This project aims to deobfuscate most commercially-available obfuscators for Java.
- Download the deobfuscator.
- If you know what obfuscators were used, skip the next two steps
- Create
detect.yml
with the following contents. Replaceinput.jar
with the name of the input
input: input.jar
detect: true
- Run
java -jar deobfuscator.jar --config detect.yml
to determine the obfuscators used - Create
config.yml
with the following contents. Replaceinput.jar
with the name of the input
input: input.jar
output: output.jar
transformers:
- [fully-qualified-name-of-transformer]
- [fully-qualified-name-of-transformer]
- [fully-qualified-name-of-transformer]
- ... etc
- Run
java -jar deobfuscator.jar
- Re-run the detection if the JAR was not fully deobfuscated - it's possible to layer obfuscations
Take a look at USAGE.md for more information.
If you're trying to recover the names of classes or methods, tough luck. That information is typically stripped out and there's no way to recover it.
Otherwise, check out this guide on how to implement your own transformer (also, open a issue/PR so I can add support for it)
Zelix Klassmaster
Stringer
Allatori
DashO
DexGuard
ClassGuard
Smoke
SkidSuite2 (dead, some forks are listed here)
The automagic detection should be able to recommend the transformers you'll need to use. However, it may not be up to date. If you're familiar with Java reverse engineering, feel free to take a look around and use what you need.
You need to specify all the JARs that the input file references. You'll almost always need to add rt.jar
(which contains all the classes used by the Java Runtime)
Increase your stack size. For example, java -Xss128m -jar deobfuscator.jar
Technically, yes, you could use something like dex2jar or enjarify. However, dex -> jar conversion is lossy at best. Try simplify or dex-oracle first. They were written specifically for Android apps.
Java Deobfuscator is licensed under the Apache 2.0 license.