A comprehensive list of Java obfuscators, including both free/open-source and commercial options. Contributions welcome!
| Name | Description |
|---|---|
| J2CC | Flexible transpiler with lots of cool features and high compatibility. |
| MyJ2C | Obfuscator made by chinese people that managed to skid some of Allatori's-V3 parts such as String Encryption and some other things into their project. Overall only recommend using it when u have nothing else to use. Can be partially deobfuscated using Allatori deobfuscator. Has a interesting feature called "Confusing CallSites". |
| Native/Radioegor146 | Java .class to .cpp converter for use with JNI. |
| Native+ | Modification of Native/Radioegor146. |
| Name | Description |
|---|---|
| JNIC | One of not so many transpilers that offers String Encryption, Control Flow with Flattening and their famous Native compiler. This obfuscator is mainly used for the Native compiling and does a really good job doing so. You can see JNIC as an example in RusherHack Loader. Be aware that the Native obfuscation could cause lag or slow down the processes made in the application. If you would decide to use JNIC for obfuscation then make sure to not use it on it's own and instead use something with it. |
| JNT | A new upcoming transpiler that overthrows JNIC and other transpilers in every aspect. Performance, protection, compatiblity, price and more. Some of the components like renamer, call graph integrity, polymorphic string encryption, strong flow, traversing number encryption, integer table encoding, method inlining and most importantly, native virtualization which is something that JNIC does not have. One of the downsides might be the fact that they obfuscate your JAR on Cloud, essentially not obfuscating locally on your device which could create some trust issues. This might change over time. Althought if we ignore the cloud part, there is a chance that JNT will one day become the standart transpiler, replacing JNIC, given the fact that JNT has already managed to be faster than JNIC. PS: This has been reported by the devs, there have been few samples out there but I can not 100% confirm all of this, it is in development and not released yet. Also has raw bytecode obfuscation, not just native. |
| Skidfuscator Enterprises | Commercial. Skidfuscator Enterprises is a paid, cloud based, better version of Skidfusctor Community, which offers more and better features and in the future will possibly even have Native obfuscation. One of the downsides might be the fact that they obfuscate your JAR on Cloud, essentially not obfuscating locally on your device which could create some trust issues. |
| Virbox Protector | A native obfuscator, has a code virtualization made by chinese people. It's very different from native obfuscators from github and it's very expensive, almost 10k CNY per year. |
| Name | Description |
|---|---|
| Abonasera | Pretty lightweight because it only encrypts strings. Should not be used on its own, as it wont stop any reverse-engineer. |
| AckerRun | Lightweight/Heavy obfuscator depanding on your config. Has some interesting features that not every other obfuscator has. Looks like XenonGuard skid but I can't confirm that. |
| Alpheratzteam | Older obfuscator using older tricks—Very outdated. Not adequate for use in any layer. |
| Ambien | Obfuscator that is not getting actively developed anymore. Has some cool packaging features mainly targeting Recaf 2.x with a great succeed since their RedHerring feature adds a fake jar before the real one. Most RE tools don't read backwards like the JVM, so they will read the fake jar. Also has a decent Crasher transformer that confuses various decompilers & other reverse engineering tools. Still contain some bugs/issue to this day. |
| Avaj | Has a nice way of generating decryption subroutines on string constants. Also has some CFG flattening which is always nice to see. |
| Black | Android APK DexFile, it can help developer to protect source code by control flow flattening, and make it difficult to analyze the actual program control flow. |
| Bozar | Has some cheap tricks along with GUI that I have seen being used in the Minecraft Community. Definitely a look worth. Can be deobfuscated using Narumii. |
| Bruhfuscator | Based on Ambien, is a skid of multiple FOSS obfuscators, therefore nothing in it is selfmade or special, it's horribly broken and has "experiemental" features on the most basic of transformers. Skidded transformers from GOTO, MyJ2C, Colonial and Souvenir. It was a nice obfuscator base (Not ready-for-use because it still doesn't contains features like local variable remover) for skids. |
| Caesium | Has a transformer that implements a well-known HTML injection into any Java reverse-engineering tool that parses HTML tags. Shows alot in Minecraft Community. Can be deobfuscated using Narumii. |
| CafeVault | Basic Jar-File Crypter, therefore has a lot of room for improvements. Could be used as lightweight top-layer. |
| CheatBreaker | Decent obfuscation that looks similar to Caesium's, but not as strong. Obfuscation is overall decent. Shows in Minecraft Community. Can be deobfuscated using JavaDeobfuscator. |
| ClassCloak | Basic obfuscator with string encryption. |
| CodeEncryptor+ | Uses JNI to encrypt bytecode and JVMTI to decrypt bytecode in order to protect code. The encrypted Class files becomes malformed and cannot be parsed. |
