Changelog

Product updates, security hardening, payment improvements, and Lua VM changes shipped across Sure Lua Obfuscator.

Project (ZIP) Obfuscation for Premium

Premium and Admin users can now obfuscate a whole FiveM resource at once. Drop in a .zip of the resource, tick which Lua files to protect, and download a ready-to-ship archive — obfuscated files swapped in, everything else copied through untouched.

ObfuscatorFiveMFeatures

$ sure build --tier premium

dispatcher: randomized

literals: protected

status: complete

Features
  • Added a Project (ZIP) tab to the console: drag in a FiveM resource archive, review the file list, and tick the .lua files to obfuscate (all eligible Lua files are pre-selected). Non-Lua assets (HTML, JSON, manifests, images) pass through unchanged, and the rebuilt .zip downloads in one click.
  • The archive is unpacked and repacked entirely in your browser — only the Lua files you select are sent to the server for obfuscation, never the whole project. Each obfuscated file counts as one obfuscation against your daily quota; if a project exceeds your remaining quota, the files that fit are obfuscated and the rest keep their originals so the archive stays complete.
  • Files that fail to compile or are skipped keep their original contents and are flagged per file, so a single problem file never blocks the rest of the project.
  • Available on the Premium plan (Admin included); the tab shows an upgrade prompt for free accounts.

Fix: Generic-for Loops With Single-Value Iterators

Fixed a compiler bug where a generic `for ... in` loop whose iterator returns fewer than three values — most commonly `string:gmatch(...)`, an explicit `next, t, nil`, or any stateless one-value iterator — could fail at runtime with “attempt to call a nil value”. Loops over `pairs`/`ipairs` were unaffected, so this surfaced in scripts using pattern iteration (e.g. building a changelog tree).

ObfuscatorCompilerBug FixesLua 5.4

$ sure build --tier premium

dispatcher: randomized

literals: protected

status: complete

Bug Fixes
  • The generic-for iterator list is now adjusted to the exact iterator/state/control triple the loop protocol needs, nil-padding when the iterator yields fewer than three values. Previously such iterators left the loop’s internal state misaligned and the VM tried to call a non-function, aborting the loop. Behavior now matches stock Lua for `string:gmatch`, stateless single-value iterators, and explicit `next, t, nil` forms.
  • Added regression coverage for generic-for loops across iterator arities (gmatch with one and two captures, stateless one-value closures, explicit next, and nested gmatch), each verified against stock Lua on both tiers.

Fix: Obfuscated FiveM Scripts Silently Failing to Run

Fixed a regression where obfuscated scripts could load but do nothing — no output, no error — on FiveM. The self-integrity option was auto-enabling and binding decode to a code hash measured under the build server’s Lua, which a different runtime (FiveM’s CfxLua) cannot reproduce, so every decoded byte became garbage and the script silently returned nothing. Self-integrity is now opt-in, and the default build runs correctly on FiveM.

ObfuscatorFiveMBug FixesVM

$ sure build --tier premium

dispatcher: randomized

literals: protected

status: complete

Bug Fixes
  • Made self-integrity (the code-hash decode binding) strictly opt-in instead of auto-enabling. It bakes a hash measured under the build host’s Lua and only decodes when the run-time Lua matches that measurement; FiveM’s CfxLua is a different Lua build, so an auto-enabled hash made every obfuscated script decode to garbage and return nothing with no error. Default builds now run on FiveM, and the feature remains available for same-runtime targets via an explicit flag.
  • Default builds keep their cold-extraction resistance: the live-execution decode key (set only inside a real run) still makes exported/sliced decoders produce garbage, so removing the auto code-hash does not weaken protection against static dumping.

Hash-Based Debugger Detection and Deeper Decode Polymorphism

Reworked debugger detection so no detection name is ever shipped, removed the last spoofable detection backdoor, and pushed the per-build decode polymorphism deeper. The known automated deobfuscator still aborts during name discovery on every build, and protected scripts behave identically.

