Meme (Dumb) Ideas for Java Bytecode Constant Obfuscation
Not too long ago, I took a quick look at some of the activity that has been going on in the Java bytecode obfuscation/deobfuscation communities. So far, I have noticed that most of the ideas have remained the same since I went inactive:
- Flow obfuscation:
  - opaque predicates;
  - reordering blocks through `goto`;
  - weird try-catch block flow;
  - callstack-sensitive keys used for branching;
  - CFG flattening;
  - complicate existing jumps;
  - etc.
- Constant obfuscation:
  - encrypt strings via context-sensitive keys;
  - split numerical constants into a ton of arithmetic;
  - abuse constantdynamic;
  - etc.
- Reference obfuscation:
  - abuse the Reflection API;
  - abuse invokedynamics;
  - proxying of method and field invocations;
  - changing all parameter types to `java.lang.Object`;
  - etc.
- Exploits:
  - HTML-injection of vulnerable tools;
  - fake directories;
  - tool-specific crashers;
  - etc.
- And the usual other stuff like class encryption and math obfuscation and whatnot.
