[Tut] Obfuscating Bukkit plugins

Discussion in 'Resources' started by microgeek, Jul 5, 2013.

Thread Status:
Not open for further replies.
  1. Offline

    microgeek

  2. Offline

    kreashenz

    microgeek I am doing it exactly how you're doing it. But I still get this error?
    Code:text
    1. ProGuard, version 4.9
    2. Reading program jar [C:\Users\User\Desktop\obfuscated\CoD.jar]
    3. Reading library jar [C:\Program Files\Java\jre7\lib\rt.jar]
    4. Reading library jar [C:\Users\User\Desktop\obfuscated\TagAPI.jar]
    5. Reading library jar [C:\Users\User\Desktop\obfuscated\craftbukkit.jar]
    6. Reading library jar [C:\Users\User\Desktop\obfuscated\worldedit-5.5.6.jar]
    7. Warning: class [nmsblocks/CBXNmsBlock_145.class] unexpectedly contains class [CBXNmsBlock_145]
    8. Warning: class [nmsblocks/CBXNmsBlock_146.class] unexpectedly contains class [CBXNmsBlock_146]
    9. Warning: class [nmsblocks/CBXNmsBlock_147.class] unexpectedly contains class [CBXNmsBlock_147]
    10. Warning: class [nmsblocks/CBXNmsBlock_15.class] unexpectedly contains class [CBXNmsBlock_15]
    11. Warning: class [nmsblocks/CBXNmsBlock_152.class] unexpectedly contains class [CBXNmsBlock_152]
    12. Warning: class [nmsblocks/CBXNmsBlock_prePackage.class] unexpectedly contains class [CBXNmsBlock_prePackage]
    13. Warning: class [nmsblocks/MCPCPlusXNmsBlock_147.class] unexpectedly contains class [MCPCPlusXNmsBlock_147]
    14. Warning: class [nmsblocks/MCPCPlusXNmsBlock_151dv.class] unexpectedly contains class [MCPCPlusXNmsBlock_151dv]
    15. Warning: there were 8 classes in incorrectly named files.
    16. You should make sure all file names correspond to their class names.
    17. The directory hierarchies must correspond to the package hierarchies.
    18. If you don't mind the mentioned classes not being written out,
    19. you could try your luck using the '-ignorewarnings' option.
    20. Please correct the above warnings first.
    21.  
     
  3. Offline

    chasechocolate

  4. Offline

    CaptainBern Retired Staff

    I don't think it's allowed to obfuscate plugins (if you post them on devbukkit)...
     
  5. Offline

    kreashenz

  6. Offline

    CaptainBern Retired Staff

    I can't watch it because for some reason my Chrome can't play youtube videos, sorry!
     
  7. Offline

    microgeek

    Chrome not playing YouTube? You'd think Google would fix that! xD

    I know there is a way to ignore excluded resources(which is the issue), let me take a look.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: Jun 3, 2016
    CaptainBern likes this.
  8. Offline

    CaptainBern Retired Staff

    Yes! It's odd, I mean..On Internet Explorer it works but hey, who uses that crap?
     
    stirante and microgeek like this.
  9. Offline

    microgeek

    Here we go!

    From http://proguard.sourceforge.net/index.html#manual/troubleshooting.html :
    Code:
    If the missing class is referenced from a pre-compiled third-party library, and your original code runs fine without it, then the missing dependency doesn't seem to hurt. The cleanest solution is to filter out the referencing class or classes from the input, with a filter like "-injars myapplication.jar(!somepackage/SomeUnusedReferencingClass.class)". ProGuard will then skip this class entirely in the input, and it will not bump into the problem of its missing reference. However, you may then have to filter out other classes that are in turn referencing the removed class. In practice, this works best if you can filter out entire unused packages at once, with a wildcard filter like "-injars myapplication.jar(!someunusedpackage/**)".
    To achieve this with the GUI version, just save the profile, edit it, and then load it again(unless there is another way to edit profiles without saving and reloading).
     
