Branchlock

4.1.6 1 month ago
  • Branchlock now supports Java up to version 24.
  • New member name generation mode: RTL & LTR
  • General maintenance and fixes.
4.1.5 6 months ago
  • Branchlock now supports Java up to version 23.
  • Updated documentation.
  • Hardened number encryption.
4.1.4 7 months ago
  • Fixed root checker throwing exception in some cases.
  • Improved root checker and debug checker task.
  • Added some default exclusions for Android.
4.1.3 7 months ago
  • Fixed Renamer renaming excluded methods in some cases.
  • Renamer now doesn't rename volatile fields by default.
  • Fixed IncompatibleClassChangeError ("overrides final method") caused by Renamer.
  • Fixed Debug information remover not handling SourceDebugExtension annotation correctly.
  • Classes with native methods will now keep their name by default in Renamer.
  • Improved duplicate class handling.
4.1.2 8 months ago
  • Debug information remover now removes information within Kotlin intrinsics.
  • Fixed root checker task throwing an exception.
4.1.1 9 months ago
  • Missing references from library classes are not printed anymore.
  • The amount of references to a missing reference class is now counted.
  • Better format for printing missing references.
  • Fixed a "Malformed class name" error on certain JVMs caused by Renamer.
  • Fixed 500 error for android
4.1.0 9 months ago
  • New member name generation mode: Ideographs (豈 更 車).
  • Fixed multiple differently caused IllegalAccessError exceptions in Renamer.
  • Debug information remover now handles @SourceDebugExtension annotations of kotlin classes.
  • Various optimizations.
4.0.10 10 months ago
  • Fixed an IllegalArgumentException when using Method Merger.
  • Ensured backward compatibility up to Java 11 for the Gradle plugin.
  • build.gradle.kts compatibility for the Gradle plugin.
4.0.9 10 months ago
  • Fixed Crash RE-Tools breaking some applications.
  • Fixed a bug in the Gradle plugin where compileClasspath was not used for libraries.
  • Better output copying mechanism for the Gradle plugin.
  • Improved some log messages.
  • Documentation update.
4.0.8 11 months ago
  • Multiple fixes to ensure Spring-Boot compatibility.
  • Retain metadata information of JAR file entries.
  • JAR entries that used STORE compression are now exported with STORE compression.
  • Fix visibility of classes not updated in various tasks when only referenced by a class constant.
  • Fixed debug detection not working when there are no entry points.
4.0.7 11 months ago
  • Updated Branchlock annotations. They are now available as a maven dependency.
  • Support classes nested inside folders (e.g. Spring-Boot classes in BOOT-INF/classes).
  • Added a setting to read nested jar files inside input files as libraries.
  • Faster loading of input files.
  • Fixed an equivalence class bug in Trimmer.
  • Fixed a StackOverflowError in Trimmer on huge projects.
  • Fixed a reflection detection race condition exception.
4.0.6 11 months ago
  • Fixed generated classes being affected by Ranges.
  • Fixed an IllegalAccessException when using Reference encryption and Renamer together.
  • Fixed a different IllegalAccessException when using Reference encryption only.
  • Print information about classes that failed to load.
4.0.5 11 months ago
  • More information about generated classes when logged.
  • Fixed class export error not being logged.
  • Fixed equivalence class incomplete after remapping a single class.
  • Lowered maximum container size for method merger to prevent exceeding the JVM limit.
  • New Gradle desktop plugin for creating obfuscated jars automatically when running "jar" task. (Experimental)
4.0.4 11 months ago
  • New Android Gradle plugin which supports AGP 8.0.0+ (Experimental).
  • Fixed null byte class names in Renamer causing corrupted resources.
  • Fixed a "Bad access to protected data" verify error caused by Renamer.
  • Improved reflection detection by handling more cases and being more specific.
  • Fix Debug information remover not removing signatures of fields.
4.0.3 11 months ago
  • Renamer now updates class names in various resource types: XML, YAML, .properties, .MF
4.0.2 11 months ago
  • Improved reflection detection.
  • Fixed Logic Scrambler breaking annotations.
  • Fixed Salting breaking annotations.
4.0.1 11 months ago
  • Improved keyword name generation.
  • Added a setting for null byte class names to Renamer.
  • Added a setting for package creation to Renamer.
