Complexicator
Complexicator is a command-line Java obfuscation and release-hardening tool made for Paper and Spigot plugin developers.
It is designed for developers who want to protect their plugin jars without constantly fighting broken plugin.yml files, renamed main classes, config leaks, reflection issues, or unsafe release artifacts.
Important: Complexicator is not a Minecraft server plugin.
Do not place complexicator-cli.jar into your server's plugins folder.
It is a developer tool that you run on your built plugin jar before release.
What Complexicator does
Complexicator helps prepare Java/Paper plugin jars for release by applying a configurable obfuscation and verification pipeline.
Main features:
- Paper/Spigot-aware obfuscation pipeline
- plugin.yml and paper-plugin.yml metadata patching
- Class, method, field, and package renaming
- Package flattening to hide original project structure
- String and URL protection
- Manifest sanitizing
- Config/comment sanitizing for release builds
- Watermarking for build/customer traceability
- Leak scanner for private names, packages, domains, and strings
- verify and release-check commands
- Public/private release report separation
- Private mapping and reverse-mapping output
Why this exists
Generic Java obfuscators can work, but they often need careful configuration for Minecraft plugins.
A normal Java obfuscator may break a plugin if it:
- Renames the main class without updating plugin.yml
- Renames classes used by reflection
- Breaks enum/config serialization
- Touches Bukkit/Paper lifecycle methods
- Obfuscates command names or permission nodes incorrectly
- Leaves private package names, internal URLs, or build metadata behind
Complexicator focuses specifically on the Minecraft plugin release workflow.
Goal: Make casual copying and decompilation harder while keeping Paper/Spigot compatibility sane.
What Complexicator does not do
Complexicator does not make Java code impossible to reverse engineer.
No Java obfuscator can fully guarantee that. If someone has the jar, they have the bytecode. The goal is to make reverse engineering more annoying, reduce obvious information leaks, and make released jars harder to casually copy or inspect.
Complexicator also does not include:
- Hidden online activation
- Remote license checks
- Automatic downloads
- Hidden telemetry
- Remote command execution
- Destructive anti-tamper behavior
Basic workflow
- Build your normal plugin jar.
- Run Complexicator on the built jar.
- Verify the obfuscated output jar.
- Scan the jar for leftover private terms.
- Run the release check.
- Test the obfuscated jar on a local Paper server.
- Save mappings/private reports securely.
- Upload only the final obfuscated jar.
Quick start
1. Build your plugin first
Example with Gradle:
Code:
./gradlew build
This should create your normal plugin jar, for example:
Code:
build/libs/MyPlugin.jar
2. Obfuscate the plugin jar
Code:
java -jar complexicator-cli.jar obfuscate --input build/libs/MyPlugin.jar --output build/libs/MyPlugin-obf.jar --config examples/balanced-paper-release.yml
The recommended default config is:
Code:
examples/balanced-paper-release.yml
3. Verify the output jar
Code:
java -jar complexicator-cli.jar verify --input build/libs/MyPlugin-obf.jar
This checks whether the jar is readable and whether important plugin metadata still looks valid.
4. Scan for leaks
Before releasing, scan the obfuscated jar for private terms such as your original package name, internal class names, domains, or project codenames.
Code:
java -jar complexicator-cli.jar scan-leaks --input build/libs/MyPlugin-obf.jar --terms examples/leak-terms.txt
Edit examples/leak-terms.txt before using it.
Example leak terms:
Code:
com.example.myplugin.internal
ExampleSecretClass
PRIVATE_INTERNAL_DOMAIN
OriginalProjectCodename
5. Run the full release check
Code:
java -jar complexicator-cli.jar release-check --input build/libs/MyPlugin-obf.jar --config examples/balanced-paper-release.yml --terms examples/leak-terms.txt
The release check prints one of:
Code:
PASS
PASS_WITH_WARNINGS
FAIL
6. Test on a local Paper server
Always test the final obfuscated jar before release.
Put this jar into your test server:
Code:
MyPlugin-obf.jar
Do not put complexicator-cli.jar into your plugins folder.
Commands
obfuscate
Obfuscates an input jar using a config file or preset.
Code:
java -jar complexicator-cli.jar obfuscate --input MyPlugin.jar --output MyPlugin-obf.jar --config examples/balanced-paper-release.yml
verify
Checks whether a jar is readable and whether plugin metadata appears valid.
Code:
java -jar complexicator-cli.jar verify --input MyPlugin-obf.jar
scan-leaks
Scans a jar for configured private terms.
Code:
java -jar complexicator-cli.jar scan-leaks --input MyPlugin-obf.jar --terms examples/leak-terms.txt
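An independent cross-check for the same idea, as an added example that is not Complexicator's own code and makes no claim about how scan-leaks works internally. It searches every jar entry's name and bytes for each term, and also for the slash-separated form of dotted package names, because class files store package references as com/example/... rather than com.example.... The sample jar is constructed in memory and the function names are hypothetical.

```python
import io
import zipfile

def term_variants(term):
    """Dotted package names also appear in class files with '/' separators."""
    variants = {term}
    if "." in term:
        variants.add(term.replace(".", "/"))
    return variants

def scan_jar(jar_bytes, terms):
    """Return sorted (entry, term, where) hits; where is 'name' or 'content'."""
    hits = set()
    terms = [t.strip() for t in terms if t.strip()]  # blank lines match everything
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            data = b"" if info.is_dir() else jar.read(info)  # decompressed bytes
            for term in terms:
                for variant in term_variants(term):
                    if variant in info.filename:
                        hits.add((info.filename, term, "name"))
                    # Assumes ASCII terms, where UTF-8 and the class-file
                    # string encoding are byte-identical.
                    if variant.encode("utf-8") in data:
                        hits.add((info.filename, term, "content"))
    return sorted(hits)

def build_sample_jar():
    """Constructed sample: a jar-like zip built in memory, not a real plugin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("plugin.yml", "name: MyPlugin\nmain: a.b\n")
        # Fake class bytes with a leftover internal-form package reference.
        jar.writestr("a/b.class",
                     b"\xca\xfe\xba\xbe\x00com/example/myplugin/internal/Db\x00")
        jar.writestr("config.yml", "# TODO ask OriginalProjectCodename team\n")
    return buf.getvalue()

# Terms taken from the example leak-terms list on this page.
TERMS = ["com.example.myplugin.internal", "ExampleSecretClass",
         "OriginalProjectCodename"]

if __name__ == "__main__":
    for entry, term, where in scan_jar(build_sample_jar(), TERMS):
        print(f"LEAK {term!r} in {entry} ({where})")
```

Strings that an obfuscation pass has encoded will not match a plain byte search, and nested jars are not opened, so a clean result here covers only plaintext leftovers.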
release-check
Runs the main release validation workflow.
Code:
java -jar complexicator-cli.jar release-check --input MyPlugin-obf.jar --config examples/balanced-paper-release.yml --terms examples/leak-terms.txt
inspect
Prints basic metadata about a jar without modifying it.
Code:
java -jar complexicator-cli.jar inspect --input MyPlugin.jar
inspect-watermark
Verifies a configured watermark when given the correct ID/salt.
Code:
java -jar complexicator-cli.jar inspect-watermark --input MyPlugin-obf.jar --id PRIVATE-BUILD-ID --salt replace-with-private-project-salt
Watermark IDs and salts are private. Do not publish them.
list-passes
Shows available obfuscation passes and presets.
Code:
java -jar complexicator-cli.jar list-passes
Presets
safe-paper
Low-risk preset for maximum compatibility.
balanced-paper-release
Recommended default preset. Good balance between protection and compatibility.
aggressive-paper-release
Stronger protection. Use only after testing carefully.
paranoid-release
Maximum stable release preset. Test carefully before public release.
experimental
Unstable features only. Not recommended for production releases.
Reports and mappings
Complexicator separates public and private release data.
Public reports may include:
- Input/output jar names
- SHA256 hashes
- Enabled passes
- Verification result
- Leak scan summary
- Final release verdict
Private reports may include sensitive data such as:
- Mappings
- Reverse mappings
- Original class names
- Detailed leak information
- Debug information
Private files are usually written to:
Code:
build/complexicator-private/
Public-safe reports are usually written to:
Code:
build/complexicator-public-report/
Important security note
Do not upload or share:
- mappings.txt
- reverse-mappings.txt
- Raw seeds
- Salts
- Watermark IDs
- Private reports
- Debug dumps
- Private configs
These files can help someone reverse your obfuscation.
Only upload the final obfuscated jar unless you know exactly what you are doing.
Dependencies
No external server-side dependencies are required.
Complexicator is a standalone command-line Java tool.
Users need:
- A compatible Java runtime
- Their built plugin jar
Optional:
- Paper/Spigot API jars or other dependency jars for dependency-aware verification
- A local Paper test server for testing the final obfuscated jar
Complexicator does not require:
- License-key activation
- Online validation
- Remote downloads
- Paid third-party services
Recommended release workflow
- Build your normal plugin jar.
- Run Complexicator with balanced-paper-release.yml.
- Run verify.
- Run scan-leaks.
- Run release-check.
- Decompile the output manually if you want to inspect it.
- Test the obfuscated jar on a local Paper server.
- Save mappings and private reports securely.
- Upload only the final obfuscated plugin jar.
Example full workflow
Code:
./gradlew build
java -jar complexicator-cli.jar obfuscate --input build/libs/MyPlugin.jar --output build/libs/MyPlugin-obf.jar --config examples/balanced-paper-release.yml
java -jar complexicator-cli.jar verify --input build/libs/MyPlugin-obf.jar
java -jar complexicator-cli.jar scan-leaks --input build/libs/MyPlugin-obf.jar --terms examples/leak-terms.txt
java -jar complexicator-cli.jar release-check --input build/libs/MyPlugin-obf.jar --config examples/balanced-paper-release.yml --terms examples/leak-terms.txt
If everything passes, test MyPlugin-obf.jar on a local Paper server.
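A publish gate for a CI job, as an added example that is not part of Complexicator, covering both the release-check verdicts and the "Do not upload or share" list above. It assumes the verdict appears on its own line in the captured release-check output and that uploads come from a dedicated staging directory; both are assumptions, and the function names are hypothetical.

```python
from pathlib import Path

VERDICTS = ("PASS", "PASS_WITH_WARNINGS", "FAIL")
# File names from the "Do not upload or share" list, and the private
# output directory name given on this page.
PRIVATE_NAMES = {"mappings.txt", "reverse-mappings.txt"}
PRIVATE_DIRS = {"complexicator-private"}

def parse_verdict(output):
    """Return the last line that is exactly one verdict token, else None.

    Whole-line matching matters: a substring search for "PASS" also
    matches "PASS_WITH_WARNINGS".
    """
    found = None
    for line in output.splitlines():
        if line.strip() in VERDICTS:
            found = line.strip()
    return found

def staging_problems(staging_dir, expected_jar):
    """List every file in the upload directory other than the expected jar."""
    problems = []
    for path in sorted(Path(staging_dir).rglob("*")):
        if path.is_dir():
            continue
        rel = path.relative_to(staging_dir)
        if rel.name in PRIVATE_NAMES or PRIVATE_DIRS & set(rel.parts):
            problems.append(f"private artifact: {rel.as_posix()}")
        elif rel.as_posix() != expected_jar:
            problems.append(f"unexpected file: {rel.as_posix()}")
    return problems

def may_publish(output, staging_dir, expected_jar, allow_warnings=False):
    """True only for an accepted verdict and a staging dir holding just the jar."""
    verdict = parse_verdict(output)
    ok = verdict == "PASS" or (allow_warnings and verdict == "PASS_WITH_WARNINGS")
    return ok and not staging_problems(staging_dir, expected_jar)
```

A missing or unrecognised verdict is treated the same as FAIL, so a crashed or truncated run cannot pass the gate.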
Final warning
Complexicator is a developer tool, not magic protection.
It can make your released jar harder to inspect, harder to casually copy, and cleaner for release, but it cannot make Java bytecode impossible to reverse engineer.
Always test your obfuscated plugin before publishing.
