Consolidation and Decompilation at the SD West Show

tele/scope
February 12, 1998

Norvin Leach
MSDN Online News Editor

Whenever I go to trade shows I ask people what they've seen that's hot, new, zippy. What caught their eye? What made them stop by a booth?

At the Software Development show in San Francisco during February, I got a surprisingly wide range of answers. No one agreed on one specific product or technology, and a lot of what I heard sounded familiar. I couldn't figure out why, until some people put it in perspective for me.

It's a year of consolidation.

Cool becomes mainstream

Jeff Duntemann, editor-in-chief at The Coriolis Group publishers, observed, "This year, the really buzzy stuff has been merged into the mainstream. What you're getting is polished, slick tools."

This is true in several areas.

The number of companies seems to be diminishing because of frequent acquisitions. Rational, once a one-booth company, now has its own Partner Pavilion.

Disparate technologies are merging, and some of the wars are over. Borland, for example, is now licensing and shipping the Microsoft Foundation Classes.

And even last year's "new" languages aren't new any more. Java is no longer the mystery it once was. The tools are becoming mature. And developers are figuring out what they can and can't, should and shouldn't do with the language.

Decompiling Java

I'll spare you any Microsoft marketing rhetoric about Java here, and instead, point out an interesting third-party product that I saw at the show. It's cool, it's fascinating, and like a lot of cutting-edge technology, it's potentially dangerous.

The product is the SourceAgain Professional Java decompiler from Ahpah Software (visit the Ahpah Software Web site at http://www.ahpah.com/). While I've heard of some quick-and-dirty shareware decompilers, this is a professional product that plugs into our developer tools. It can decompile Java executables and provide solid looking source code (not the assembly language that you can get from a debugger).

Beautifying code

How close is the decompiled code to the original? Ahpah claims that, if the code is written clearly, it's almost identical (although, obviously, it lacks the comments). They said that one developer is even using it to "beautify" his code. I'm not a reviewer, so I didn't check this out for myself. It's easy to evaluate for yourself, however. Ahpah's Web site has a running demo—type in the URL of a publicly available class file and it returns the source code.

Prices range from $100 to $300. The product is still in beta, though, and won't be available until the very end of March.

The danger

As I said, though, there's a danger here. If this product makes decompiling Java easy, how do you protect your investment?

I don't know if there's an answer. Ahpah has a license agreement that states that the product should only be used in certain situations, such as assessing an applet from an unknown source, analyzing compilers and optimizers, or retrieving lost source code.

Furthermore, my colleague Dr. GUI points out that this is a known risk. Decompilation is theoretically a simple thing. There's pretty much only one straightforward way to compile Java, and Java class files contain complete type information for the whole class. This means that it's easy to figure out what a Java class is doing.

Open code?

None of this lessens the danger, though. This is the first time I've seen a good, commercially available Java decompiler. And if this becomes a common tool, then it means that Java applets on the client could be considered open code. (On the other hand, it could lead to the development of tools that secure code through processes such as rearranging the byte code.)

I don't have a recommendation here, and perhaps it isn't a problem after all. I mean, you don't see Web-site authors screaming to the World Wide Web Consortium to come up with ways to protect their HTML.

But it certainly is a product to think about.