  • Branchlock annotations are now removed from the output.
4.0.0 11 months ago
  • Complete backend rewrite using new java features.
  • New frontend / webapp.
  • Multiple resolution bugs causing various issues have been fixed.
  • Various fixes and improvements.
  • Flow obfuscation improvements.
  • String encryption strength and efficiency improvements.
  • Fixed a few resolution bugs in Renamer and Reference encryption.
  • Added support for encrypting dynamic string concatenation in modern java versions.
  • Annotations which can be used to control obfuscation.
  • A seed can now be specified for deterministic obfuscation.
  • Kotlin debug information removal.
  • Better Serialization support.
  • New task: Method merger which merges static methods into one.
Good to know:
  • Old stacktrace decryption has been removed.
  • Automatic method splitting has been removed due to instability. Users are now responsible for managing big methods.
  • The config format generally stays the same, but some settings have been deprecated or slightly changed.
  • Reference encryption will not encrypt unresolved references anymore. Make sure to upload all your dependencies.
  • Classes that are provided as a library but are also present in the input file will be excluded automatically.
3.2.5 2 years ago
  • Fixed a NPE caused by debug information remover.
  • Added flow flattening to flow obfuscation.
  • Huge flow obfuscation speed improvements.
  • Fixed a bug that caused a VerifyError in some cases when flow obfuscation is used.
3.2.4 2 years ago
  • More protection against code emulation.
  • Fixed classes requiring a more recent Java version in some cases after obfuscation.
  • More detailed failure messages on stacktrace decryption.
  • Added a setting to remove empty directories from the jar file.
3.2.3 2 years ago
  • The manifest file is now updated if classes that are referenced are renamed.
  • Fixed a rare reference obfuscation bug in reflection mode. (ClassCastException from Method / Field to Number).
  • Fixed stacktrace decryption not working correctly in some cases.
  • After obfuscation, performance loss is estimated.
  • Added a setting to exclude enum field names from Renamer.
3.2.2 2 years ago
  • Improve String obfuscation performance on class initialization.
  • Fixed a cause of ART lock verification failure.
3.2.1 2 years ago
  • Fixed a bug that caused a VerifyError in some occasions when ART is used (Android). It was caused by either string obfuscation or flow obfuscation.
3.2.0 2 years ago
  • Java 19 support.
  • Fixed some Android classes being logged as unresolved, even if they're not needed.
  • Better fallback when a task setting has the wrong type.
  • Added a setting to rename main classes (Renamer).
  • Added a setting to keep method signatures for parameter obfuscation.
  • New extremely faster member link tree generation.
  • Overall speed improvements. 
  • Trimmer: Remove unused methods and fields to reduce the size of the output and give less information away. Scans the application recursively, starting at all entry points. Reflection usage can break this task, and it is advised to mark dynamically called methods with @EntryPoint. Methods are replaced with an error message by default, but can also be removed entirely. To explicitly keep a method or a field, use the @KeepCode annotation.
3.1.2 2 years ago
  • Fixed a flow obfuscation crash during obfuscation.
  • Fixed a flow obfuscation VerifyError.
  • Missing class tree structure now doesn't use non-ascii characters anymore.
3.1.1 2 years ago
  • Missing library classes are now printed in a tree structure.
  • Fixed a stacktrace encryption bug.
3.1.0 2 years ago
  • Improved stacktrace encryption security. The decrypt panel can be used on both encryption versions.
  • Fixed flow obfuscation bugs and improved some techniques.
  • Added a setting to toggle archive crashing for Crash RE-Tools.
  • Runtime coverage is now a bit faster at runtime.
3.0.10 2 years ago
  • Fixed a log output repetition bug.
  • Fixed runtime invisible annotations not being handled sometimes.
3.0.9 2 years ago
  • Fixed a bug with reference obfuscation that caused problems with field set instructions.
  • Fixed that some reference obfuscation internal resolution tests fail which should actually pass.
  • Renamer now keeps the name automatically for Android ViewModel classes.
3.0.8 2 years ago
  • Renamer now keeps the class name untouched for Android classes that are typically linked in AndroidManifest.xml (Instrumentation, ContentProvider, BroadcastReceiver).
  • Fixed some missing library classes not being logged.