ObfuscatorVMSecurityFiveM

$ sure build --tier premium

dispatcher: randomized

literals: protected

status: complete

Security
  • Switched debugger detection to a hash check: the build now ships only per-build salted hashes of the known debugger globals and matches them against the live environment, so no detection name is ever placed in the string pool. Dumping the pool — the one capability every lift has — recovers nothing, where the previous pool-with-indirection approach still leaked every name by construction.
  • Removed the last spoofable detection signal. A bare debug hook with no debugger global is no longer treated as suspicious, so legitimate profilers/instrumentation (including txAdmin) run normally, and there is no FiveM-marker leniency an attacker can present to soften detection.
  • Made the opcode dispatch decode take one of two algebraically-different arithmetic shapes per build (not just a rewrite of one shape), with the build-time handler keys mirroring whichever shape was chosen.
  • Inlined the remaining small operand decoders (operand, jump, local-index, type-tag, string-index) directly at each use site, removing the stable function-definition grammar a build-agnostic tool enumerated to identify them. Behaviour is unchanged; the known deobfuscator now aborts on this step too.

VM Anti-Tamper and Anti-Analysis Hardening

Bound decoding to live VM execution and to a hash of the loader’s own code, then closed the static-analysis footholds around it. Static and cold extraction now yields garbage — exporting the decoders without a real run, or editing/slicing any part of the decode chain, corrupts every decoded byte. Determined dynamic analysis that runs the VM is the residual pure-Lua ceiling; keep true secrets server-side.

ObfuscatorVMSecurityFiveM

$ sure build --tier premium

dispatcher: randomized

literals: protected

status: complete

Security
  • Bound the string and bytecode decoders to a live-execution key that is set only inside the running interpreter. Exporting the decoders and calling them without a real run (the slice-and-export attack) now yields garbage, so protected strings and bytecode can no longer be dumped cold.
  • Added self-integrity: the live key self-corrects from a hash of the entire decode chain — the dispatcher plus every consumer decoder (string, block, value), not just the dispatcher — so slicing or editing ANY of them corrupts every decoded byte (a wrong runtime falls back gracefully rather than breaking). Auto-enables where the build toolchain supports it.
  • Randomized the VM key layout: each role’s key now lives in a per-build-permuted slot accessed through computed indices, so there is no fixed `KK[n]` slot→role map to read off. This alone breaks the automated deobfuscator’s name-discovery step, aborting the whole attack before it can export the decoders.
  • Routed every arithmetic/comparison/bitwise operation through a per-build dispatch table, so handler bodies contain no literal operator token (`+`, `..`, `<<`, …). An opcode classifier can no longer label instructions, defeating automated disassembly. Lua metamethods are preserved exactly.
  • Removed the flippable fingerprint/payload-hash equality checks from key derivation; both are folded unconditionally into every key, so there is no `~= <constant>` branch to flip and no payload-hash literal in the output. Tampering is still caught cleanly by the keyed integrity checksum.
  • Folded the integrity-checksum delta directly into the live decode key, so the integrity check is non-flippable key material rather than only a branch. Disabling the abort gate no longer lets a tampered payload decode — decoding itself now depends on the checksum matching (a clean build self-cancels the term, so legitimate output is unaffected).
  • Added inert decoy slots to the per-build operator dispatch tables: extra entries no handler ever calls, so a tool that fingerprints operators by calling every slot must also resolve which slots are genuinely wired into a handler. Real arithmetic and metamethods are untouched.
  • Flattened the dispatcher’s handler clusters toward the √N optimum (4–7 buckets), roughly halving the average comparisons per instruction versus the previous split while keeping the per-build dispatch shape varied — a runtime improvement on hot paths with no behavior change.
  • Removed the spoofable debug-hook source whitelist (`citizen:` / `scheduler.lua`), which let an attacker mark their own hook as benign. Genuine FiveM tolerance is preserved through the resource-global signal, so legitimate scripts are unaffected.
  • Stopped embedding original source line numbers — each instruction carries a random line indistinguishable from decoy rows, so output and branded errors no longer back-reference the source layout.
  • Hid the anti-debug detection API names inside the encrypted string pool, made the opaque-predicate accumulator load-bearing (cannot be sliced as dead state), and deepened per-build handler polymorphism.
  • Made the interpreter’s decoding polymorphic across the board: the per-instruction operand decode, the decoder function signatures, jump dispatch, flag comparisons, and block indexing are each emitted in one of several equivalent shapes per build, so the stable code grammar a build-agnostic devirtualizer keys on to identify the renamed decoders is never present in a fixed form. Verified across many builds that the known automated deobfuscator aborts during name discovery on every one, while output stays semantically identical.
  • Made the decode arithmetic itself per-build. The string pool now decodes through a per-build byte cipher — a shuffled, variable-length sequence of invertible operations (the op SEQUENCE varies per build, not just constants). The bytecode cells and the payload-pack layer each now decode through their own per-build invertible operation program, the core keyed mixer’s multipliers plus its whole xorshift round program (variable length and per-round direction/shift), and the key-schedule transform (a per-build shuffled sequence that still binds the fingerprint and payload hash) are likewise randomized per build, with encode and decode generated from one shared spec so they stay in exact inverse lock-step. Also hardened the live-execution key so its binding to the string decoder can never degenerate, closing a rare case where a string could decode without a live run. An attacker who exports the keys and replays the decode formulas can no longer hardcode them — the per-build op program and constants must be re-extracted from every build. Verified bit-identical round-trips and unchanged behaviour across many builds.
  • Performance, no protection change: the live decode key is load-constant, so it is now computed once on the first interpreter entry instead of re-hashing on every guest function call (the key still starts at zero and is only ever set inside a real run, so the slice-and-export protection is unchanged). The decoded-block window was also enlarged so loops no longer re-decode each iteration, while keeping the resident set bounded.

