A production-ready, web-based Lua code obfuscation tool that protects Lua source code by transforming it into functionally equivalent but harder-to-read code. Built with Next.js 15, React 19, and TypeScript, featuring real-time obfuscation, Monaco code editor, and comprehensive test coverage.
Bill's Lua Obfuscator is a fully client-side code protection tool designed for Lua developers working on game mods, addons, and scripts. All obfuscation happens in your browser—your code never leaves your machine, ensuring complete privacy and security.
Live Demo: https://lua-obfuscator-sable.vercel.app/
- 🔒 100% Client-Side Processing - Your code stays on your machine
- ⚡ Real-Time Obfuscation - Instant feedback with Monaco editor
- 🎯 10+ Obfuscation Techniques - Basic to advanced protection methods
- 🛡️ Advanced Security - Custom encryption, anti-debugging, dead code injection
- 📊 Detailed Metrics - Track size, transformations, and processing time
- 📱 Fully Responsive - Works on mobile, tablet, and desktop
- ✅ 1,640 Passing Tests - 446 unit tests + 1,194 E2E tests across 6 browsers
- 🚀 Production Ready - Deployed on Vercel with analytics and monitoring
| Feature | Description | Strength Level |
|---|---|---|
| Name Mangling | Replaces variable/function names with hexadecimal identifiers (_0x0000) |
High |
| String Encoding | Converts strings to byte arrays using string.char() |
Medium |
| Number Encoding | Transforms numeric literals into mathematical expressions | Medium |
| Control Flow Obfuscation | Adds opaque predicates to complicate analysis | High |
| Code Minification | Removes comments, whitespace, and blank lines | Low |
| Feature | Description | Strength Level |
|---|---|---|
| Custom String Encryption | Multiple encryption algorithms (XOR, Base64, Huffman, Chunked) | Very High |
| Dead Code Injection | Injects unreachable code blocks to confuse analysis | High |
| Control Flow Flattening | Transforms code into state machine patterns (CPU intensive) | Very High |
| Anti-Debugging Measures | Runtime checks for debuggers and modified environments | Very High |
| Configurable Formatting | Output styles: Minified, Pretty, Obfuscated, Single-line | Variable |
| Obfuscation Metrics | Detailed statistics on transformations and performance | N/A |
- Monaco Code Editor - Industry-standard editor with Lua syntax highlighting
- Configurable Protection Levels - Slider from 0-100% with progressive feature activation
- Individual Technique Toggles - Fine-grained control over each obfuscation method
- Encryption Algorithm Selector - Choose between XOR, Base64, Huffman, or Chunked encryption
- Output Format Options - Minified, Pretty, Obfuscated, or Single-line formatting
- Real-Time Metrics Display - See size, transformations, and processing time
- Copy to Clipboard - One-click copy with visual feedback
- Download as .lua - Export obfuscated code directly
- Error Handling - Clear error messages with validation
- Smart Defaults - Pre-configured with functional Lua example
| Version | Status | Target Use Cases |
|---|---|---|
| Lua 5.1 | ✅ Full Support | WoW, FiveM, Garry's Mod, Roblox |
| Lua 5.2 | ✅ Supported | General scripting |
| Lua 5.3 | ✅ Supported | Modern applications |
| LuaJIT | ✅ Compatible | High-performance scenarios |
Protected Elements: All Lua keywords, standard library functions (print, pairs, ipairs, etc.), and global tables (math, string, table, etc.) are automatically preserved.
XOR Cipher - Rotating key XOR encryption where each character is XORed with a position-dependent key. Provides strong obfuscation with minimal performance impact.
Base64 Encoding - Custom alphabet base64 encoding with character position scrambling. Makes strings completely unreadable in source.
Huffman Compression - Frequency-based encoding using a custom dictionary. Especially effective for strings with repeated characters.
Chunked Strings - Splits strings into multiple segments stored in separate variables, then concatenates at runtime. Defeats simple string search patterns.
| Level | Active Techniques | Use Case |
|---|---|---|
| 0% | None | Development/testing |
| 20% | Minify, Mangle Names | Light protection |
| 40% | + Encode Strings | Standard protection |
| 60% | + Encode Numbers, Control Flow | Strong protection |
| 70% | + XOR Encryption | Advanced protection |
| 80% | + Dead Code Injection | Very strong protection |
| 90% | + Control Flow Flattening, Anti-Debugging | Maximum protection |
- Node.js 18+ (20+ recommended)
- npm, yarn, or pnpm package manager
# Clone the repository
git clone https://github.com/yourusername/LUA-Obfuscator.git
cd LUA-Obfuscator/web
# Install dependencies
npm install
# Start development server
npm run devOpen http://localhost:3000 to see the application.
