Advanced Red Team Payload Obfuscation Engine
Free & Open Source β Browser-Based β No Data Leaves Your Machine
π Live Demo β’ Features β’ Quick Start β’ Languages β’ Layers
β οΈ For authorized security testing and educational purposes only. Do not use against systems you do not own or have explicit permission to test.
π 100% Client-Side β All obfuscation runs in your browser. Zero server calls. Your payloads never leave your machine.
π§ 8 Stackable Layers β Combine any layers together for maximum evasion depth. Each layer adds a different evasion dimension.
π€ 5 Languages β PowerShell, Python, Bash, C#, and Go with language-specific awareness.
π¬ Context-Aware Tokenizer β Custom parser that understands strings, comments, interpolation, f-strings, here-strings, and escape sequences per language. Never breaks syntax.
π Real-Time Analysis β Shannon entropy meter, detection probability scoring, per-layer breakdown, and output validation.
π― Unicode Safe β B64-first encoding pipeline ensures Greek, Chinese, Emoji, and any Unicode characters work flawlessly across all layers.
π Completely Free β No tiers, no paywalls, no accounts. Every feature is available to everyone.
| Language | Icon | Key Features |
|---|---|---|
| PowerShell | β‘ | IEX Stealth auto-replacement, AMSI/ETW bypass, backtick escape resolution, $() subexpression awareness |
| Python | π | f/r/b/u string prefix detection, f-string deconstruction, __import__() safe dead code, getattr stealth |
| Bash | π | 55+ command obfuscation via printf '\xHH', $'...' ANSI-C quoting preservation, native eval execution |
| C# | π· | Verbatim @"" and interpolated $"" string preservation, shellcode loader templates, in-method injection |
| Go | πΉ | Raw backtick string preservation, safe byte slice encoding, encoding/base64 import awareness |
All 8 layers can be combined in any order. Each layer operates independently and adds a unique evasion dimension:
| # | Layer | Icon | What It Does | Evasion Impact |
|---|---|---|---|---|
| 1 | Variable Randomization | π² | Renames variables and function names to random identifiers | Breaks static signature matching on known variable names |
| 2 | String Encoding | π | Encodes string literals with Base64, Hex, or char arrays | Hides suspicious strings from pattern-matching scanners |
| 3 | Dead Code Injection | π | Inserts non-functional code at safe locations | Alters control flow graph and code fingerprint |
| 4 | Anti-Analysis | π‘οΈ | Adds sandbox detection, sleep timers, CPU/RAM checks | Evades dynamic analysis and sandbox environments |
| 5 | XOR String Encryption | βοΈ | Encrypts each string with unique random XOR key + JIT decrypt | Eliminates all plaintext β defeats heuristic scanners |
| 6 | Control Flow Flattening | π | Flattens code into randomized state-machine (while/switch) | Defeats CFG analysis and decompiler pattern recognition |
| 7 | AMSI/ETW Patch | 𧬠| Prepends obfuscated AMSI bypass + ETW blind | Disables runtime memory scanning on Windows targets |
| 8 | Encryption Wrapper | π | Wraps entire payload in polymorphic XOR/AES envelope | Completely hides payload structure from static scanners |
Each time you encrypt, one of these polymorphic methods is randomly selected:
| Method | Description |
|---|---|
| XOR + Base64 | XOR encrypt Base64-encoded payload with random 16-byte key |
| Hex-Shift | Shift each byte by random offset, encode as hex string |
| Multi-XOR | Double XOR with two independent 16-byte keys |
| Byte Rotation | Rotate each byte by random offset (3-50), stored as array |
All methods use B64-first encoding (Base64 before encryption) to guarantee Unicode safety and prevent byte overflow.
The custom tokenizer (parser.js) splits source code into string, comment, and code tokens. Obfuscation engines only modify the appropriate token types β never breaking syntax, keywords, or structural delimiters.
Interpolated strings are split into static and variable segments:
- PowerShell:
"Hello $name"βencoded_static + $name - Python:
f"Hello {name}"βencoded_static + str(name) - Bash:
"Hello $var"βencoded_static$var - C#:
$"Hello {name}"βstring.Format(encoded, name)
All encoding and encryption operations use a Base64-first approach:
- Resolve language-specific escape sequences (
\nβ real newline) - Encode string to Base64 (guaranteed ASCII, 0-127 range)
- Apply XOR/shift/rotation on the safe B64 bytes
- Decryption stub reverses: decrypt β Base64 decode β UTF-8 string
This prevents the Cannot convert value "913" to type System.Byte error when processing Unicode characters (Greek, CJK, Emoji, etc.).