Compiler Correctness: Mixed Assignment and Label Scoping

Fixed two Lua semantic bugs in the bytecode compiler so protected scripts behave exactly like the original source, and made the custom identifier prefix actually shape generated output.

ObfuscatorCompilerLua 5.4

$ sure build --tier premium

dispatcher: randomized

literals: protected

status: complete

Bug Fixes
  • Fixed mixed identifier/table assignment (e.g. `i, t[i] = 2, 9`) to match Lua semantics: the whole right-hand side is evaluated first, then each left-hand table base/key, then the stores run right-to-left. This preserves side-effect ordering (`t.a, x = f(), t.a`) and same-key precedence (`t[key()], t.a = 7, 8`), which previously diverged from native Lua.
  • Fixed `goto`/label scoping so labels are private to each function. Reused label names in sibling functions (e.g. `::done::` in two functions) no longer cross-resolve and corrupt control flow.
  • Trailing multi-return calls now expand correctly into mixed assignment targets (e.g. `o.a, o.b = f()`).
Features
  • The custom identifier prefix now actually leads every renamed VM helper in the generated output instead of being silently ignored.

Homepage Console Hardening

Tightened the homepage around the Lua VM workflow with clearer copy, stronger accessibility, and completion controls for generated output.

UIAccessibilityWorkflow

$ sure build --tier premium

dispatcher: randomized

literals: protected

status: complete

Features
  • Reworked homepage copy to describe packed VM obfuscation for FiveM scripts instead of generic AI security language.
  • Added output actions for copying, downloading a .lua file, and clearing generated output.
  • Added a source reset action, Ctrl+Enter submit shortcut, source-size guidance, and inline source limit handling.
Bug Fixes
  • Improved modal dialog semantics, keyboard focus handling, icon-button labels, and editor textarea labels.
  • Removed bounce motion from drag-and-drop feedback and made usage progress animation respect reduced motion.
  • Fixed a duplicated Premium plan support label.

Deeper VM Hardening and Float Literal Fix

Added several per-build VM hardening passes that keep runtime cost flat, plus a correctness fix for float and large-integer literals.