3.0.7 2 years ago
  • Fixed a bug in Scrambler that caused an "invoke-customs are only supported starting with Android O" error when certain lambdas are used on Android with the minimum API version set to 25 or lower.
3.0.6 2 years ago
  • The user is now warned if they try to layer obfuscation.
  • Fixed an out of memory bug that could cause a website crash while writing the output jar.
  • Method exclusion now also excludes the overriding method(s) in parent classes and warns if no member has been found.
 
3.0.5 2 years ago
  • Improved number obfuscation.
  • Fixed a rare case where Scrambler caused a calculation bug.
  • Fixed a Runtime coverage bug that could lead to illegal code when used in combination with Reference encryption.
  • Fixed an AbstractMethodError when Scrambler, Renamer and certain interface lambdas are used in combination.
  • Field exclusion is now possible.
3.0.4 2 years ago
  • Makes reference obfuscation Java 17+ compatible (changes on the reflection api security).
3.0.3 2 years ago
  • Improved Renamer speed.
  • Fixed a rare bug that caused infinite execution time.
  • Excluded classes now aren't referenced by other classes anymore.
3.0.2 3 years ago
  • More error details on a class load failure.
  • A corrupt class file doesn't stop the loading process anymore.
  • Corrupt classes are now left in the archive unchanged instead of being removed.
3.0.1 3 years ago
  • Fixed a bug where some library classes are not resolved which should be.
3.0.0 (Backend) 3 years ago
  • Unresolved classes / libraries are now printed at the end of obfuscation.
  • Fixed an exception that happened while obfuscating a single class with Renamer.
  • Sped up Renamer and descriptor obfuscation.
  • Renamer now excludes custom android.app.Application classes by default.
  • Runtime coverage now also covers static runtime methods.
  • Escaping can now be done using "/" or "." as separator.
  • Inner classes now have to be separated by "$".
  • Fixed "UnsupportedOperationException: null" sometimes happening on Android.
2.6.2 3 years ago
  • Classes or members of classes can now be excluded using an annotation filter. "**@Deprecated" e.g. excludes all deprecated classes,
    "Main#*@Subscribe" excludes all methods in the class "Main" with an "@Subscribe" annotation.
  • Fixed a frame generation bug.
  • Fixed an unresolved class error that happened when flow obfuscation in combination with references is used and dynamic libraries are loaded by the application.
    Flow obfuscation now also uses descriptor obfuscation inheritance.
2.6.1 3 years ago
  • All reference encryption modes now test their encrypted references for right resolution to avoid rare hash collisions.
  • More stability.
2.6.0 3 years ago
  • Savable configurations now make obfuscation easier.
  • Huge security update. Descriptor obfuscation does now add integer values passed onwards for each function. This makes de-obfuscating a real horror.

This function was obfuscated with the new descriptor obfuscation and reference obfuscation (reflection mode):

     public static void registerCustomDefaults(Object var0, int var1 /* inserted by descriptor obfuscation */) {
      Object[] var3 = Np;
      File var4 = (File)var0;
      if ((List)((Object)1.qz(Laf.class, var3, var1 ^ 54)) == null) {  // encrypted reference
         1.rA(new ArrayList(), Laf.class, var3, var1 ^ 73); // encrypted reference
      }

      (Boolean)1.cA((List)((Object)1.qz(Laf.class, var3, var1 ^ 12)), var4, var3, var1 ^ 121);  // encrypted references
   }
   

If you were to decrypt the encrypted references (which was extremely difficult until now anyway), the parameter "var1" would be needed. This parameter is passed onwards through multiple functions.
To trace that passthrough, you would need to know the original references (or else you wouldn't know where calls come from or lead to), which is not possible without decrypting all encrypted references.
Those two tasks converge extremely well, and now force a potential attacker to simulate a custom JVM that records calls or bruteforce "var1", which is extremely hard to do.
This new descriptor obfuscation method will also be used with string obfuscation, number obfuscation and flow obfuscation.

2.5.2 3 years ago
  • Overall performance increase.
  • Strengthened flow obfuscation.
  • Renamer does now work with more swing look and feels.
  • Renamer will now raise the min API level to Java 5 to avoid verification problems caused by old verifying algorithms (Java 1.4 and lower).
  • Fixed a rare bug that only occured with extremely huge jars.
