Analysis updated 2026-06-24
Study how Zelix KlassMaster obfuscation can be unwound with LLM assistance
Read source for a Minecraft Forge client mod that was previously a binary blob
Audit the reported login-time screenshot backdoor in the original Zen client
Use the project as a reference for building your own Enigma-driven deobfuscation pipeline
| | margele/openzen | happynewyear1995/uba-x | lywnl/ai-app-generation |
|---|---|---|---|
| Stars | 56 | 47 | 34 |
| Language | Java | Java | Java |
| Setup difficulty | hard | hard | hard |
| Complexity | 5/5 | 4/5 | 5/5 |
| Audience | researcher | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
The project is early, the README is mostly Chinese, many features may not work, and the original Zen contains documented backdoors, so the upstream binary should not be run.

Open Zen is a work-in-progress, reverse-engineered open source version of a Minecraft client called Zen. Zen is a cheat client, the kind of modified Minecraft client that adds unsanctioned features for use against game servers. The target environment is Minecraft 1.20.1 with Forge 47.4.20. The README opens with a warning that the project is in an early stage and many features may not work yet, asking users to file issues or pull requests when they hit gaps. It is written almost entirely in Chinese.

The original Zen jar was heavily obfuscated using Zelix KlassMaster: classes, fields, and methods were renamed to meaningless tokens, control flow was flattened, strings were encrypted, and invoke-dynamic calls were used to hide method references. The author describes using Anthropic's Claude Opus 4.7 to analyze the obfuscation, write a custom deobfuscator for the parts existing tools could not handle, and then guess sensible names for classes and methods with the help of an Enigma MCP server and Claude Sonnet 4.6. After about six hours of automated repair plus a small amount of manual fixing, the result is a buildable Gradle project rather than a binary blob.

A portion of the cleanup involved the invoke-dynamic and string-encryption layers, whose master key is protected by a native library. The author found that the native library still loads and registers classes even without passing client authentication, which let the deobfuscation cover those parts of the code as well.

The README spends a section on backdoors found in the original Zen. The analysis shows that on login, the client triggers a screenshot, and the Zen developer can request screenshots, scan and upload local files, or run remote commands. There is a linked BACKDOOR.md with details. Because of this, the project advises against running the original Zen at all. A standalone screenshot of an in-game click GUI is included for reference.

Licensing is explicit: the original obfuscated bytecode has no license, and this repository's deobfuscated source, build scripts, and docs are released for study and research only. The author notes that some recovered symbol names are reconstructed from context and may not match the original developer's intent. Credits go to Claude, the Java Deobfuscator project, references to Themida and Zelix as the obfuscation tools, and the author's own Enigma MCP server.
A work-in-progress reverse-engineered open-source version of the Zen Minecraft cheat client for 1.20.1 Forge, recovered from a Zelix-obfuscated jar using LLM-assisted deobfuscation.
Mainly Java. The stack also includes Gradle and Forge.
Released for study and research only; the original obfuscated bytecode has no license, and recovered names may not match original intent.
Setup difficulty is rated hard, with roughly 1 day+ to a first successful run.
Mainly researcher.
Verify against the repo before relying on details.