ObfuscatorVMFiveMLua 5.4

$ sure build --tier premium

dispatcher: randomized

literals: protected

status: complete

Security
  • Split the interpreter dispatch into per-build handler clusters instead of one flat branch chain.
  • Added more equivalent per-build shapes for arithmetic, comparison, and table handlers.
  • Added a runtime-keyed XOR layer to integer constants.
  • Bounded the set of decoded bytecode blocks resident in memory via a sliding window with re-decode on revisit (anti-dump).
  • Added a second, independently-phased anti-debug checkpoint.
Bug Fixes
  • Fixed float literals (and integers beyond 2^31) being truncated or silently halting; numeric literals now preserve the Lua int/float subtype, which matters for subtype-sensitive FiveM natives (coordinates, scales).

Per-Build Handler Polymorphism and Multi-Return Fixes

Each build now emits structurally different VM handlers to resist template-based devirtualization, and several latent correctness bugs around multi-return values were fixed.

ObfuscatorVMCompilerFiveM

$ sure build --tier premium

dispatcher: randomized

literals: protected

status: complete

Security
  • Added per-build handler polymorphism: arithmetic, comparison, and stack handlers are emitted in one of several equivalent code shapes each build.
  • Randomized the dispatch handler order per build so the interpreter chain cannot be pattern-matched across outputs.
  • Randomized the VM scaffolding (helper functions, decoders, key locals) to fresh names each build, removing the stable name signature devirtualizers rely on.
  • Added an opt-in second VM layer (VM-in-VM) for small, protection-critical scripts; off by default due to runtime cost.
  • Chained bytecode block decoding to a running checksum of prior blocks, so blocks must be decoded strictly in order and cannot be dumped individually.
  • Tied string/literal decoding to a runtime-derived key, so protected strings cannot be recovered without passing the fingerprint and integrity gate.
Bug Fixes
  • Fixed trailing calls and varargs not expanding to all results in call arguments, returns, and table constructors (e.g. f(g()), print(table.unpack(t)), return native(), { GetEntityCoords(ped) }).
  • Fixed array indices in table constructors that mix positional and keyed fields ({ x = 1, 10, 20 }).
  • Fixed _ENV resolving to a global lookup instead of the environment table.
  • Fixed string literals larger than ~4 KB (embedded JSON, base64, config) silently producing empty output.

Correct Closure Capture and FiveM Syntax Support

Fixed obfuscated scripts that ran but silently misbehaved on common FiveM patterns, and added native support for CfX compound assignment and safe-navigation syntax.

ObfuscatorCompilerFiveMLua 5.4

$ sure build --tier premium

dispatcher: randomized

literals: protected

status: complete

Bug Fixes
  • Fixed closures created inside loops (numeric, generic/ipairs, and while) capturing only the final iteration value — a per-iteration cell binding now mirrors standard Lua, so patterns like one CreateThread per shop/zone work correctly.
  • Fixed locals declared in do/if/loop blocks leaking out of scope and clobbering an outer variable of the same name.
  • Reworked local variable allocation to use lexical block scoping with unique, never-reused VM slots.
Features
  • Added CfX compound assignment operators (+=, -=, *=, /=, //=, %=, ^=, ..=, &=, |=, <<=, >>=).
  • Added CfX safe navigation (a?.b and a?[k]), including chained access such as a?.b?.c.
  • Made PREMIUM materially stronger than FREE: more decoy states and more frequent runtime integrity/anti-debug checks.

Single Packed VM and QR Top-Up Flow

FiveM scripts now use one compact packed-VM backend by default, hiding source logic while cutting output size dramatically.

ObfuscatorVMFiveMPayments

$ sure build --tier premium

dispatcher: randomized

literals: protected

status: complete

await fetch("/api/payment/slip")

