This project aims to deobfuscate most commercially-available obfuscators for Java.
- Download the deobfuscator.
- If you know what obfuscators were used, skip the next two steps
detect.ymlwith the following contents. Replace
input.jarwith the name of the input
input: input.jar detect: true
java -jar deobfuscator.jar --config detect.ymlto determine the obfuscators used
config.ymlwith the following contents. Replace
input.jarwith the name of the input ```yaml input: input.jar output: output.jar transformers:
- … etc ```
java -jar deobfuscator.jar
- Re-run the detection if the JAR was not fully deobfuscated - it’s possible to layer obfuscations
Take a look at USAGE.md for more information.
It didn’t work
If you’re trying to recover the names of classes or methods, tough luck. That information is typically stripped out and there’s no way to recover it.
Otherwise, check out this guide on how to implement your own transformer (also, open a issue/PR so I can add support for it)
SkidSuite2 (dead, some forks are listed here)
List of Transformers
The automagic detection should be able to recommend the transformers you’ll need to use. However, it may not be up to date. If you’re familiar with Java reverse engineering, feel free to take a look around and use what you need.
I got an error that says “Could not locate a class file”
You need to specify all the JARs that the input file references. You’ll almost always need to add
(which contains all the classes used by the Java Runtime)
I got an error that says “A StackOverflowError occurred during deobfuscation”
Increase your stack size. For example,
java -Xss128m -jar deobfuscator.jar
Does this work on Android apps?
Technically, yes, you could use something like dex2jar or enjarify. However, dex -> jar conversion is lossy at best. Try simplify or dex-oracle first. They were written specifically for Android apps.
Java Deobfuscator is licensed under the Apache 2.0 license.