  10. Offline

    kreashenz

    microgeek I got no idea how to do this... I have been trying to do a bunch of things, and yeah.. Just can't get it. Also, I think you copy pasted the wrong warning message, because the one that I get (on the troubleshooting link)
    Code:
    Warning: class file ... unexpectedly contains class ...
    The given class file contains a definition for the given class, but the directory name of the file doesn't correspond to the package name of the class. ProGuard will accept the class definition, but the current implementation will not write out the processed version. Please make sure your input classes are packaged correctly. Notably, class files that are in the WEB-INF/classes directory in a war should be packaged in a jar and put in the WEB-INF/lib directory. If you don't mind these classes not being written to the output, you can specify the -ignorewarnings option, or even the -dontwarn option.
    How do you add those options, I am completely stumped.
     
  11. Offline

    microgeek

  12. Offline

    kreashenz

    microgeek
    New Error (open)
    Code:
    ProGuard, version 4.9
    Reading program jar [C:\Users\User\Desktop\obfuscated\CoD.jar]
    Reading library jar [C:\Program Files\Java\jre7\lib\rt.jar]
    Reading library jar [C:\Users\User\Desktop\obfuscated\TagAPI.jar]
    Reading library jar [C:\Users\User\Desktop\obfuscated\craftbukkit.jar]
    Reading library jar [C:\Users\User\Desktop\obfuscated\worldedit-5.5.6.jar]
    Warning: class [nmsblocks/CBXNmsBlock_145.class] unexpectedly contains class [CBXNmsBlock_145]
    Warning: class [nmsblocks/CBXNmsBlock_146.class] unexpectedly contains class [CBXNmsBlock_146]
    Warning: class [nmsblocks/CBXNmsBlock_147.class] unexpectedly contains class [CBXNmsBlock_147]
    Warning: class [nmsblocks/CBXNmsBlock_15.class] unexpectedly contains class [CBXNmsBlock_15]
    Warning: class [nmsblocks/CBXNmsBlock_152.class] unexpectedly contains class [CBXNmsBlock_152]
    Warning: class [nmsblocks/CBXNmsBlock_prePackage.class] unexpectedly contains class [CBXNmsBlock_prePackage]
    Warning: class [nmsblocks/MCPCPlusXNmsBlock_147.class] unexpectedly contains class [MCPCPlusXNmsBlock_147]
    Warning: class [nmsblocks/MCPCPlusXNmsBlock_151dv.class] unexpectedly contains class [MCPCPlusXNmsBlock_151dv]
    Warning: there were 8 classes in incorrectly named files.
             You should make sure all file names correspond to their class names.
             The directory hierarchies must correspond to the package hierarchies.
    Note: me.kreashenz.cod.metrics.Metrics: can't find dynamically referenced class mineshafter.MineServer
    Note: com.sharesc.caliog.npclib.NPCManager accesses a declared method 'b(net.minecraft.server.v1_5_R3.Entity)' dynamically
          Maybe this is library method 'net.minecraft.server.v1_5_R3.Chunk { void b(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.EmptyChunk { void b(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.EntityHuman { void b(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.EntityPlayer { void b(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.EntityTypes { java.lang.String b(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.IWorldAccess { void b(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.World { void b(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.WorldManager { void b(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.WorldServer { void b(net.minecraft.server.v1_5_R3.Entity); }'
    Note: com.sharesc.caliog.npclib.NPCManager accesses a declared method 'a(net.minecraft.server.v1_5_R3.Entity)' dynamically
          Maybe this is library method 'net.minecraft.server.v1_5_R3.Block { float a(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.BlockStairs { float a(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.Chunk { void a(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.DamageSource { net.minecraft.server.v1_5_R3.DamageSource a(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.EmptyChunk { void a(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.EntitySelectorContainer { boolean a(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.EntitySelectorEquipable { boolean a(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.EntitySelectorLiving { boolean a(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.EntitySelectorMonster { boolean a(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.EntitySelectorNotUndead { boolean a(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.EntitySelectorViewable { boolean a(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.EntityTypes { int a(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.IEntitySelector { boolean a(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.IWorldAccess { void a(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.Item { int a(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.ItemStack { int a(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.ItemSword { int a(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.ItemTool { int a(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.MobSpawnerAbstract { net.minecraft.server.v1_5_R3.Entity a(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.PathEntity { net.minecraft.server.v1_5_R3.Vec3D a(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.PlayerInventory { int a(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.PortalTravelAgent { boolean a(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.World { void a(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.WorldManager { void a(net.minecraft.server.v1_5_R3.Entity); }'
          Maybe this is library method 'net.minecraft.server.v1_5_R3.WorldServer { void a(net.minecraft.server.v1_5_R3.Entity); }'
    Note: there were 1 unresolved dynamic references to classes or interfaces.
          You should check if you need to specify additional program jars.
    Note: there were 2 accesses to class members by means of introspection.
          You should consider explicitly keeping the mentioned class members
          (using '-keep' or '-keepclassmembers').
    Note: You're ignoring all warnings!
    The output jar is empty. Did you specify the proper '-keep' options?
    
