3000IQPlay/obfuscator-list

Java Obfuscator List

A comprehensive list of Java obfuscators, including both free/open-source and commercial options. Contributions welcome!

⭐ marks an obfuscator that is a solid, recommended choice.


Transpilers/Native Obfuscation

Free/Open Source

Name Description
J2CC Flexible transpiler with a wide feature set and good compatibility.
MyJ2C A Chinese-developed obfuscator. Reuses some components from the leaked Allatori v3 (such as string encryption) alongside its own additions. Generally only worth using as a fallback. Parts can be deobfuscated with the Allatori deobfuscator. Notable for its "Confusing CallSites" feature.
Native/Radioegor146 Java .class to .cpp converter for use with JNI.
Native+ A fork of Native/Radioegor146.

Commercial

Name Description
JarShield A relatively new hybrid solution functioning as a native obfuscator, packer, and virtualizer. Offers a free plan that includes the native packer and a native HWID API. Protection features include static C++ string encryption, fully native InvokeDynamic (indy), and code virtualization. On the Java side it provides multiple obfuscation modes, control-flow flattening, and MBA. It also integrates active defenses such as anti-agent, integrity checks, and crashers targeting popular decompilers. Documentation is on the website, with samples on their Discord. One downside is that obfuscation runs in the cloud rather than locally, which may raise trust concerns for some users.
JNIC A native transpiler rather than a conventional bytecode obfuscator. It translates compiled Java methods into C, compiles them, and relinks the result into the original program through the Java Native Interface (JNI), so the original method no longer exists in the .class file and is hidden from Java decompilers. It works on Java 8 bytecode and newer and supports all Java language features, including lambdas, method references, and streams. Protection is applied at the native level and includes optional string encryption, reference obfuscation, and control-flow flattening with an encrypted dispatch table. Those options raise the bar for reverse engineering but increase compile time and file size and reduce runtime performance, so they are usually applied to the most sensitive methods rather than the whole application. JNIC can also be run over the output of another obfuscator such as ZKM or Stringer for layered protection. Its string encryption is not truly irreversible, since the decryption keys must be embedded in the native library. Seen in production tools such as the RusherHack loader. Note: do not run a name obfuscator after JNIC, as that breaks the links to the native code.
JNT An upcoming transpiler that was promoted as surpassing JNIC and others on performance, protection, compatibility, and price, with features such as a renamer, call-graph integrity, polymorphic string encryption, strong flow obfuscation, number encryption, method inlining, and native virtualization. These claims came largely from the developers and were never independently confirmed. The project was never publicly released and now appears dead and unmaintained.
Skidfuscator Enterprises The paid, cloud-based version of Skidfuscator Community, with additional features beyond the free version. Native obfuscation is planned/in development. As with other cloud services, obfuscation runs remotely rather than locally, which may raise trust concerns for some users.
Virbox Protector A native obfuscator with code virtualization, developed in China. It is quite different from the GitHub-based native obfuscators and is notably expensive (roughly 10,000 CNY per year).

