#obfuscation help

Hey how can i obfuscation my own plugin? Anyone can help me? (I mean minecraft plugin idk i asked in good platform)

<@&987246652869971988> please have a look, thanks.

Before you go down the path of obfuscating your plugin, you have to ask yourself why. Obfuscating java code won't prevent someone from decompiling your code, they just have to figure out names themselves. There are very few good reasons to obfuscate a plugin

But this would be necessary for me, since I am giving this to a person for testing who would like to buy it, but I don't want him to copy the code.

And that would be important to me.

Buy it for $10k? or buy it for $10? There's really no way to stop someone that is determined. Best you can do is probably have a runtime request from a site you control for class files that get loaded at runtime. Lock that behind a one time password. Just doing that, it better be worth more than $10k. Other option is to just make crippleware, only give them a taste of functionality that is hardcoded to a one single scenario.

I just wish it couldn't be decrypted. Isn't there a free way to do this? Just because ProGuard and yGuard don't want to work for me, I don't want a lot of hassle.

I used to have an obfuscation program, I just forgot the name. You just had to drag the file in and it was already protected.

If you don't trust people to do business with them then don't do business with them. It's pretty simple. If this is something they want bespoke then they are paying for the software and should get the code.

I understand, there is only a license system in my code, which has its own API code, and I don't want them to get the API key anyway, with which they can generate any number of license keys.

Just don't do this..

If you give someone your plugin, they have your plugin

Obfuscated or not

to give you an answer though, https://github.com/Guardsquare/proguard and friends

If you have code that people want (more than one person) but don't want to market it yourself, then you need to negotiate that partnership of the person who does want to do that. They have to be reachable though, meaning your lawyer has to be able to legally affect them.

but yeah. very much worth interrograting if its worth your time

Plugins are not worth the obfuscation

Unless you've made something revolutionary

in which case, if you release it open source, and host it on modrinth for example you still get credit and money for that

People copy shit and rehost all the time. Unless it's moderated it's still pointless.

People are becoming more hesitant to use non-open source plugins anyway

It's really a bad practice in this field

Guys, I'm not trying to beat people up, but if I've written my own code, let me protect it

.

then use this

it won't protect you tho

we aren't letting you are not letting you do anything

I didn't ask for a debate, I don't want to argue about whether this is a good thing or not. I just don't want my development server to have access to all my projects

I just don't want my development server to have access to all my projects
well there's no full solution for that in Java

we are just pointing out that there really isn't a way to do exactly what you want

If someone wants to reverse engineer a minecraft plugin, do it, only then they won't find out my API key.

I don't think you can hide an api key that easily if its bundled in the plugin

so why are you obfuscating in the first place lol

But there is. Because many plugins are protected, for example lazarus

I understand that it's not a good thing, of course you buy the plugin, but at least it's protected, a simple field person won't care about what the source code is

thank you

Obfuscation is not protection

A common person won't touch your code anyways

and a person who wants to can do so easily anyways

but do as you wish

So you plan to embed your api key to some other service that costs you money?

No. I just wish they couldn't hack it so easily.

Okay well that is what obfuscation does do

Still sounds like a yes.

That is all. if you look at the source code of the plugin, you won't be able to find out so easily

find out so easily

find out about what?

just how it works?

But I don't want to pay for it, I just want to make the code so that a normal person who doesn't understand it can't understand

No

?

If it has a value and that will self evident if it uses X service that requires an apikey, that that key will be stolen and then sold (multiple times.)

I have a license system, and in order to prevent anyone from using it, there is an API key that, if found out, anyone can create a license or whatever.

right

obfuscation will add 2 minutes of extra time to extract that

if it's even obfuscated with that

depends on where the key is

But if I remove it, the API key will also be protected, and it is not certain that they will be able to read its exact value

In the main class

as a string??

Yes ik it's javascript but i already write in here

Yea

in that case

this will be the same mechanics in my Java plugin

obfuscation won't help

the literal string will still be there

I've found over the years that you should never underestimate the resourcefullness of Russians.

Nevermind

I mean the tool mccue shared won't hide that at all

it will only hide code elements like field names and such

you could do some math that results in your string to hide it

e.g. run it through an encryption algorithm, store that in the variable, and when it's accessed decrypt it

that way people would have to do the same thing which would take 1 minute or so

okay nvm

btw

an actual solution to the API problem is

make them input the api key on their end

and give them a key that expires

they'll have to buy a new key

(obviously, you can still decompile the code, remove the part that checks the api key, and have a working version)

I already have this under the license key, but I don't want to always change the api key of my license server because then I have to do this in everyone's project

oh you only have 1 key?

yeah then it's a bit difficult

ye

bc this key check all license key

right

well a lot of people have tried to protect their plugin like this

and no one has really succeeded

final thoughts before I go to bed
In the plugin space, you should make people pay for updating your product, not the product download itself

Open source works best rn

Say smth like "donate to fund development"

So far, all my projects are only on BuiltByBit, not on Blackspigot or anywhere else

btw in proguard i got these warnings

and i can't obf my code

jar*

ModRinth will pay you advertising money ¯_(ツ)_/¯

(I don't have that much proguard experience so that's on someone else, sorry)

ty

the other thing to know is that even compile c code can and has been reverse engineered, guitar hero 3 is a good example of this, that game was obfuscated to an extreme degree and was still reverse engineered, if someones determined you simply cannot stop that

ofc theres also stuff software which you buy a license for and that has protections in other ways but cracking software is entirely possible and common in software that is needlessly expensive to own

so unless youre a big company who has the power to enforce liscencing, it isnt worth the trouble

there are other ways to go about presenting a program without giving it to the user

yeah having the actual data be server through an API