# Create optimized production build
npm run build
# Start production server
npm start- Paste or type your Lua code in the left editor
- Configure settings using the right sidebar:
- Toggle individual techniques (Name Mangling, String Encoding, etc.)
- Adjust Protection Level slider (0-100%)
- Click Obfuscate to generate protected code
- Copy or download the obfuscated result
Original Code:
local function calculateScore(basePoints, multiplier)
local maxScore = 1000
local result = basePoints * multiplier
if result > maxScore then
result = maxScore
end
print("Score: " .. result)
return result
endObfuscated Code (Name Mangling + String Encoding + Minification):
local function _0x0001(_0x0002,_0x0003)local _0x0004=1000;local _0x0005=_0x0002*_0x0003;if _0x0005>_0x0004 then _0x0005=_0x0004 end;print(string.char(83,99,111,114,101,58,32).._0x0005)return _0x0005 end- Next.js 15.5.4 - React framework with App Router
- React 19.2.0 - UI library with concurrent features
- TypeScript 5.9.3 - Type-safe development
- Tailwind CSS 4.1.14 - Utility-first styling
- shadcn/ui - Radix UI primitives
- Lucide React 0.545.0 - Icon library
- Monaco Editor 4.7.0 - VS Code's editor component
- luaparse 0.3.1 - Lua AST parser and validator
- Custom Transformation Engine - AST-based obfuscation system
- Jest 29.7.0 - Unit testing framework
- Playwright 1.56.0 - E2E browser testing
- ESLint 9.37.0 - Code linting
- Prettier - Code formatting
- Vercel Analytics 1.5.0 - User analytics
- Vercel Speed Insights 1.2.0 - Performance monitoring
- Google Analytics - Comprehensive tracking
LUA-Obfuscator/
├── web/ # Next.js web application
│ ├── app/ # Next.js App Router
│ │ ├── page.tsx # Main obfuscator interface
│ │ ├── layout.tsx # Root layout with metadata
│ │ └── api/analytics/ # Analytics tracking endpoints
│ ├── components/ # React components
│ │ ├── CodeEditor.tsx # Monaco editor wrapper
│ │ ├── BackgroundGradient.tsx # Animated background
│ │ └── ui/ # shadcn components
│ ├── lib/ # Core obfuscation logic
│ │ ├── parser.ts # Lua AST parser wrapper
│ │ ├── obfuscator.ts # Main obfuscation engine
│ │ ├── obfuscator-simple.ts # Simplified API
│ │ ├── generator.ts # AST to Lua code generator
│ │ └── analytics-*.ts # Analytics utilities
│ ├── __tests__/ # Test suites
│ │ ├── unit/ # Unit tests (446 tests across 14 suites)
│ │ ├── integration/ # Integration tests
│ │ ├── e2e/ # E2E tests (1,194 tests across 12 files × 6 browsers)
│ │ └── fixtures/ # Test data and samples
│ ├── playwright.config.ts # Playwright configuration
│ ├── jest.config.js # Jest configuration
│ └── .prettierrc.json # Code formatting rules
├── CLAUDE.md # AI assistant documentation
├── LICENSE # MIT license
└── README.md # This file
- Uses luaparse library for AST generation
- Supports Lua 5.1, 5.2, 5.3 syntax
- Validates code structure and provides error messages
- Exports:
parseLua(),validateLua()
- Applies multiple obfuscation techniques:
- Variable/function name mangling (hexadecimal identifiers)
- String encoding (byte array transformation)
- Number encoding (mathematical expressions)
- Control flow obfuscation (opaque predicates)
- Code minification (whitespace removal)
- Configurable protection levels (0-100%)
- Preserves Lua standard library globals
- Exports:
obfuscateLua()withObfuscationOptions
- Converts transformed AST back to valid Lua source
- Handles 20+ Lua node types
- Maintains functional equivalence
- Supports minification mode
- Exports:
generateCode()
Bill's Lua Obfuscator includes comprehensive test coverage across multiple levels:
| Test Suite | Tests | Coverage | Framework |