Bytecode Obfuscation

Free/Open Source

Name Description
Abonasera Lightweight, since it only encrypts strings. Should not be used on its own, as it will not stop a reverse engineer.
AckerRun A lightweight-to-heavy obfuscator depending on configuration. Has some uncommon features. Possibly derived from XenonGuard, though this is unconfirmed. (Currently only distributed via leaked re-uploads, so no official source is linked here.)
Alpheratzteam An older obfuscator using dated techniques. Very outdated and not suitable for any layer.
AidsFuscator Combines decent flow obfuscation with string and integer encryption reminiscent of Zelix KlassMaster, though it does not reach the same strength or complexity. Still provides a reasonable protective layer that can slow down casual reverse engineers, and is still under active development.
Ambien No longer actively developed. Has some notable packaging features aimed at Recaf 2.x, including a "RedHerring" feature that prepends a fake JAR before the real one. Since most RE tools do not read archives backwards like the JVM does, they parse the fake JAR first. Also includes a crasher transformer that confuses various decompilers and other RE tools. Still has some lingering bugs.
Avaj Generates decryption subroutines for string constants. Also includes some CFG flattening.
Black Android APK/DEX obfuscator. Uses control-flow flattening to make the actual program flow harder to analyze.
BranchLock A web-based obfuscator for Java and Android. It started as a paid, commercial SaaS (around €64 and up) and has since published its full source on GitHub, which is the official repository linked here. Primarily known for its anti-debugging features. It markets itself as "modern, lightweight, but powerful," which is now a stretch, as it no longer competes with modern obfuscators. Appears occasionally in the Minecraft community. Being web-based, it has suffered downtime from DDoS attacks, and its output is relatively easy to read. Minecraft clients such as Monsoon v2 and Prestige used it and were cracked multiple times. It has also been reported in the wild obfuscating malicious Java, including a 2024 phishing campaign that delivered remote-access trojans and a keylogger.
Bozar Some inexpensive tricks plus a GUI. Seen in the Minecraft community. Worth a look. Can be deobfuscated with Narumii.
Bruhfuscator Based on Ambien and reuses code from several FOSS obfuscators (GOTO, MyJ2C, Colonial, Souvenir), so little of it is original. Buggy, with "experimental" implementations of even the most basic transformers. Was a usable base for further development, but not production-ready (for example, it lacks a local-variable remover).
Caesium Includes a transformer that injects well-known HTML into Java RE tools that parse HTML tags. Common in the Minecraft community. Can be deobfuscated with Narumii.
CafeVault (FORK) A basic JAR-file crypter with a lot of room for improvement. Could be used as a lightweight top layer.
CheatBreaker Decent obfuscation, similar to Caesium's but not as strong. Seen in the Minecraft community. Can be deobfuscated with JavaDeobfuscator.
ClassCloak Basic obfuscator with string encryption.
CodeEncryptor+ Uses JNI to encrypt bytecode and JVMTI to decrypt it at runtime. Encrypted class files become malformed and cannot be parsed normally.
Colonial A rename of Simple Obfuscator, with additions from JObf/SB27. Its hard-coded switch-case string decryption is loosely reminiscent of ZKM (Zelix KlassMaster), though far weaker. Commonly seen in Minecraft client development. Can be deobfuscated with Colonial-Deobfuscator.
Crater Basic Java obfuscator.
dProtect Built on ProGuard with additional flow obfuscation, mixed-boolean-arithmetic transformations, and string encryption. Definitely worth a try.
GOTO / GOTO A Chinese-developed obfuscator written in Kotlin. Has interesting features, though some are buggy.
Grunt Another obfuscator written in Kotlin. Best used as a lightweight layer. Its features compose well together. Known in the Minecraft community for mixin support, a renamer, and compatibility with obfuscating Forge mods/plugins.
Herbst A light obfuscator made for a Minecraft client. Mainly useful for its flow obfuscation and possibly its string encryption.
HsGuard A Chinese-developed obfuscator and a weak derivative of Scuti with minimal additions. Can be deobfuscated with Narumii.
