Hacking FernFlower: Java反编译对抗技术详解<\/h1>

前言<\/h2>
本文详细讲解如何对抗Java反编译工具FernFlower（IDEA内置反编译器）的技术，通过字节码混淆和反编译工具特性利用，实现代码隐藏、混淆和反制效果。所有技术基于JDK8环境测试。<\/p>

基础知识<\/h2>

ASM框架核心用法<\/h3>
ASM是Java字节码操作框架，有两种API：<\/p>
Core API：适合基础字节码操作<\/li>
Tree API：适合复杂工具开发<\/li> <\/ul>
关键类：<\/p>
ClassWriter<\/code>：用于生成类文件<\/li>
ClassVisitor<\/code>：用于转换现有类<\/li>
MethodVisitor<\/code>：用于处理方法字节码<\/li>
<\/ul>
类生成基础<\/h3>
\/\/ 创建ClassWriter，推荐使用COMPUTE_FRAMES自动计算栈帧
<\/span><\/span><\/span><\/span>ClassWriter classWriter =<\/span> new<\/span> ClassWriter(<\/span>ClassWriter.<\/span>COMPUTE_FRAMES<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 定义类结构
<\/span><\/span><\/span><\/span>classWriter.<\/span>visit<\/span>(<\/span>V1_8,<\/span> ACC_PUBLIC |<\/span> ACC_SUPER,<\/span> "Test"<\/span>,<\/span> null<\/span>,<\/span> "java\/lang\/Object"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 添加字段
<\/span><\/span><\/span><\/span>FieldVisitor fieldVisitor =<\/span> classWriter.<\/span>visitField<\/span>(<\/span>ACC_PUBLIC |<\/span> ACC_STATIC,<\/span> "abc"<\/span>,<\/span> "Ljava\/lang\/String;"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>fieldVisitor.<\/span>visitEnd<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 添加方法
<\/span><\/span><\/span><\/span>MethodVisitor methodVisitor =<\/span> classWriter.<\/span>visitMethod<\/span>(<\/span>ACC_PUBLIC |<\/span> ACC_STATIC,<\/span> "test"<\/span>,<\/span> "()V"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>methodVisitor.<\/span>visitCode<\/span>();<\/span>
<\/span><\/span>methodVisitor.<\/span>visitFieldInsn<\/span>(<\/span>GETSTATIC,<\/span> "java\/lang\/System"<\/span>,<\/span> "out"<\/span>,<\/span> "Ljava\/io\/PrintStream;"<\/span>);<\/span>
<\/span><\/span>methodVisitor.<\/span>visitInsn<\/span>(<\/span>ICONST_1);<\/span>
<\/span><\/span>methodVisitor.<\/span>visitMethodInsn<\/span>(<\/span>INVOKEVIRTUAL,<\/span> "java\/io\/PrintStream"<\/span>,<\/span> "println"<\/span>,<\/span> "(I)V"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span>methodVisitor.<\/span>visitInsn<\/span>(<\/span>RETURN);<\/span>
<\/span><\/span>methodVisitor.<\/span>visitMaxs<\/span>(<\/span>2<\/span>,<\/span> 0<\/span>);<\/span> \/\/ 自动计算时可省略
<\/span><\/span><\/span><\/span>methodVisitor.<\/span>visitEnd<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>命名混淆技术<\/h2>
突破Java命名限制<\/h3>
Java编译器的命名限制不适用于运行时：<\/p>

可使用Unicode字符、控制字符、特殊符号<\/li>
可包含换行、退格等特殊字符<\/li>
可重复使用关键字<\/li>
<\/ul>
\/\/ 合法但极具混淆效果的字段名
<\/span><\/span><\/span><\/span>fieldVisitor =<\/span> classWriter.<\/span>visitField<\/span>(<\/span>ACC_PUBLIC,<\/span> "abc{\nsuper man\n}"<\/span>,<\/span> "Ljava\/lang\/String;"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 使用退格字符(\r)导致IDEA无法反编译
<\/span><\/span><\/span><\/span>fieldVisitor =<\/span> classWriter.<\/span>visitField<\/span>(<\/span>ACC_PUBLIC,<\/span> "abc\rdef"<\/span>,<\/span> "Ljava\/lang\/String;"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>隐藏方法与字段<\/h2>
利用FernFlower配置特性<\/h3>
关键配置项（默认启用）：<\/p>