| Colonial | Rename of Simple Obfuscator, with some additions of JObf/SB27. The string decryption with its hard-coded switch-case slightly reminds of ZKM (Zelix Klass Master), tho not nearly as strong. Is beloved by kids who develop their "own" Minecraft HvH clients, mainly russians. Can be deobfuscated using Colonial-Deobfuscator. |
| Crater | Basic java obfuscator. |
| dProtect | Build on ProGuard with additional flow-obfuscation, mixed-boolean-arithmetics-transformations and string-encryption. Definitely worth a try. |
| GOTO / GOTO | An obfuscator made by chinese people written in Kotlin. Has interesting features but are kind of broken. |
| Grunt | Another ofuscator written in Kotlin. Should be used as a lightweight layer of obfuscation. Overall has very based features that are compatible with each other. Mainly known in Minecraft Comunity for it's mixin support renamer and compatibilty with obfuscating Forge mods/Plugins. |
| Herbst | Light obfuscator made for some mc client. Only good for its flow and maybe its String encryption. |
| HsGuard | An obfuscator developed by chinese people. Bad skid of Scuti with minimal additions. Can be deobfuscated using Narumii. |
| InDy | A simple project that provides an implementation to obfuscate method calls in Java Bytecode by replacing them with invokedynamic instructions. |
| JarObfucator | A obfuscator with simple Bytecode transformers such as XOR encryption. Has a Class Encryptor which encrypts the contents of classes and allows you to decrypt them at runtime by using a Java Agent with their decryptor. |
| Javari | A simple obfuscator with a nice GUI and not so nice obfuscation-techniques. |
| JBCO | Some interesting flow obfuscation techniques that still work in modern Java. Based on the Soot library which is also something worthwhile checking out. |
| JObf/SB27 | Pretty outdated. Due to the generic name is more commonly referred to by the author's name superblaubeere27 / sb27. Has some basic features along with a GUI. Still shows allot in the Minecraft Community (Mainly in Asian Anarchy Clients and hypixel cheats). Can be easily deobfuscated with no effort using Narumii/JavaDeobfuscator. |
| Masxinlingvonta | Compiles Java ByteCode to LLVM IR (for obfuscation purposes). |
| Mosey | Outdated obfuscator mainly coded in Scala. Overall is no recommended for use since the obfuscation is very light and is easy to deobfuscate. Mainly used for 2+. layer obfuscation. Can be deobfuscated using Narumii. |
| NeonObf | Made up of the easier to defeat obfuscation techniques. NeonObf is also the name inspiration for Radon. |
| Ob | Older obfuscator from 2011 with string encryption, branching, and a renamer. |
| Obsidian | Control flow obfuscator that looks like it's being worked on. Looks interesting and definitely unique compared to what you might see normally. |
| ObzucureVM | Java Virtual Machine made in Java. |
| Radon | Abandoned experimental obfuscator by ItsSomebody (The person that made some of the parts of this Obfuscator list). Radon is an open-source free obfuscator. It has a UI that's visually similar to Skidfuscator/ProGuard and it is very intuitive to use. Easy to deobfuscate using JavaDeobfuscator. |
| Reflow | A Java Bytecode Obfuscator. |
| Retype | A Java Bytecode Obfuscator. |
| Sandmark | Really old obfuscator research project led by Christian Collberg at the University of Arizona. Has some interesting ideas in static and dynamic watermarking (Embeder & Recognizer) are some of the flow obfuscation ideas are good. |
| Scuti | Outdated obfuscator. Has an option to pack classes into binary blobs, and load them via a classloader. The binary blob names are just the original class names with simple XOR encryption, and the blob contents are the original class file with simple XOR encryption. Can be deobfuscated using Narumii. |
| Sentinel | Dead, Obfuscator mainly known in Minecraft community. Has some basic features. Currently there are no public transformers for it and still can be used. If you decide to use it, make sure to use key "sentinelisback" once you run it in cmd. |
| Skidfuscator Community | Skidfuscator is known obfuscator for its simplicity, ease of use, and effectiveness in protecting Java applications from reverse engineering and tampering. You can get free (community) version having overall strong obfuscation. Paid (Enterprises) version has (Unfinished) Native obfuscation with some other features that aren't included in the Community version. Has its own documentary website. Requires libraries (Doesn't have max depth). Free version has slightly broken Matcher. Uses Maple IR framework which is something worth checking out. Shows a lot in Minecraft community. |
| Souvenir | Lightweight obfuscation that doesn't have anything special. Has only 3 transformers (Light Flow, String, Number). |
| StarLock OR StarLock Original | Pretty solid obfuscation techniques; it is a good canidate for a layer. It has an interesting flow technique called reverseJump which inverts jumps with antonyms to create "else" blocks. |
| W-Tap Fuscator | Relatively new java obfuscator with ≈1/2 of transformers skidded. Interestingly, there is a joker watermark and text prayers against RE. Might defend your code, who knows... |
| XenonGuard | Decent obfuscator based off CheatBreaker. Kind of looks like free version of ZKM. Has a very good and useful features that not every obfuscator has these days. Even tho there are no public deobfuscation transformers, I still recommend layering it since it's based off CheatBreaker and I am unsure if some transformer are still from CheatBreaker. Overall I really like this one. |
