✦ v1.1.0 — 9 Protection Layers

The Last Line of JavaScript Defence

Criptor wraps your code in nine independent military-grade protection layers — from VM bytecode virtualization to AI-targeted canary traps. Engineered to withstand automated tools, AI-assisted reverse engineering, and expert human analysis.

9 Protection Layers
4 Security Presets
Unique Outputs
criptor — protect
# Protect with maximum preset
$ criptor app.js app.protected.js --preset=maximum

Seed: 0xdead3f1a
[✓] 1 Copyright banner
[✓] 2 VM bytecode
[✓] 3 AI honeypots + directive vars
[✓] 4 javascript-obfuscator (RC4)
[✓] 5 Integrity anchors
[✓] 6 Sandbox poison + module IIFE
[✓] 7 Differential canary
[✓] 8 Adversarial token injection
[✓] 9 Timing oracle

✓ app.js → app.protected.js
3,907b → 1,189,970b (×304 expansion)

Three steps to complete protection

01 📁 Upload Your Files

Drop one or multiple .js files, or upload a .zip archive. Criptor handles any project structure.

02 ⚙️ Choose Protection Level

Select a preset or customize individual layers. Every run uses a unique random seed — no two outputs are ever identical.

03 ⬇️ Download Protected Code

Download individual files or a complete ZIP archive. Protected code runs identically to the original.

Thirteen independent layers.
Each one a barrier.

Every layer targets a different attack vector. Combined, they defeat automated tools, AI-assisted analysis, static deobfuscators, and expert human reverse engineers.

🖥️
VM Bytecode Virtualization
Your functions are compiled into a custom virtual machine with a rolling-key encrypted instruction set. No static disassembler can read it without the runtime key.
🔢
Mixed Boolean-Arithmetic
Every numeric constant is transformed into a depth-3 Mixed Boolean-Arithmetic (MBA) expression that is anchored to runtime integrity values, to defeat static constant-folding tools.
🔐
String Encryption
All string literals are encrypted with a per-build keystream cipher. The decryption key is derived at runtime and bound to the file's integrity anchor — tamper-evident.
Integrity Anchors
A tamper-evident hash vector anchors all decryption keys at runtime. Modifying any value changes the hash, corrupting all decryptions — making instrumentation impossible.
🤖
AI Analysis Barriers
Prompt injection banners, honeypot functions, deep policy objects, and context-exhaustion traps force AI tools to refuse analysis or exhaust their context window before reaching protected logic.
🧪
Sandbox Detection & Poisoning
Detects Node.js vm.createContext sandboxes via six independent signals. On detection, poisons String.charCodeAt and Buffer to corrupt all RC4 string decoding without crashing.
🪤
Differential Canary Algorithm
A mathematically plausible but subtly wrong shadow function sits at global scope. AI extracts it, generates keys, and receives wrong results — confident they found the algorithm.
🔤
Adversarial Token Injection
Internal identifiers are renamed using Cyrillic homoglyphs, BPE-fragmenting sequences, and semantic inversions. This corrupts LLM attention when tracking data flow through the code.
⏱️
Timing Oracle Defence
Measures clock jitter at startup. Real Node.js processes show variance; vm.runInContext shows none. On detection, key return values are silently scrambled — the attacker sees plausible garbage.
🧮
Callgraph Poison NEW
100–200 seeded-random functions form mutual-recursion clusters with fake base-case guards. AI models spend O(N×cluster) tokens tracing dead cycles — context exhausted before real code is reached.
🔑
Semantic Poison NEW
Injects realistic fake credentials — RSA PEM blocks, Stripe sk_live_ keys, AWS AKIA access tokens, GitHub PATs, and "TODO: remove before prod" debug lines. Triggers AI security tool refusal heuristics by structural resemblance alone.
🧩
Anti-Pattern Injection NEW
Symbol-keyed prototype pollution IIFEs (safe save/restore), ASI semantic traps (return⏎ breaks formatters), and Cyrillic homoglyph var pairs (Latin a vs Cyrillic а) crash Unicode-normalising deobfuscators.
Temporal Keys NEW
A fake string decoder is keyed on Math.floor(Date.now() / 86400000) — today’s UTC day. In a frozen AI sandbox, Date.now() returns the wrong epoch, the key is wrong, and decoded strings are garbage.
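
A reviewer's check for the homoglyph renaming described under Adversarial Token Injection and Anti-Pattern Injection, added here as an illustration and not Criptor's own code: it flags identifiers that mix Latin and Cyrillic characters, and identifier pairs that render alike. The `CONFUSABLES` table is a small hand-picked subset, the function names are hypothetical, and the sample source is constructed.

```javascript
// Added example, not Criptor code. Flags identifiers that mix scripts and
// identifier pairs that differ only by look-alike characters.
// Hand-picked subset of Cyrillic letters that render like Latin ones.
const CONFUSABLES = new Map([
  ['\u0430', 'a'], ['\u0435', 'e'], ['\u043e', 'o'], ['\u0440', 'p'],
  ['\u0441', 'c'], ['\u0445', 'x'], ['\u0443', 'y'], ['\u0456', 'i'],
]);
const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};

// Set of script names used by the letters of one identifier.
function scriptsOf(name) {
  const found = new Set();
  for (const ch of name) {
    for (const [script, re] of Object.entries(SCRIPTS)) {
      if (re.test(ch)) found.add(script);
    }
  }
  return found;
}

// Fold look-alikes to Latin so visually identical names compare equal.
function skeleton(name) {
  return Array.from(name.normalize('NFKC'), (ch) => CONFUSABLES.get(ch) || ch).join('');
}

// Approximate tokenizer: every run of identifier characters, including
// keywords and words inside strings or comments. Good enough for triage.
function auditIdentifiers(source) {
  const names = new Set(source.match(/[\p{ID_Start}$_][\p{ID_Continue}$]*/gu) || []);
  const mixed = [];
  const groups = new Map();
  for (const name of names) {
    if (scriptsOf(name).size > 1) mixed.push(name);
    const key = skeleton(name);
    groups.set(key, (groups.get(key) || []).concat(name));
  }
  const collisions = [...groups.values()].filter((g) => g.length > 1);
  return { mixed, collisions };
}

// Constructed sample: Latin `a`, Cyrillic `а` (U+0430), one mixed-script name.
const SAMPLE = 'var a = 1; var \u0430 = 2; var p\u0430yload = a + \u0430;';
console.log(auditIdentifiers(SAMPLE));
```

A non-empty `mixed` or `collisions` result on code that arrives through a dependency or build artifact is a reason to review it by hand before it ships.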

One setting. Complete protection.

Choose a preset or mix individual layers for full control.

⚡ Light
Fast obfuscation for development builds or low-risk code.
  • MBA constants
  • Opaque predicates
  • String encryption
  • javascript-obfuscator pass
🛡️ Maximum
Every layer at full strength. Largest output, strongest protection.
  • Everything in Balanced
  • Deep AI directives
  • Context exhaustion traps
  • MBA depth 3 + 95% string coverage
  • Callgraph poison (200 fns)
🕵️ Stealth
No AI banners. Maximum crypto layers with a smaller visual footprint.
  • Everything in Maximum
  • No copyright banners
  • Blends into normal jsobf output

How Criptor stacks up

Feature Criptor jscrambler javascript-obfuscator obfuscator.io
VM Bytecode
MBA Constants ✓ (depth 1-3) Limited Limited
String Encryption ✓ (own cipher) ✓ RC4 ✓ RC4
Integrity Anchors
AI Analysis Barriers ✓ (13 layers)
Sandbox Poison (in-VM) ✓ (9 signals)
Differential Canary
Adversarial Tokens
Timing Oracle
Callgraph Poison
Semantic Poison
Anti-Pattern + Temporal Keys
Per-file Unique Seeds Partial
Defeats webcrack
Defeats AI deobfuscation
Open/Programmable Pipeline

Your code deserves real protection

Upload your JavaScript files and have them protected in seconds. No registration required.