    I added the '-ignorewarnings' option to the config, but now I get this. This is getting much harder than it should be.
     
  13. Offline

    Ivan

    Nice tutorial, but why would you want to obfuscate a plugin? Bukkit itself is an open-source project, so I think all of the plugins using Bukkit as a library should be too.
     
  14. Offline

    microgeek

    I stated in the video, it's meant for people who are writing paid, private plugins that don't want source leaked.

    kreashenz
    Hmm. I'll see what I can find.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: Jun 3, 2016
    bobacadodl likes this.
  15. Offline

    Burnett1

    So obfuscated code is not allowed on bukkit? If it is on bukkit what would happen to it?
     
  16. Offline

    Gravity Retired Staff

    BukkitDev staff work night and day to approve plugins. We're entirely a group of volunteers who put in a lot of work to get your projects approved as quickly as possible. In order to ensure that each file is safe, we must follow the logic of the code to ensure it is working as intended.

    Obfuscation heavily slows down this process, and sometimes prohibits us from doing our job properly. If you choose to obfuscate your plugins, we will try to accommodate you, but we cannot guarantee the same approval time as those who submit plugins around the time you submitted yours. Staff will not linger on your obfuscated code and slow the rest of the queue down; we will instead choose to work on other plugins which are nicely open-sourced and get them approved. We also cannot guarantee that your file will be approved if our staff cannot follow the obfuscated logic; if the obfuscated becomes complex enough that it does not allow us to ensure the integrity of the file, it will be deleted.

    In a nutshell, please think about the staff before uploading an obfuscated file. I have instructed them not to waste too much of their time on deciphering obfuscated code. Most of them are nice enough that they will attempt to accommodate you, but I will not allow the queue to be slowed down by obfuscation.
     
    JOPHESTUS, Icyene, hawkfalcon and 7 others like this.
  17. Offline

    MrTwiggy


    Is there ever going to be the possibility of people being able to upload their plugin un-obfuscated, but check a box so that when an approver is finished, the .jar is automatically obfuscated and then uploaded? Seems like it would solve the problem of people wanting their source to be a bit more private, and also not slowing down the bukkit staff (besides developing the auto-obfusucation)
     
  18. Offline

    Gravity Retired Staff

    We're not going to obfuscate your plugins for you.
     
  19. Offline

    Hoolean Retired Staff

    MrTwiggy

    Why obfuscate your code for Bukkit anyways? One of the points of the approval team is to look for stolen code (so they'll know if your code is stolen, you don't need to obfuscate it for that purpose).