|---|---|---|---|
| Unit Tests | 446 | 90%+ lines, 85%+ branches | Jest |
| Integration Tests | Included in unit suite | Full pipeline | Jest |
| E2E Tests | 1,194 tests in 12 files × 6 browsers | Full UI workflows | Playwright |
V1.1 Test Coverage:
- 157 new unit tests for encryption, dead-code, formatter, metrics, and anti-debug modules
- 12 E2E test files including v1.1 additions:
advanced-features-v11.spec.ts,metrics-display.spec.ts,protection-level-v11.spec.ts - Total test count: 446 unit tests + 1,194 E2E tests = 1,640 total tests
- Recent improvements: Enhanced test reliability, optimized timeouts, improved page load state handling
# Run unit tests
npm test
# Run with coverage report
npm run test:coverage
# Run E2E tests
npm run test:e2e
# Run E2E tests with UI
npm run test:e2e:ui
# Run all tests (unit + E2E)
npm run test:all- Parser validation and error handling
- Obfuscation technique verification
- Code generation accuracy
- Edge case handling
- End-to-end obfuscation pipeline
- Round-trip validation (obfuscate → parse → verify)
- Real-world Lua scripts (fibonacci, factorial, quicksort)
- Option combination testing
1,194 comprehensive tests across 12 test files:
- obfuscation-workflow.spec.ts - Complete user workflow testing
- responsive.spec.ts - Mobile, tablet, and desktop layouts
- error-handling.spec.ts - Error states and recovery scenarios
- advanced-features-v11.spec.ts - v1.1 encryption and advanced features
- metrics-display.spec.ts - Real-time metrics validation
- protection-level-v11.spec.ts - Protection level slider functionality
- accessibility.spec.ts - WCAG compliance and keyboard navigation
- analytics-tracking.spec.ts - Analytics integration testing
- performance.spec.ts - Performance benchmarking
- edge-cases.spec.ts - Edge case handling
- advanced-workflow.spec.ts - Complex workflow scenarios
- protection-level.spec.ts - Core protection level features
Test Coverage Areas:
- Application loading and initialization
- Code input and obfuscation with all techniques
- Copy to clipboard and download functionality
- Settings configuration and persistence
- Mobile viewport (375px, 390px)
- Tablet viewport (768px, 1024px)
- Desktop viewport (1920px+)
- Orientation changes and touch interactions
- Invalid Lua code detection and error display
- Recovery after errors and empty input handling
- Performance benchmarks and optimization validation
Tests run automatically on:
- ✅ Desktop Chrome
- ✅ Desktop Firefox
- ✅ Desktop Safari
- ✅ Mobile Chrome (Pixel 5)
- ✅ Mobile Safari (iPhone 12)
- ✅ iPad Pro
The project uses Prettier for consistent code formatting:
# Format all files
npm run format
# Check formatting without changes
npm run format:checkPrettier Configuration:
- Tab width: 2 spaces (using tabs)
- Print width: 120 characters
- Single quotes: false (double quotes)
- Semicolons: always
- Trailing commas: ES5
- Arrow parens: avoid
# Run ESLint
npm run lint# Install Vercel CLI
npm i -g vercel
# Deploy to production
vercel --prodCreate a .env.local file:
# Site Configuration
NEXT_PUBLIC_SITE_URL=https://yourdomain.com
# Google Analytics (optional)
NEXT_PUBLIC_GA_MEASUREMENT_ID=G-XXXXXXXXXXFROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build
FROM node:20-alpine AS runner
WORKDIR /app
ENV NODE_ENV production
COPY --from=builder /app/next.config.ts ./
COPY --from=builder /app/public ./public
COPY --from=builder /app/.next/standalone ./
COPY --from=builder /app/.next/static ./.next/static
EXPOSE 3000
CMD ["node", "server.js"]# Build and run
docker build -t lua-obfuscator .
