MEETINGS

DJUG LINKS

WIKI QUICK LINKS

Book Reviews

This book review was submitted by a DenverJUG member as part of the Book Review Program.

BOOK DETAILS

REVIEWER

Bill Simons

REVIEW

Most Java programmers know that class files can be easily converted into Java source code. When you ship Java class files, you are giving away your source code. In Decompiling Java, author Godfrey Nolan looks at Java decompilation both from the perspective of developers seeking to protect their source code and hackers interested in reverse-engineering an application.

Nolan has a hands-on approach rather than a theoretical one. The book is filled with code listings for turning the raw bytes in a class file into Java source code. Along the way, he also discusses the legal and ethical ramifications of decompiling as well as tools available for protecting and decompiling code.

For a quick introduction to the Java virtual machine, Decompiling Java can hardly be beat. The book gives a concise description of the virtual machine architecture, the instruction set, and the class file format. The class file format is dissected in precise detail as the author creates a class-file-to-XML disassembler.

Nolan also does a fine job describing source protection techniques and their limitations. Each technique is evaluated for its power to confuse decompilers, its resilience to attack, and its effect on performance. Unfortunately, it is too risky to use the most aggressive obfuscation techniques because not all virtual machine implementations can handle them and, in the case of applets, because the byte-code verifier will reject them.

Although hackers have the upper hand in the source-protection arms race, a selection of case studies suggests strategies for protecting code. Suggestions such as running code on a protected server or selling the source code up front expand the thinking beyond simply defeating decompilation.

The centerpiece of the book -- and nearly half its pages -- is the design and implementation of a basic Java decompiler. The surprising insight is that writing a Java decompiler is nearly identical to writing a compiler. The author reviews several approaches to designing a decompiler based on existing products and published literature. He then dives into creating a simple decompiler from scratch.

While the design review is informative, the subsequent 80 pages of implementation details is tedious. For the dedicated student, however, these pages may be gold. They include brief tutorials on JLex and CUP (Java equivalents to Lex and Yacc, C-based tools to generate lexical analyzers and parsers). and examples of turning series of Java byte codes into production rules that generate Java statements.

Another disappointment is the book's coverage of tools for disassembly, decompilation, and obfuscation tools. Too many of the listed tools have disappeared or are obsolete, and a few minutes of web searching would discover most of the rest.

Despite these few shortcomings, Decompiling Java is a worthwhile guide to this exotic niche in the Java landscape. It explains why Java is susceptible to reverse engineering, how to reverse engineer Java class files, and how to make it more difficult -- if only slightly -- for others to do the same to your class files. It is filled with technical details presented in a well-organized and friendly way.

Sample chapter

Chapter 4, "Protecting Your Source: Strategies for Defeating Decompilers," is available in PDF format (327 KB) from the publisher.