    All you'd really be doing is slowing down approval time (recompiling code takes time and processing power y'know) as well as inhibiting others from learning to be a better programmer from on a rare occasion looking at your code :(
     
    Minecrell, Wingzzz and Gravity like this.
  20. Offline

    MrTwiggy


    I think to imply that the only reason to obfuscate your plugins is to hide stolen code or inhibit other innocent programmers from learning is a bit naive.

    Some people want to be able to contribute plugins to the community without having to give up all their source code and have other people modify/sell it. It's no where close to unheard of to see people take Bukkit plugins and modify them to work around things they don't like that the author put in, which is against the intended purpose. That's not to say people shouldn't go open source, it can help a lot. But it seems very restricting that there are probably people out there that would like to contribute plugins for people and servers to use, but don't because they are essentially handing out the source code to anyone.
     
    blablubbabc likes this.
  21. Offline

    Hoolean Retired Staff

    I didn't make myself very clear there, I meant the approval team can easily see if someone has stolen your code, so you don't need to obfuscate to stop people from stealing it. Also, note how I said 'for that purpose'; I wasn't implying that would be the only reason (although for some people it is their primary one).

    If somebody tries hard enough, they can always find/modify your source. Minecraft is a great example of this, as it's obfuscated and people still decompile and mod it (and unfortunately sometimes distribute the full modified version of it for piracy purposes :().

    I personally have no issue in somebody taking my plugin and modifying it to work better with their purposes, however, if you do, firstly ensure the license your plugin is under prohibits the unauthorised distribution of it by anyone other than yourself. That way you have a legitimate case against anyone who redistrubutes it. However, if you're so desperate to stop people from utilising your code for other purposes that you feel the need to obfuscate it, BukkitDev is not the place for your obfuscated plugins.
     
  22. Offline

    stirante

    Gravity What about including mappings with note "please delete mappings"? :D
     
    blablubbabc likes this.
  23. Offline

    Gravity Retired Staff

    There is no solution to this that doesn't make us work more. We're not going to spend extra time unmapping your obfuscated code, deleting files, and rezipping archives just because you want people to be less able to read your code.

    I don't see how any part of that follows
     
  24. Offline

    hatstand

    I find that reasoning flawed, as you're essentially trying to lock your employer into using you for all future work, or treating them with mistrust from the start, neither of which are good policies.
     
    jorisk322 likes this.
  25. Offline

    jorisk322

    I agree, but that's the developer's choice. microgeek is simply showing how to do it. The reason people use it isn't his concern.
     
  26. Offline

    hatstand

    Fair point.
     
  27. Offline

    MrTwiggy


    How does that make any sense at all? If anything, it's helping to protect your employers. If an employer hires you to write a plugin, then they obviously own all the source code that you write for them. Why would an employer need to get your .jar file, decompile it, structure it in an eclipse project, get all the dependencies required, just so they can have it set up.

    I can't really see any reason an employer would need to decompile the .jar file. So if anything, obfuscating helps them because now if someone steals it or it gets leaked somehow, their property has an extra layer of 'security'.
     
    JHalt likes this.
  28. Offline

    hatstand

    My assumption is that not all private plugins are provided with source code, and that the employer themselves are the only realistic way a plugin could be leaked. Additionally, while security through obscurity is, by its nature, an illusion of security, one could argue that it is even less effective in a community where working with obfuscated code is not an uncommon requirement. If stealing is a realistic concern, an employer should be re-evaluating their server's security and/or choice in staff.
     
  29. Offline

    Ultimate_n00b

    I was making a private plugin where I needed to use this, and I liked your tutorial. Good job on it.
     
  30. Offline

    Goblom

    Gravity Hoolean if a plugin is obfuscated and the obfuscation logic is too complex would it be possible for the developer to give the bukkit dev staff member access to a repo where the code is hosted and for the bukkit dev staff member to approve/disprove that plugin based on the link the developer of the plugin gave them ?

    TL;DR if a plugin is obfuscated and we give the dbo staff member access to the repo hosting the code could the project still be approved at relatively the normal speed ?
     
Thread Status:
Not open for further replies.

Share This Page