REMOVE_BRIDGE=1<\/code>：隐藏桥接方法<\/li>
REMOVE_SYNTHETIC=0<\/code>：但IDEA仍会隐藏synthetic方法<\/li>
<\/ul>
隐藏方法技术<\/h3>


标记为synthetic方法<\/strong>：<\/p>
cw.<\/span>visitMethod<\/span>(<\/span>ACC_PUBLIC |<\/span> ACC_SYNTHETIC,<\/span> "hiddenMethod"<\/span>,<\/span> "()V"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>\/\/ 或添加Synthetic属性
<\/span><\/span><\/span><\/span>methodVisitor.<\/span>visitAttribute<\/span>(<\/span>new<\/span> SyntheticAttribute());<\/span>
<\/span><\/span><\/code><\/pre><\/li>

标记为bridge方法<\/strong>：<\/p>
cw.<\/span>visitMethod<\/span>(<\/span>ACC_PUBLIC |<\/span> ACC_BRIDGE,<\/span> "hiddenMethod"<\/span>,<\/span> "()V"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>

利用hiddenMembers机制<\/strong>：<\/p>

EnumProcessor会隐藏values()<\/code>和valueOf()<\/code>方法<\/li>
可构造同名方法迷惑分析者<\/li>
<\/ul>
<\/li>
<\/ol>
隐藏字段技术<\/h3>


标记为synthetic字段<\/strong>：<\/p>
cw.<\/span>visitField<\/span>(<\/span>ACC_PUBLIC |<\/span> ACC_STATIC |<\/span> ACC_FINAL |<\/span> ACC_SYNTHETIC,<\/span> "hiddenField"<\/span>,<\/span> "Ljava\/lang\/String;"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>

利用AssertProcessor<\/strong>：<\/p>

静态final字段会被隐藏<\/li>
<\/ul>
cw.<\/span>visitField<\/span>(<\/span>ACC_PUBLIC |<\/span> ACC_STATIC |<\/span> ACC_FINAL,<\/span> "$assertionsDisabled"<\/span>,<\/span> "Z"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
方法参数混淆<\/h2>
METHOD_PARAMETERS属性<\/h3>
\/\/ 自定义MethodParameters属性
<\/span><\/span><\/span><\/span>public<\/span> class<\/span> MethodParameterAttribute<\/span> extends<\/span> Attribute {<\/span>
<\/span><\/span>    public<\/span> MethodParameterAttribute<\/span>(<\/span>int<\/span> paramsCount,<\/span> int<\/span> nameIndex)<\/span> {<\/span>
<\/span><\/span>        super<\/span>(<\/span>"MethodParameters"<\/span>);<\/span>
<\/span><\/span>        \/\/ 自定义实现write方法
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 使用方法
<\/span><\/span><\/span><\/span>methodVisitor.<\/span>visitAttribute<\/span>(<\/span>new<\/span> MethodParameterAttribute(<\/span>3<\/span>,<\/span> 5<\/span>));<\/span> \/\/ 伪造参数个数和名称索引
<\/span><\/span><\/span><\/code><\/pre>效果：<\/p>

