Obfuscating your processing code on your own

I know that anything a machine runs can be decompiled, that’s not what I’m asking.

I’d like to find out what could be some good ways to obfuscate the sketch class in the jar file.

I’ve searched the forum and found ProGuard and some other obfuscators but the users don’t seem to be happy with those tools, probably because they’re more suited for regular Java apps.

I’m planning to release a commercial plug-in and I don’t want the code to be this easy to get and manipulate. When you decompile the file, you get the source code of the sketch and it’s very easy to alter.

There must be some ways to deter hackers from cracking your software albeit not fully prevent them.

There are many good Javascript uglifiers online, that’s sort of the same effect I’m trying to achieve with the Processing code. Yet, Processing code strictly requires to be in order, doesn’t let you write things in one line as in the code below:

void draw() {background(0);frameRate(30);stroke(255);}

Changing variable and class names to complicated alphanumeric values like TP09X5U8HC7 etc is one thing. What else would you suggest?

Not an area I have thought a lot about - others can probably make better suggestions

Probably not a good idea since it would make code maintenance and bug reporting difficult to manage.

You could remove the source code (.java) files from the jar file as they are not needed for the plug-in to work.

Hi,

This line works perfectly in Processing :

void draw() {background(0);frameRate(30);stroke(255);}

Since it’s Java based, there’s no Processing special syntax and grammar rule.

In fact, renaming variables to complex names or with one letter names can prevent people from reading your code but with a simple tool, you can replace and read easily the code.

For example minifying Processing code :

// Pretty code

void setup(){
  size(500, 500);
  
  background(255);
}

void draw(){
  noStroke();
  
  float r = random(255);
  float g = random(255);
  float b = random(255);
  
  fill(r, g, b);
  
  float diameter = random(10, 50);
  float radius = diameter / 2;
  
  float x = random(radius, width - radius);
  float y = random(radius, height - radius);
  
  circle(x, y, diameter);
}

Which is equivalent to (without spaces, newlines and variable renaming) :

// Minified (but not obfuscated) code
void setup(){size(500, 500);background(255);}void draw(){noStroke();fill(random(255),random(255),random(255));float d=random(10,50);float r=d/2;circle(random(r,width-r),random(r,height-r),d);}

(This was done by hand but there’s tools to do this)

Also some tools appear to affect the bytecode in order to prevent people from doing reverse engineering and decompiling your binary.

This website clearly explain the different types of obfuscation :

Usually, obfuscation is used for production code to make it unreadable or smaller, developers are not working with obfuscated code

Don’t bother, code is cheap, no-one cares!

And, commercial plugin for what exactly? May want to consider code licensing concerns here too.

Hi @neilcsmith

It’s an animation plug-in.
Well, as far as I’m concerned, Processing seems totally free to use commercially. Is there any restriction to redistributing it along with your compiled program?

I really need to do some good obfuscation and I’m still open to suggestions. It seems reasonable to me to minimize the possibility of it being cracked. If the research and development part costs you, you might want to earn and improve the tool, or create other tools. It wouldn’t really mean you’re hungry for your money in my opinion. And no, code is really not cheap.

Processing core libs are LGPL, which is mostly free to use in commercial projects, but there are still conditions you have to follow. Lots of literature on the license. As long as you keep the libraries intact and replaceable by the end user in the process of obfuscation, you should be OK. yada, yada, yada, IANAL.

Processing IDE is GPL licensed, hence asking what a plugin for?

Any other third party libraries you bring in may have constraints of their own.

I’ve been coding professionally for almost 20 years - I stand by that comment!

Is the plugin a library or tool for Processing?

If it is then the Processing Foundation say they will only promote the library or tool on their website if the source code is included in the distribution. You can read their statement here
Libraries
Tools

I also agree with @neilcsmith and @quark , Processing is an open community driven by open source so I would make no sense to make a non free plugin with the intent of obfuscating it so people can’t access it…

If you put a lot of effort in the development of this plugin, it’s common to ask for donations from users and to promote your plugin by making a nice documentation and involving users in the development.

I apologize for the ambiguity, the plug-in I’m making is not for Processing, it’s for a commercial software.

As far as I know, LGPL license means that I must keep the core libs open source, but I can restrict the access to the sketch classes/codes, which I write. Am I right?

I think I’ll have to come up with a good way of obfuscation myself. Don’t know where to start, though. A commercial service would also be OK by me if it’s easy to use. Any help would be much appreciated.

Yes, to an extent. There is not really any such thing as just “open source” - licenses give rights. With LGPL, you have to give the end user the ability to replace the Processing libs in your plugin with a different or modified version. Obfuscation can interfere with that, so you have to do it with that in mind.

An often used Java obfuscation tool (as you mentioned) is ProGuard. You can probably get it to work with the output of Processing, but you have to ensure you exclude the libs from the process or you’ll be breaking the license terms. Google ProGuard and LGPL and you’ll find more info.

I still find the whole effort pointless, and think you’ll spend more time investigating and trying to get it to work than you’ll get benefit from it.

EDIT - you’ll also probably get in a load of issues with use of reflection across Processing to look up classes, methods and fields by name.

Thanks @neilcsmith

It’s a tool that gets user info and password from a server and licensed with a subscription model, yet it strictly must be a desktop app rather than a web-app, hence the obfuscation.

I’m not atempting to obfuscate the core libs or third-party libs I’m using within the app. I can mention them and their libs, and of course donate a percentage of what I’d be earning to the owners of those libs.

I just want to obfuscate my own code and get a code-signing service to get the rights under my name. If a person wants it free, he still can but that must cost him time and effort, or he can create something similar from the scratch. I really want creative coding to be a part of my job and need to improve what I’ll be doing and create other tools as I mentioned earlier. Keeping the tool as cheap as possible, which means making it accessible to more people doesn’t sound bad, does it? I’m not expecting a fortune out of it.

I’ve checked ProGuard but I think it needs a Java IDE and I heard a few complaints from those who used it with Processing. There’s no tutorial on their websites involving Processing, that’s pity.

You don’t have to obfuscate the code to do anything else you mention. You should be able to run ProGuard over the output of Processing somehow - it’s all Java bytecode! However, you have to make sure to specifically exclude the Processing libs from the process - your users have the right to take apart your plugin and change the Processing and other libraries it’s using. If you don’t like that fact, use something else! All obfuscation is likely to do for you is make problems that you don’t need for your use case.