  • Fixed a bug in Descriptor obfuscation that could cause unintentional method overriding.
2.5.1 3 years ago
  • Added a Crasher setting to keep class debug information from being modified.
  • Task specific exclusion makes it easier to handle obfuscation incompatibilities.
  • Member name exclusion is now also matched (e.g: "foo/bar/MainClass#*ain" excludes method "main" and "gain")
2.5.0 3 years ago
  • More debug remover settings
  • Renamer now renames local variables to used class names instead of deleting local variable names
  • Descriptor obfuscation: Changes method parameters and field types to generic types to make it harder to identify what a members function is
2.4.1 3 years ago
  • Don't override jar file comment if already present.
  • "No compression" setting for spring boot jars.
  • Fix for "Malformed class name" error caused by Renamer.
Android plugin: 1.1.4 3 years ago
  • More detailed error logging.
  • Fixed "Invalid JSON near position: 0" bug when using the Android API.
2.4.0 3 years ago
  • Huge website look and functionality update.
  • Implementation of a few task specific settings.
  • Fixed a very rare bug in the flow obfuscation that caused an illegal exception table range error.
  • Fixed a small bug in the flow obfuscation that caused a VerifyError.
  • Flow obfuscation is now harder to reverse or decompile.
2.3.3 3 years ago
  • Renamer now handles special metafactory lambdas. In some cases it now also keeps package names instead of keeping the full name (e.g. when getResource is used).
2.3.2 3 years ago
  • Fixed that in a special case a class was replaced with a newly generated one.
  • Fixed reflection reference obfuscation not obfuscating important classes on very small jars.
  • Instantiation coverage now also covers virtual method invocations and was renamed to "Runtime coverage".
  • Updated copyright notice of the Branchlock runtime.
2.3.1 3 years ago
  • Sped up obfuscation process (mostly flow obfuscation).
  • Renamer now handles custom annotations with values.
2.3.0 3 years ago
  • Lib exclusion is now done before re-including.
  • New Renamer algorithm, which fixes some AbstractMethodErrors, but takes a bit longer than the old one.
2.2.3 3 years ago
  • Fixed a rare bug when Flow obfuscation, Renamer and Reflection reference obfuscation are used resulting in a ClassNotFoundException.
  • Improved reflection handling for Renamer.
  • Improved loading and saving speed.
2.2.2 3 years ago
  • Fixed a bug in reference reflection obfuscation that threw the NoClassDefFoundError caused by unresolved class references in the static initializer instead of the method that contains the reference.
2.2.1 3 years ago
  • Fixed a bug in yesterdays update that caused some tasks not to function together. Apologies from our side.
2.2.0 3 years ago
  • Small changes to the reflection reference obfuscation which makes it a bit more lightweight and flexible.
  • Fixed reflection obfuscation sometimes ignoring @CallerSensitive annotation.
  • Fixed reflection obfuscation throwing NullPointerException instead of NoSuchMethodError / NoSuchFieldError on unresolved references.
  • Demo now only obfuscates 2 methods per class instead of excluding 40% of all classes.
  • Exclude methods with #: **#main would e.g. exclude all main methods. ?javax/swing/JPanel#paint would exclude all paint methods of all JPanel classes. Use const for constructors and static for static initializers.
  • Updated Renamer to support method exclusion and improved exclusion handling.
2.1.4 3 years ago
  • Fixed reflection reference obfuscation for java 1.4 or lower classes (including Groovy runtime classes).
  • Improved flow obfuscation in strength and performance and fixed a bug that caused an IllegalAccessError.
  • Stacktrace encryption now cuts the file type (eg. MyMainClass.java -> MyMainClass) to save unnecessary file size.
2.1.3 3 years ago
  • Fixed a bug in the obfuscation panel that prevented licensed users from obfuscating
  • Keep Renamer from renaming fields, methods or classes if they have a @KeepName annotation.
  • Fixed a bug in reflection reference obfuscation that caused the application to crash in a certain case.
2.1.2 3 years ago
  • Added a separate debug information remover task instead of letting Scrambler remove debug information.
  • Improved performance of the reflection reference obfuscation.
2.1.0 3 years ago
  • Fixes Branchlock creating version 52 classes in certain cases instead of supporting lower versions.
