tests are skipped.
[INFO]
[INFO] --- maven-war-plugin:2.2:war (default-war) @ *****---
[INFO] Packaging webapp
[INFO] Assembling webapp [****] in [D:\PC_gomeet\****\target\****-1.0.1-SNAPSHOT]
[INFO] Processing war project
[INFO] Copying webapp resources [D:\PC_gomeet\****\src\main\webapp]
[INFO] Webapp assembled in [65154 msecs]
[INFO] Building war: D:\PC_gomeet\****\target\****-1.0.1-SNAPSHOT.war
[INFO] WEB-INF\web.xml already added, skipping
[INFO]
[INFO] --- maven-dependency-plugin:2.8:copy (copy) @ gomeetpc ---
[INFO] Configured Artifact: com.rionsoft:*****:1.0.1-SNAPSHOT:war
[INFO] Copying gomeetpc-1.0.1-SNAPSHOT.war to D:\PC_gomeet\release\war\com.rionsoft.gomeetpc.war
[INFO]
[INFO] --- maven-resources-plugin:2.6:copy-resources (copy-resources) @ ****---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Copying 9 resources
[INFO] skip non existing resourceDirectory D:\PC_gomeet\****\src\main\resources\profile\${jdbc.environment}
[INFO]
[INFO] --- proguard-maven-plugin:2.0.11:proguard (default) @ *****---
[proguard] Preparing output jar [D:\PC_gomeet\gomeetpc\target\classes-pg.jar]
 [proguard]   Copying resources from program directory [D:\PC_gomeet\****\target\classes] (filtered)
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 02:30 min
[INFO] Finished at: 2018-12-04T10:21:39+08:00
[INFO] ------------------------------------------------------------------------

If the project packages successfully, the output directory contains the following files:


  • classes-pg.jar: the obfuscated classes, containing the complete project structure
  • proguard_map.txt: the mapping of what was obfuscated
  • proguard_seed.txt: the classes involved in obfuscation
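A check that can be run on proguard_map.txt before the package is handed over, to see how much the keep rules above actually left unrenamed. This is an added example, not part of the original post; the sample mapping and the weg.web classes in it are constructed, and the line layout assumed is ProGuard's standard mapping format.

```python
import re

# Constructed sample in ProGuard's mapping format: class lines end with ':',
# member lines are indented. Package names mirror the weg.* rules above.
SAMPLE_MAP = """\
weg.model.User -> weg.model.User:
    java.lang.String name -> name
    java.lang.String getName() -> getName
weg.web.LoginController -> weg.web.LoginController:
    weg.service.AuthService authService -> a
    12:20:java.lang.String login(java.lang.String,java.lang.String) -> login
    25:31:boolean checkToken(java.lang.String) -> a
weg.web.TokenHelper -> weg.web.a:
    byte[] secret -> a
    40:44:byte[] sign(byte[]) -> a
"""

CLASS_RE = re.compile(r"^(\S+) -> (\S+):$")
# [firstLine:lastLine:]type name[(args)][:origLines] -> newName
MEMBER_RE = re.compile(
    r"^\s+(?:\d+:\d+:)?\S+ ([^\s(]+)(?:\(.*?\))?(?::\d+(?::\d+)?)? -> (\S+)$")

def summarize(mapping_text):
    """Per original class: was it renamed, and how many members were renamed."""
    stats, current = {}, None
    for line in mapping_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CLASS_RE.match(line)
        if m:
            current = stats[m.group(1)] = {
                "class_renamed": m.group(1) != m.group(2), "members": 0, "renamed": 0}
            continue
        m = MEMBER_RE.match(line)
        if m and current is not None:
            current["members"] += 1
            current["renamed"] += int(m.group(1) != m.group(2))
    return stats

def unobfuscated_classes(stats):
    """Classes whose own name and every member name survived unchanged."""
    return sorted(c for c, s in stats.items()
                  if not s["class_renamed"] and s["renamed"] == 0)

def renamed_ratio(stats):
    """Share of all class and member names that were actually renamed."""
    total = sum(1 + s["members"] for s in stats.values())
    renamed = sum(int(s["class_renamed"]) + s["renamed"] for s in stats.values())
    return renamed / total if total else 0.0

if __name__ == "__main__":
    report = summarize(SAMPLE_MAP)
    print(unobfuscated_classes(report), renamed_ratio(report))
```

Classes reported by `unobfuscated_classes` decompile with their original names intact, so a low ratio means the keep rules are too broad for the code that was meant to be protected.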

  3. Decompile and test that the code runs

Tools:

Java decompiler JD

Java decompiler Luyten https://github.com/deathmarine/Luyten

Java decompiler jadx https://github.com/skylot/jadx

Result:

[Images: decompiler screenshots]

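That finally wraps things up.

To sum up: I had never worked with code obfuscation before, and although the process was tedious, I learned a lot. In short, don't be afraid, and be willing to try.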