InDy A simple project that obfuscates Java method calls by replacing them with invokedynamic instructions.
JarObfuscator An obfuscator with simple bytecode transformers such as XOR encryption. Includes a class encryptor that encrypts class contents and decrypts them at runtime via a Java agent.
Javari A simple obfuscator with a nice GUI but weak obfuscation techniques.
JBCO Some flow-obfuscation techniques that still work on modern Java. Built on the Soot library, which is also worth checking out.
JObf/SB27 Fairly outdated. Because of the generic name, it is more commonly referred to by the author's handle (superblaubeere27 / sb27). Has basic features plus a GUI. Still common in the Minecraft community (notably Asian anarchy clients and Hypixel cheats). Easily deobfuscated with Narumii / JavaDeobfuscator.
Masxinlingvonta Compiles Java bytecode to LLVM IR (for obfuscation purposes).
Mosey Outdated and mainly written in Scala. Its obfuscation is light and easy to deobfuscate, so it is only useful as a secondary layer. Can be deobfuscated with Narumii.
NeonObf Made up of easier-to-defeat obfuscation techniques. Its name was the inspiration for Radon.
Ob An older obfuscator from 2011 with string encryption, branching, and a renamer.
Obsidian A control-flow obfuscator that appears to be actively worked on. Looks interesting and fairly unique compared to typical options.
ObzcureVM A Java virtual machine implemented in Java.
Radon An abandoned experimental open-source obfuscator by ItzSomebody (who also contributed to parts of this list). Has a UI visually similar to Skidfuscator/ProGuard and is intuitive to use. Easily deobfuscated with JavaDeobfuscator.
Reflow A Java bytecode obfuscator.
Retype A Java bytecode obfuscator.
Sandmark An old obfuscation research project led by Christian Collberg at the University of Arizona. Notable for its ideas in static and dynamic watermarking (embedder and recognizer), and some of its flow-obfuscation ideas are good.
Scuti Outdated obfuscator. Can pack classes into binary blobs and load them via a classloader. The blob names are the original class names with simple XOR encryption, and the blob contents are the original class files with simple XOR encryption. Can be deobfuscated with Narumii.
Sentinel Dead, and mainly known in the Minecraft community. Has some basic features. There are no public deobfuscation transformers for it, so it can still be used. If you run it, the required key is sentinelisback. (Historically distributed only as a raw JAR via Discord, so no download link is included here.)
Skidfuscator Community A well-known obfuscator valued for its simplicity, ease of use, and effective protection. The free (Community) version offers strong obfuscation, while the paid (Enterprises) version adds in-progress native obfuscation and other features not in Community. Built on the Maple IR framework using SSA/CFG-based transformations, with a GUI, 10+ configurable transformers, automatic dependency resolution, and an error-recovery system. Its author now describes it as feature-complete and actively maintained, with third-generation control-flow obfuscation (Flow GEN3). The latest release is 2.0.11, followed by an emergency patch (2.0.11-EMERGENCY) addressing CVE-2025-0104. The free version has a slightly broken matcher and requires libraries (no max depth). Common in the Minecraft community. Has its own documentation site.
Souvenir Lightweight obfuscation with nothing special. Has only three transformers (Light Flow, String, Number).
StarLock OR StarLock Original Fairly solid obfuscation techniques and a good layering candidate. Includes an interesting flow technique called reverseJump, which inverts jumps with antonyms to create "else" blocks.
W-Tap Fuscator A relatively new Java obfuscator with roughly half of its transformers copied from elsewhere. Notably includes a joker watermark and anti-RE text. Effectiveness is uncertain.
XenonGuard A decent obfuscator based on CheatBreaker that resembles a free version of ZKM. Has useful, uncommon features. There are no public deobfuscation transformers, but layering is recommended since it is CheatBreaker-based and may still contain some CheatBreaker transformers. Overall a solid option.
XiaoShadiao A Chinese-developed Java bytecode obfuscator.
yGuard Functionally comparable to ProGuard as far as I can tell.