  • New reference encryption mode: "Reflection mode". Supports java versions below 8, is Android compatible and has low impact on the file size (~17%). Equally secure as dynamic mode.
2.1.1 3 years ago
  • Hotfix for the enhanced string encryption mode.
  • Small optimization in the compatibility string encrypton.
2.0.1 3 years ago
  • Increased performance of compatibility string encryption and fixed a rare "UTF-8 vector too large" bug.
  • Improved illegibility of number encryption.
  • Moved switch encryption to number encryption.
  • "serialVersionUID" fields are not inlined by number encryption anymore.
2.0.2 3 years ago
  • Fixed another rare "UTF-8 vector too large" bug in compatibility string encryption.
  • Number obfuscation now extracts often occurring numbers to variables to save file size and performance.
Android plugin: 1.0.2 - 1.1.1 3 years ago
  • Fixed a bug that was caused when multiple libraries had overlapping classes.
  • Library classes are now converted to stubs to save upload time. (fullLibCode = true can disable that)
  • Using own exceptions now for better handling.
2.0.0 (Android update) 3 years ago

We are happy and proud to introduce Android support, which was not easy to implement, because Android behaves very differently from the desktop JVM, but we managed to make most of Branchlock compatible with Android, including Android 11. You may encounter some bugs at the beginning, but we would be glad if you tested it on your Android applications, if you are developing some currently. Branchlock is the first obfuscator to use a gradle plugin to do the work for you. You also can use Branchlock in combination with ProGuard, for even more protection.

  • Android support introduction, including most tasks.
  • Anti root task for android, which checks for root and suspends the app if it is detected.
  • Obfuscator performance improvements.
1.9.0 3 years ago
  • Fixed a bug in Scrambler that caused a crash when using custom annotations.
  • New string encryption mode "compatibility" that is faster than the current enhanced mode and compatible with old java versions, as well as android.
  • Removed heavy reference encryption mode.
1.8.2 3 years ago
  • More android compatibility preparation.
  • Fixed a bug that caused a NPE when a program obfuscated with references that contained a class in the root package which is referenced, is run with java 8.
1.8.1 3 years ago
  • Made (enhanced) reference encryption android compatible and a bit more secure. Heavy reference encryption will be removed soon, as it won't be updated anymore.
  • Number encryption is now even more illegible for byte range terms.
1.8.0 3 years ago
  • Partial android support (in-dev).
  • Fixes a rare bug that crashes the obfuscator without leaving any log or output file.
1.7.3 4 years ago
  • Exclude classes that are assignable to certain class by using the ? operator. Example: ?javax/swing/** will exclude all classes that are assignable to a class in the package javax/swing/. ?java/lang/Object would for example exclude everything. This operator can also be used for reincluding.
1.7.4 4 years ago
  • Non-printable name generation mode: Messes up decompilers with new-line indicators and low ascii characters.
  • Option to exclude libraries from obfuscation automatically.
1.7.2 4 years ago
  • Generalize access also removes synthetic modifiers now
  • Renamer now only updates the access of members that need to be updated to avoid access errors instead of making all members public
1.7.1 4 years ago
  • Method references to methods with a @CallerSensitive annotation are not getting encrypted anymore in reference obfuscation.
  • Fixes a bug in light reference obfuscation that caused some extremely rare cases to get resolved incorrectly (reference wrongly points to a method in a parent class with the same name of the actual method).
  • Heavy reference encryption is now deprecated, as light reference obfuscation is now out of the experimental stage.
1.6.3 4 years ago
  • Fixes an enhanced reference obfuscation bug that is caused when a static method with the same name as a non-static method exists in a parent class of the owner class containing the non-static method. (java.lang.invoke.WrongMethodTypeException: cannot explicitly cast MethodHandle... to (Object,...))
1.6.1 4 years ago
  • Huge flow obfuscation improvements. Monitor instructions and ugly try catch blocks now make your code really hard to read. It also doesn't process as long as it did before.
1.6.2 4 years ago
  • Fixes constant tag error caused by string obfuscation.
  • Fixes analyzer errors in the output log when using flow obfuscation.
1.6.0 4 years ago
  • Stacktrace encryption for better analysis of crashes without the need for ReTrace. The stacktraces of your users can be decrypted in the stacktrace panel right next to the obfuscator using your secret key. This makes crash analysis much easier.