所有参数显示相同名称<\/li>
可设置非法参数个数导致反编译失败<\/li>
可构造特殊参数名增加阅读难度<\/li>
<\/ul>
方法描述符攻击<\/h3>
构造非法方法描述符使解析进入无限循环：<\/p>
\/\/ 缺少结尾分号
<\/span><\/span><\/span><\/span>cw.<\/span>visitMethod<\/span>(<\/span>ACC_PUBLIC,<\/span> "test"<\/span>,<\/span> "(Ljava\/lang\/String"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>字节码混淆技术<\/h2>
JSR\/RET指令混淆<\/h3>
JSR(跳转子程序)\/RET(返回)指令本用于实现finally块，可被滥用：<\/p>
Label label1 =<\/span> new<\/span> Label();<\/span>
<\/span><\/span>Label label2 =<\/span> new<\/span> Label();<\/span>
<\/span><\/span>Label label3 =<\/span> new<\/span> Label();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 真实逻辑
<\/span><\/span><\/span><\/span>methodVisitor.<\/span>visitLabel<\/span>(<\/span>label1);<\/span>
<\/span><\/span>methodVisitor.<\/span>visitMethodInsn<\/span>(<\/span>INVOKESTATIC,<\/span> "java\/lang\/Runtime"<\/span>,<\/span> "getRuntime"<\/span>,<\/span> "()Ljava\/lang\/Runtime;"<\/span>);<\/span>
<\/span><\/span>methodVisitor.<\/span>visitLdcInsn<\/span>(<\/span>"open \/Applications\/Calculator.app"<\/span>);<\/span>
<\/span><\/span>methodVisitor.<\/span>visitMethodInsn<\/span>(<\/span>INVOKEVIRTUAL,<\/span> "java\/lang\/Runtime"<\/span>,<\/span> "exec"<\/span>,<\/span> "(Ljava\/lang\/String;)Ljava\/lang\/Process;"<\/span>);<\/span>
<\/span><\/span>methodVisitor.<\/span>visitInsn<\/span>(<\/span>POP);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 混淆逻辑
<\/span><\/span><\/span><\/span>methodVisitor.<\/span>visitLabel<\/span>(<\/span>label2);<\/span>
<\/span><\/span>methodVisitor.<\/span>visitJsrInsn<\/span>(<\/span>label1);<\/span>
<\/span><\/span>methodVisitor.<\/span>visitJsrInsn<\/span>(<\/span>label3);<\/span>
<\/span><\/span>methodVisitor.<\/span>visitInsn<\/span>(<\/span>POP);<\/span>  \/\/ 弹出返回地址
<\/span><\/span><\/span><\/span>methodVisitor.<\/span>visitInsn<\/span>(<\/span>RET);<\/span>  \/\/ 执行真实逻辑
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 虚假显示逻辑
<\/span><\/span><\/span><\/span>methodVisitor.<\/span>visitLabel<\/span>(<\/span>label3);<\/span>
<\/span><\/span>methodVisitor.<\/span>visitFieldInsn<\/span>(<\/span>GETSTATIC,<\/span> "java\/lang\/System"<\/span>,<\/span> "out"<\/span>,<\/span> "Ljava\/io\/PrintStream;"<\/span>);<\/span>
<\/span><\/span>methodVisitor.<\/span>visitLdcInsn<\/span>(<\/span>"Hello World"<\/span>);<\/span>
<\/span><\/span>methodVisitor.<\/span>visitMethodInsn<\/span>(<\/span>INVOKEVIRTUAL,<\/span> "java\/io\/PrintStream"<\/span>,<\/span> "println"<\/span>,<\/span> "(Ljava\/lang\/String;)V"<\/span>);<\/span>
<\/span><\/span>methodVisitor.<\/span>visitInsn<\/span>(<\/span>RETURN);<\/span>
<\/span><\/span><\/code><\/pre>原理：<\/p>