Commercial

Name Description
Allatori A commercial second-generation Java obfuscator by Smardec, in development since 2006 (current version is around 9.x). Provides name, flow, and debug-info obfuscation, string encryption, and watermarking. Its v3 source leaked a long time ago, though it was nothing special. Has historically been observed in Java-based malware.
Binscure A former commercial Java obfuscator known for a running feud with Recaf. Its headline features were decompiler/RE-tool crashers, ZIP tricks, and intense flow/indy obfuscation. As with most cat-and-mouse games, one side eventually gave up, hence the past tense. The crashers it relied on are now fully patched in current Recaf, though its flow and indy obfuscation is still reasonable for the current market. Can be deobfuscated with Narumii / JavaDeobfuscator.
ClassGuard Relies mostly on class encryption with hard-coded AES keys in native libraries. A fairly easy IDA/Binary Ninja/Ghidra exercise. Can be deobfuscated with JavaDeobfuscator.
DashO A mature commercial obfuscator and app-hardening tool by PreEmptive for Java, Kotlin, and Android, in development for over two decades and now around version 12. It applies layered protection (Overload Induction renaming, control flow, string and resource encryption, watermarking) plus active Android runtime checks such as root, emulator, hooking, tamper, and debug detection, and is kept up to date with current Java and Android releases. How strong it is against modern reverse engineering is hard to judge from the outside, since there is little public sample analysis. An older community reimplementation of its string encryption is available here.
DexGuard Mainly used for obfuscating Android apps. No samples seen. Can be deobfuscated with JavaDeobfuscator.
Eskid A decent obfuscator based on HsGuard and Scuti. Common in the Minecraft community. Possibly deobfuscatable via AckerRun's Eskid deobfuscator transformer. Was cracked by PlutoSolutions.
JObfuscator A Java source-code obfuscator (AST-based) by PeLock. Renames variables and methods, makes control flow non-linear, and encrypts strings with a polymorphic engine. Selective per-class or per-method obfuscation is available via annotations. The desktop app and CLI are sold on pelock.com, with SDK packages for several languages (Rust, JS, Python, PHP, C#). Note: the public SDK packages on GitHub are at v1.0.4 (2021). Higher version numbers advertised on the site refer to the commercial desktop product, not the open-source SDKs.
Obzcure A web-based obfuscation service with inspiration from Radon and SkidSuite2. It was formerly named "SpigotProtect," so some Spigot plugins may use its obfuscation if you look around. Can be deobfuscated with JavaDeobfuscator.
Paramorphism Was one of the more unusual and unique obfuscators during its active period, relying heavily on the JVM's unusual handling of JAR archives, including zip entries with duplicated names and the fake-directory trick. It was more widely used before others started adopting its ideas. Can be deobfuscated with JavaDeobfuscator.
Phantom Shield X A Chinese-developed Java bytecode obfuscator.
Protector4J A "crypter" that leverages a customized JDK by removing features useful for reverse engineering while keeping the JDK functional. It also encrypts the JAR so the JDK cannot simply be swapped out.
qProtect The current, next-generation version, in beta at the time of writing (2.0.0-beta22). Advertised as a Java and Android bytecode obfuscator built around a custom virtualizer with native execution, polymorphic encryption, and advanced control-flow obfuscation. Sold as a monthly or yearly subscription. Still in beta, but it looks promising.
qProtect Legacy The older version of qProtect (1.14.0), now offered as a one-time lifetime license for around $35. A budget bytecode obfuscator whose modest price is a fair reflection of the protection it offers. The developer has been controversial in the past, but the project appears to be in a better place now. Can be deobfuscated with Narumii.
Stringer Known for its complex AES-based encryption/decryption routines and its price. Offers limited overall protection, but occasionally appears in industry. Older versions can be deobfuscated with JavaDeobfuscator, and it has been cracked a few times.
ZKM (Zelix KlassMaster) Widely regarded as the most robust commercial Java obfuscator, used by many companies to protect their applications from reverse engineering and tampering. It is also extremely stable, and you can throw almost any project at it and reliably get working obfuscated output. Actively maintained by Zelix Pty Ltd, with frequent updates that track new Java releases (current version 26.0, March 2026, validating Java 26 support) and patches whenever public deobfuscation transformers appear.
zProtect A weak Binscure derivative that is not recommended. Its source has leaked, and its obfuscation can reportedly be (semi-)deobfuscated using darklol's zProtect deobfuscator, or partially with the Binscure deobfuscator.
Zortfuscator Dead and relatively unknown. Samples on its Discord server, and a short clip in a video by akita, suggest it has decent obfuscation techniques.

Obfuscation Benchmarks

For performance and effectiveness comparisons from external sources:


Contribution Guidelines

  1. Fork the repository
  2. Add new obfuscators with complete information
  3. Keep descriptions factual and unbiased
  4. Submit a pull request

About

List of all the somewhat popular and non-popular Java obfuscators on the Internet.
