CodeMask
Real register-VM · FiveM & Roblox

Make your code uncrackable.

CodeMask compiles your code into a real virtual machine, encrypts it, and produces a different result every time. Lua, JavaScript and web — one click, hardened against cracking.

script.lua → obfuscated
-- CodeMask - https://codemask.io

return((function(...) local a,b,c,d = ... local g = { 0x1f, 0x4c, 0x75 }
local h = "\x1f\x4c…«packed vm blob»…"
-- 41,000 lines of source → one line, unreadable bytecode
end)(...))

Why CodeMask?

Not just minification — real virtualization and multi-layered hardening.

Real Register-VM

Your code compiles to our own register-based virtual machine — not luac bytecode. Safe for FiveM & Roblox.

Multi-Language

Lua (FiveM · Roblox · Luau · 5.1–5.4), JavaScript / TypeScript / JSX and CSS/HTML — all from one panel.

Polymorphic

Every build produces completely different output. Diffing, signature detection and 'crack once, apply to all' attacks die.

Packed + Self-Obfuscated

Bytecode + constants are packed into one encrypted byte-blob; the interpreter itself is obfuscated (rename + CFF). No readable ISA remains.

VM-in-VM

Nested virtualization: peel one layer and you get another VM's bytecode, not readable code.

Anti-Tamper

Runtime integrity self-hash, anti-hook (peel detection) and decoy handlers. Tamper with it and it breaks.

Anti-LLM

Built to survive AI reverse engineering

Today people don't crack obfuscators by hand — they paste the file into an LLM and ask it to deobfuscate. CodeMask is built to defeat exactly that.

claude — deobfuscate.js

Reverse engineer this file and restore the original source

● Let me start by reading the file…

— 6 hours later —

● I tried everything — static analysis, runtime instrumentation, hooking, sandboxed execution, custom tooling. I couldn't even decode the bytecode: the decoding key is computed inside the runtime, but every attempt to observe the runtime trips a code-integrity check and the program corrupts its own state or refuses to run.

Classic chicken-and-egg — I can't read the bytecode without the runtime, and I can't watch the runtime without breaking it.

● I'm calling it. From the file alone, I can't recover the source.

Runtime-derived key
The constant key is never in the file — it's rebuilt from a rolling hash of the instruction stream at execution.
Integrity guard
Tampering or single-stepping changes the hash → wrong key → garbage. Observing it breaks it.
Anti-hook / anti-debug
Detects replaced load / debug hooks; peel attacks dump zero bytes.
VM-in-VM + self-obfuscated bootstrap
Peel one layer and you get another VM's bytecode — the interpreter itself is obfuscated.

Honest note: runtime memory inspection is always possible in a JS/Lua environment — our defenses raise the cost of reaching it far beyond what an LLM (or most humans) will pay.

FiveM

FiveM asset protection — beyond FXAP

Upload a resource .zip, protect every file, and attach an automatic IP-based license. Not another escrow format for dumpers to crack — a real per-resource VM.

 FXAP / escrowCodeMask
ProtectionOne shared escrow schemePer-resource register VM
Dumpers / unlockersPublic tools defeat it & dump sourceNo standard format to target
LicensingTied to your keymaster assetBuilt-in IP allow-list per script
Revoke a leakRe-issue / not reallyOne click — kills every copy remotely
LanguagesLuaLua + JS + CSS/HTML, all at once

The dumpers that peel FXAP have nothing to grab — there's no known container, and the license check lives inside the VM. Lock scripts to your customers' server IPs and revoke leaks instantly.

Mask your code now.

Create an account, upload your file, and download uncrackable output in seconds.

Get started free
Pricing

Simple, prepaid plans

Buy with your email — your account is set up right after payment.

Basic
$10/mo
500 obfuscations
  • ✓ 500 obfuscations — any language, any type
  • ✓ Prepaid access via a monthly subscription
  • ⨉ No access to our exclusive Premium settings
  • ⨉ No access to our obfuscation API (even with tokens)
  • ⨉ Obfuscating scripts on behalf of other users is not permitted
Most popular
Premium
$25/mo
1,000 obfuscations
  • ✓ 1000 included obfuscations
  • ✓ Prepaid access via a monthly subscription
  • ✓ Access to our exclusive Premium settings — higher security
  • ✓ Obfuscation API, ratelimited to 1 concurrent script
  • ⨉ Obfuscating scripts on behalf of other users is not permitted
Commercial
$40/mo
2,000 obfuscations
  • ✓ 2000 included obfuscations ($10/mo per 1000 extra)
  • ✓ Prepaid access via a monthly subscription
  • ✓ Access to our exclusive Premium settings — higher security
  • ✓ Unlimited access to our obfuscation API
  • ⨉ Obfuscating scripts on behalf of other users is not permitted
Enterprise
$80/mo
5,000 obfuscations
  • ✓ Specially curated obfuscation limits & pricing for your use case
  • ✓ Exclusive private features tailored to your needs
  • ✓ Access to our exclusive Premium settings — higher security
  • ✓ Unlimited access to our obfuscation API
  • ✓ Priority support queue
  • ✓ Obfuscating on behalf of others allowed for value-added services (approval required)

Secure checkout via Creem · cancel anytime

Already have an account? Sign in