Obfuscation: hide hardcoded values in java


Solution 1

For one, you shouldn't just write

String FROM_CHAR2=new String(new char[]{102,114,111,109,95,99,104,97,114,115,95,50});

It's a dead give-away that the char array is actually a String.

You can do a combination of the following:

  1. put your "String" in an int[] array
  2. or even better, break your String into several int arrays
  3. calculate/manipulate the array's values at various stages of the application, so its value will only become valid at a certain interval during runtime, guaranteeing that it won't be deciphered at a curious glance by decompiling your code
  4. pass the array(s) back and forth, through local variables, back to instance variables, etc., before finally converting the arrays to a single array to be passed to the String constructor
  5. immediately set the String to null after use, just to reduce the amount of time the actual String exists at runtime

Solution 2

I would prefer to set the value in the static (class) initializer using a decryption algo. Something like

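class ... {
  // must be static so the static initializer below can assign it
  static String CONCAT;

  static {
     // decoded once, when the class is loaded
     CONCAT = uncrypt ("ahgsdhagcf");
  }
}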

where uncrypt might be a really good unencryption algo or, somewhat weaker, a base64 decode.

In any case you need a simple program to encode your string first.
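
An added example (not part of the answer above or of the original post) showing the static-initializer approach together with the encoder step it calls for. The class name, the `crypt` helper and the XOR key are assumptions chosen for illustration; the key ships in the same class file, so this only keeps the literal out of a string search of the decompiled code.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class StringObfuscationDemo {
    // Constructed key. It sits in the class file next to the data, so this
    // hides the literal from a strings/grep pass only; it protects no secret.
    private static final byte[] KEY = {0x2A, 0x51, 0x1C, 0x47};

    static final String CONCAT;

    static {
        // Literal generated beforehand with: java StringObfuscationDemo concatstring
        CONCAT = uncrypt("ST5yJEslbzNYOHIg");
    }

    // XOR with a repeating key is its own inverse, so one routine serves both directions.
    private static byte[] xor(byte[] in) {
        byte[] out = new byte[in.length];
        for (int i = 0; i < in.length; i++) {
            out[i] = (byte) (in[i] ^ KEY[i % KEY.length]);
        }
        return out;
    }

    // Build-time side: turns a plaintext into the literal to paste into the source.
    static String crypt(String plain) {
        return Base64.getEncoder().encodeToString(xor(plain.getBytes(StandardCharsets.UTF_8)));
    }

    // Runtime side: reverses crypt() when the class is initialized.
    static String uncrypt(String encoded) {
        return new String(xor(Base64.getDecoder().decode(encoded)), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        if (args.length == 1) {
            System.out.println(crypt(args[0]));   // encoder mode
        } else {
            System.out.println(CONCAT);           // value decoded by the static initializer
        }
    }
}
```

Anyone who decompiles the class can call `uncrypt` or read `CONCAT` in a debugger, so keys, passwords and tokens still belong outside the shipped code.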


Author: Addev

Updated on July 11, 2022

Comments

  • Addev
    Addev almost 2 years

    Possible Duplicate:
    hiding strings in Obfuscated code

    I'm trying to hide some static Strings of my app a little in order to make it harder to decompile; this way constants like cipher algorithm names are harder to find in the obfuscated code.

    I've considered things like:

    String CONCAT= "concat"+"string";
    String RAW_STRING= "raw_string";
    String FROM_BYTES=new String("from_bytes".getBytes());
    String FROM_CHARS=new String(new char[]{'f','r','o','m','_','c','h','a','r','s'});
    String FROM_CHAR2=new String(new char[]{102,114,111,109,95,99,104,97,114,115,95,50});
    

    And the last two options seem to be "darker" than the raw option, but I imagine there are better ways of doing this.

    How can I improve this? Thanks

    • ignis
      ignis over 11 years
      I've never programmed for Android, however I can't see the point of the question. If the user does not know how to decompile and is only able to read the code through Notepad, you just put in some unused algorithm names, and s/he won't know which one is really involved. If s/he knows how to decompile, then there's no obfuscation that can prevent him/her from replacing the library call (I guess you use a well-known library with a well-known method name to instantiate the cipher) with a System.out.println.