How does it work?
ClassGuard is a tool to prevent Java decompiling and for licensing Java applications.
The Java class files are encrypted using a 128Bit AES encryption. The AES key is generated randomly every time you start the encryption tool. The decryption is done transparently by a custom class loader. The main part of this class loader is written in C to prevent decompiling and other tampering.
The current version additionally contains a license manager. The main part of the license manager is also written in C. Java class files are only decrypted if a valid license is found.
How does Tomcat support work?
To use ClassGuard in combination with Tomcat, you have to configure your web application for using the ClassGuard tomcat class loader. This can be set in the context of the web application.
Support for other J2EE containers may be implemented on request, please ask!
Is there a way of encrypting additional resources?
Since version 2.0, the encryption of addtional resources (e.g. property files or images) is possible in a transparent way. Encrypted resources may be loaded by getResource() or getResourceAsStream().
How secure is it really?
There is no way of cracking the used 128Bit AES encryption. As the main part of ClassGuard is written in C, the key can’t be extracted using a Java decompiler. However, it is possible to extract single class files from memory using a debugger on the assembler level. The effort necessary for this is increasing with the number of encrypted classes in your application. So ClassGuard is not absolutely secure, but puts security on a level comparable to software written in a native language.
Some experts state, it would be possible to crack byte code encryption by hacking some class files of the Java language itsself, e.g. defineClass() in java.lang.ClassLoader. Bytecode encrypted by ClassGuard is passed through to the virtual machine on the native level. The bytecode never appears in any Java class. At the moment, no successful attempt on attacking real world applications is known.
What platforms are supported?
The current version 5 supports Oracle JDK 7 to 11 for OSX, Windows and Linux on i386 and x86-64. OpenJDK is supported on the same platforms in version 8 and 11. Solaris support is available on request. Virtual machines besides Oracle Java and OpenJDK may work, but are not supported. The release planning for platforms is based on demand, so please tell us which platforms you need!
When I debug my encrypted project, I get a java.lang.NoClassDefFoundError
Currently, there are three ways to implement a Java debugger or profiler:
- java.lang.instrument (-javaagent)
- jvmti (-agentlib/-agentpath)
- jvmpi (-Xrun)
It is possible to get Java bytecode by all of these ways. Therefor ClassGuard detects Java debuggers and refuses to decrypt any classes in case of any running debugger.
Can I combine ClassGuard and Code Obfuscation?
As ClassGuard works on the binary level of class files, it does not iterfere with Java code obfuscation tools.