Issues with virtualization protection solutions
Obfuscation can enhance the difficulty of static analysis, but cannot effectively prevent dynamic analysis. The purpose of code virtualization is to increase the difficulty of dynamic analysis.
Java code virtualization is achieved by building custom virtualization engines, allowing bytecodes that could be executed directly to be executed through these virtualization engines. Since it is a custom virtualization engine, the external world cannot directly access its execution method, instruction format, and other information. Moreover, it results in significant code expansion, making it difficult to reverse engineer the code containing its original semantic information.
Virtualization protection is an extremely strong code protection solution, but the biggest problem with virtualization protection is performance. Custom virtualization engines are difficult to adopt numerous performance optimization measures like JVM and cannot apply performance optimization techniques such as JIT. You can try using the JVM engine we mentioned before to execute the same code as a regular JVM and compare the performance, which may result in a performance difference of over 100 times.
Virtualization protection is the most secure code protection method, but due to its significant impact on performance, it cannot be applied to all code in a program. It can only protect critical code, while other code still carries the risk of exposure. By targeting other parts of the code, one can obtain functional information about the virtualized portion of the code.