  • Flow encryption is now processed faster and encrypts instanceof statements.
1.5.3 4 years ago
  • Number encryption now also encrypts floating point constants.
  • Fixes a duplicate method definition bug in enhanced reference encryption.
  • Scrambler now makes lambdas harder to decompile.
1.5.2 4 years ago
  • Branchlock classes are now also placed in random packages.
  • String encryption now takes a bit less file size and also encrypts static final String fields.
  • Number encryption now also encrypts static final int / long fields.
1.5.0 4 years ago
  • Demo now only excludes 60% of the classes if more than 25 classes are obfuscated instead of 5.
  • Instantiation coverage: Hide runtime instantiations like new IllegalStateException(). Lightweight but effective.
1.5.1 4 years ago
  • Fixes a bug that caused an "Illegal class name" exception.
  • Fixes a bug that left callsite methods and fields unobfuscated.
  • Let the user choose if branchlock should adapt their class and method names to the provided class and method names (Adaptive mode) or use weird characters instead (that could crash decompilers / tools).
1.4.5 4 years ago
  • Fixes a way to bypass anti-debug.
  • Scrambler now also makes switch statements harder to read. Can be combined with number obfuscation.
1.4.4 4 years ago
  • Fixes a static method resolvation bug in enhanced reference encryption.
Interface update 4 years ago
  • The function "Import from pom.xml" was added. You can now upload your pom.xml file and Branchlock will automatically download the libraries from the repositories via maven.
1.4.3 4 years ago
  • New execution order to ensure more encryption with certain execution combinations.
  • Number obfuscation is now more dynamic and the impact on the file size is less divergent.
  • Enhanced reference obfuscation is now harder to decompile, but may be a bit slower at initialization.
1.4.2 4 years ago
  • Hardens number obfuscation even more, which also makes reference and string encryption more difficult to decrypt, especially when used in a combination.
  • Fixes a NullPointerException during string obfuscation.
1.4.0 4 years ago
  • Number obfuscation: Obfuscates whole number constants (ints and longs). Unusual constants like -1880695587 are protected more than more occuring ones like 256.
  • The JVM-argument -noverify was removed from the anti-debug check, as some programs depend on it.
  • Other executions now make use of the number obfuscation for even more protection.
1.4.1 4 years ago
  • Fixes a bug that causes a ClassCastException due to the reference obfuscation of 
    ClassLoader.registerAsParallelCapable();
1.3.5 4 years ago
  • Anti-debug: Disables certain debugging methods that could be useful for potential attackers. Should be used in combination with reference obfuscation, as it makes it harder to remove.
1.3.4 4 years ago
  • Fixed a bug that caused the obfuscator to crash when everything is excluded.
  • Count of excluded / re-included classes is now logged again.
  • Scrambler now scrambles integer / long multiplications and divisions with one constant.
1.3.3 4 years ago
  • Improved string obfuscation. Faster and safer.
  • General optimizations.
1.3.2 4 years ago
  • Access generalizer: Removes all access modifiers that could help a possible reverse engineer. Makes it harder to identify which fields are changed and which remain unchanged.
1.3.1 4 years ago
  • Improved flow obfuscation, while keeping file size.
  • A demo version is now available for all registered users.
1.3.0 4 years ago
  • Added a feature to shuffle class members.
  • Scrambler now affects fields too.
  • Rewrote the whole class loading, excluding and execution process. This lead to an increasage of obfuscation speed.
  • Several things were optimized for a better performance of the output file.
1.2.3 4 years ago
  • Fixed some minimal typing mistakes.
  • Increased performance and decreased size of reference obfuscation by a small bit (heavy mode).
  • Crasher now also confuses zip-extraction programs.
  • Better logging messages at exporting.
1.2.2 4 years ago
  • Fixed a bug that caused both reference obfuscation modes to throw an AssertionError sometimes (but very unlikely)
  • Fixed a bug that caused some field references to get resolved wrongly in the experimental mode. This required to increase the output file size percentage a bit (by 5 - 10 percent), but makes it more stable.
1.2.1 4 years ago
  • Obfuscation tasks now check for compatibility before obfuscating a class.
  • Fixed a bug in experimental reference obfuscation that caused field references to resolve wrongly.
  • Improved performance of output files a little.