| XiaoShadiao | Java bytecode obfuscator made by Chinese people. |
| yGuard | Functionally equivalent to ProGuard as far as I can tell. |
| Name | Description |
|---|---|
| Allatori | Was a somewhat popular choice in industry. The v3 has been leaked a long time ago Allatori-V3, tho not nothing special. Can be mainly found on Java based Malware. |
| Binscure | Binscure was a commercial Java obfuscator that had a running spat with Recaf. Its primary advertised features were its crasher and zipping abilities and intense flow/indy obfuscation. However as with most cat-and-mouse games, one side would give up. Since we're using past tense here, its Binscure if you haven't caught on. The ASM/RE tool crashers are now fully patched in Recaf with current versions. The flow and indy obfuscation still is fair for the current market. Can be deobfuscated using Narumii/JavaDeobfuscator. |
| BranchLock | An online, web-based obfuscator primarily known for its AntiDebugging features. It advertises itself as 'modern, lightweight, but powerful,' which is now untrue, considering that it can't compete with modern obfuscators anymore. It appears somewhat in the Minecraft Community. Due to it being web-based, it had some DDoS attacks lately, which caused the site to be down. Also is known to be easy to read though. Minecraft clients like Monsoon v2 or Prestige used this and got cracked many times. |
| ClassGuard | Relies mostly on class encryption with hardcoded AES keys in native libs. Pretty easy IDA/Binary Ninja/Ghidra exercise if you want to flex on your blog on something. Can be deobfuscated using JavaDeobfuscator. |
| DashO | Shows up a bit in industry and has some interesting ideas (albeit probably outdated) in flow obfuscation. You can skid their string encryption code right here. Can be deobfuscated using JavaDeobfuscator. |
| DexGuard | Mainly used for obfuscating Android apps. Never saw any samples. Can be deobfuscated using JavaDeobfuscator. |
| Eskid | Decent obfuscator based on HsGuard and Scuti. Shows alot in Minecraft Community. Could be possibly deobfuscated using AckeRun's Eskid deobfuscator trasnformer. Got cracked by PlutoSolution. |
| JObfuscator | Most of the obfuscated code are just int/double arrays with some light flow obfuscation (Based off sample). Uses polymorphic algorithm for strings encryption. Has only few features. Last update was made on 09.08.2022 which is a version 1.10. |
| Obzcure | Web-based obfuscation service with some inspiration taken from Radon and SkidSuite2. Used to go by the name "SpigotProtect" so you might see some Spigot plugins using the obfuscation from this product if you look around hard enough. Can be deobfuscated using JavaDeobfuscator. |
| Paramorphism | Was one of the most unusual and unique obfuscators at the time it was an active project in that relied a lot more on the JVM's unusual way of loading JAR archives including zip entries with duplicated names and the fake directory trick. Used to be more commonly used before people started ripping ideas from Paramorphism. Can be deobfuscated using JavaDeobfuscator. |
| Phantom Shield X | Java bytecode obfuscator made by Chinese people. |
| Protector4J | This "crypter" uses a JDK to It's advantage by removing as much critical features useful for reverse engineering while keeping the JDK functionable. It also encrypts your Jar so the JDK just simply can't be replaced. |
| qProtect | Got cracked millions of times, Devs and Admin only care about money, promotion and like to d0x people that don't like qProtect and possibly harass them or try to scare them. Their transformers are 1 big pattern and can be easily deobfuscated, not even mentioning the pain people have to go through to even make a working obfuscated jar. String obfuscation sometimes breaks actual strings, failing to correctly encrypt/decrypt them or chunks of code simply getting removed. Horrible scam for $70 (Skidfuscator FOSS is better than this). |
| Stringer | Pretty infamous for its complicated AES-based encryption/decryption routines and price. Does not really offer a whole lot of protection, but sometimes does show up in industry. Older versions can be deobfuscated using JavaDeobfuscator and got cracked few times. |
| ZKM (Zelix Klass Master) | Zelix KlassMaster Obfuscator is known for its robust obfuscation techniques and strong obfuscation capabilities and is used by many companies to protect their Java applications from reverse engineering and tampering. Currently the best obfuscator for Java right now and always updates their compatiblities for newer or even older Java versions with bug fixes or patches whenever there are public deobfuscation transformers. |
| zProtect | Stupid Binscure skid. Not recomended for use. SRC of it has been leaked and their obfuscation could be possibly deobfuscated using darklols zProtect deobfuscator or using Binscure deobfuscator to semi deobfuscate it. |
| Zortfuscator | Dead, not so known obfuscator. Can tell that it has good obfuscation techniques from the look at the samples they have on their discord server and some small sample in a video made by akita. |
For performance and effectiveness comparisons from external sources:
- Fork the repository
- Add new obfuscators with complete information
- Keep descriptions factual and unbiased
- Submit a pull request
