Obfuze
Java Bytecode Obfuscator โ Spring Boot 100% Compatible
Protect your Java applications from reverse engineering. Method-level bytecode transformation with guaranteed Spring Boot, JPA, and MyBatis compatibility.
v1.0.0
Version
Java 17+
Platform
Apache 2.0
License
Your Java Code Is an Open Book
Anyone with a decompiler can read your business logic, API keys, and proprietary algorithms in minutes. Standard JAR files offer zero protection.
Fully Readable
Java bytecode decompiles almost perfectly. Class names, method logic, string constants โ all exposed.
IP at Risk
Competitors can clone your algorithms. Attackers can find vulnerabilities and hardcoded secrets.
Compliance Gaps
Shipping unprotected code fails security audits. Enterprise clients demand code protection.
Why Obfuze?
Built for real-world Spring Boot applications
Spring Boot 100% Compatible
Method-level transformation only. Never modifies signatures, annotations, or class names. Works perfectly with Spring DI, AOP, CGLIB proxies, and JPA.
7-Level Protection
String encryption, number obfuscation, flow obfuscation, control flow flattening, debug stripping, name obfuscation, and self-protecting decryptor โ all in one pass.
Gradle & Maven & CLI
Free plugins for Gradle and Maven that integrate seamlessly into your build pipeline. Or use the CLI for standalone JAR/WAR processing.
Enterprise Ready
Tested with 100+ class Spring Boot projects including eGovFrame. Supports Fat JAR, WAR, CI/CD environments with offline grace period.
7-Level Protection
Each level adds another layer of defense
String Encryption
All string constants encrypted with XOR + runtime decryption. Per-string random key from full 32-bit key space. 3 encryption algorithm variants per build.
Number Obfuscation
Integer and long constants transformed into multi-stage XOR chains (2-5 stages randomly generated).
Flow Obfuscation
Opaque predicates (4 variants), dead code injection, and bogus branches inserted to confuse decompilers.
Control Flow Flattening
Transforms method bodies into XOR-keyed switch-based state machines with shuffled basic blocks. Enable with flatten=true.
Debug Stripping
Removes LineNumberTable, LocalVariableTable, and SourceFile attributes from all classes.
Name Obfuscation
Private classes, methods, and fields renamed with Spring-safe keep rules. Inheritance-aware renaming. Preserves Spring, JPA, Jackson, MyBatis annotations.
Self-Protection
Decryptor class generated with unique structure per build โ random field/method names, XOR masks, bogus branches, and encryption variants.
Before & After
See the transformation in action
public class PaymentService {
private final String API_KEY = "sk_live_abc123";
private final String ENDPOINT = "/api/v2/charge";
public Receipt charge(String cardToken, int amount) {
log.info("Charging " + amount + " won");
HttpResponse res = http.post(ENDPOINT,
Map.of("token", cardToken, "amount", amount));
if (res.statusCode() != 200) {
throw new PaymentException("Payment failed");
}
return new Receipt(res.body(), amount);
}
}public class PaymentService {
private final String ma = D.s("7f2a9b", 1839274);
private final String mb = D.s("3c1e8d", 4729103);
public Receipt charge(String O0OO, int lI1l) {
if (System.nanoTime() * System.nanoTime() >= -1L) {
log.info(new StringBuilder()
.append(D.s("a3f1", 82741))
.append(1928374 ^ 7261035 ^ 5332661)
.append(D.s("f2c9", 39201)).toString());
HttpResponse O00l = http.post(mb,
Map.of(D.s("9e3a", 57281), O0OO,
D.s("b1c4", 92837), lI1l));
if (O00l.statusCode() != (3847 ^ 3647)) {
throw new PaymentException(
D.s("d4e2a1", 1029384));
}
return new Receipt(O00l.body(), lI1l);
} else { int a = 9382 ^ 4721; }
return null;
}
}Easy Integration
Choose your preferred workflow
plugins {
id 'io.obfuze' version '1.0.0'
}
obfuze {
licenseKey = 'XXXX-XXXX-XXXX-XXXX'
jpaSafe = true
rename = false
flatten = false
flowSkip = ['/config/', '/filter/', '/interceptor/']
skip = ['/generated/', '/proto/']
}Compatibility
Tested and verified with major frameworks
Full Feature List
Simple, One-Time Pricing
Pay once, use forever. Free updates included.
Personal
For individual developers
One-time payment ยท Lifetime license
Get Personal- โAll 7 obfuscation levels
- โCLI, Gradle & Maven support
- โJPA auto-detection
- โJSON obfuscation report
- โProGuard-format mapping file
- โ1 machine activation
- โLifetime license + updates
1 machine
Professional
For teams & small companies
One-time payment ยท Lifetime license
Get Professional- โEverything in Personal
- โ3 machine activations
- โCI/CD offline grace period (7 days)
- โPriority support
- โTeam license management
3 machines
Enterprise
For large enterprises & SI vendors
One-time payment ยท Lifetime license
Get Enterprise- โEverything in Professional
- โUnlimited machine activations
- โExtended offline grace period
- โDedicated support channel
- โCustom obfuscation profiles
- โVolume licensing available
Unlimited
All plans include Gradle & Maven plugin (free). Payments secured by Lemon Squeezy.
Frequently Asked Questions
Does Obfuze break Spring Boot applications?
No. Obfuze works at the method-level only โ it never modifies method signatures, annotations, class names, or constructors. Spring DI, AOP, CGLIB proxies, and JPA all continue to work exactly as before.
What Java versions are supported?
Obfuze requires Java 17 or higher. It supports JAR, WAR, and Spring Boot Fat JAR formats. Build system support includes Gradle 8+ and Maven 3.9.6+.
Is this a subscription?
No. All plans are one-time payments with lifetime licenses. You get free updates for as long as the product exists. No recurring charges, no hidden fees.
How does machine activation work?
When you first run Obfuze, it activates on that machine using your license key via Lemon Squeezy. Personal allows 1 machine, Professional allows 3, and Enterprise is unlimited.
Can I use it in CI/CD pipelines?
Yes. Professional and Enterprise plans include an offline grace period (7 days) specifically designed for CI/CD environments where network access may be limited.
What if obfuscation breaks something?
Obfuze has a built-in safety mechanism โ if any error occurs during a class transformation, it falls back to the original bytecode. You also get a detailed JSON report showing exactly what was obfuscated.
How do I read obfuscated stack traces?
When name obfuscation (rename=true) is enabled, Obfuze generates an obfuze-mapping.txt file in ProGuard format alongside the output JAR. Use this mapping file to decode obfuscated class, method, and field names in stack traces.
What happens if my license cache expires?
License is cached locally for 30 days at ~/.obfuze/license.json. When the cache expires, Obfuze re-validates with Lemon Squeezy. If the network is unavailable, a 7-day grace period allows continued usage (ideal for CI/CD).
What about refunds?
Refunds are handled by Lemon Squeezy. If a refund is issued, your license key is automatically deactivated. Contact support@dklib.dev for any licensing issues.
Protect Your Code Today
Stop worrying about reverse engineering. Get Obfuze and ship with confidence.
Get Obfuze Now