ClassGuard is a tool to prevent Java decompiling and for licensing Java applications.
The Java class files are encrypted using a 128Bit AES encryption. The AES key is generated randomly every time you start the encryption tool. The decryption is done transparently by a custom class loader. The main part of this class loader is written in C to prevent decompiling and other tampering.
The current version additionally contains a license manager. The main part of the license manager is also written in C. Java class files are only decrypted if a valid license is found.
As of Version 1.5, ClassGuard supports Tomcat containers.
To use ClassGuard in combination with Tomcat, you have to configure your web application for using the ClassGuard tomcat class loader. This can be set in the context of the web application.
Support for other J2EE containers may be implemented on request, please ask!
Since version 2.0, the encryption of addtional resources (e.g. property files or images) is possible in a transparent way. Encrypted resources may be loaded by getResource() or getResourceAsStream().
There is no way of cracking the used 128Bit AES encryption. As the main part of ClassGuard is written in C, the key can't be extracted using a Java decompiler.
However, it is possible to extract single class files from
memory using a debugger on the assembler level. The effort necessary for this is increasing with
the number of encrypted classes in your application. So ClassGuard is not absolutely secure, but
puts security on a level comparable to software written in a native language.
Some experts state, it would be possible to crack byte code encryption by hacking some class
files of the Java language itsself, e.g. defineClass() in java.lang.ClassLoader. Bytecode encrypted
by ClassGuard is passed through to the virtual machine on the native level. The bytecode never
appears in any Java class. At the moment, no successful attempt on attacking real world applications is known.
The current version 4 supports Sun/Oracle Java 5, 6, 7 and 8 for OSX, Windows and Linux on i386 and x86-64. Solaris support is available on request. Virtual machines besides Oracle Java may work, but are not supported. The release planning for platforms is based on demand, so please tell us which platforms you need!
Currently, there are three ways to implement a Java debugger or profiler:
It is possible to get Java bytecode by all of these ways. Therefor ClassGuard detects Java debuggers and refuses to decrypt any classes in case of any running debugger.
As ClassGuard works on the binary level of class files, it does not iterfere with Java code obfuscation tools.
You may use our debugging agent to test your code encryption tool. Download JSecurityAgent.jar and run your application with the additional parameter -javaagent:JSecurityAgent.jar. The bytecode agent displays all classes of which it can get the bytecode. If you see a line like
BytecodeAgent: Got bytecode of my/encrypted/class
your tool is vulnerable.