16 comments

[ 0.28 ms ] story [ 43.0 ms ] thread
Recently here at yWorks we have refactored yGuard to be distributed under MIT licensed. As a goodie for new year, we'll share it with you!
Not going to use yGuard anywhere, but thanks for opensourcing it. On the other hand, I stumbled upon yEd some time ago and it has been my go-to tool for diagrams ever since. Thanks to all the folks at yWorks that work on yEd !
It's not obvious to me, unfortunately - what exactly is being obfuscated here, the source code?
The java byte code residing inside your JAR(s). It will be disassembled using ASM7, then obfuscated and reassembled.
As someone also working in the Java obfuscation space, it's cool to see old obfuscators becoming open-source.

yGuard seems to only provide shrinking and remapping at this moment in time, however. Heavier-duty obfuscators will also incorporate various other transforms (like concealing string constants) to make the code harder to read.

Does it affect performance?
A little, but you can balance the obfuscation's complexity so that the HotSpot JIT is able to inline the transform.

Of course, this comes with a trade-off that custom deobfuscation transformers will also be able to inline these, but that's theoretically possible for every transform, anyway, since you can try some symbolic execution until you get the string values back out.

What is the modern use case for byte code obfuscation? It cannot provide any strong protection against reverse engineering, so what's the point?
Some people feel it discourages unskilled reversers from poking around.
I'm sure it does but that isn't very valuable IMHO.
It can be - if you have client side code that you do not wish people to mess around with it's all about adding resistance to convince the person who attempts that it's not worth the time and effort.

Some examples:

- Licensing logic

- Anti-cheating for games and similar

Most likely it will be breached eventually, but no reason to leave the door unlocked.

yGuard seems to focus mainly on removing dead code and emitting small names, so this looks like size optimization.
Perhaps it's being open sourced because there's no longer a market for this sort of thing.
It's been free before. It's not that we made money with it.
I thought people use spring for that :)
It's kind of ironic that code used for proprietary purposes is open-sourced.

Thank you for open-sourcing it.

However, I hope I will never use this (or any such similar) piece of code.