Slashdot Mirror


Decompiling Java

Richard Rodger writes with a review of Godfrey Nolan's Decompiling Java. "I've just put this book down after reading it right through non-stop for four days. I haven't done that with a technical book since Learning Perl. Most techie books these days are quickie grab-bags, and you end up paying for a lot of dead trees that you aren't interested in." Read on for the rest of his review.

Decompiling Java
author: Godfrey Nolan
pages: 264
publisher: Apress
rating: 8/10
reviewer: Richard Rodger
ISBN: 1590592654
summary: Learn how decompilation works in order to properly protect your intellectual property.

If you are interested in Decompiling Java, then this book tells you exactly how to do that. There's no fluff and every chapter counts. I can safely concur that Fiachra's observations are indeed correct. You'd better be prepared for some serious hard core details, but then that's what you've paid for. It is really great to read a book that doesn't end each chapter with a few links to the real material because the author couldn't be bothered to write it up.

So what do you get? As a battle-hardened Java coder of not a few years programming, I wanted to find out about the gory details of bytecodes and how to get at them. Now it's a subject I always knew I should know about, but never took the time to read up on it. Decompiling Java puts all that knowledge into one place.

Here's a quick run-through of the chapters so you know what you're getting:

Ch.1 Introduction
Decompilation isn't just another coding tool - there are other, real world issues like ending up in jail to think about. Godfrey proposes a sort of code-of-honour for decompilers. This book could so easily have been positioned for the fr33ky kod3r skript kiddie market, and I'm glad that the author and publishers took a mature and sensible approach to the subject. I have had to decompile purchased code because of bugs and I'm glad that someone took the time to think about an ethical framework for doing this.

Ch.2 Ghost in the Machine
A good and solid introduction to the JVM and the classfile format. If you're in the market for this book, you probably already know most of this, but a refresher course is always good. For me, it definitely sorted out a lot of internal hand-waving on the subject. Just remember kids, the only thing to fear is fear itself - it's only binary data after all.

Ch.3 Tools of the Trade
Although the author builds his own decompiler later in the book, it's nice to get a chapter devoted to the existing toolset and the Java decompiler scene.

Ch. 4 Protecting your Source
For the honest developer, knowing how to decompile code is more about protecting your own source code than breaking someone else's (who wants to read other people's smelly code anyway!). This chapter is one of the most directly practical. I had always assumed that obfuscation was a magic fix that I could apply if necessary. In reality, good obfuscation is just like good encryption (that is, uncommon, difficult to verify, and still subject to lateral attacks). Even compiled bytecode has relatively low entropy, so the value of obfuscation must be considered carefully.

Ch.5 Decompiler Design
This is where it starts getting a wee bit technical. Decompilation, as you can imagine, is a bit of a black art, and there are many ways of doing it. Some of them involve scary maths and some involve scary coding and the rest both. But that's why you don't meet many people who can write decompilers. Godfrey does a great job of taking you on a practical run through this fog of decompilers. At the end of this chapter you will be able to decide for yourself what approach is best suited to your problem domain. Again, this material can be challenging but it's like boot camp: You just gotta.

Ch.6 Decompiler Implementation
If the previous chapter hurt your brain and scared you silly then this chapter will have you weeping for joy. The author takes a practical, effective, and most importantly, understandable approach to actually implementing a compiler. Now, as he freely admits, his design may encounter difficulties with edge effects and infrequently used idioms, but it will take you to the point where you can solve them yourself. I really had to smile at how simple and effective the approach taken here is - instead of the expected multiple passes and mind bending parse tree manipulation, we have a single-pass, source-generating decompiler for Java. You won't follow it all first time, but it does work and you can verify it for yourself. Like I said at the start, you don't get that empty feeling from this book, and this chapter is pretty much why. I bought a book about decompiling Java, and now I can.

Ch.7 Case Studies
This chapter addresses the "why" of decompiling, returning again to the moral questions raised at the start. It's more food for thought than prescriptive preaching though, which again is refreshing. I have to admit to dipping into this chapter while reading the rest of the book - the human interest angle always works a treat!

Of course, no book is perfect. What I think could have helped a bit overall would have been an introductory chapter to bytecode. But it's not a great loss and bytecode is actually pretty simple once you get your head around it. Still it might have lessened the learning curve somewhat.

Decompiling Java is a great addition to that section of your bookshelf dedicated to serious books that will be around for a while. The JVM specification and Java bytecode are not going to change that much, so this book is something you'll be able to use for a long time. Personally the best thing about this book for me was that it took me to the next level. Not many books can do this. As a working coder, I pretty much put things like decompilation into the "too hard, just for academics, and I could never grok it", category. It's great when a book comes along that can take you out of that comfort zone.


221 comments

  1. no bytecode intro? by MankyD · · Score: 3, Interesting

    So it's a book about reconstructing bytecode into human interpretable info, but it doesn't have an intro to them? That seems awfully strange. Are you sure you didn't miss something?

    --
    -dave
    http://millionnumbers.com/ - own the number of your dreams
    1. Re:no bytecode intro? by MankyD · · Score: 4, Funny

      whoops. Sorry, I forgot first post was reserved for trolls.

      --
      -dave
      http://millionnumbers.com/ - own the number of your dreams
    2. Re:no bytecode intro? by Anonymous Coward · · Score: 0, Insightful

      That's ok, you didn't get FP anyhow.

    3. Re:no bytecode intro? by gl4ss · · Score: 1

      **Ch.2 Ghost in the Machine
      A good and solid introduction to the JVM and the classfile format. If you're in the market for this book, you probably already know most of this, but a refresher course is always good. For me, it definitely sorted out a lot of internal hand-waving on the subject. Just remember kids, the only thing to fear is fear itself - it's only binary data after all.**

      maybe that one has the bytecode covered in short?

      btw.. for everyone thinking that obfuscators do a good job.. THEY DON'T! especially when it's a ridiculously small program(like all j2me midlets tend to be), the program flow is generally very easy to follow even when churned through the usual obfuscators.

      --
      world was created 5 seconds before this post as it is.
    4. Re:no bytecode intro? by tomhudson · · Score: 1

      someone who doesn't have a clue about bytecode (or op codes) would be way out of their depth anyway.

    5. Re:no bytecode intro? by pjt33 · · Score: 3, Informative

      More details aren't hard to find: the JVM specification is fairly readable and available from the Sun website.

  2. Better Java Book by Pingular · · Score: 4, Informative

    I've read both and I have to say Covert Java is slightly more in-depth, but perhaps more for people more familiar with Java.

    --

    When anger rises, think of the consequences.
    Confucius (551 BC - 479 BC)
    1. Re:Better Java Book by HeaththeGreat · · Score: 1

      Can you expound? I'm interested in decompiling and I'm ok at Java, so I'd like to try out one of these.

    2. Re:Better Java Book by Pingular · · Score: 4, Informative

      'Fraid I don't have both of the books to hand at the moment, but have a look at these reviews/book descriptions if you like:
      Decompiling Java:
      Writing for those who want to learn Java by decompilation, Nolan, a specialist in web site optimization, explains how to turn partially compiled Java bytecodes back into source code so that readers can see what the original programmer was thinking. Early chapters unravel the Java classfile format and show how Java code is stored as bytecode and executed by the JVM. Later chapters focus on how to write a Java decompiler, and a final chapter offers case studies.
      Both Java and .NET use the idea of a "virtual machine," or VM. And while VMs are useful for some purposes, they undermine the security of your source code, because creation can be reversed, or "decompiled." Which makes this one-of-a-kind book extremely useful: you must understand decompilation, to properly protect your intellectual property.
      For example, how secure is your code after you run an obfuscator? The book will answer questions like this, and provide more thorough information about Java byte codes and the Java Virtual Machine (JVM) than any other book on the market. This book redresses the imbalance by providing insights into the features and limitations of today's decompilers and obfuscators, and offering a detailed look at what JVM's actually do.
      This is a fantastic in-depth book on decompilers and code obfuscation tools for Java. It covers the structure of Java code files, the opcodes, and all of the tools required to decompile classes, and to obfuscate existing code. It's an invaluable reference for anyone who has to deploy Java in a non-secure environment, or for those that want to learn how the language really works.
      There is a lot of code to pore through, and there are no illustrations. I think the text could have used some illustrations, but that's not a big sticking point for me.
      If you are a serious Java gearhead you should have a look at this book. And if you have a specific interest in either de-compiling some Java or obscuring your deployed Java bytecode then this is a must have.
      Covert Java:
      "Covert Java" provides a fascinating look at behind-the-scenes Java development tactics that are usually the domain of seasoned veterans. Definitely a read for those who want to master Java.
      --Floyd Marinescu, Author, EJB Design Patterns; General Manager & founder of TheServerSide Communities.
      As a Java developer, you may find yourself in a situation where you have to maintain someone else's code or use a third-party's library for your own application without documentation of the original source code. Rather than spend hours feeling like you want to bang your head against the wall, turn to Covert Java: Techniques for Decompiling, Patching, and Reverse Engineering. These techniques will show you how to better understand and work with third-party applications. Each chapter focuses on a technique to solve a specific problem, such as obfuscation in code or scalability vulnerabilities, outlining the issue and demonstrating possible solutions. Summaries at the end of each chapter will help you double check that you understood the crucial points of each lesson. You will also be able to download all code examples and sample applications for future reference from the publisher's website. Let Covert Java help you crack open mysterious codes!

      --

      When anger rises, think of the consequences.
      Confucius (551 BC - 479 BC)
  3. Been decompiling Java for awhile now... by twoslice · · Score: 5, Funny

    Every time I take a piss after my morning cup of joe...

    --

    From excellent karma to terrible karma with a single +5 funny post...
    1. Re:Been decompiling Java for awhile now... by Anonymous Coward · · Score: 0

      funny????

    2. Re:Been decompiling Java for awhile now... by Anonymous Coward · · Score: 0

      Little-known fact: caffeine actually doesn't break down very well, so there is a measurable amount of it in the oceans now.

  4. another alternative = encrypted class files by ardiri · · Score: 5, Interesting

    in 1999 i wrote a paper on security in set-top boxes (one of my first papers); yay. but, one approach we had was to build a custom class loader that would actually load encrypted classes.

    the details of the paper are:

    1999 - Security in Set-Top boxes
    European Multimedia, Embedded Systems and Electronic Commerce
    EMMSEC '99, Stockholm, SWEDEN
    June 21-23, 1999

    COPY: (pdf)
    http://www.ardiri.com/publications/emmsec99.pdf

    there was a lot of interest on this topic back in the time :) i had a number of successful prototypes built - but, unless you build the class loader into hardware (ie: cannot access the .class file), it's just another hurdle, nothing more.

    1. Re:another alternative = encrypted class files by JavaNPerl · · Score: 4, Informative

      I believe encryption is probably not worth the effort for most people, it's not much of a hurdle to overcome. Ultimately all custom class loader execution paths will lead to a ClassLoader.defineClass call which can either be intercepted by creating a modified system class loader or by creating a JVMPI agent which listens for JVMPI_EVENT_CLASS_LOAD_HOOK events. If you can prevent these methods from being employed then you're probably operating in a secure environment where encryption would be overkill.

    2. Re:another alternative = encrypted class files by Ryosen · · Score: 1

      A noble goal, to be sure, but the custom class loader itself would have to be written in *unencrypted* Java and, therefore, would be subject to decompiling. This is because the custom class loader would be loaded by the VM's native class loader.

      Regardless, it is a very trivial matter to insert a proxy between the VM and the custom class loader that can intercept and persist the unencrypted class.

      If source code security is really that much of a concern, you would need a custom VM that would natively read the encrypted format.

      --

      Ryosen
      One man's "Troll, +1" is another man's "Insightful, +1".
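The limit this thread describes, as an added example that is not code from the thread, the paper or the book: a loader that keeps a class AES-GCM-encrypted at rest must still hold the key and hand plaintext class bytes to `ClassLoader.defineClass`. The class names, the in-memory key handling and the `plaintextSeenAtDefine` flag are assumptions made for illustration; compile with `javac` and run with `java` on JDK 9 or later.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.io.InputStream;
import java.security.SecureRandom;
import java.util.function.Supplier;

public class EncryptedLoaderDemo {

    /** Constructed payload class; its compiled bytes stand in for the "protected" code. */
    public static class Secret implements Supplier<String> {
        @Override public String get() { return "ran from an encrypted class file"; }
    }

    static final String PAYLOAD = "EncryptedLoaderDemo$Secret";

    /** AES-GCM in either direction; mode is Cipher.ENCRYPT_MODE or Cipher.DECRYPT_MODE. */
    static byte[] aesGcm(int mode, SecretKey key, byte[] iv, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, new GCMParameterSpec(128, iv));
        return c.doFinal(in);
    }

    /** Every valid class file starts with the magic number 0xCAFEBABE. */
    static boolean hasClassMagic(byte[] b) {
        return b.length >= 4 && (b[0] & 0xFF) == 0xCA && (b[1] & 0xFF) == 0xFE
                && (b[2] & 0xFF) == 0xBA && (b[3] & 0xFF) == 0xBE;
    }

    /** Hypothetical loader: the class exists only as ciphertext until findClass runs. */
    static class DecryptingLoader extends ClassLoader {
        private final SecretKey key;   // the key has to be reachable by the loader itself
        private final byte[] iv;
        private final byte[] ciphertext;
        boolean plaintextSeenAtDefine; // records what was handed to defineClass

        DecryptingLoader(SecretKey key, byte[] iv, byte[] ciphertext) {
            super(null); // bootstrap parent only, so the payload cannot come from the classpath
            this.key = key;
            this.iv = iv;
            this.ciphertext = ciphertext;
        }

        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            if (!PAYLOAD.equals(name)) throw new ClassNotFoundException(name);
            try {
                byte[] plain = aesGcm(Cipher.DECRYPT_MODE, key, iv, ciphertext);
                // The JVM only accepts an ordinary class file here, so the bytes
                // are in the clear at this call whatever the at-rest format was.
                plaintextSeenAtDefine = hasClassMagic(plain);
                return defineClass(name, plain, 0, plain.length);
            } catch (Exception e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Read the compiled payload from the classpath (requires a prior javac run).
        byte[] classBytes;
        try (InputStream in = EncryptedLoaderDemo.class.getResourceAsStream(PAYLOAD + ".class")) {
            if (in == null) throw new IllegalStateException("compile with javac first");
            classBytes = in.readAllBytes();
        }

        // Encrypt it the way a build step would before shipping.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        byte[] ciphertext = aesGcm(Cipher.ENCRYPT_MODE, key, iv, classBytes);

        // Load and run the class from ciphertext only.
        DecryptingLoader loader = new DecryptingLoader(key, iv, ciphertext);
        Class<?> c = loader.loadClass(PAYLOAD);
        Supplier<?> s = (Supplier<?>) c.getDeclaredConstructor().newInstance();

        System.out.println("ciphertext looks like a class file: " + hasClassMagic(ciphertext));
        System.out.println("bytes at defineClass look like one:  " + loader.plaintextSeenAtDefine);
        System.out.println("defined by the custom loader:        " + (c.getClassLoader() == loader));
        System.out.println("result:                              " + s.get());
    }
}
```

Encryption here protects the file on disk only; anyone who controls the JVM the loader runs in is inside the trust boundary, which is why the posters treat it as a hurdle and point to hardware or a custom VM for anything stronger.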
  5. What ethical problems? by jmorris42 · · Score: 5, Insightful

    Good review, but I have one major nit to pick.

    What ethical problems? Decompiling is perfectly moral and ethical. Whether it is illegal is a separate and, for me, almost irrelevant issue. If I legally own a copyrighted work I am allowed to read it, period and end of story. Corporate licences excepted, software is SOLD, not licensed despite the scary words on the box and the dread click through EULA.

    Hell, I learned assembly by writing a disassembler (in BASIC) and reading the Microsoft BASIC roms, then later reading the commented listings that ran in Color Computer Magazine. (To avoid a copyright fight, and because M$ refused to grant them permission, CCM ran only the comments and memory locations, leaving the reader to run their own disassembly for the opcodes.)

    The only ethical problem would be lifting the code and reusing it without permission and I think we all know that is wrong.

    --
    Democrat delenda est
    1. Re:What ethical problems? by Skim123 · · Score: 3, Insightful
      What ethical problems? Decompiling is perfectly moral and ethical. ... If I legally own a copyrighted work I am allowed to read it, period and end of story. Corporate licences excepted, software is SOLD, not licensed despite the scary words on the box and the dread click through EULA.

      I disagree here. I am a strong believer that people should be able to trade goods/services for prices/conditions they mutually agree upon. If I write software and say I will sell it to you for $x on condition that you do Y (perhaps Y is not decompiling the source), and you agree to these terms, I think it is morally repugnant of you to break our agreement and decompile. You had the choice to not purchase my product, after all.

      --

      I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.

    2. Re:What ethical problems? by jmorris42 · · Score: 4, Interesting

      > I think it is morally repugnant of you to break our agreement and decompile.

      While you are welcome to your delusions, but out here in the real world we have some things called laws. Specifically the Uniform Commercial Code and the Copyright laws.

      You will note that I excepted commercial licenses, since those are actual signed contracts and are legally binding.

      According to the Uniform Commercial Code if goods are exchanged in regular trade there can't be strings attached; i.e. if it looks like a sale it IS a sale. If I buy a copy of Microsoft Windows from Newegg.com I did just that, I BOUGHT a copy of Windows. That means I can do anything with that copy, including read it. I can even copy it in whole or in part so long as such activity falls under the backup exception written into the law or by Fair Use. Of course any other reproduction is forbidden by the artificial monopoly rights granted to the author by copyright. While I have a lot of problems with how copyrights are currently operated (eternal instead of "limited times" as prescribed by the Constitution) I don't have a major problem with that limitation.

      But think about it, what you are saying is that you can sell me a copyrighted work that I am forbidden to read myself. What a load of fetid dingos kidneys! Ford can't forbid me from taking apart a Caddy and not only making, but SELLING plans; but you think your algorithms are so freaking special that you want the government to put me in jail for the crime of reading them? What are you smoking?

      --
      Democrat delenda est
    3. Re:What ethical problems? by YoJ · · Score: 4, Insightful

      It's that mutually agreed condition part that is problematic. When I buy hardware or software, I don't normally agree to any conditions on it. If I did, your philosophy would have merit. There are even good examples of things you buy where you must agree to conditions (like cell phones); you read a contract and sign your name. Software and hardware companies want to have it both ways. They want an enforceable contract that users agree to, but they also want to present their wares in a friendly way that makes people think they are buying something normally.

    4. Re:What ethical problems? by Skim123 · · Score: 1, Interesting
      But think about it, what you are saying is that you can sell me a copyrighted work that I am forbidden to read myself

      Sure. I was thinking of this as an example when I wrote my last post. I could write a book, and say to you, "Here's my book, it's $5, but if you buy it you can't read chapters 3, 7, or 9." And I'd have no problem with that. If you don't want to pay money for a book whose full contents I say you can't read, then fine - don't buy it. But don't buy it, knowing what terms I've laid out, and then whine later on down the road.

      As I stated before, I am 100% for allowing folks to make transactions that they mutually agree upon. If you want to decompile software, buy software that doesn't contain such provisions against decompilation. What's wrong with that?

      --

      I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.

    5. Re:What ethical problems? by l1gunman · · Score: 2, Funny

      Ahem. Last time I checked Ford didn't make Caddys. So I doubt they'd have any qualms about your taking one apart and selling the plans. They might even encourage it!

    6. Re:What ethical problems? by Skim123 · · Score: 1
      Software and hardware companies want to have it both ways. They want an enforceable contract that users agree to, but they also want to present their wares in a friendly way that makes people think they are buying something normally.

      I agree with you fully. Burying what you can and can't do in a EULA, one that you can't read until you take the software home and start installing it, is not what I have in mind. If they wanted to impose such conditions on the software's use, it would behoove them to have on the packaging in big red letters: "BY PURCHASING THIS SOFTWARE YOU AGREE NOT TO DO X"

      --

      I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.

    7. Re:What ethical problems? by yamla · · Score: 1

      (I wasn't the author of the grandparent post) What if I buy some software but do not get to see the EULA until after I have purchased it (say, it isn't available online) and, after purchasing it and reading the EULA, I am not permitted to return the product for a refund? Am I still obligated to follow the EULA in that case?

      --

      Oceania has always been at war with Eastasia.
    8. Re:What ethical problems? by AviLazar · · Score: 1

      When you think about it - you can overwrite most laws (non-criminal laws) with a contract - so long as the contract is not illegal (i.e. a contract between groups to rob a bank is not legal). A good example is contracts that break the "employment at will" clause that many states use.
      So if I write some material and I state that part of our agreement is that you cannot read certain sections of it - by purchasing it you are agreeing to my terms and can be held liable in a civil court. Remember - in terms of software - your pursuit to life liberty and eternal happiness is not void if you do not own the software. So by putting those clauses in the EULA - there is nothing hurting you except for maybe your ego. That is not a valid reason to break the agreed upon contract. Now you -and many other folks- are working on the basis of anonymity and the fact that the company is not able to inspect your computer.
      Now I do not think the makers of Cadillac (not Ford) ever put a stipulation that you could not disassemble your car - so I do not think that is a valid point.

      Actually - you want a better point. If you think you are correct - go decompile Windows XP to its core level. Then head on over to M$ and tell them (making sure they know who you are) that you did this and show them proof that you did it. Then go to your friend's computer and log onto /. to write the post how M$ bankrupted you to the stone age with one of their intern lawyers who was using you as part of his 1st year law school term projects. You need to use your friend's computer because M$ now owns everything you did own.

      --

      I mod down so you can mod up. Your welcome.
    9. Re:What ethical problems? by badfish99 · · Score: 1

      If you've got any copyright or patent on your product, you've got a monopoly on it: if I need such a thing, I've got no choice but to buy it from you. So I've got no way of bargaining over conditions of sale: you can force me to sign up to any conditions you like. Why should I feel any moral responsibility for an agreement that has been forced on me like that?

    10. Re:What ethical problems? by Waffle+Iron · · Score: 2
      If you don't want to pay money for a book whose full contents I say you can't read, then fine - don't buy it.

      You can certainly restrict your customers to such terms -- as long as you convince the buyer to read and sign a legally binding contract prior to the sale.

      If you don't get a signature, you can't expect any restrictions.

    11. Re:What ethical problems? by Roxton · · Score: 1

      Your approach is perfectly consistent and reasonable.

      I don't like it, however. I prefer having standard terms for goods that are sold. No special shrink wrap agreements for mass-produced hammers. No special shrink wrap agreements for software. No unusual "metaphysically ethereal" constraints following around something I've, ostensibly, purchased.

      I like that special terms need to be deliberate and targeted, rather than mass produced.

    12. Re:What ethical problems? by Skim123 · · Score: 1

      Personally I don't think a EULA that is hidden like that should be binding. I'm not pro-tricking consumers. If a seller wants to place limitations on how his product is used, he needs to make the limitations crystal clear to the potential buyer before any money changes hands. The buyer should then think about whether the goods/conditions are worth the price being asked, and make their decision based on that balance.

      --

      I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.

    13. Re:What ethical problems? by cakoose · · Score: 1

      First you imply that the actual laws are irrelevant to your views on morality:

      What ethical problems? Decompiling is perfectly moral and ethical. Whether it is illegal is a separate and, for me, almost irrelevant issue.

      Then when someone argues on moral grounds:

      If I write software and say I will sell it to you for $x on condition that you do Y (perhaps Y is not decompiling the source), and you agree to these terms, I think it is morally repugnant of you to break our agreement and decompile.

      You go back to the law.

      While you are welcome to your delusions, but out here in the real world we have some things called laws.

      If you don't like the conditions of the offer, don't buy the product. But if you do buy the product, don't you think it is immoral to break the agreement you made with the seller (whether it is a signed commercial agreement or not)?

      Ford can't forbid me from taking apart a Caddy and not only making, but SELLING plans;

      So if you buy a copy of MS Office and figure out how to break the copy protection, you think it's OK to sell copies of the cracked version?

    14. Re:What ethical problems? by selderrr · · Score: 2, Insightful

      What about EULAs that are deliberately written in a style/technical language unreadable to the majority of the buyers? Or written with intent to discourage complete reading (a EULA of 125 pages for instance, with 75% of its sentences longer than 10 lines and each one containing 15 buzzwords that you have to go look up online. NOBODY should be asked to read and accept all that. It's just plain stupid)

    15. Re:What ethical problems? by yamla · · Score: 1

      That sounds reasonable to me. Unfortunately, with the exception of EULAs that are available online, I do not know of a single local software store here that would allow you to return software because you did not accept the EULA (but had opened the software). Granted, I live in Edmonton, Alberta, Canada, so it may be different in the U.S., or even in other cities in Canada. But I have tried returning software before when I did not accept the EULA, to CompuSmart and to FutureShop, and neither place would accept the return.

      Next time I try, I should bring in a document for them to sign that acknowledges that they refuse to honour the EULA. That should be good for a laugh. :)

      --

      Oceania has always been at war with Eastasia.
    16. Re:What ethical problems? by Anonymous Coward · · Score: 0

      So as a manufacturer, I should just attach an EULA to whatever I sell.

      This baby garment may not be worn by an actual baby, it is for display only.

      Now when it turns out to be flammable, I'm covered, right? You violated the EULA by putting it on your kid. What's special about software that makes you think you can attach conditions like "not responsible for bugs"? Or: "you can't decompile"?

    17. Re:What ethical problems? by Anonymous Coward · · Score: 0

      The problem is that you are not asked to click through the EULA until after you purchase the software. This is like paying for a new car, and then being told afterward that you cannot drive it unless you agree to only make left turns.

      Anyway, it's all pretty silly.

    18. Re:What ethical problems? by Anonymous Coward · · Score: 0

      Not true. The terms of the deals are exactly whatever the parties agree to. From the tone of your posting it is clear that the only cure to your misunderstanding is a bullet to the head; that might be illegal but in your case not unethical.

    19. Re:What ethical problems? by Saeger · · Score: 0, Flamebait
      "Here's my book, it's $5, but if you buy it you can't read chapters 3, 7, or 9." And I'd have no problem with that.

      You're serious, aren't you? I just don't understand people with your greedy, assbackwards, mindset. You really think that that kind of unenforceable agreement for artificial restriction on your "Intellectual Property" is morally correct and promotes innovation? (Don't answer that.)

      (It's not moral or legal to sign yourself into slavery; the same will one day be said of "IP" artificial scarcity too, IMO.)

      --
      Power to the Peaceful
    20. Re:What ethical problems? by Skim123 · · Score: 1
      If the EULA is clearly presented and the consumer can understand it, then why not. I just know that I wouldn't buy clothes packaged in a label that said: "NOT TO BE WORN BY ACTUAL PEOPLE. HIGHLY FLAMMABLE. IF YOU BURN AND DIE, WE ARE NOT RESPONSIBLE."

      Why do you think I am for hiding or "tricking" people? I said in my original post, in very clear terms, that conditions are only valid if the buyer understands and agrees to them.

      --

      I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.

    21. Re:What ethical problems? by prowley · · Score: 1

      IANAL but it seems to me that these arguments for click through EULAs fail on the basis of what I understand contract law to be. That is, there is no contract unless both sides receive something of value. Now let's look at software: I buy some software from a store, I pay the store money, they give me a box that contains a product. At this point a contract has been exercised - the store gets money, I get the full use of the product I have purchased so everybody gets what they deserve. I then open the box and attempt to use the product I have purchased, now whether a slip of paper drops out of the box advising me of further restrictions on my use of the product or I have to click through an EULA, nothing of value has been conferred to me in exchange for giving up rights to do what I will with what I own. Ergo, no second contract has been entered into.
      Now look at the book example. Books are covered by copyright only. That is, you may stop me from copying your work, but there is nothing that you can do to stop me reading it. For instance, I can read your book without purchasing it, just by standing in the book store or going to the library. Again no contract, no ability to limit my rights. If I purchase your book I own that book and I can do as I will bar re-distributing the work and it would be some really funky kangaroo court that would disagree.
      Of course, business contracts often have stipulations like these. The important point being that both parties know what those stipulations are prior to sale - or they are unenforceable. In every case of EULA I have ever seen, you are not informed of these additional restrictions until after you have purchased the product i.e. until after the contract has been executed.
      It seems to me that if the EULA is legally enforceable, then it ought to be legal for me to purchase software, and upon finalizing the purchase for me to hand the store owner my additional restrictions on the use of the money I just gave him e.g. to be used as a charitable donation only, or perhaps that he must throw me a birthday party this year.

    22. Re:What ethical problems? by Skim123 · · Score: 2, Insightful
      You're serious, aren't you?

      Very.

      I just don't understand people with your greedy, assbackwards, mindset.

      I don't understand people with your mindset, a mindset that strips individuals of their rights. Listen, if I have created something, and want to sell it to you with conditions, why shouldn't I be able to do that? If you don't want to abide by those conditions: DON'T FREAKING BUY WHAT I'M SELLING. Have a little restraint, Mr. Consumer. Jebus.

      I am 100% for free trade between people. You, on the other hand, are against that, since you don't think a seller should be able to make a condition, and a buyer free to choose to accept or deny the sale based on that condition.

      Finally, capitalism works. In a true capitalistic marketplace, having unnecessary, artificial conditions wouldn't be beneficial to the seller, since other sellers could enter the market without such fluff conditions and make the sale. Going back to the author denying readers to read certain chapters, who would buy those books? Rather, the authors who granted full access would far outsell those who did not.

      --

      I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.

    23. Re:What ethical problems? by Skim123 · · Score: 1

      I agree with you wholeheartedly - tricky EULAs should not be enforceable. As I said in my post you replied to: "I'm not pro-tricking consumers."

      --

      I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.

    24. Re:What ethical problems? by jmorris42 · · Score: 1

      > First you imply that the actual laws are irrelevant to your views on
      > morality:

      When a society is correctly operating, laws codify morals. In our current dystopia of the Law divorced from Truth and Justice that isn't always the case. It is the Right, nay it is the Duty, of every citizen in a free society to violate an unjust law as an act of civil disobedience.

      And yes, I have done so publicly, specifically by confessing to violating the DMCA by viewing DVDs on my laptop in a letter to President Bush in support of releasing Dmitry Sklyarov, in the vein of "Let's leave the Russians out of this, if you guys need a DMCA test case, try me."

      > If you don't like the conditions of the offer, don't buy the product.

      That is exactly what the Uniform Commercial Code is about, ensuring everyone knows and can agree in a meaningful way to the terms of the transaction. Without a signed contract specifying different terms though, the UCC says that a sale of goods transfers a clear title to those goods, meaning there can't be any conditions attached.

      There is no way I or any other sane person would engage in trade if the terms of the transaction were unknown until after the deal was irrevocable, which is exactly the case the commercial software industry deludes itself into thinking is happening each time a shrinkwrapped product is sold with a EULA inside or even worse, in the installer.

      If you want your world, spend the money to make it happen. Pay Walmart enough for them to train their clerks to execute a proper contract (with legally required presales disclosures, etc.) each and every time a customer tries to buy your product, execute the proper legal paperwork so that Walmart and their minion has the legal power to engage in a contract in your name, etc. Otherwise deal with reality.

      > So if you buy a copy of MS Office and figure out how to break the
      > copy protection, you think it's OK to sell copies of the cracked
      > version?

      Of course not, it is a copyrighted work and outside a few defined exceptions, reproduction is a legal monopoly granted to the author. However I would consider myself free to DISCUSS the method of protection in use, up to and including disclosing how to defeat it.

      --
      Democrat delenda est
    25. Re:What ethical problems? by AviLazar · · Score: 1

      The trade of value occurs at purchase (you gave money for the box and its contents). Since it is not feasible to sit down with a lawyer at a retail store for each purchase - there is a delay from when you purchase the product to when you see the EULA. You can return the product to the store if you are not happy with the EULA. To say that since the EULA was not presented in visible writing prior to the purchase is not valid BECAUSE you have the option for a full refund. You have the option to read that EULA for -30- days. Again the exchange is your money for the box - the contract is valid on this point.

      When you purchase the book - if there is a contract "you buy this book but are forbidden to read chapter 2" then again - you exchanged money for the book and its contract. Now the bookstore purchased the book from the publisher and they (thusly) agreed to its contract. You standing in the bookstore reading it is violating the contract that the bookstore agreed to when buying the books....obviously the person who gave the original book example was just using it as a general argument and something like that is tough to enforce (just like it's tough to prevent you from decompiling some code).

      Again, as above since you can return the product (30 days) to the store - you have plenty of time to agree to the EULA. As for you giving the money to the store and restricting their use of the money - I have never heard of such a situation. It could be feasibly possible - but I think the store would tell you to take your $49.95 and go run back to Never Never Land :D

      --

      I mod down so you can mod up. Your welcome.
    26. Re:What ethical problems? by ReconRich · · Score: 1

      Finally, capitalism works. In a true capitalistic marketplace, having unnecessary, artificial conditions wouldn't be beneficial to the seller, since other sellers could enter the market without such fluff conditions and make the sale.

      Wow. You're talking about copyright law, which is an artificial monopoly. Your 100% free trade would work just fine if copyright did not create an artificial monopoly, which is why there are laws spelling out what can and can't be done with copyrighted works. If people enter into contracts (Real contracts that are signed) then other conditions can be imposed, so long as that contract is entered into with the copyright holder. But if I go and buy a copy of M$ Office at Best Buy, both the quid pro quo, and the contract is only between myself and Best Buy - not M$ - thus they can impose no conditions because I have entered into no contract with them. THIS IS WHY THERE ARE LAWS THAT DEFINE WHAT CAN AND CANNOT BE DONE WITH COPYRIGHTED WORKS.

      -- Rich

      --
      Free your mind and your Ass will follow -- George Clinton
    27. Re:What ethical problems? by boodaman · · Score: 1

      All well and good, but when you "buy" Windows XP in a store, you aren't buying Windows XP, you're buying a LICENSE to use Windows XP in binary form. Huge difference.

      I haven't looked at my Windows XP box in a couple years, and the shrinkwrap is long gone, but as I recall, the stipulation that you are buying a license to use the software application in binary form and NOT the software application itself (in which case you'd be getting the source) is clearly stated on the box/wrapper. Before you purchase it.

      If it isn't, it is clearly stated on the disk sleeve inside the package. If you don't agree, don't open the disk. If the disk sleeve is unopened, you can return it to the store, no harm done. Thus, by breaking the seal on the disk, you are agreeing to the terms. If you don't agree to the terms, do not break the seal.

      Compiling source code and selling it isn't a way to keep you from using it as you wish, it is a way to protect one's intellectual property. An algorithm is intellectual property...if you decompile a company's code, determine one of their algorithms, and then broadcast it (you said "discuss") to the world, you're diluting their intellectual property. Thus, you're diluting the value of their asset, and that is definitely something you can't do without repercussions, UCC or not.

      I am not required to give you every detail of a product when I sell or license it to you. If you want every detail, you are welcome to contact me to negotiate a special license or contract for yourself (MSFT will show you their source if you pay them and agree to their terms). If I was, you'd get the driver code when you bought an ATi card, or the ROM code for every chip inside when you bought a TV. That doesn't happen, because a company isn't required to give it to you just because you bought a product that uses it from them. You don't own the technology inside the TV, you own the IMPLEMENTATION of the technology in that TV.

      There's a huge difference between purchasing a product and licensing a product. Purchasing a copy of Windows XP would probably cost a couple billion dollars or more. Licensing a copy of Windows XP costs about $150 and comes with restrictions.

      Not to mention the taint factor...if you decompile your copy of Windows XP and read the results, and you are a developer, your future work is forever tainted by Microsoft's intellectual property.

      Go ahead, decompile whatever you like. To me, considering the unencumbered alternatives to something like Windows XP that are available, it isn't worth it.

    28. Re:What ethical problems? by cakoose · · Score: 1
      If you don't like the conditions of the offer, don't buy the product.
      That is exactly what the Uniform Commercial Code is about, ensuring everyone knows and can agree in a meaningful way to the terms of the transaction. Without a signed contract specifying different terms though, the UCC says that a sale of goods transfers a clear title to those goods, meaning there can't be any conditions attached.

      You're talking about specific laws here. The grandparent post was merely saying that violating an agreement is immoral. Why do you assume that the agreement wasn't in writing? Even if it isn't, the point is that violating an agreement is immoral (since you, at the time, were talking about morals and not the specifics of certain laws).

    29. Re:What ethical problems? by Anonymous Coward · · Score: 0

      First you imply that the actual laws are irrelevant to your views on morality

      Laws should be irrelevant to your views on morality. Morality is supposed to dictate law, to provide predictable, uniform enforcement and to clearly state the expectations of a moral code already in existence. Do things the other way around and you're gonna have a bad time. He isn't saying that laws and morality are unrelated, only that the relationship ought to be associated with a clear, unidirectional causality, and therefore that moral decisions are not dictated by the law.

    30. Re:What ethical problems? by jmorris42 · · Score: 1

      > All well and good, but when you "buy" Windows XP in a store, you aren't
      > buying Windows XP, you're buying a LICENSE to use Windows XP in binary
      > form. Huge difference.

      Still hung up on that misconception. No, a license is only in effect if I sign a contract changing the sale into a limited license. They can print "By buying this hammer you agree you will ONLY drive our brand of nails and strike no other object with this tool." on the side, stock the shelves of Home Depot with them and get exactly nowhere when they attempt to enforce their EULA. Because a sale is a sale unless there are signed contracts and consideration given and received.

      > Compiling source code and selling it isn't a way to keep you from using
      > it as you wish, it is a way to protect one's intellectual property.

      "Intellectual Property" doesn't exist. I think this is where you are going off the reality track. What does exist are four related monopolies governments grant, in our case (USA for me, you might not be though) it is expressly "to promote the progress of Science and the useful Arts." Your code is NOT your property, only the Copyright, which is a grant of a monopoly in exchange for you creating and publishing (i.e. disclosing for all to see) the work. Keeping it secret does nothing to promote the progress of Science or the Useful Arts.

      We also have Patents which can protect your algorithm if it passes muster at the Patent Office but a Patent explicitly requires full disclosure of the patented invention, again to promote the progress of Science by allowing others to learn from your creation. The third option is the Trade Secret, which gets almost no government protection outside enforcing the contracts you enter into with those you disclose the secret to. The final item covered under the poorly named class called "Intellectual Property" is Trademarks, but that doesn't pertain here.

      > I am not required to give you every detail of a product when I sell
      > or license it to you.

      No you aren't, but if you are foolish enough to SELL me a copy of your product I am free to discover its workings. It is called reverse engineering and it is a perfectly valid and ethical practice.

      > If I was, you'd get the driver code when you bought an ATi card

      Not at all, nothing requires ATI supply source unless the driver incorporated GPL code or something. However nothing stops the purchasers of ATI cards from reverse engineering them and writing their own, which happens to be the case for several of their cards, moreso for certain less open vendors.

      > if you decompile a company's code, determine one of their algorithms,
      > and then broadcast it (you said "discuss") to the world

      Again, you mistake a grant of a limited monopoly with property. If I do not reproduce their copyrighted code I violate no law unless I signed a confidentiality agreement swearing to preserve their Trade Secrets. If the algorithm is patented it was already fully disclosed, otherwise their patent would be subject to being invalidated. You can't own an idea. In the interest of providing incentives to create new art and science we collectively, through our governments, grant limited monopolies.

      --
      Democrat delenda est
    31. Re:What ethical problems? by jmorris42 · · Score: 1

      > The grandparent post was merely saying that violating an agreement is
      > immoral.

      True enough but this whole matter revolves around whether an agreement exists. When people disagree on such matters, that is where the Law comes into the discussion and it is very clear on the point.

      The original poster holds that as the creator and owner of a work he has absolute power to dictate the terms and conditions it can be USED under, and that by purchasing his work I MUST agree to those terms. I hold that he doesn't own the work, only the limited power of the Copyright and that unless he can convince me to sign a contract stating otherwise, by purchasing a copy of his work I am free to read it, there being no agreement between us to the contrary.

      --
      Democrat delenda est
    32. Re:What ethical problems? by Jonboy+X · · Score: 1

      Ford can't forbid me from taking apart a Caddy and not only making, but SELLING plans

      Especially seeing how Cadillac is a GM brand.

      --

      "In a 32-bit world, you're a 2-bit user. You've got your own newsgroup, alt.total.loser." -Weird Al
    33. Re:What ethical problems? by achbed · · Score: 1

      There is one problem with this - try returning an opened box of software to any store. Almost all retailers these days have a clause on the receipt that you received at the time of purchase that they will not accept any returns of opened software. You can only exchange it for the exact same product (i.e., if the media is defective). This effectively kills any remedy you have under the EULA. Remember, boys and girls, the software giants sell to the wholesalers, big retailers, and big corporations (who have lawyers to negotiate their own EULA terms before purchase) not to itty-bitty consumers!

    34. Re:What ethical problems? by Kyosuke77 · · Score: 1

      You know, when I bought a boxed copy of Windows XP Professional, I don't remember signing anything. In fact, it wasn't until I was installing it on my computer in order to use it that I was presented with a legal contract to which I was asked to affix my 'digital signature' to agree to certain conditions for its use.

      Now what if I bought the CD, took it home, and set about decompiling or reverse engineering this copy of Windows I just bought. Well, there's this clause in that EULA that says I can't do that, but wait, I haven't signed that agreement yet, and heck, since I bought this copy of Windows only so I could reverse engineer it and not to use it I may just not agree to its terms at all.

      The point I'm trying to make is that while the EULA may be a contract, it's only required that I agree to its terms before installing and using it, not at the point of sale before purchasing it. Now naturally, IANAL, but tell me, am I wrong?

      --
      GET THEM INSIDE THE VAULT!
    35. Re:What ethical problems? by boodaman · · Score: 1

      I'm on the reality track. No doubt.

      You can own an idea, just not exclusively. But you can exclusively own the particular implementation of an idea.

      YOU'RE confusing a sale of property with a license to use the implementation of an idea.

      Your hammer example only works if I sell you a hammer, or a TV, or a car. Hammers, TVs, and cars aren't copyrighted. Software vendors aren't selling you their products...they're selling you a LICENSE to use their products. Fundamental difference.

      "No, a license is only in effect if I sign a contract changing the sale into a limited license."

      Then the GPL, the MPL, and every other open source license, is invalid. That makes WhiteBox Linux illegal.

      Because a sale is a sale unless there are signed contracts and consideration given and received.

      Take the GPL, for example. Consideration is given and received. No signed agreement (and no transaction of money) necessary. For more info, read clause #1. The consideration given is the right to "copy and distribute verbatim copies of the Program's source code as you receive it, in any medium.". One of the considerations received by the FSF is the agreement that "you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program."

      If something is published (according to the 1976 Copyright Act):

      "Publication" is the distribution of copies or phonorecords of a work to the public by sale or other transfer of ownership, or by rental, lease, or lending.

      Note the clause "by sale or other transfer of ownership or by rental, lease, or lending."

      A software license is not a transfer of ownership.

      You're hung up on the phrase "buying a copy" and that isn't what you do when you "buy" (most) software.

      Let's see...looking at the box for Intuit's TurboTax (it's just what I have handy):

      "Copyright 2003 Intuit Inc. All rights reserved. This software product is provided under a limited warranty, and your use of this software is governed by the terms of the Software License and Services Agreement presented during installation. You may obtain an advance copy of the Software License and Services Agreement at [URL]."

      They're not "selling you a copy of TurboTax"...they're letting you use (license) TurboTax, which they own, and they're specifying the terms, one of which is you paying for the owner's distribution costs. The fact that there's a disk in the box with a copy of TurboTax on it is just a convenience, not a transfer of ownership. Even the GPL allows you to charge for distribution.

      If you don't like the terms of their license, don't accept the license. There's no requirement on you to complete a transaction, either, since you can get the license without any transaction. There's no bait and switch. It's no different than the GPL or any other license. When you buy a license, you are buying the license, not the thing being licensed.

      If I do not reproduce their copyrighted code I violate no law unless I signed a confidentiality agreement swearing to preserve their Trade Secrets.

      By accepting their license, you accept the terms of their license. One of those terms can be "you cannot reverse engineer the binary code". If a license requires a signed contract, then groups like the FSF wouldn't be able to sue GPL infringers, because there'd be no signed contract. Yet by downloading, installing, and using GNU Linux, I am bound by the GPL. But I never signed anything! So I'm not bound by the license, right?

      You don't "buy a copy of software". You license a copy of software, and licenses have terms. Whether you are ever penalized for violating those terms is up to the licensor.

      Most software licenses are limited licenses...the GPL, Creative Commons, Intuit's license, etc. There's no special requirement that you "sign a contract changing the sale into a limited license".

    36. Re:What ethical problems? by cakoose · · Score: 1
      He isn't saying that laws and morality are unrelated, only that the relationship ought to be associated with a clear, unidirectional causality, and therefore that moral decisions are not dictated by the law.

      If it's a unidirectional causality, then a moral assessment should never depend on any particular laws. The original poster claimed that unapproved decompilation was immoral. Then jmorris42 came around and started citing specific laws to prove that he had the legal right to do so.

      What's worse is he assumed that hypothetical agreement wasn't in writing and proceeded to draw further conclusions from that assumption, sounding very much like someone who is used to exploiting another's lack of knowledge about specific laws.

    37. Re:What ethical problems? by PIBM · · Score: 1
      The point I'm trying to make is that while the EULA may be a contract, it's only required that I agree to its terms before installing and using it, not at the point of sale before purchasing it. Now naturally, IANAL, but tell me, am I wrong?
      You said that you need to agree to the terms to continue the installation... BUT... What is freaking forcing you to agree to the terms to continue the installation? If you don't agree to the terms, nothing stops you from installing this program, since you don't agree with the term that requires you to agree with the terms to install it... and so, you are ok to install it!

      Well, dunno if I said that one right in English... I might have to write it again =)

      The terms state that you need to agree with them to start the installation and leave if you disagree. If I disagree, I am not bound by those terms and then nothing stops me from installing it. Guess that's better stated. So, they can't stop me from installing it except by not selling me the product in the first place and I will NEVER be bound by any EULA except if I choose to be.
    38. Re:What ethical problems? by jmorris42 · · Score: 1

      > Software vendors aren't selling you their products...they're selling
      > you a LICENSE to use their products.

      Nope. On the rare occasion I buy software, I BUY it. You do not need a license to use software any more than you need one to read a book, or even to check one out of a public library.

      > Then the GPL, the MPL, and every other open source license, is invalid.
      > That makes WhiteBox Linux illegal.

      Again, you are quite mistaken. You may download as many copies of WhiteBox from wherever you please with nary a license to worry about from me, Red Hat, Inc, RMS, Linus, etc. However most of the components are copyrighted works and you have no legal right to reproduce them without permission from their authors. That is what the GPL provides, a LICENSE to copy; i.e. to do something you wouldn't legally be able to do. Go read the GPL again, it is a real work of art.

      > Let's see...looking at the box for Intuit's TurboTax (it's just what I
      > have handy):

      It is typical, but meaningless. They can print whatever they want to on the side of the box, the manual, a clickwrap, whatever. It isn't actually a legally binding agreement. Only a contract binds and there are rules that must be followed to have a binding contract. You must have an informed buyer and seller, you must have disclosure, a signature and most important an exchange of value between both parties. A EULA meets none of those tests.

      --
      Democrat delenda est
    39. Re:What ethical problems? by Kyosuke77 · · Score: 1

      Actually any installer program that has a licence agreement step in it will generally cancel installation if you don't accept the agreement. So, you have to accept the agreement to go through with installation of the software, or the installer stops you from installing it. ;)

      What I was getting at originally was that if you never even run the installer but rather just skip ahead to decompiling the software, you've never agreed to the licence terms, including the part about not decompiling it.

      --
      GET THEM INSIDE THE VAULT!
    40. Re:What ethical problems? by PIBM · · Score: 1

      What I mean is that if you don't agree to the agreement, nothing stops you from clicking on the I accept button, since it means nothing because you haven't agreed to it and nothing forces you not to click on that button. Is that clearer now?

    41. Re:What ethical problems? by Kyosuke77 · · Score: 1

      Um, yeah, I guess it's clearer. The thing is, though, that the licence agreement is a contract and if you click the accept button you're bound by its terms.

      --
      GET THEM INSIDE THE VAULT!
    42. Re:What ethical problems? by PIBM · · Score: 1

      What binds the actual button as being an acceptance of the contract? The contract itself... and if you don't accept it, I don't see any law anywhere that would force it down on you ;) This is just like clicking next...

      If you think I'm bad, then just get a program that clicks randomly on the screen for you, and launch it until it gets the install right =)

    43. Re:What ethical problems? by aminorex · · Score: 2, Interesting

      You can't impose unlawful conditions. Freedom is nothing without laws. The fundamental principle here is that no one can freely contract to contravene the law. Does that help?

      --
      -I like my women like I like my tea: green-
    44. Re:What ethical problems? by boodaman · · Score: 1

      Strange...you say one thing, but then you say another.

      First, licenses don't mean anything, they're not binding, because you haven't signed anything.

      But then you say the GPL provides a license, yet nobody has to sign anything to use GPL'd software, or copy it, or distribute it, as long as they meet its conditions. So if I don't have to sign anything, then the GPL isn't binding.

      Which is it?

      If the GPL can say that distributing a GPL'd work constitutes acceptance of the license, and the license is binding, how can that be? There's no contract.

      Which is it?

    45. Re:What ethical problems? by number · · Score: 1

      > If the GPL can say that distributing a GPL'd work constitutes acceptance of the license, and the license is binding, how can that be? There's no contract.

      Er, because if you distribute it, you're distributing someone else's copyrighted works. *DISTRIBUTING*. Not copying/modifying/studying for your own private use, *DISTRIBUTING*. The only way you could do that is with the copyright holder's permission, which happens to be spelled out in the GPL. That's how copyright law works, and that's the whole point of it. If someone else was allowed to distribute it at will, I wouldn't have an artificial monopoly on it.

      I'm not sure why you don't see the difference - in the proprietary case, someone is receiving a copyrighted work and experimenting on it in their own privacy. At no point do they *DISTRIBUTE* that work to anyone else, all they could do is describe it to a third party. If they wanted to distribute it, they would need the express permission of the copyright holder. Well, GPL software comes with just that express permission, which is why you're allowed to distribute it.

    46. Re:What ethical problems? by boodaman · · Score: 1

      The other poster keeps repeating, over and over, that if there's "no signed contract" the agreement is not binding. That if he doesn't sign a contract with the software company, he can do whatever he wants. I disagree.

      My point is that the GPL does not require such a signed contract, only an action on the part of the licensee, to be binding. Right?

      If the GPL is binding without a signed contract, by virtue of an action taken by the licensee (in this case distribution), why is another license (such as the Intuit license I mentioned previously) not binding as well based on an action taken by the licensee (in this case opening the sleeve containing the CD after the licensee has been warned that doing so constitutes acceptance of the license)?

      GPL: no signed contract, prospective licensee warned ahead of time that taking action constitutes acceptance of the license, binding license if the licensee takes such action

      Other license: no signed contract, prospective licensee warned ahead of time that taking action constitutes acceptance of the license, but NOT binding if the licensee takes such action

      Either licenses can be binding without requiring a signed contract, or they can't. Which?

    47. Re:What ethical problems? by jmorris42 · · Score: 2, Insightful

      > But then you say the GPL provides a license, yet nobody has to sign
      > anything to use GPL'd software, or copy it, or distribute it, as long
      > as they meet its conditions. So if I don't have to sign anything, then
      > the GPL isn't binding.

      Exactly correct. If you copy a GNU program and distribute it you do not have to accept the GPL. However when RMS and his squadron of elite attack lawyer ninjas descend upon you for violating their copyright, smiting thee with their righteous fury, only saying "I accept the GPL and have followed all of its conditions" will make them stop, because otherwise they have you dead to rights on copyright infringement. See the difference? The GPL is a LICENSE to perform an action otherwise forbidden by law. You don't have to sign it, but if you want to take advantage of the additional freedoms it grants you must accept it in whole, both the THOU SHALL and the THOU SHALL NOT parts, because nothing else gives you the right to distribute a copy of a GPL licensed work.

      All the GPL is, in essence, the following statement. "This program is copyrighted. This means that by law you may not copy it. However, because we are good hoopy froods and want software to be Free, we grant you the right to copy and redistribute it under the following conditions. By distributing copies it is presumed that you accepted the limitations of this license since nothing else gives you permission to distribute copies so any copies made under terms and conditions not covered by this license are by definition not permitted by this license. QED."

      Now take the typical EULA, it removes rights the end user already has, offers nothing of value in exchange and expects to be taken sight unseen in most cases. Where is the implied consent as in the GPL? By ignoring it I still have the right to run the program because I purchased it, I can reverse engineer it because I bought the copy and have as much of a right to read it as my computer does.

      --
      Democrat delenda est
    48. Re:What ethical problems? by jmorris42 · · Score: 1

      > What's worse is he assumed that hypothetical agreement wasn't in writing
      > and proceeded to draw further conclusions from that assumption

      No, read up the thread, in the very first post I excluded the case of corporate site licensing and other such real signed contract sort of software licensing it should be clear I am discussing consumer EULAs.

      I assert that EULAs are wrong on both moral and legal grounds, either of which alone is cause for ignoring them. I claim that I have as much right to read my software as my processor does.

      --
      Democrat delenda est
    49. Re:What ethical problems? by dvdeug · · Score: 1

      But if you do buy the product, don't you think it is immoral to break the agreement you made with the seller (whether it is a signed commercial agreement or not)?

      I made no agreement with the seller. If the seller wants an agreement, he can give me the forms to sign and I will put my John Hancock on the line if I am willing to make that agreement. Just because I clicked past some text to get the program to install doesn't mean I agreed to it.

      You would give the sellers all the power. You can't return the programs, no matter what they say. Presenting a unilateral contract and claiming I agreed to it, after we've completed the transaction and you've taken my money is almost fraud.

    50. Re:What ethical problems? by BillyBlaze · · Score: 1

      My biggest problem with that is that I think the freedom to do stuff like decompiling or reverse engineering code is extremely important, both to me personally and to the industry as a whole. However, the people in the market for most software don't give a flying shit. Market forces are insufficient to ensure us that freedom, so I think the government ought to, and to some degree does. The other problem is that the "contract" has no consideration, is not available at the time of sale, typically isn't read, isn't signed, and can be clicked-thru by minors, shell scripts, etc. - but others have covered that angle.

    51. Re:What ethical problems? by BillyBlaze · · Score: 1
      The GPL doesn't say distributing a GPL'd work constitutes acceptance of the license. Rather, the GPL can grant you the right, which you wouldn't otherwise have had, to distribute the work, provided you comply with the provisions. So when you distribute a GPL'd work, you haven't implicitly agreed to the GPL - it's just that if you don't, you're infringing copyright law. (If you get sued, you can choose whether it's a copyright or a contract violation.)

      A EULA is different because it isn't granting you distribution rights, instead, it's trying to limit rights you do have. So if you didn't agree, you can still use the work, because that's allowed by copyright. In a similar vein, just using a GPL work doesn't force you to do anything, because you can just not accept the GPL, and the GPL acknowledges that copyright allows you to use it anyway.

    52. Re:What ethical problems? by BillyBlaze · · Score: 1
      With EULAs, the "trigger," installing the software, would be legal if you don't agree to the EULA.

      With the GPL, the "trigger," distributing the software, would be illegal if you don't agree to the GPL.

    53. Re:What ethical problems? by Anonymous Coward · · Score: 0

      If you don't like the conditions of the offer, don't buy the product. But if you do buy the product, don't you think it is immoral to break the agreement you made with the seller (whether it is a signed commercial agreement or not)?

      That depends on the agreement.

      For instance, I have no problem with being morally held to any agreement that I make before exchanging money or otherwise valuable commodity in exchange for a product. However, once the transaction has taken place, any further attempt to modify the previous agreement (like a pop-up filled with restrictions and an "I Agree"/"I Disagree" option) has no moral basis for being honored.

    54. Re:What ethical problems? by number · · Score: 1

      > My point is that the GPL does not require such a signed contract, only an action on the part of the licensee, to be binding. Right?

      No, wrong. You don't have to accept the terms of the GPL to distribute the works, but in that case, you would be infringing the copyright of the author. Copyright is infringed when you distribute their work without their permission. That's what copyright is - a monopoly on *distribution*.

      > If the GPL is binding without a signed contract, by virtue of an action taken by the licensee (in this case distribution), why is another license (such as the Intuit license I mentioned previously) not binding as well based on an action taken by the licensee (in this case opening the sleeve containing the CD after the licensee has been warned that doing so constitutes acceptance of the license)?

      The "actions" however are completely different and you refuse to acknowledge this. In one case, you're REDISTRIBUTING A COPYRIGHTED WORK, which is the sole thing copyright law exists to govern! You're committing a crime by redistributing the GPL'ed work, and the only way you can "get away with it" is because there's a license attached that says "don't worry, you're doing something illegal, but the copyright owners hereby swear they won't act against you as long as you agree to X,Y,Z." It's not a license, it's a reprieve! Do you see the difference yet?

      In the other case, you're in an intuitively ambiguous land of contracts being "agreed" to without the contracter being present to witness it! What if a minor "agreed" to it? Or some third party that disposed of the license and passed it on? This brutalisation of contract law (at least two informed parties mutually agreeing to and signing a document detailing restrictions, assignations and penalties, with copies kept by all) into some bastard child where no one bar the package opener is present, no copies are retained and no negotiations possible is completely unlike anything before it.

      That is the difference and I don't know why you won't comment on it. In one case you've distributed a copyrighted work, in the other you've done the same to one of your possessions as you can with ANY OTHER POSSESSION, bar things the government has outlawed or you have SIGNED A CONTRACT SAYING SO. You're trying to fundamentally change contract law. That's a big hurdle to a lot of people.

    55. Re:What ethical problems? by DrSkwid · · Score: 1

      "NOT TO BE WORN BY ACTUAL PEOPLE. HIGHLY FLAMABLE. IF YOU BURN AND DIE, WE ARE NOT RESPONSIBLE."

      this is a disclaimer, not a licence agreement

      it is very much different from :

      "NOT TO BE WORN BY ACTUAL PEOPLE. YOU WILL GO TO JAIL IF YOU WEAR THIS GARMENT. NO EXCUSES."

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    56. Re:What ethical problems? by Anonymous Coward · · Score: 0

      If the EULA is clearly presented and the consumer can understand it, then why not. I just know that I wouldn't buy clothes packaged in a label that said: "NOT TO BE WORN BY ACTUAL PEOPLE. HIGHLY FLAMMABLE. IF YOU BURN AND DIE, WE ARE NOT RESPONSIBLE."

      Not a good example -- you do realise, I take it, that if someone did buy clothes labelled that way, and they were horribly injured in a fire as a result, they WOULD sue and they WOULD win. Because contracts are not allowed to contain blatantly unreasonable terms (you are not allowed to sign away your firstborn, even if you want to), and therefore all the contract proves in that case is that the manufacturer knew there was a risk... which means bigger damages.

    57. Re:What ethical problems? by juhaz · · Score: 1

      I don't understand people with your mindset, a mindset that strips individuals of their rights.

      *YOUR* mindset is the one that strips individuals of their rights.

      Listen, if I have created something, and want to sell it to you with conditions, why shouldn't I be able to do that?

      You should, and you are able to do that. Make a sales contract with me. If you want to take away some of my rights, you need to give me the agreement on a paper and then we go over it, agree that those restrictions are valid ones and both sign it. Deal done. Very easy, right?

      But you should NOT expect that I'm bound by your conditions the second I pick a package from a store shelf. Or find the note hidden within the box I haven't legally agreed to. It's either or, you either sell your stuff from shelves easily, or you deal with your customers personally if you want to impose restrictions on them. You can't have it both ways.

    58. Re:What ethical problems? by AviLazar · · Score: 1

      That clause - in all reality - means dick. You would be surprised what a few carefully laid out words will do to a store clerk. Something along the lines of - you can take this product or I am calling my credit card company who will then refuse to pay you AND you will have to come to my home at MY convenience to pick it up. But for those who do not use credit cards the following words work well "If you do not accept the return of this product with its receipt - which is within the 30 day LEGAL return period - then I will call the police and then a lawyer." Every single store clerk that gave me problems on the return (and there have been a number) has called their manager and then they accepted the product back.
      A store will tell you whatever they can to keep your money - you just need to know your rights. In terms of returning store goods - you have 30 days on MOST items (houses, and cars are an exception, and probably perishable goods or items you have worn-out).
      So next time you are in a computer store - laugh at their bogus return policy - because it really holds no water.

      --

      I mod down so you can mod up. Your welcome.
    59. Re:What ethical problems? by mrchaotica · · Score: 1

      So, you're saying we should know our rights regarding contract law when it's between us and the store, but not when it's between us and you? You want us to buy your product, then go through all kinds of hassle to return it when we don't accept your EULA which isn't valid anyway?! That's the most asinine thing I've ever heard!

      Copyright and Fair Use applies to YOU TOO, ASSHOLE! If you don't like it it is your fucking responsibility not to sell your software if you don't want people to use it -- once I buy it it is MINE!

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    60. Re:What ethical problems? by selderrr · · Score: 1

      but where would you draw the line ???

    61. Re:What ethical problems? by AviLazar · · Score: 1

      What on gods green earth are you babbling about? Did someone hit you over the head with a retarded stick? Would someone mod this person flame/idiot?
      Where in my post do I say *I* am selling a product.
      Where in my post do I say that *I* post a EULA.

      Once you buy software it is yours to use so long as you obey the EULA. Again - if you want to test the waters on this - break the EULA go to the company and admit to them you broke the EULA and then make a post from your friends computer informing us that you have just been p0wn3d by their lawyers.
      And yes, *I* am saying that you should know your consumer rights - because if you do not - you will be taken advantage. I learned the hard way - at the expense of my wallet - be thankful someone is informing that you have better choices.
      God damn idiot

      --

      I mod down so you can mod up. Your welcome.
    62. Re:What ethical problems? by Anonymous Coward · · Score: 0

      Please don't post using monospaced font (unless you're posting code, ASCII art, etc.).
      It's very annoying.

    63. Re:What ethical problems? by Anonymous Coward · · Score: 0

      To make your analogy more accurate, the label would have to be inside the garment, where it's not visible from the outside, and the garment would have to be sealed in shrink-wrap that, when opened, would make the garment non-returnable.

    64. Re:What ethical problems? by Anonymous Coward · · Score: 0

      Your talking about copyright law

      "You're".

    65. Re:What ethical problems? by Anonymous Coward · · Score: 0

      you can overwrite most laws

      "override".

    66. Re:What ethical problems? by jimthev · · Score: 1

      You have done a fantastic job of explaining exactly what the current situation is and why the "well my box says..." arguments are incorrect. Cheers to you! Anybody that has confusions about the issues should read your thread. I owe you one beer.

    67. Re:What ethical problems? by cakoose · · Score: 1
      I made no agreement with the seller. If the seller wants an agreement, he can give me the forms to sign and I will put my John Hancock on the line if I am willing to make that agreement. Just because I clicked past some text to get the program to install doesn't mean I agreed to it.

      There's some confusion here... I (and some other people) were saying that decompilation is immoral if the agreement you had doesn't allow it. You (and others) are arguing that a post-purchase EULA doesn't constitute a mutual agreement. I'm not exactly sure how those two issues got mixed up in this thread, but it was probably when jmorris42 implied that there are never any ethical issues involved in decompilation:

      What ethical problems? Decompiling is perfectly moral and ethical.
    68. Re:What ethical problems? by achbed · · Score: 1

      An EULA is only valid if both parties agree to it. However, it can also be valid if one party can litigate the other into oblivion without even going to trial. Like the other poster says: Break EULA, get pummeled into nothingness by the company's lawyers.

    69. Re:What ethical problems? by mrchaotica · · Score: 1

      That's a good point. It makes me wish I had the cash to join the EFF and ACLU...

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    70. Re:What ethical problems? by dvdeug · · Score: 1

      I (and some other people) were saying that decompilation is immoral if the agreement you had doesn't allow it. You (and others) are arguing that a post-purchase EULA doesn't constitute a mutual agreement. I'm not exactly sure how those two issues got mixed up in this thread,

      The person you replied to said:

      You will note that I excepted commercial licenses, since those are actual signed contracts and are legally binding.

      So signed contracts were excluded from this subbranch of the thread, at least.

      jmorris42 implied that there are never any ethical issues involved in decompilation

      But you're overcomplicating the matter. A signed contract can add ethical issues to anything. When it is acceptable to break a promise is a philosophical question of long standing, but generally philosophers would agree that it should not be done casually. So that's not an interesting question to debate.

      You can either argue it's never ethical to decompile, or that in the common case, where a program has an EULA prohibiting you from decompiling a program, that it's not ethical to decompile. Those are really the only two issues that anyone cares about debating.

    71. Re:What ethical problems? by Paradise+Pete · · Score: 1
      Wow. Your[sic] talking about copyright law, which is an artificial monopoly.

      He actually didn't start out talking about the law at all. He simply said that if two parties agree to something, then morally they should do what they said they would do. That's all. A simple and reasonable idea. And he's saying that if one party doesn't want to do what they say, then morally they shouldn't enter into the agreement in the first place.

    72. Re:What ethical problems? by cakoose · · Score: 1
      But you're overcomplicating the matter. A signed contract can add ethical issues to anything.

      True... What I *meant* to convey was that the intent of "anti-decompilation" clause might be to hide proprietary company secrets -- to protect an R&D investment. Maybe the seller doesn't really mind if you decompile to interoperate, but can't figure out a safe way to say that in the contract. In such a situation, there are ethical issues related to how much of the decompiled source code can you look at without "stealing" the company's ideas.

    73. Re:What ethical problems? by Anonymous Coward · · Score: 0

      OK, if I sold you a piece of software, and deep
      in the EULA I have a clause saying that you had
      to suck my dick after using the software, would
      you do it? Would it even be legally enforceable?

  6. deconstructing java by BeannieBrewer · · Score: 0, Redundant

    I had been looking through this book just the other day. Glad to see a review.

    --
    Thanks, Beannie
  7. This is one of the features of Java by coolsva · · Score: 2, Insightful

    It has always been the case with Java (and in general many other interpreted/pcode generating languages) that enable them to be decompiled. I remember, back in old VB days, you could take a VB (pre 3.0) executable and decompile to get the original source. Of course, variable names were changed (since VB compiler changed them when converting to pcode).
    As systems get more open/advanced, the sources are more difficult to hide. In case of web apps, there is no need to decompile anything, the javascripts are available for all to see in plain text. Even more advanced applications that use ASP pages that execute on the server, can be seen by changing the URL to list the source rather than execute them (I don't remember the exact syntax, but I think it is related to the alternate data stream in NTFS)
    That is the reason, we have copyright. On a more personal note, I think it serves the community if someone can see your implementation in code, get inspiration and either correct mistakes or expand on the code.

    1. Re:This is one of the features of Java by Malc · · Score: 1

      I didn't think it was possible to view the source of an ASP. So I did a search and came up with this.

      I'm not sure why you think of NTFS file streams. That's a completely different issue. How would your trick work if the ASP pages are on a FAT file system? NTFS streams are interesting: I once used them in a practical joke to consume all of somebody's disk space. They couldn't see in Explorer where it went! Incidentally, it's too bad that Macs can't make use of them for their resource forks when browsing the networks. They seem to leave .ds_store files all over the place.

    2. Re:This is one of the features of Java by coolsva · · Score: 1

      My bad, didn't do research fully on the ASP issue. Here is the URL describing the problem.
      That said, the alternate data stream issue can be found here

    3. Re:This is one of the features of Java by Anonymous Coward · · Score: 2, Interesting

      Java doesn't really have to be that vulnerable. Perhaps code compiled with javac is weak, but it could easily be made much stronger.

      Why? Well, Java bytecode is a lot more flexible than the Java language. Take exceptions for example. In the language we handle exceptions with try-catch-finally grammar productions. But in the bytecode we have a table that specifies ranges of bytecode addresses that are mapped via an exception to an exception handler. The cute thing is that a "range of bytecodes" has nothing to do with control flow; control flow can weave in and out of the range, no restrictions. The handler can even be in the range. And yes, I have seen this happen as a cosmetic bug from a java compiler. But the decompiler has to produce a set of nicely nested grammar productions. Anyway, a range != a try-catch ... Big difference!

      So even a little automatic tweaking could defeat most of the decompilers out there.

      Lots of languages produce Java bytecode on back end as well. Some of the output from these are pretty bizarre.
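
The point in the comment above, that an exception-table entry is only a bytecode address range plus a handler and need not correspond to a nested try-catch, can be checked before trusting decompiler output. This Python sketch is an added example, not part of the thread or of any decompiler named in it; the function names and the sample Code-attribute bytes are constructed, and the checks are heuristics, since (as the commenter notes) compilers sometimes emit handler-in-range entries too.

```python
import struct
from typing import NamedTuple


class Handler(NamedTuple):
    start_pc: int    # first covered bytecode offset (inclusive)
    end_pc: int      # end of the covered range (exclusive)
    handler_pc: int  # offset where the handler code starts
    catch_type: int  # constant-pool index of the exception class, 0 = any


def parse_code_attribute(body: bytes):
    """Parse a Code attribute body (the bytes after attribute_name_index and
    attribute_length) and return (code, [Handler, ...])."""
    if len(body) < 8:
        raise ValueError("Code attribute too short")
    _max_stack, _max_locals, code_length = struct.unpack_from(">HHI", body, 0)
    table_at = 8 + code_length
    if code_length == 0 or table_at + 2 > len(body):
        raise ValueError("empty or truncated code array")
    code = body[8:table_at]
    (count,) = struct.unpack_from(">H", body, table_at)
    if table_at + 2 + 8 * count > len(body):
        raise ValueError("truncated exception table")
    handlers = [Handler(*struct.unpack_from(">HHHH", body, table_at + 2 + 8 * i))
                for i in range(count)]
    return code, handlers


def audit_handlers(code_length: int, handlers):
    """Flag entries that cannot be read back as nested try/catch blocks.
    Returns a list of (finding, entry_indexes) tuples."""
    findings, valid = [], []
    for i, h in enumerate(handlers):
        # Class-file format constraints on a single entry.
        if not (h.start_pc < h.end_pc <= code_length and h.handler_pc < code_length):
            findings.append(("invalid-range", (i,)))
            continue
        valid.append((i, h))
        # The handler protects itself: no source-level try block looks like this.
        if h.start_pc <= h.handler_pc < h.end_pc:
            findings.append(("handler-inside-own-range", (i,)))
    for n, (i, a) in enumerate(valid):
        for j, b in valid[n + 1:]:
            # Source-level try blocks are disjoint or nested, never interleaved.
            overlap = max(a.start_pc, b.start_pc) < min(a.end_pc, b.end_pc)
            a_in_b = b.start_pc <= a.start_pc and a.end_pc <= b.end_pc
            b_in_a = a.start_pc <= b.start_pc and b.end_pc <= a.end_pc
            if overlap and not (a_in_b or b_in_a):
                findings.append(("partial-overlap", (i, j)))
    return findings


def build_code_attribute(code: bytes, handlers) -> bytes:
    """Serialize a constructed Code attribute body for the samples below."""
    body = struct.pack(">HHI", 2, 1, len(code)) + code
    body += struct.pack(">H", len(handlers))
    for h in handlers:
        body += struct.pack(">HHHH", *h)
    return body + struct.pack(">H", 0)  # attributes_count = 0


# Constructed samples: 19 nop bytes and a return; catch_type values are placeholders.
SAMPLE_CODE = b"\x00" * 19 + b"\xb1"
STRUCTURED = build_code_attribute(
    SAMPLE_CODE, [Handler(0, 10, 12, 5), Handler(2, 6, 14, 7)])
UNSTRUCTURED = build_code_attribute(
    SAMPLE_CODE, [Handler(0, 10, 4, 0), Handler(6, 16, 18, 5), Handler(8, 30, 2, 0)])


def audit(body: bytes):
    code, handlers = parse_code_attribute(body)
    return audit_handlers(len(code), handlers)


if __name__ == "__main__":
    for name, body in (("structured", STRUCTURED), ("unstructured", UNSTRUCTURED)):
        print(name, audit(body) or "no findings")
```

A method that produces findings here is one whose decompiled try/catch structure should be compared against the disassembly rather than taken at face value.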

    4. Re:This is one of the features of Java by airConditionedGypsy · · Score: 2, Insightful
      As systems get more open/advanced, the sources are more difficult to hide. In case of web apps, there is no need to decompile anything, the javascripts are available for all to see in plain text. Even more advanced applications that use ASP pages ...

      Web applications are typically implemented server-side. Javascript is client-side code.

      Javascript != web applications

      Perhaps what you are referring to is the source for ASP and JSP/servlets. There have been bugs in servlet containers (specifically, I believe the issue was that the web server in front of a servlet container wasn't configured correctly, and thus instead of passing the request to the SC for handling, just retrieved the file and returned the content to the user's browser), but the code in a JSP or ASP is executed on the server before it ever reaches the client -- this means that it is not possible in the normal course of events for a client to see the "source" contents of such a server-side object.

      This constraint can of course break down when web application servers are not built and/or configured correctly.

      --
      I bootleg Fizzy Lifting Drinks.
    5. Re:This is one of the features of Java by almaw · · Score: 3, Insightful

      How can the parent be modded +3 insightful?!?

      Even more advanced applications that use ASP pages that execute on the server, can be seen by changing the URL to list the source rather than execute them

      Are you smoking crack?

      You can't arbitrarily get at source code on someone's web server. Do you think eBay would want you seeing the passwords to their database servers?

      Web apps aren't written in JavaScript. Sure, there might be some to drive calendar selection or something, but pretty much all real apps (shopping carts, etc.) are done server side.

      Please get a clue and stop spreading your FUD around.

      Additionally, this isn't a "feature" of Java. It's just a side-effect of its machine-independent bytecode. You could argue that it's not all that hard to reverse engineer compiled C - if you step it through a debugger you can see what it does fairly easily.

      Systems being more "advanced" (let's wave our hands a little bit more) won't make it any more difficult to hide the source. Many many people run Java on the server side of web apps. It will always be impossible to view the source for such applications (unless the developers put it up for the world to see, of course). As for being "open", what do you mean? If you mean, "open source" then, well, duh... :)

    6. Re:This is one of the features of Java by coolsva · · Score: 1
      Are you smoking crack?
      Nope

      You can't arbitrarily get at source code on someone's web server
      Like I said, this is more a bug of the IIS server

      Web apps aren't written in JavaScript
      I understand web apps are server side, but most of the UI logic is in JS. These may be simple navigational or more complex XSL which would expose a lot more. Plus with more 'richer' applications, a lot of processing is done on the client side. I have seen many a system with JS for dynamic navigation, badly designed for sure, but the code exposes the URLs which are not to be used by the user directly

      Please get a clue and stop spreading your FUD around.
      I'm not. These are facts. Some are still valid, some are fixed. Even now, I can get any java applet, decompile and see how it was done.

      It's not all that hard to reverse engineer compiled C - if you step it through a debugger
      You miss the main point. Decompiling the .class file gives me a very readable .java file. Stepping through debugger is not something average programmer can do

      As for being "open", what do you mean?
      By open, I mean open to the world. I'm an architect and I would never keep my appserver exposed. I would have the HTTP server outside of the firewall, but all rest stays within the DMZ

    7. Re:This is one of the features of Java by Anonymous Coward · · Score: 0

      Like I said, this is more a bug of the IIS server

      The bug you referenced was a problem discovered in 1997, and patched immediately.

    8. Re:This is one of the features of Java by johnmckeon · · Score: 2, Informative

      You can't arbitrarily get at source code on someone's web server. Do you think eBay would want you seeing the passwords to their database servers?

      I think he's referring to an old bug on IIS that would allow you to view the contents of a file on the server. I believe it was a sample ASP that MS included to demonstrate some capability of ASPs.

      I'm sure there are a few servers around that still have that enabled, but I'm sure most had that thing fixed 3-4 years ago.

    9. Re:This is one of the features of Java by Malc · · Score: 1

      Oooh, those are nasty bugs! Pretty old though.

  8. DJ Decompiler and JAD by Anonymous Coward · · Score: 3, Informative

    No Java developer should be without DJ Decompiler (which sits on top of JAD, the actual decompiler, command line only). Seriously, this book may be useful, but most people are way below needing to know any of this. If you do need to know it or are just curious, fine.

    Oh, and obfuscation, blah, any good IDE (like IntelliJ IDEA) is able to help you work around this junk.

  9. Being able to decompile code.... by tcopeland · · Score: 5, Interesting
    ...can be handy when trying to figure out the advantage of one coding idiom over another. On the PMD project (a Java static analysis tool) there was a discussion yesterday about code like this:
        if(logger.isLoggable(Level.FINEST) == true){
            // etc
        }
    which can be changed to
        if(logger.isLoggable(Level.FINEST)){
            // etc
        }
    to make it read (to me, anyway) a bit clearer.

    Anyhow, decompiling the classfile with "javap -c" shows that a couple of instructions get eliminated by dropping the explicit comparison to "true". So the classfile gets smaller, it loads faster, and (unless the JIT compiler is smart enough to do constant propagation on that conditional) it'll run faster, too.
    1. Re:Being able to decompile code.... by Anonymous Coward · · Score: 1, Interesting

      It's really surprising to me that the compiler doesn't catch onto that optimization. Is there a good reason why it doesn't? It's not like java lets you overload "if".

    2. Re:Being able to decompile code.... by tcopeland · · Score: 2, Informative
      > Is there a good reason why it doesn't?

      The Java compiler does some optimization - for example, when given this code:
          class Test {
              int x = 2 + 2;
          }
      it does algebraic simplification to reduce that assignment to an aload followed by a iconst_4 instruction. And it does some constant propagation so that this:
          class Test {
              private static final int X = 2;
              int y = X + X;
          }
      also gets simplified to the aload/const sequence. I guess it's just some choices the compiler designers made on which things were more feasible to attack.
    3. Re:Being able to decompile code.... by Bill+Dog · · Score: 1
      ...can be handy when trying to figure out the advantage of one coding idiom over another.

      Isn't this beside the point of Java? Java's strengths are security, runs on different OS's, high-level OO abstraction, etc. Performance is not one of them, so isn't this like tweaking the engine in your Civic? If it makes you happy, fine, but if performance is the goal, you should start out with something where performance is already one of its strengths. Choosing idioms based on how they're translated to byte codes seems inappropriate for the platform -- they should be chosen for things like readability, extensibility, decoupling, etc. I.e. all high-level things, as you're using a high-level language.

      --
      Attention zealots and haters: 00100 00100
    4. Re:Being able to decompile code.... by AuMatar · · Score: 3, Informative

      While I hate defending Java in any form, the two should be equivalent on a machine level. To see if a value is true (non-zero), you can do two things- subtract 0 and see if the result is 0, or AND it with 0xFFFF... To see if two things are both the same value, you subtract the two and check if the result is 0. The two are an equal number of instructions (and both test and cmp are quick instructions). On an asm level:

      mov eax, isLoggable
      cmp eax, 0 ;could also use test eax, 0xFFFFFFFF
      jnz skip_if ;if using test, do a jz skip_if ;etc
      skip_if: ;both branches continue here

      A check to true only changes the cmp to 1 instead of 0. It won't run any faster.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    5. Re:Being able to decompile code.... by Anonymous Coward · · Score: 0

      That first if statement should not be considered a valid idiom. It is simply stupid.

    6. Re:Being able to decompile code.... by tcopeland · · Score: 1
      > the two should be equivalent on a
      > machine level.

      Yup, for assembler, that makes sense. But for Java bytecode, the explicit comparison is resulting in this:
      10: iconst_1
      11: if_icmpne 14
      vs
      10: ifeq 13
      So there's at least one extra instruction in there. Of course, again, what the JIT compiler might do with this is something else entirely.
    7. Re:Being able to decompile code.... by UOZaphod · · Score: 1

      My guess is that in the first example, the byte code first evaluates the value of the expression (IsLoggable == true), and then tests whether the result is true. The question then becomes, why didn't the compiler optimize the expression (boolean-value == true), since it is equivalent to (boolean-value)?

      In the second example, there is no intermediate expression to evaluate so the value can be tested directly.

      Could this also mean that the compiler will fail to optimize an expression such as (boolean-value == false) to (!boolean-value), or in the case of the if statement, would the statement

      if (!boolean-value)

      be optimized such that a different compare or branch is used instead of performing a NOT first?

      Regarding your assembly example, what I have found from looking at compiled C programs is that a boolean test looks more like this:

      mov eax, isLoggable
      test eax, eax
      jz skip_if

      test eax,eax runs faster than comparing against an absolute value and of course the machine code uses less bytes.

      --
      "The unicode stuff in the latest version is working fabulously well. My russian mafia friends are ecstatic."
    8. Re:Being able to decompile code.... by CustomDesigned · · Score: 1
      Anyhow, decompiling the classfile with "javap -c" shows that a couple of instructions get eliminated by dropping the explicit comparison to "true". So the classfile gets smaller, it loads faster, and (unless the JIT compiler is smart enough to do constant propagation on that conditional) it'll run faster, too.

      The Java Language spec requires that a conforming compiler (not JIT, but source to bytecode compiler) do constant propagation.

    9. Re:Being able to decompile code.... by pjt33 · · Score: 1

      javap does disassembly, not decompilation.

    10. Re:Being able to decompile code.... by tcopeland · · Score: 1
      > JLS requires [...] constant propagation

      Hm. I knew that the JLS required that in some circumstances - i.e., so that a switch statement can switch on a static final. What's the actual requirement, though? For example:
      int x = 2;
      int y = 4 * x; // can be int y = 4 * 2;
      int z = f(x, y);
      Is a conforming compiler also required to make that transformation?
    11. Re:Being able to decompile code.... by CustomDesigned · · Score: 1
      No, lifetime analysis is not required. Only direct operations on constants. For instance:
      int DAYSECS = 24 * 60 * 60;
      is required to be a simple integer assignment and
      if (false) {
      ...
      }
      is required to completely remove the enclosed code. It might take a language lawyer, however, to determine whether
      if (a)
      is required to be equivalent to
      if (a == true)
      (and I don't recall the exact wording) but my intuition strongly wants that to be the case.
    12. Re:Being able to decompile code.... by tcopeland · · Score: 1
      > remove the enclosed code.

      Hm. It's odd that we see this:
      [tom@hal tmp]$ cat Test.java && javac Test.java
      class Test {
      void foo() {
      final int x = 3;
      if (false) {
      x = 2;
      }
      }
      }
      Test.java:5: cannot assign a value to final variable x
      x = 2;
      ^
      1 error
      [tom@hal tmp]$
      If the code in the "if" body is going to be dropped, why complain about the assignment?
    13. Re:Being able to decompile code.... by CustomDesigned · · Score: 1
      Because the enclosed code must still meet all syntax and semantic requirements. This is a feature - it ensures (unlike
      #if 0
      ) that the disabled code will always compile.
    14. Re:Being able to decompile code.... by tcopeland · · Score: 1

      Hm. Yup, that makes sense. Thanks much!

      Tom

  10. You didn't sell it. by eddy · · Score: 5, Insightful

    >knowing how to decompile code is more about protecting your own source code.

    There are many reasons to learn about, implement and use decompilers, but I don't think "to properly protect your intellectual property" should be one of them.

    I got somewhat interested in this book (never heard about it before), but I think I'm going to pass. Sounds like the decompiling described is too much of a one-trick pony -- which is fine, it's about decompiling java after all -- but I'd really like something like an extension and update of Cifuentes' work in book form, with the lessons from the IDA team too.

    You know, from the beginning; starting with machine descriptions and disassembly for a generic front-end, efficient IR, and on up through the back end.

    Now that'd be a tome [worth paying for].

    --
    Belief is the currency of delusion.
  11. But what about a real link to a real java decomp? by Anonymous Coward · · Score: 0

    I guess we got a review of that book just as an occasion to discuss real java decompilation, did not we?

  12. Obligatory DMCA threats by Anonymous Coward · · Score: 0

    Next time you will see entertainment industry trying to sue Sun for built-in circumvention system.

  13. In Soviet Russia... by kkovach · · Score: 3, Funny

    the decompiler compiles you!

    Er... um...

    the compiler decompiles you!

    Er...

    the java decompiles itself!

    Ah, whatever.

    - Kevin

    --
    The less confident you are, the more serious you have to act.
  14. Maintainance nightmare by RealProgrammer · · Score: 2, Insightful
    I had always assumed that obfuscation was a magic fix that I could apply if necessary.

    Let me get this straight: the author recommends that 'honest' developers obfuscate their code?

    I've read programs that I thought were obfuscated, but later found out were just poorly written. Other times I've run into programmers who, tin hats firmly affixed, went to great lengths to make sure no one learned their Merlinesque techniques for getting the most out of BASIC.

    In context, the author seems to be talking about obfuscating object code. Yikes! What's the opposite of debugging? Buggery?

    Encrypting object code to make it harder to reverse engineer is a giant waste of time. Here are more productive ways to spend the same amount of energy:

    • Making your programs work better
    • Asking other people to look over your code for bugs
    • Commenting the source so you (and others) can find bugs better
    • Replying to 'frist p0sts' on Slashdot

    In fact, I can't think of many worse wastes of time than making a compiled program hard to understand.

    --
    sigs, as if you care.
    1. Re:Maintainance nightmare by jjgm · · Score: 5, Insightful

      I'm sure he's talking about obfuscating the bytecode, not the source code.

    2. Re:Maintainance nightmare by nganju · · Score: 5, Informative

      You've misunderstood. Java obfuscation is an automated process done with a third-party tool that rearranges Java BYTECODE, not source code. The idea being that someone that tries to decompile the BYTECODE will get a bunch of spaghetti. It doesn't take any extra time or energy by the developer, just 5 seconds to run the tool on your .class files.

      --
      There are 2 kinds of people in this world. Those that can keep their train of thought,
    3. Re:Maintainance nightmare by mark-t · · Score: 1

      It's not really a waste of time because the source code remains entirely untouched... it's just one extra step in the build process, and it'd probably even be right there in the buildfile for the project, so it'd happen automatically whenever the source gets changed.

    4. Re:Maintainance nightmare by Anonymous Coward · · Score: 0

      Mod the parent down. Insightful? Apparently RealProgrammer knows nothing about the java language platform.

    5. Re:Maintainance nightmare by RealProgrammer · · Score: 1

      >you've misunderstood...
      >byte code, not source code
      >feature of the language...

      My comments were intended to be more general than the Java language. Whether done with a command line switch, on an IDE checkbox at packaging time, or by writing a quickie program to do it yourself (which amortized is on the same order of time), doing anything to seal up your object code is counterproductive.

      Work to improve the code by revealing it, not by hiding it.

      Unstated and implicit was: what if you lose the source? How do you fix it? How does the poor sap to whom you've sold this prize code debug it when you're hit by a bus and aren't around to sell him the source?

      Obfuscation is shortsighted, and a waste.

      --
      sigs, as if you care.
    6. Re:Maintainance nightmare by owlstead · · Score: 1

      Besides that it removes the meta information in classes. Or renames actually. In Java, all class and member names are available (for reflection) after compilation. This makes the design rather obvious, even without decompilation. Renaming them to counters (a, b, c etc.) makes it pretty hard to see the design straight away. As long as you don't use these classes from outside, this does not do anything to functionality of the program.

      Normally, you would only do this after debugging your code. Obviously, it might make your nice, readable stack traces after an exception pretty hard to read. I've got some Java applications and even libraries that have been obfuscated. I could decompile them but it certainly would take time. In the case of the libraries, the classes used as interface to the user are kept unobfuscated, obviously.

    7. Re:Maintainance nightmare by cant_get_a_good_nick · · Score: 1

      I've read programs that I thought were obfuscated, but later found out were just poorly written.
      Some user has in their .signature here:
      "That's not encrypted - that's a perl script I'm
      working on." from crObar's now defunct matrix parody.

    8. Re:Maintainance nightmare by shmert · · Score: 2, Interesting

      What's fun about decompiling obfuscated code is when you end up with variables and classes that have reserved names, e.g. a class called "if".

      I had to decompile and patch a ridiculously buggy JDBC driver for a commercial database which had been run through an obfuscator, and ran into that issue. Renaming was rather a hassle, I must say.

      I came to the conclusion that they had obfuscated their driver out of shame at the embarrassingly bad code, rather than to protect any intellectual property therein.

      --
      You drank my drink, you drunk!
    9. Re:Maintainance nightmare by nganju · · Score: 1

      You have a valid point. However, the risk of someone decompiling and then doing something illegal (taking out the need for registration key, making slight modifications and then re-selling it) far outweighs the risk of losing the source. Any halfway competent developer has source control, disaster recovery etc. If you're depending on the ability to decompile the binary as a contingency plan if you lose the source, you really don't deserve to be doing software development.

      --
      There are 2 kinds of people in this world. Those that can keep their train of thought,
  15. Yea right. by Kenja · · Score: 0
    "I've just put this book down after reading it right through non-stop for four days."

    Did you then pass out from lack of food and sleep? The most I can manage is two days before getting mighty uncomfortable.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  16. java obfuscation by Anonymous Coward · · Score: 1, Interesting

    It's useful but not very effective at actually making your code unreadable.

    I find that since everything resolves to a native call you can usually figure out what a coder is doing pretty easily.

    In my experience most obfuscation programs are actually used more often than not for reducing code/class sizes and improving efficiency slightly.

  17. Consti-what? by Anonymous Coward · · Score: 2, Funny

    non-stop reading for 4 days and the first thing he does is post on /.?

    I might have gone the bathroom, or perhaps had a snack. Maybe a nap.

  18. Books online by truthsearch · · Score: 3, Informative

    Most techie book these days are quickie grab-bags, and you end up paying for a lot of dead trees that you aren't interested in.

    And so I suggest a service like O'Reilly's Safari Bookshelf. It includes the full text of over 2,000 technical books, many not published by them. No killing trees, far less money than buying books, plus full text search.

    1. Re:Books online by sonofagunn · · Score: 1

      Killing trees keeps millions of acres of habitat available in the Southern US. If we quit killing trees for paper, these tree FARMS will be sold to developers and permanently cut down.

    2. Re:Books online by ThousandStars · · Score: 1
      Downsides: I spend all day staring at a computer monitor. Sometimes it's nice to have 600+ dpi on nice, plain paper. Sometimes I'm not connected to the internet. Sometimes I want to read a book I bought ten years ago.

      Obviously, the pros/cons of e-books have been hashed out before, and to each his own. But I still like the tangible thing.

  19. Jad... by david.given · · Score: 4, Informative
    ...is pretty much the standard decompiler where I work. Alas, it's no longer free, as I've just found out when I searched for its home page, but it works really well. I have, on occasion, used it as a pretty-printer for other people's code. It undoes obfuscation with ease.

    I have yet to try it on byte-code produced by non-Java languages, but I'd be interested to see the results...

    (It sucks that it's no longer free. The version I've got I installed through Debian, for goodness sake, years ago. Does anyone know any free alternatives that work as well?)

    1. Re:Jad... by cpereda_yahoo.com · · Score: 5, Informative

      I use it too and it's still free, you just can't include it in your own product without his permission.

    2. Re:Jad... by Thrakkerzog · · Score: 1

      if you use windows, try DJ.
      It's the best java decompiler I have found.

    3. Re:Jad... by posisoft · · Score: 2, Informative

      DJ is 'only' a JAD front-end

    4. Re:Jad... by Armatich_Defiant · · Score: 1

      JAD is easy.
      1) Download it at http://kpdus.tripod.com/jad.html#download
      2) unzip your jar files you want to decompile
      3) jad -o -r -sjava -dsrc 'tree/**/*.class'
      Done!
      Defiant

    5. Re:Jad... by pjt33 · · Score: 1

      It's actually surprisingly bad at handling try/catch blocks. They're fine if the try block starts at the beginning of the method, but it's rare that I decompile a class and can then compile it without fixing up a few catches. The bit which surprises me is that I can fix them on autopilot - if I used jad regularly, I'd write a Perl script to fix them.

  20. Sun has this info for free... by frankvl · · Score: 4, Informative

    Sun has put the Java bytecode specification online for free..

    Reverse engineering in Java is as simple as the compile process itself. Besides there are already free tools available so why bother??

    1. Re:Sun has this info for free... by Anarioch · · Score: 1

      It sounds to me like the book is talking about decompiling to Java code rather than just getting readable bytecode from class files. javap is the tool that comes with the JDK to get readable bytecode from class files, but this in no way resembles actual java code, and is not very useful as a reverse engineering tool

      --
      Live by the Psi
  21. This is news? by pcal · · Score: 0

    Mocha was available in 1996. Any half-serious java developer understands what decompilers and obfuscators are. They've read the JLS and the VM spec. They've probably reluctantly had to use JAD to debug some 3rdparty library. They can read license files which tell them what they can and can't do with those libraries without getting into legal trouble.

    Why is this topic worthy of 280 slashdotted pages? Color me mystified.

  22. Opposite of debugging by BitwizeGHC · · Score: 3, Funny

    The opposite of debugging is, of course, "embuggening".

    Hat tip to Jebediah Springfield.

    --
    N4st0r, trixx0r h0bb1tz0rz! Th3y st0l3 0ur pr3c10uzz!
  23. Re:Decompiling Java? by Anonymous Coward · · Score: 0

    Sounds interesting.

    No, wait, the other thing - tedious.

  24. Links to books on Amazon by ddent · · Score: 1

    Decompiling Java by Godfrey Nolan on Amazon.



    Another book on the subject is Covert Java : Techniques for Decompiling, Patching, and Reverse Engineering by Alex Kalinovsky... probably more targeted at those who are already pretty familiar with things and want a more in-depth look.



    (Yes, Slashbots, those are affiliate links... that doesn't make them any less useful though, does it?)

    1. Re:Links to books on Amazon by sjasja · · Score: 2, Insightful
      (Yes, Slashbots, those are affiliate links... that doesn't make them any less useful though, does it?)

      Yes, it does make them less useful. Because now it is impossible to tell whether you are saying things like "a more in-depth look" because you really mean it, or because you stand to make a quick buck by making bogus claims about the book.

      Nothing personal, of course; you can probably see yourself why the rest of us simply can't know if you are being honest or running an astroturf con.

  25. -1, Parent's author is an uninformative tool by Anonymous Coward · · Score: 0

    Jesus fucking christ, stop with the Amazon affiliate links already.. as if we couldn't already search for the book on Amazon our own damn selves.

  26. No, they aren't! by Anonymous Coward · · Score: 0

    Yes, you could search, but the grandparent did the work for you, so now you don't have to.

    But seriously, whether they are affiliate links or not, they work exactly the same way. You don't get charged more because it's an affiliate link, it doesn't harm you in any way. Furthermore, they were upfront about the fact those are affiliate links.

    I could see your point if they were just random links, but both of them happen to be very on-topic to the conversation.

    1. Re:No, they aren't! by Anonymous Coward · · Score: 0

      You don't get charged more because it's an affiliate link, it doesn't harm you in any way.

      Except for the constant flood of troll posts, spamming up Slashdot with Amazon affiliate ads so they can get a few cents. Really, you're no better than the usual riff-raff who make all of those "fr1st p0st" messages. Pathetic, omegasphere.

  27. Which is really surprising to me by devphil · · Score: 3, Insightful


    who, as a compiler hacker, would have expected an optimization pass to transform the first form into the second form before generating the bytecode.

    Or more precisely, to understand that both forms are testing for the same thing, and to produce identical simplified bytecode.

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
    1. Re:Which is really surprising to me by tcopeland · · Score: 1
      > to produce identical simplified bytecode.

      Yeah. Another result - this code results in the "if" statement body being optimized away:
      class Test {
        void foo() {
          if (false) {
            System.out.println("boo!");
          }
        }
      }
      but this doesn't:
      class Test {
        void foo() {
          boolean b = false;
          if (b) {
            System.out.println("boo!");
          }
        }
      }
      But who knows - the JIT compiler may discard those bytecodes at runtime. Hard to say...
    2. Re:Which is really surprising to me by Clueless+Moron · · Score: 1
      I'm astounded that Sun javac doesn't do the obvious optimization. I wrote a test program with and without the "== true" part, and here's the diffs (the test prog just println's the result). What the hell?
      < 15: iconst_1
      < 16: if_icmpne 23
      < 19: iconst_1
      < 20: goto 24
      < 23: iconst_0
      < 24: invokevirtual #6; //Method java/io/PrintStream.println:(Z)V
      < 27: return
      ---
      > 15: invokevirtual #6; //Method java/io/PrintStream.println:(Z)V
      > 18: return
    3. Re:Which is really surprising to me by rreyelts · · Score: 1
      who, as a compiler hacker, would have expected an optimization pass to transform the first form into the second form before generating the bytecode

      Almost all of the Java compilers out there do little to no optimizations while generating bytecode. Rather, the focus of the compilers is to generate bytecode that is easily understood and optimized by the virtual machine.

      Since the bytecode for Java is a well-defined standard, there are many more bytecode processors for Java compared to say object-code processors for C or C++. So, a non-optimizing compiler also has the side-effect of making it easier for all of the people writing bytecode processors.

    4. Re:Which is really surprising to me by Pseudonym · · Score: 1

      On the other hand, also speaking as a compiler hacker, I should point out that just because an optimisation is possible, doesn't mean it's a good idea. When you add more optimisation, it costs. It's extra code that you have to write, test and maintain over the life of the compiler. If its entire purpose is to make the rare case of badly written code go faster, then you could quite legitimately turn around to the compiler user and say "don't do that".

      As an example, a compiler could quite easily optimise sin(x)*sin(x) + cos(x)*cos(x) to 1.0 (modulo floating-point roundoff error) wherever it occurs. But if you write expressions like that, surely you deserve the generated code that you get.

      --
      sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
    5. Re:Which is really surprising to me by Anonymous Coward · · Score: 0

      I thought javac was purely a "reference" compiler, and as such isn't actually meant to be used for anything? Maybe give jikes a go?

  28. Decompiling fun by Anonymous Coward · · Score: 0

    The only experience with java decompilers I've had, was my first year of CS study. My teacher was bitching about my coding style, so I downloaded hbd for the next assignment, and decompiled the .class file, fixed up the code to the point that it actually compiled again, and handed it in.

  29. Doesn't work by lycono · · Score: 5, Informative

    This approach to "security" in Java is so trivially easy to circumvent that it's worthless.

    There are a number of papers and articles detailing why this type of approach to "IP security" is so misguided. One such article is here: http://www.javaworld.com/javaworld/javaqa/2003-05/01-qa-0509-jcrypt.html

    The crux is that at some point in time, you have to deliver the encrypted class to the JVM in an unencrypted format. Intercepting this delivery is incredibly easy (no expert knowledge required, the details for doing so are detailed in the article above), at which time someone can just write the unencrypted class file out to disk (or wherever they wish). Voila! All your IP are belong to us.

    1. Re:Doesn't work by r7 · · Score: 4, Informative

      > "security" in Java is so trivially easy to circumvent

      Are you confusing encryption with obfuscation? If not I agree that class-level encryption has no ROI.

      Obfuscation, on the other hand, is an excellent tool for protecting IP. I use Proguard http://proguard.sourceforge.net/ via Ant and am happy with the result, having tried to grok the resulting byte code (using jad...) Good luck trying to work with that!

      R7

    2. Re:Doesn't work by lycono · · Score: 1

      Nope, I'm not confusing encryption with obfuscation. In fact, I don't know where you could get that idea, since neither my post nor the one I replied to mentions obfuscation at all.... Both are quite clearly about class file encryption.

      To your unrelated point however, yes, there are some obfuscators that do make it difficult, though not impossible, to comprehend decompiled byte code. Though obfuscation comes with its own array of potential issues, especially in remote applications or those that rely on reflection.

    3. Re:Doesn't work by adiposity · · Score: 1

      I have implemented an encrypted class loader that never delivers the unencrypted bytes to the java class. The author of this article is mostly correct, and I have read this article before. He states the following:

      until JVM architecture changes to, say, support class decoding inside native code...

      This is already possible and I have implemented it. It involves making direct calls to the jvm libraries from JNI rather than callbacks to java from JNI. There is still a way to get the bytes, but it involves hacking native code...a much harder task.

      -Dan

    4. Re:Doesn't work by Anonymous Coward · · Score: 0

      Why go to all the trouble of modifying ClassLoader in the JVM?

      You've got a perfectly good and unencrypted class file (EncryptedClassLoader) which will tell you everything you need to know to decrypt all those encrypted class files. Simply decompile the EncryptedClassLoader and extract the decryption routine.

      So long as there's an execution path that the JVM can take that starts with unencrypted bytecode, someone can follow that path to figure out what instructions the JVM is executing.

  30. Nothing beats decompiling hacker code... by RZ-1 · · Score: 3, Informative

    that was aimed to foil decompilers.

    It starts off with public variable names like:
    public int YOU_DECOMPILING_NOOB =-1;
    public int NO_SKILLZ_4U=100;

    and then the obfusticator kicks in:
    where a1 and al(with an L) are switched around.
    The variable and method names look similar.

    if (a1.b1.x.y == al.b1.xl.y2){
      a1.v1.x.y &= al.b1.x1.y2 >> 0x4c;
      a1.b1.x( al.b1.x2 );
    }

    Ouch! Also, I think every decompiler has some weaknesses and isn't able to undo all code. I know Jad has some limitations. Unfortunately, I wasn't able to get the source of the code that broke the decompilers ;)

    1. Re:Nothing beats decompiling hacker code... by sipy · · Score: 1

      I have used Ahpah Software's SourceAgain Java decompiler for years, and I've never run up against any Java source code that it could not decompile. I've even challenged people on IRC to send me obfuscated files - each time, I returned them their original code (variable name changes, notwithstanding). They were always blown away.

      I think I bought this product when it first came out, some time around 1998. Their site still appears up and running - http://www.ahpah.com

      Their website even has a way to let you upload a class file, and it'll decompile the first five methods of your class, online, just to show you how good it is!

      Go have a look. This thing blew everyone out of the water in 1998. I can't imagine it's any less capable 6 years later.

  31. Regardless of the ethics... by Ungrounded+Lightning · · Score: 1

    Hell, I learned assembly by writing a disassembler (in BASIC) and reading the Microsoft BASIC roms, then later reading the commented listings that ran in Color Computer Magazine. (To avoid a copyright fight, and because M$ refused to grant them permission, CCM ran only the comments and memory locations, leaving the reader to run their own disassembly for the opcodes.)

    Regardless of the ethics, reading other people's code is, IMHO, the single best way to learn how coding works. And decompiling from object gives you a DAMNED thorough understanding of the guts.

    I too cut my programming teeth reverse engineering other people's code. And despite having had an excellent formal programming education from some of the best in the field (Galler, Riddle, Blue, ...) I still put the formal instruction third in the list of activities that taught me how to code well, with reverse-engineering from object (sometimes accompanied by very distantly related source code) first and "playing" (writing and using my own software and experimenting with the machines' behavior) second. (Fourth, and still important, was trade journals and other publications.)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  32. You're getting it wrong by Quattro+Vezina · · Score: 1

    It should be ``Java bytecode decompiles YOU!''.

    --
    I support the Center for Consumer Freedom
    1. Re:You're getting it wrong by kkovach · · Score: 1

      Yes, I know what it "should have been", but then it would have been the same old boring "In Soviet Russia" joke.

      - Kevin

      --
      The less confident you are, the more serious you have to act.
  33. Why read a book. Just download Jode by JPyObjC+Dude · · Score: 3, Informative

    I have been decompiling Java regularly. Just get Jode. It's very simple and effective. As long as the writers are not using obfuscation tools, the code is fully readable in its original form sans commenting.

  34. on this topic, does anyone know how to: by Surt · · Score: 1

    Capture a java applet?

    By which I mean, there is a java applet running in my web browser. I'd like to decompile it and look over the source code. It's small enough I believe this would be informative. Is there a good way to do this?

    --
    "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    1. Re:on this topic, does anyone know how to: by pcal · · Score: 1, Informative
      • View source of the html page that contains the applet
      • Find the <applet> tag for the applet. This will tell you how the classfiles are getting loaded.
      • In the typical case, the applet will be packaged in a jar which is referenced in the 'archive' attribute of the tag. Download this and decompile away.
      • If the tag only specifies a 'codebase', you may have to download individual classfiles from the webserver yourself.
      • For more info, details on the applet tag are at:
      http://java.sun.com/docs/books/tutorial/applet/appletsonly/html.html
    2. Re:on this topic, does anyone know how to: by bunratty · · Score: 1

      Look at the source of the web page that contains the applet. The URL of the applet is right there.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
  35. System.out.println ("I'll give it a read ");

    1. Re:hmm by Anonymous Coward · · Score: 0
      Didn't you mean
      0: getstatic #2; //Field java/lang/System.out:Ljava/io/PrintStream;
      3: ldc #3; //String I'll give it a read
      5: invokevirtual #4; //Method java/io/PrintStream.println:(Ljava/lang/String;)V
    2. Re:hmm by Easy2RememberNick · · Score: 1

      lol not me...not yet

  36. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  37. Good obfuscation WORKS by JavaRob · · Score: 3, Informative

    The simplest version of cracking a Java program is using JAD to decompile the source, making a few changes in source (like changing the license check to always return "full enterprise version" instead of "time-limited demo"), compiling your altered class, replacing it in the JAR, and running the app.

    Most obfuscators will make this track impossible, by doing things like using language keywords (while, for, if, and so on) for class/method/variable names, so that when you decompile the thing it cannot be recompiled. They also mix stuff around in the classfile enough so that figuring out what method is doing what becomes non-trivial -- stupid things mostly (like naming methods l1(), ll(), I1(), Il(), etc.), plus a few tricks to stop JAD from fully decompiling the class.

    Enough of these little things add up to make the work involved in altering the decompiled class excessive and difficult.

    The more sophisticated Java cracker doesn't bother. They decompile enough source to get their bearings, then edit the appropriate bytecode directly, with a classfile editor. Fortunately, most people with this level of experience can just pay for the frickin software they want.

    I'm actually not obfuscating my Java code yet, but I'm going to start... it's just too easy to crack Java code without it. yGuard obfuscator is a pretty decent LGPL one, that can run as an Ant task.
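The renaming tricks described in the comment above and in shmert's reply under comment 14 (reserved words such as "if" used as names, look-alike names such as l1 and Il, single-letter counters) are visible without a decompiler, because every class, field and method name sits in the class file's constant pool. The following is an added example, not code from the thread or from any tool named in it; the sample class bytes, the name readConfig and the three heuristics are constructed for illustration.

```python
import struct

# Java reserved words and literals: legal as names in a class file, illegal in source.
RESERVED = set("""abstract assert boolean break byte case catch char class const
continue default do double else enum extends final finally float for goto if
implements import instanceof int interface long native new package private
protected public return short static strictfp super switch synchronized this
throw throws transient try void volatile while true false null""".split())
LOOKALIKE = set("lI1O0")  # glyphs that are hard to tell apart in most fonts

# Payload size in bytes of each fixed-width constant-pool tag (Utf8, tag 1, is variable).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def parse_class(data):
    """Return (class_name, field_names, method_names) from raw class-file bytes."""
    pos = 0

    def take(fmt):
        nonlocal pos
        values = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return values

    magic, _minor, _major, cp_count = take(">IHHH")
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pool = [None] * cp_count
    i = 1                                    # constant-pool indexes start at 1
    while i < cp_count:
        (tag,) = take(">B")
        if tag == 1:                         # CONSTANT_Utf8: u2 length + bytes
            (length,) = take(">H")
            # Modified UTF-8 equals UTF-8 for the ASCII names handled here.
            pool[i] = data[pos:pos + length].decode("utf-8", "replace")
            pos += length
        elif tag in FIXED:
            if tag == 7:                     # CONSTANT_Class: index of its Utf8 name
                pool[i] = struct.unpack_from(">H", data, pos)[0]
            pos += FIXED[tag]
        else:
            raise ValueError("unknown constant-pool tag %d" % tag)
        i += 2 if tag in (5, 6) else 1       # Long and Double occupy two slots
    _access, this_class, _super_class, n_interfaces = take(">HHHH")
    pos += 2 * n_interfaces

    def members():                           # fields and methods share one layout
        nonlocal pos
        names = []
        for _ in range(take(">H")[0]):
            _flags, name_index, _descriptor, n_attributes = take(">HHHH")
            names.append(pool[name_index])
            for _ in range(n_attributes):    # skip attribute bodies (Code, etc.)
                _attr_name, attr_length = take(">HI")
                pos += attr_length
        return names

    fields = members()
    methods = members()
    return pool[pool[this_class]], fields, methods

def classify(name):
    """Return why a name looks machine-renamed, or None if it looks ordinary."""
    simple = name.split("/")[-1]             # drop the package part of a class name
    if simple in ("<init>", "<clinit>"):     # compiler-generated, never renamed
        return None
    if simple in RESERVED:
        return "reserved word"
    if len(simple) >= 2 and set(simple) <= LOOKALIKE:
        return "look-alike glyphs"
    if len(simple) <= 2:
        return "very short"
    return None

def audit(data):
    """Map each suspicious class/field/method name to the reason it was flagged."""
    class_name, fields, methods = parse_class(data)
    findings = {}
    for name in [class_name] + fields + methods:
        reason = classify(name)
        if reason:
            findings[name.split("/")[-1]] = reason
    return findings

def build_sample():
    """Constructed sample: an abstract class named "if" with renamed members."""
    utf8 = ["if", "java/lang/Object", "a", "I", "l1", "Il", "()V",
            "readConfig", "Synthetic"]                     # indexes 1..9
    cp = b"".join(struct.pack(">BH", 1, len(s)) + s.encode() for s in utf8)
    cp += struct.pack(">BH", 7, 1) + struct.pack(">BH", 7, 2)  # 10: if, 11: Object
    cp += struct.pack(">Bq", 5, 42)                        # Long takes 12 and 13
    out = struct.pack(">IHHH", 0xCAFEBABE, 0, 49, 14) + cp
    out += struct.pack(">HHHH", 0x0421, 10, 11, 0)         # flags, this, super, 0 ifaces
    out += struct.pack(">H", 1) + struct.pack(">HHHH", 0x0002, 3, 4, 1)
    out += struct.pack(">HI", 9, 0)                        # field attribute: Synthetic
    out += struct.pack(">H", 3)
    for name_index in (5, 6, 8):                           # abstract methods, no Code
        out += struct.pack(">HHHH", 0x0401, name_index, 7, 0)
    return out + struct.pack(">H", 0)                      # no class attributes

if __name__ == "__main__":
    for name, reason in audit(build_sample()).items():
        print(name, "->", reason)
```

A class whose names mostly come back unflagged has shipped with its design readable through reflection and the constant pool, which is the exposure owlstead describes under comment 14.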

    1. Re:Good obfuscation WORKS by mrchaotica · · Score: 1

      How ironic... you're going to use an open-source app to try to prevent people from getting your source!

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  38. Want to keep your code to yourself? Use C++. by Futurepower(R) · · Score: 2, Funny


    The books about decompiling Java are excellent advertisements for C++.

    1. Re:Want to keep your code to yourself? Use C++. by TheLink · · Score: 2, Funny

      Use Perl. Then you can keep the code to yourself. Heck how many people do you think will claim it's theirs? :)

      --
    2. Re:Want to keep your code to yourself? Use C++. by kaffiene · · Score: 1

      C++ can be decompiled well enough.

      Besides, GCJ compiles Java to native executables, so if you think that being native is some kind of "defence" against decompilation / reverse engineering then you can be just as "safe" using Java and GCJ as with C++ and GCC.

  39. Or, another way to say it: by Futurepower(R) · · Score: 1


    Advertisement: Want J. Random Hacker to fiddle with your code? Use Java.

  40. no thanx i'll stick with perl ;-) by Anonymous Coward · · Score: 0

    well i was going to post an example, but the server said:
    Lameness filter encountered. Post aborted!
    Reason: Please use fewer 'junk' characters.

  41. Enough obfuscation is equivalent to encryption. by Futurepower(R) · · Score: 1


    The answer to Java decompilation is a write-once, read-whaaa? language.

  42. obfuscators don't work? by JavaRob · · Score: 2, Insightful

    Obfuscators DO work. They're certainly not foolproof, but they definitely make it more difficult to crack a program of any size.

    I'm not talking about tiny programs; but who even bothers decompiling tiny midlets? Isn't it obvious what they're doing? With tiny programs, if you know enough to be cracking Java programs, you might as well just write the thing out yourself. It's not magic.

    But for larger applications, any decent obfuscator can make it very time-consuming to decompile and edit the programs. I posted more on this in another thread, so let me just say you really have to try it out before you say obfuscators don't work. They definitely DO work at foiling the average cracker who won't spend hours and hours reconstructing a $100 piece of software.

  43. By reading this post you agree to... NOTHING! by Anonymous Coward · · Score: 0

    The mere fact that you've written a contract does not impose any obligations on others. The affected parties have to agree to it. Without agreement, it's just words on paper with no legal weight. It can't in any way prevent people from buying the book or reading certain chapters. Nor can it magically cause one action (buying the book) to carry other obligations (agreement to the terms). Without agreement it may as well not exist at all.

  44. Better watch it... by Ieshan · · Score: 1

    You'd better watch it, that's probably enough evidence for Dunkin Donuts to get it's DMCA lawyers out after you.

    1. Re:Better watch it... by Anonymous Coward · · Score: 0

      get it's DMCA lawyers

      "its".

  45. Correcting myself... by Anonymous Coward · · Score: 0

    Correcting myself here... When I said "the affected parties have to agree", I really meant "the parties bound by the contract have to agree". If you were to require all the book stores to agree to a contract that would require them to get the customer to agree to a contract or refuse to sell the book, and refuse to give them any books to sell if they don't agree, that would work. But if anyone gets a book without agreeing to the terms (and without the law being broken) then they would not be bound by those terms. This is pretty much how NDAs work. Good luck publishing your book under an NDA. ;)

    With EULAs, in theory you could hack the installer to proceed without requiring you to click "I agree", and you'd be doing nothing wrong. Except in countries like the U.S. where there is the DMCA, which makes it illegal to circumvent technological measures that protect access to a copyrighted work (which the EULA screen seems to do).

    But don't listen to me. I'm not a lawyer.

  46. Obfuscation issues by JavaRob · · Score: 1

    I'd agree with you that no obfuscator could really make it impossible to recreate a piece of software from the bytecode... but of course the only real aim is to make it hard enough so that it would be easier to simply purchase the software.

    Though obfuscation comes with its own array of potential issues, especially in remote applications or those that rely on reflection

    Obfuscators pretty much all offer you enough flexibility to exclude classes that will need to be used via reflection or with RMI... or to even save the map of random method names, etc. so that you can make updates to the source then come out with an obfuscated result that is compatible. I'd usually handle this just by NOT obfuscating method names in public interfaces... you can still obfuscate everything else, including instance variables, local variables, and all method code.
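The reflection problem and the two workarounds described in the comment above (a saved rename map, and leaving public interface names alone), as an added example that is not part of the original thread. The class names `a`, `c`, the method `b`, the `Plugin` interface and the rename map are constructed stand-ins for obfuscator output, not the output of yGuard or any real tool.

```java
import java.lang.reflect.Method;
import java.util.Map;

public class ObfuscationReflectionDemo {
    // Constructed stand-in for obfuscated output:
    // originally "PriceRule.applyDiscount(int)", now "a.b(int)".
    static class a {
        public int b(int cents) { return cents - cents / 10; }
    }

    // Interface excluded from renaming, so callers can rely on its names.
    public interface Plugin { String describe(); }

    // The implementing class is renamed, but describe() keeps its name.
    static class c implements Plugin {
        public String describe() { return "renamed class, stable interface"; }
    }

    // Constructed rename map of the kind an obfuscator can save between builds.
    static final Map<String, String> RENAME_MAP = Map.of(
            "PriceRule", "a",
            "PriceRule.applyDiscount", "b");

    // Binary name of a class nested in this demo class.
    static String nested(String simpleName) {
        return ObfuscationReflectionDemo.class.getName() + "$" + simpleName;
    }

    // Reflective call by string name, the pattern that renaming breaks.
    static int invoke(String className, String methodName, int arg) throws Exception {
        Class<?> cls = Class.forName(nested(className));
        Method m = cls.getDeclaredMethod(methodName, int.class);
        m.setAccessible(true);
        Object target = cls.getDeclaredConstructor().newInstance();
        return (Integer) m.invoke(target, arg);
    }

    public static void main(String[] args) throws Exception {
        try {
            invoke("PriceRule", "applyDiscount", 1000); // original names no longer exist
        } catch (ClassNotFoundException e) {
            System.out.println("lookup by original name failed: " + e.getMessage());
        }
        // Workaround 1: translate names through the saved map before reflecting.
        String cls = RENAME_MAP.get("PriceRule");
        String method = RENAME_MAP.get("PriceRule.applyDiscount");
        System.out.println("via saved map: " + invoke(cls, method, 1000));
        // Workaround 2: code against the un-renamed interface, no strings involved.
        Plugin p = new c();
        System.out.println("via interface: " + p.describe());
    }
}
```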

  47. the last book I have been... by _Qiang_ · · Score: 0

    Yes. The last book I read non-stop is Advanced PHP Programming. Luckily it's not a book on PHP syntax etc. Instead it focuses on how to design/maintain web applications written in PHP. PHP is merely being used as an example.

    Decompiling Java... what for?

  48. Disagree by TheLink · · Score: 1

    The opposite of debugging is coding.

  49. Compiling Java by hisstory+student · · Score: 1

    Hmm. Sounds like an oxymoron to me.

    --
    Heard any good sigs lately?
  50. Decompiling? by Anonymous Coward · · Score: 0

    As if we didn't have enough fun with Gentoo...

    1. Re:Decompiling? by maxwell+demon · · Score: 1

      Well, combine it! Whenever you install a program which comes as binary, have it automatically decompiled, and then recompiled with machine-specific optimization!

      --
      The Tao of math: The numbers you can count are not the real numbers.
  51. Astro-turfing. by MythMoth · · Score: 1

    This book may well be perfectly good, but I've been put off it by Fiachra's astroturfing of it. He's a friend of the authors.

    The mention of his name in the above review (for no apparent reason) makes me suspicious.

    Dave.

    --
    --- These are not words: wierd, genious, rediculous
  52. WTF??? by kaffiene · · Score: 1
    You miss the main point. Decompiling the .class file gives me a very readable .java file. Stepping through debugger is not something average programmer can do

    What????!!!!

    Stepping. Through code. With a debugger. THAT is something you think the average programmer can't do????

    Remind me never to hire any programmers you know! :o)

    1. Re:WTF??? by coolsva · · Score: 1

      All good programmers can step through code compiled with debugging option. Commercial executables are stripped of all symbols, so debugging is limited to assembly debugging. I have been in this industry for over 15 years and haven't met too many people who can debug in assembly.

    2. Re:WTF??? by kaffiene · · Score: 1

      I've been in industry for about the same length of time. My comment about the programmers you know stands.

  53. This is not true by andyfaeglasgow · · Score: 1

    There are many sites who use server side java script to power their web applications. Try viewing the source at .

    Don't see much do you? And those functions are not included in separate files either.

    Here's a guide on server side js

    1. Re:This is not true by airConditionedGypsy · · Score: 1
      At first I thought you meant .js libraries that the user couldn't see by telling the browser to view the source.

      I see your point, thanks for the education. My main point is that Javascript is primarily a browser (e.g., client-side) extension. Server-side JS was not part of the original JS technology.

      Any serious web applications are probably not going to be written in server-side JS. I doubt that any web servers other than Netscape's Enterprise Server actually support interpreting JS on the server side.

      --
      I bootleg Fizzy Lifting Drinks.
  54. higher percentage of mistakes in C++ decompilation by Futurepower(R) · · Score: 1


    C++ can be decompiled, but it is missing a layer of information that is present in byte-code decompilation. There is a higher percentage of mistakes in C++ decompilation. Those who are smart enough to find the mistakes are smart enough to earn a good living programming, they don't need to hack someone else's code.

  55. GCJ produces easily identifiable structures? by Futurepower(R) · · Score: 1


    I haven't tried to do it, but I suspect that GCJ produces easily identifiable structures. Compiled C++ is much harder to decompile.

  56. Yeah, yeah by JavaRob · · Score: 1

    Are you sure that's "irony"?

    There's definitely a place in this world for both open and closed source software, and I work on both. I get different rewards out of open vs. closed source projects... though at the moment I pay my rent with closed source work. Because I need to be able to do that, I feel pretty strongly that I should be able to make the choice of whether my work will be open or closed.

    Interestingly, a good obfuscator is a pretty obvious open source project (and there are more than the one I mentioned). Why? Because it's a fairly common need for many professional developers using Java, and a major part of open source development is scratching that itch. When enough people have the same itch, it makes more sense for them to work together and make it open source, than it does for them to work separately, then try to sell many competing (and lower-quality) implementations.

  57. Re:higher percentage of mistakes in C++ decompilat by kaffiene · · Score: 1

    True enough, my point is that if someone wants to hack your code, the fact that it's a native executable is hardly a giant barrier (and if you really think it is, you can native compile your java code anyway)

  58. Business rules are too numerous to dis-assemble. by Futurepower(R) · · Score: 1


    There are two kinds of programs, basically. There are those that implement some programming or mathematical algorithm. If you have the assembly language, it is not very difficult to discover the algorithm.

    Most Java, however, doesn't deal with protocols or fundamental algorithms. Most Java implements business rules. Each rule is not worth much, but the entire manner of operation of Amazon's web site, for example (which may not be written in Java), contains literally thousands of business rules which would be very valuable for a competitor to know. As a practical matter, it is very difficult to turn thousands of anything in assembly language back into higher level code.

    --
    100 Facts and 1 Opinion -- The Non-Arguable Case Against the Bush Administration

  59. I agree! Also, UI code is not worth dis-assembling by aclidiere · · Score: 1


    I agree.

    Also, code for user interfaces (UI) is not worth dis-assembling, because most of the intellectual property is visible on screen anyway.
    Good UI is the easiest thing to steal in a piece of software.

  60. Re:I agree! Also, UI code is not worth dis-assembl by Futurepower(R) · · Score: 1

    Hey, Adrien!

  61. "ethical problems"=all about $$ by Anonymous Coward · · Score: 0

    If I were to take the code and *sell* it, or
    a product derived from it, that's one thing.

    I have no problem disassembling any product for
    my own education or enjoyment otherwise.

    I'm tired of all of this "moral snafu" crap when it really boils down to fear by the company/programmer about threats to their
    profit margins.

  62. Re:I agree! Also, UI code is not worth dis-assembl by SirTalon42 · · Score: 1

    Correction: Bad UI is the easiest thing to steal in a piece of software.