docker run -p 3000:3000 lua-obfuscator# Build static site
npm run build
# Deploy the .next folder to any static hosting
# (Vercel, Netlify, Cloudflare Pages, etc.)- World of Warcraft Addons - Protect addon code from theft and modification
- FiveM/RedM Scripts - Secure server-side resources and client scripts
- Garry's Mod - Protect Lua gamemodes and addons
- Roblox - Obfuscate game scripts (Lua 5.1 compatible)
- Code Protection - Secure proprietary Lua implementations
- Anti-Piracy - Make code harder to copy and redistribute
- Learning Tool - Study obfuscation techniques and AST manipulation
- Security Research - Test deobfuscation resistance
- Real-time obfuscation with Monaco editor
- Name mangling with hexadecimal identifiers
- String encoding using byte arrays
- Number encoding with mathematical expressions
- Control flow obfuscation with opaque predicates
- Code minification
- Configurable protection levels (0-100%)
- Responsive design (mobile, tablet, desktop)
- Comprehensive test coverage (446 unit tests + extensive E2E testing)
- Production deployment with analytics
- Custom encryption algorithms (XOR, Base64, Huffman, Chunked)
- Advanced control flow flattening with state machines
- Dead code injection with realistic patterns
- Anti-debugging measures (debug detection, timing checks)
- Configurable output formatting (4 styles)
- Real-time obfuscation metrics and statistics
- Progressive feature activation via protection slider
- 100% client-side processing (no server dependencies)
- Batch file processing
- CLI version for automation
- API endpoints for integration
- Custom obfuscation profiles
- Deobfuscation resistance testing
- Lua 5.4 full support
- Team collaboration features
- Version history and rollback
- Advanced analytics dashboard
- Premium obfuscation techniques
- Self-hosted deployment options
- Small Files (<100 lines): <100ms
- Medium Files (100-1000 lines): 100-500ms
- Large Files (1000+ lines): 500ms-2s
- Initial Load: ~500KB (gzipped)
- Monaco Editor: Lazy loaded on demand
- Runtime: 100% client-side, no server dependencies
- Chrome/Edge 90+
- Firefox 88+
- Safari 14+
- Mobile browsers (iOS Safari, Chrome Mobile)
Contributions are welcome! This project follows standard open-source practices.
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Make your changes (follow code style guidelines)
- Write tests for new functionality
- Run all tests (
npm run test:all) - Format code (
npm run format) - Commit changes (
git commit -m 'Add amazing feature') - Push to branch (
git push origin feature/amazing-feature) - Open a Pull Request
- Follow TypeScript strict mode conventions
- Use Tailwind CSS for all styling (no custom CSS)
- Maintain component modularity
- Add JSDoc comments for complex functions
- Include unit tests for new obfuscation techniques
- Add E2E tests for UI changes
- Run Prettier before committing
- Ensure all tests pass locally
- Unit test coverage: Maintain 85%+ branch coverage
- Add E2E tests for new user-facing features
- Test across multiple Lua code samples
- Verify responsive behavior on mobile
| Issue | Solution |
|---|---|
| Monaco editor not loading | Clear browser cache, check network tab |
| Obfuscation fails silently | Check browser console for errors |
| Tests failing locally | Run npm install to update dependencies |
| Prettier formatting conflicts | Run npm run format to auto-fix |
If experiencing issues:
- Update to the latest browser version
- Disable browser extensions that modify JavaScript
- Check browser console for error messages
- Try incognito/private mode to rule out extensions
This project is licensed under the MIT License - see the LICENSE file for details.
- luaparse - Lua AST parser by Oskar Schöldström
- Monaco Editor - Microsoft's VS Code editor component
- Next.js - Vercel's React framework
- Tailwind CSS - Utility-first CSS framework
- shadcn/ui - Beautiful component library
- Radix UI - Accessible component primitives
- Lucide - Icon library
- Prometheus Obfuscator
- LuaSrcDiet
- IronBrew2
- Issues: GitHub Issues
- Documentation: See CLAUDE.md for development details
- Web Interface Docs: See web/README.md for specific implementation details
This tool is designed for legitimate code protection purposes. Please use responsibly and in accordance with applicable laws and platform terms of service.
- 100% Client-Side: All code processing happens in your browser
- No Server Storage: Code is never uploaded or stored
- Optional Analytics: Google Analytics can be disabled
- Open Source: Full transparency - review the code yourself
Built with ❤️ for the Lua community by Bill Chirico
Star ⭐ this repository if you find it helpful!