# ShieldX

> Enterprise-grade Java JAR obfuscation and bytecode protection tool. Runs 100% locally. Zero cloud, zero upload.

ShieldX is a developer security tool that protects Java bytecode (JAR files) from reverse engineering and decompilation. It applies a 16-pass pipeline of transformations including AES-256 string encryption, control flow obfuscation, class/method/field renaming, and more — all entirely offline on the developer's machine.

## What ShieldX does

- Obfuscates Java JAR files to prevent reverse engineering
- Encrypts string literals with AES-256 (per-class keys)
- Rewrites control flow into irreducible graphs that defeat Procyon, CFR, and Fernflower decompilers
- Renames classes, methods, and fields to opaque tokens
- Supports Smart Safe Mode: auto-reads plugin manifests (plugin.yml, fabric.mod.json, velocity-plugin.json, etc.) and excludes critical entrypoints from renaming
- Generates a mapping.txt file per job for deobfuscating production stack traces
- All files stored locally in ~/.config/shieldx/ — never uploaded anywhere

## Installation

macOS / Linux:

```
curl -fsSL https://shieldx.zoniexlabs.xyz/install.sh | sh
```

Windows (PowerShell as Admin):

```
iwr -useb https://shieldx.zoniexlabs.xyz/install.ps1 | iex
```

npm:

```
npm install -g shieldx-cli
```

Requires Node.js 18+. Installer sets up Node.js automatically via nvm (macOS/Linux) or winget (Windows).

## Key CLI commands

- `shieldx panel` — interactive TUI menu (alias: `shieldx p`)
- `shieldx obfuscate ` — one-liner obfuscation (alias: `shieldx o`)
- `shieldx obfuscate --profile paper-safe` — use a specific profile
- `shieldx serve` — launch web dashboard at localhost:3001
- `shieldx jobs` — list all local job history
- `shieldx doctor` — system health check
- `shieldx config show` — view current configuration

## Protection methods (16 passes)

**Naming**

- Class Renaming — rewrites class identifiers to opaque tokens
- Method Renaming — mangles method names, preserves API surfaces
- Field Renaming — renames internal fields to unprintable identifiers
- Package Remapping — flattens or rewrites package paths

**Strings & Data**

- AES String Encryption — AES-256 per-class key encryption of string literals
- Memory-Safe Strings — strings stored as char[] cleared after use
- Enhanced Encryption — multi-layer XOR + AES with runtime-derived keys
- Integer Encryption — replaces constants with runtime arithmetic expressions

**Control Flow**

- Flow Obfuscation — irreducible control flow graph
- Opaque Predicates — always-true injected conditions
- Arithmetic Transformer — rewrites operations as algebraic identities
- Switch → If Conversion — lowers tableswitch/lookupswitch to chained conditionals
- If Trapping — converts branches to exception-driven jumps

**Cleanup & Hardening**

- Dead Code Removal — strips debug attributes, source filenames, synthetic bridges
- Useless Try/Catch — synthetic exception handlers as no-ops
- Integrity Watermark — cryptographic fingerprint in META-INF

## Protection profiles (9 total)

| Profile | Target | Key feature |
|---|---|---|
| paper-safe | Paper / Spigot plugins | Reads plugin.yml, Smart Safe |
| fabric-safe | Fabric mods | Mixin-aware, reads fabric.mod.json |
| forge-safe | Forge / NeoForge mods | Preserves @Mod, EventBus |
| velocity-safe | Velocity proxy plugins | Reads velocity-plugin.json |
| bungee-safe | BungeeCord plugins | Reads bungee.yml |
| library-safe | Shared libraries | Public API preserved, internals obfuscated |
| enterprise-safe | Spring Boot / enterprise apps | Reflection-safe, heavy encryption |
| smart-safe | Unknown / auto-detect | Reads all manifests, safest auto-settings |
| aggressive | Self-contained apps | All transforms enabled simultaneously |

## Privacy & Security

- 100% offline — no internet required after install
- No telemetry, no analytics, no crash reporting
- No cloud upload of any kind
- Air-gap compatible
- All job files stored in ~/.config/shieldx/jobs//
  - input.jar (original)
  - output.jar (protected)
  - mapping.txt (deobfuscation map)
  - report.json (job metadata)

## Optional: Web Dashboard

`shieldx serve` launches a local web UI at http://localhost:3001. Upload JARs, pick profiles, view protection scores, and download output — all local, no account needed.

## Links

- Homepage: https://shieldx.zoniexlabs.xyz/
- npm: https://www.npmjs.com/package/shieldx-cli
- GitHub: https://github.com/shieldx
- Sitemap: https://shieldx.zoniexlabs.xyz/sitemap.xml