- PowerShell:
ScriptBlock::Create(),ExecutionContext.InvokeCommand,Invoke-Command(randomized) - Bash:
eval "$(β¦)"with variable indirection (no pipe/subshell scope loss) - IEX Stealth: Auto-replaces
IEX/Invoke-Expressionwith& ($ShellId[1]+$ShellId[13]+'X')
The built-in analysis panel provides real-time feedback:
- Shannon Entropy β Measures randomness (Higher = harder to fingerprint)
- Detection Score β Estimates probability of AV/EDR detection per active layer
- Size Ratio β Before/after payload size comparison
- Validation β Checks balanced delimiters and structural integrity
# Clone the repository
git clone https://github.com/Ilias1988/payload-obfuscator.git
cd payload-obfuscator
# Install dependencies
npm install
# Start development server
npm run dev
# Build for production
npm run buildThen open http://localhost:5173 in your browser.
Or just visit the Live Demo β
payload-obfuscator/
βββ index.html # SEO-optimized shell
βββ vite.config.js # Vite configuration
βββ tailwind.config.js # Tailwind theme (dark terminal)
βββ scripts/
β βββ build.mjs # Production build script
βββ public/
β βββ robots.txt
β βββ sitemap.xml
βββ src/
βββ App.jsx # Main application
βββ main.jsx # React entry point
βββ index.css # Tailwind + custom styles
βββ components/
β βββ layout/ # Header, Footer
β βββ panels/ # Input, Output, Options, Analysis, Language
β βββ seo/ # SEOHead, SEOContent
β βββ ui/ # CopyButton, EntropyMeter, Toast
βββ data/
β βββ techniques.js # Languages, layers, templates
βββ engines/
β βββ powershell.js # PowerShell engine (8 layers)
β βββ python.js # Python engine (6 layers)
β βββ bash.js # Bash engine (6 layers)
β βββ csharp.js # C# engine (8 layers)
β βββ golang.js # Go engine (7 layers)
β βββ controlflow.js # Scope-aware CFF engine
β βββ amsi.js # AMSI/ETW patch generator
βββ hooks/
β βββ useObfuscator.js # Core state management
βββ utils/
βββ encoding.js # Base64, Hex, XOR, resolveLanguageEscapes()
βββ entropy.js # Shannon entropy + detection scoring
βββ parser.js # Context-aware tokenizer
βββ randomization.js # Variable/function name generation
βββ validator.js # Output validation
| Technology | Purpose |
|---|---|
| React 18 | UI framework |
| Vite 5 | Build tool & dev server |
| Tailwind CSS 3.4 | Styling (dark terminal theme) |
| Lucide React | Icons |
| React Helmet Async | Dynamic SEO meta tags |
7 pre-built payload skeletons included:
- β‘ PowerShell Download Cradle
- π‘οΈ AMSI Bypass Template
- π΄ Master Payload v3.0 (AMSI + Stealth IEX + Download Cradle)
- π Python Reverse Shell
- π Bash Reverse Shell
- π· C# Shellcode Loader Skeleton
- πΉ Go Reverse Shell
| Version | Highlights |
|---|---|
| v5.3 | B64-first Unicode safety (all engines), resolveLanguageEscapes(), escape sequence fix, Python XOR B64-first |
| v5.2 | F-string var rename sync, as/for capture, 2-phase randomization |
| v5.1 | Dead code __import__() safety β zero NameError crashes |
| v5.0 | F-string deconstruction, context-aware parser |
| v4.5 | Polymorphic encryption wrappers (4 methods), stealth exec |
| v4.1 | Scope-aware CFF rewrite (brace counting, atomic try/catch) |
| v4.0 | XOR String Encryption, Control Flow Flattening |
| v3.0 | IEX Stealth, AMSI templates, entropy analysis |
| v2.0 | Context-aware parser, string-safe encoding |
| v1.0 | 5 languages, 5 layers, basic obfuscation |
MIT License β See LICENSE for details.
Ilias Georgopoulos
- π Website
- π» GitHub
- π¦ X / Twitter
Built with β and π₯ for the red team community