const formData = new FormData()
formData.append("file", slipImage)
Payments
  • Changed the Premium plan button into a top-up flow that opens a dedicated bank QR modal.
  • Shows the server-configured receiver display name, exact amount, and masked transfer target before slip upload.
  • Moved slip image selection below the QR/account details so users know where to transfer before submitting proof.
Features
  • Replaced the hybrid backend selector with a single optimized FiveM Lua 5.4 packed VM path for every obfuscation build.
  • Moved source logic into a dense numeric instruction tape interpreted by one compact loader instead of exposing native Lua control flow.
  • Randomized virtual opcode IDs per build so decoded tape rows no longer map to one stable VM instruction table.
  • Encoded dispatch comparisons behind a per-build dispatch tag decoder instead of exposing raw VM opcode constants in if/elseif branches.
  • Hid the visible bytecode block table behind shuffled-alphabet payload blobs that the VM unpacks internally at runtime.
  • Packed the string pool into shuffled-alphabet payload blobs as well, removing the predictable nested literal table shape.
  • Packed bytecode into lazily decoded encrypted blocks with row masks tied to block key, PC, cell index, and a per-build row key.
  • Encoded stored opcodes, operands, local indexes, literal indexes, and PC targets with per-build numeric keys decoded inside the VM loop.
  • Added lazy string-pool decoding with instruction-carried decode tokens and a second lightweight arithmetic pass while keeping generated source free of decimal escaped bootstrap strings.
  • Added a compact bytecode and string-pool checksum guard that verifies before execution and periodically during dispatch.
  • Added target-safe superinstructions for direct local constants, global field reads, local field reads, and encoded field lookups without breaking Lua short-circuit jumps or closure exits.
  • Changed generated output to start with a packed return loader and randomized method-chain entrypoint.
  • Reduced the shop resource Premium sample from the old hundreds-of-KiB VM shape to roughly tens of KiB while keeping callbacks and coroutine lifecycle behavior working.
  • Removed decimal escaped runtime bootstrap strings such as "\\99\\104..." from generated output.
  • Added a safe payment configuration response on GET /api/payment/slip for client payment instructions.
Security
  • Replaced the raw packed-VM key table with encoded key-fragment payload blobs tied to stable Lua 5.4 fingerprint checks.
  • Mixed bytecode-payload and string-payload checksums into runtime key derivation so decoded key fragments are tied to the generated payload.
  • Moved global access behind an encoded environment resolver instead of a visually obvious direct _G binding.
  • Added controlled VM-local dispatch noise and decoy rows to raise static reconstruction cost without bloating FiveM output.
  • Relaxed runtime key fingerprinting for FiveM Lua 5.4 version-string variants so valid FX runtimes do not silently stop at loader startup.
  • Changed bytecode row masking from linear PC arithmetic to a compact nonlinear xorshift/FNV-style mixer.
  • Added encoded virtual line metadata so runtime failures can report VM lines without emitting source maps or source text.
  • Randomized selected operand layouts for string operands and call metadata to reduce stable static reconstruction paths.
  • Wrapped VM execution and virtual closures with branded Sure Lua Script errors while suppressing generated-loader line noise.
  • Prevented nested virtual closures from repeating the Sure Lua Script error prefix multiple times.
  • Moved anti-debug marker constants into the encoded string pool instead of leaving them as plaintext runtime literals.
  • Added FiveM-tolerant anti-debug checks that reject known Lua debugger hooks/globals without blocking normal FXServer scheduler/runtime hooks.
Bug Fixes
  • Fixed a Premium dispatcher termination path that could decode a nil state after FiveM thread registration chunks finished.
  • Fixed Lua call result adjustment so single-value require assignments keep the module table and trailing varargs forward the correct runtime argument count.
  • Fixed simultaneous identifier assignments so SHA/HMAC working-variable swaps preserve native Lua behavior inside obfuscated server scripts.
  • Fixed dynamic table assignments from call returns, including SHA schedule writes such as w[i] = string.unpack(...).
  • Fixed generic-for loops with member function declarations so point:nearby assignments do not leave table values on the VM stack.

Admin Prefix Controls and Oxfmt Tooling

This minor alpha release adds ADMIN-only build prefix customization and standardizes repository formatting with Oxfmt.

AdminFormatterRelease

$ sure build --tier premium

dispatcher: randomized

literals: protected

status: complete

{
  "tabWidth": 2,
  "semi": false,
  "singleQuote": true
}
Features
  • Added an ADMIN-tier prefix field on the obfuscation page for per-build VM identifier customization.
  • The UI obfuscation API now validates and honors custom prefixes only after confirming the user is ADMIN tier.
Tooling
  • Added Oxfmt as a local dev dependency with format and format:check scripts.
  • Configured Oxfmt for 2-space indentation, no semicolons, and single-quoted JavaScript and TypeScript strings.