通过JSR压入返回地址<\/li>
用POP\/SWAP修改返回地址<\/li>
导致反编译显示与实际执行不一致<\/li>
<\/ul>
try-catch结构混淆<\/h3>
Label startLabel =<\/span> new<\/span> Label();<\/span>
<\/span><\/span>Label endLabel =<\/span> new<\/span> Label();<\/span>
<\/span><\/span>Label handlerLabel =<\/span> new<\/span> Label();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 移除endLabel的RETURN
<\/span><\/span><\/span><\/span>methodVisitor.<\/span>visitTryCatchBlock<\/span>(<\/span>startLabel,<\/span> endLabel,<\/span> handlerLabel,<\/span> "java\/lang\/Exception"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>methodVisitor.<\/span>visitLabel<\/span>(<\/span>startLabel);<\/span>
<\/span><\/span>methodVisitor.<\/span>visitFieldInsn<\/span>(<\/span>GETSTATIC,<\/span> "java\/lang\/System"<\/span>,<\/span> "out"<\/span>,<\/span> "Ljava\/io\/PrintStream;"<\/span>);<\/span>
<\/span><\/span>methodVisitor.<\/span>visitLdcInsn<\/span>(<\/span>"Normal execution"<\/span>);<\/span>
<\/span><\/span>methodVisitor.<\/span>visitMethodInsn<\/span>(<\/span>INVOKEVIRTUAL,<\/span> "java\/io\/PrintStream"<\/span>,<\/span> "println"<\/span>,<\/span> "(Ljava\/lang\/String;)V"<\/span>);<\/span>
<\/span><\/span>methodVisitor.<\/span>visitLabel<\/span>(<\/span>endLabel);<\/span>
<\/span><\/span>\/\/ 故意不写RETURN
<\/span><\/span><\/span><\/span>
<\/span><\/span>methodVisitor.<\/span>visitLabel<\/span>(<\/span>handlerLabel);<\/span>
<\/span><\/span>methodVisitor.<\/span>visitVarInsn<\/span>(<\/span>ASTORE,<\/span> 1<\/span>);<\/span>
<\/span><\/span>methodVisitor.<\/span>visitFieldInsn<\/span>(<\/span>GETSTATIC,<\/span> "java\/lang\/System"<\/span>,<\/span> "out"<\/span>,<\/span> "Ljava\/io\/PrintStream;"<\/span>);<\/span>
<\/span><\/span>methodVisitor.<\/span>visitLdcInsn<\/span>(<\/span>"Exception occurred"<\/span>);<\/span>
<\/span><\/span>methodVisitor.<\/span>visitMethodInsn<\/span>(<\/span>INVOKEVIRTUAL,<\/span> "java\/io\/PrintStream"<\/span>,<\/span> "println"<\/span>,<\/span> "(Ljava\/lang\/String;)V"<\/span>);<\/span>
<\/span><\/span>methodVisitor.<\/span>visitInsn<\/span>(<\/span>RETURN);<\/span>
<\/span><\/span><\/code><\/pre>解决验证错误：<\/p>
\/\/ 添加帧栈平衡指令
<\/span><\/span><\/span><\/span>methodVisitor.<\/span>visitFrame<\/span>(<\/span>F_SAME,<\/span> 0<\/span>,<\/span> null<\/span>,<\/span> 0<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>反制技术<\/h2>


构造非法属性<\/strong>：<\/p>

添加不匹配的MethodParameters属性<\/li>
添加超大属性导致内存耗尽<\/li>
<\/ul>
<\/li>

触发解析错误<\/strong>：<\/p>

构造非法字节码序列<\/li>
利用特殊字符导致解析失败<\/li>
<\/ul>
<\/li>

DOS攻击<\/strong>：<\/p>

在JAR中放置多个问题类<\/li>
当反编译工具尝试解析时崩溃<\/li>
<\/ul>
<\/li>
<\/ol>
防御建议<\/h2>

使用最新版反编译工具<\/li>
对反编译结果进行验证执行<\/li>
结合多种反编译工具交叉验证<\/li>
直接分析字节码而非依赖反编译结果<\/li>
<\/ol>
总结<\/h2>
本文详细介绍了多种对抗Java反编译的技术：<\/p>

利用命名规则突破视觉混淆<\/li>
隐藏关键方法和字段<\/li>
方法参数和描述符混淆<\/li>
JSR\/RET和try-catch字节码混淆<\/li>
反编译工具反制技术<\/li>
<\/ol>
这些技术可有效增加代码分析难度，但应注意合理使用场景。<\/p>
Hacking FernFlower: Java反编译对抗技术详解<\/h1>

前言<\/h2> 本文详细讲解如何对抗Java反编译工具FernFlower（IDEA内置反编译器）的技术，通过字节码混淆和反编译工具特性利用，实现代码隐藏、混淆和反制效果。所有技术基于JDK8环境测试。<\/p>

基础知识<\/h2>

命名混淆技术<\/h2>

隐藏方法与字段<\/h2>

方法参数混淆<\/h2>

字节码混淆技术<\/h2>

前言<\/h2>
本文详细讲解如何对抗Java反编译工具FernFlower（IDEA内置反编译器）的技术，通过字节码混淆和反编译工具特性利用，实现代码隐藏、混淆和反制效果。所有技术基于JDK8环境测试。<\/p>
