JavaObf
Analyze, protect, and ship Java with confidence

Obfuscate, license, and fingerprint your paid Java plugin in 5 minutes.

Drop a JAR. Ship it hardened, watermarked, and license-gated without writing license code. Descriptor-aware, polymorphic per build, traceable per customer.

Start for free
Descriptor-aware Auto-locked per ecosystem
Polymorphic New seed each build
Fingerprinted Per-customer watermark
Anti-patch Remove one branch, the rest fail
javaobf.com / workspace / premium-plugin.jar
Explorer 24
com.example
com.example.license
com.example.util
PluginMain
extends JavaPlugin · 12 methods · 4 fields · locked by plugin.yml
onEnable()V
onDisable()V
verifyLicense(Ljava/lang/String;)Z
com.example.PluginMain 5 nodes · 4 hot edges · fan-in 1 / fan-out 3
1× call 12× calls 3× calls 5× reads License locked com.example.license final · 6 methods Storage store interface · 4 methods load/save (UUID, Map) PluginMain entry extends JavaPlugin 12 methods · 4 fields Commands handler implements CommandExecutor 9 methods Rewards service scheduled task pool 7 methods · 3 fields
entry locked caller callee data store edge weights show call counts
onEnable() : V 5 blocks · 1 branch · 1 back-edge
true false loop block 0 entry onEnable() · load config block 1 if checkLicense(this) brIf z != 0 → b2 block 2 loop body register commands if more → goto b1 block 3 disable log.warn("nag") setEnabled(false) ireturn ireturn
entry branch loop body return path true / false / back-edge labelled
Profile
Hardening
91%
IN premium .jar identifiers 6 / 6 strings 5 / 5 flow 4 / 4 tamper 4 / 4 runtime 1 / 3 OUT a7f3…e9
identifiers
6 / 6
Symbol distortion Layout scramble Package scramble Resource-aware rename Reflection lock Class literal
strings & literals
5 / 5
Concealment invokedynamic Class strings Broad encryption Concat template
control flow
4 / 4
CFG distortion Dispatcher flatten Method split Arithmetic
anti-tamper
4 / 4
Integrity mesh Anti-patch interlock Decoy classes Metadata hygiene
runtime
1 / 3
Resource rewrite Selective Java VM Anti-debug / anti-agent
main: com.example.PluginMain Hard lock · plugin.yml
fabric-entry Soft lock · fabric.mod.json
main com.example.PluginMain
bootstrap com.example.Loader
service META-INF/services/*
L Hard-lock class
H Max-harden method
S Skip rename for class
R Relax this method
Classes24
Locks2
Entrypoints1
Seeda7f3…e9
Deterministic builds Per-build polymorphic seed
Forensic fingerprint Watermarked per customer
Method virtualization Selective Java VM
Validation Paid-tier boot checks

Built for the modern Java mod & plugin stack

Paper Spigot Bukkit BungeeCord Waterfall Velocity Sponge Fabric Forge NeoForge
What you get

An analyst's workspace, a premium transform stack, and traceable builds.

compatibility-first

Ecosystem intelligence

Auto-locks Paper, Bukkit, Bungee, Velocity, Sponge, Fabric, Forge, and NeoForge. Descriptor-aware keep rules generated from day one: plugin.yml, paper-plugin.yml, fabric.mod.json, mods.toml, mixins, access wideners.

forensic-ready

Per-customer fingerprinting

Every protected artifact is watermarked and traceable. Leaked copies identify themselves without degrading runtime performance.

plug and play

DRM & Licensing system

Issue per-customer license keys, bind them to a hardware ID on first run, revoke any of them in under a minute. The check itself is patched into your protected jar at build time, so you never write a line of license code.

deterministic output

Transform pipeline

Symbol distortion, control-flow flattening, encrypted strings, integrity mesh, anti-patch interlocks, and runtime shield injection. Polymorphic per build, anti-diff across builds.

tamper-resistant

Anti-patch interlock

Integrity validators chained across classes. Strip one branch and the decryptors, dispatchers, and checks in every other class quietly refuse to run.

boot-validated

Runtime validation

Optional paid-tier boot checks against real Paper, Velocity, Waterfall, Fabric, Forge, and NeoForge runtimes, with Bukkit and Spigot inferred from Paper where appropriate.

End to end

From upload to protected artifact.

Four steps. No manual keep-rule authoring. No guessing why something broke.

01

Upload

Drop a JAR. The engine parses descriptors, builds the semantic graph, and classifies the ecosystem automatically.

02

Analyze

Browse packages, classes, entrypoints, strings, and locks. Step through the call graph and CFG in real time.

03

Protect

Pick a profile. Toggle modules. Refine rules at class, package, or method level. Queue with a per-build polymorphic seed.

04

Ship

Download the fingerprinted JAR plus mapping, report, and warnings. Paid tiers can also run real boot validation against supported targets.

Ready when you are

Ship Java you actually trust to
leave your build machine.

Two minutes from signup to your first protected JAR. Every build is fingerprinted, every descriptor is respected, and every transform is overridable.

Create free account See pricing
Read the docs See the bounty program
  • Redeem any license code instantly
  • First protected build in under 2 minutes
  • Originals auto-expire in 24 hours
The crown jewels

Where commodity obfuscators stop,
we're just getting started.

Renaming, string encryption, control-flow flattening. Every obfuscator does that. JavaObf stacks two flagship transforms on top that fundamentally change the math for an attacker. The bytecode they're staring at never ran. Or never existed in the JVM at all.

01 Renamers identifier obfuscation
02 Standard packers + string encryption, basic CFG
03 Premium tier + anti-tamper interlocks, watermarking
04 JavaObf + Custom VM, + Native stub lifting
Selective Java VM

Bytecode the JVM never sees.

The methods that matter most get translated into JavaObf's own opcode set and shipped alongside an embedded interpreter that's regenerated per build. The shape, the dispatch table, and the encoding all rotate. The decompiler walks into a maze and finds another maze inside.

  • Custom opcodes, polymorphic per build
  • Method-level granularity, anywhere in the call graph
  • CFR · Procyon · JD-GUI all give up
  • Tied into the integrity mesh, can't be lifted out cleanly
Native stub new

Lift hot methods into machine code.

For the highest-value methods, JavaObf compiles them into a hardened native runtime layer that the Java side calls into. The Java side becomes a thin shell. The actual code lives behind the JVM, behind the call boundary, behind everything a Java reverser knows how to look at.

  • Java → real machine code via the AOT pipeline
  • Per-customer, per-build polymorphic encoding
  • Disassembly resistant, integrity-bound at load
  • Falls back to VM-protected Java where targets are unsupported
The honest read

Learn how to actually protect your binary.

Obfuscation is security through obscurity. That doesn't mean it is worthless. It means you need to know exactly what it gives you, what it doesn't, and where the real attacker leverage lives. We wrote it up, without marketing fog.

  • What obfuscation can and cannot prevent
  • Why config exposed business logic is the real leak
  • License check patterns that get bypassed in ten minutes
  • Security models that actually hold up in the field
Read the full guide ~12 min read · plain English · no fear selling