RDCW Slip Payments and FiveM Runtime Coverage

Premium upgrades now use RDCW slip verification with receiver validation, transaction history, and an upload-first payment flow.

PaymentsAdminFiveMLua 5.4
RDCW Slip
verified
Amount299 THB
ReceiverMatched
TierPREMIUM
const formData = new FormData()
formData.append("file", slipImage)

await fetch("/api/payment/slip", {
  method: "POST",
  body: formData,
})
Payments
  • Replaced the placeholder Beam checkout webhook with authenticated RDCW slip verification.
  • Added JPG/PNG slip image upload from the Premium plan card with multipart verification.
  • Verified receiver display name, account name, proxy type, proxy value, and expected Premium amount from environment settings.
Features
  • Added persistent payment transaction logs for pending, completed, and failed slip attempts.
  • Added an admin Transactions tab with status filtering, search, pagination, and a detail modal.
  • Added FiveM optional chaining normalization so code like test?.hello compiles as (test or {}).hello.
Bug Fixes
  • Fixed Lua long bracket string and escape sequence handling in the bytecode compiler.
  • Expanded the sample runner to handle FiveM resource-style files without requiring a live game runtime.

Premium Obfuscator Hardening

A deeper compiler and VM pass raised Premium resistance with stronger state encoding, runtime guards, and Lua syntax coverage.

VMSecurityCompilerTesting

$ sure build --tier premium

dispatcher: randomized

literals: protected

status: complete

local output = Sure.obfuscate(source, {
  tier = "PREMIUM",
  target = "FiveM",
  vm = "cps-chain",
})
Security
  • Refactored the Lua backend into typed config, compiler, VM generation, random source, and post-processing stages.
  • Premium builds now use salted string-pool decoding, salted numeric constants, unique decoy states, and randomized dispatcher archetypes.
  • Strengthened startup anti-tamper checks with native function snapshots, debug hook detection, and stricter C-source validation.
Features
  • Expanded Lua coverage for recursive locals, table method declarations, floor division, bitwise operators, shifts, and unary bitwise NOT.
  • Added FiveM-friendly bit fallback resolution across bit, bit32, and pure Lua XOR runtimes.
Bug Fixes
  • Replaced silent unsupported compiler fallthroughs with structured Lua syntax diagnostics.
  • Expanded backend tests for premium variance, plaintext literal protection, table loop execution, and unsupported syntax errors.

Security and UI Overhaul

A platform stability release with hashed API keys, soft deletion, audit logging, OAuth expansion, and a full interface refresh.

AuthDashboardAuditAPI

$ sure build --tier premium

dispatcher: randomized

literals: protected

status: complete

Security
  • Implemented SHA256 hashed API key storage and soft-delete support across primary models.
  • Introduced detailed system audit logging for critical user and admin actions.
Features
  • Added code redemption for instant account tier upgrades.
  • Expanded authentication with Google OAuth alongside GitHub.
  • Integrated drag-and-drop file support in the obfuscation interface.
Bug Fixes
  • Resolved atomic usage increment race conditions in MongoDB.
  • Fixed remote pattern configuration for Google profile images.
  • Disabled API caching and added frontend cache-busting for real-time Admin data.

Initial Alpha Release

The first public alpha introduced the CPS-chain virtualization engine, user dashboard, and GitHub OAuth sign-in.

AlphaCPSFiveM

$ sure build --tier premium

dispatcher: randomized

literals: protected

status: complete

Features
  • Initial release of the CPS-chain based virtualization engine.
  • Added a basic user dashboard and GitHub OAuth integration.
  • Shipped the first FiveM FXVM compatibility layer.

Build history stays transparent

Follow release notes here for obfuscator engine changes, payment verification updates, API behavior, and administrative tooling.

Join Discord