███████╗███╗ ██╗██╗ ██╗ ██████╗ █████╗ ██╗ █████╗
██╔════╝████╗ ██║██║ ██╔╝██╔═══██╗██╔══██╗██║ ██╔══██╗
█████╗ ██╔██╗ ██║█████╔╝ ██║ ██║███████║██║ ███████║
██╔══╝ ██║╚██╗██║██╔═██╗ ██║ ██║██╔══██║██║ ██╔══██║
███████╗██║ ╚████║██║ ██╗╚██████╔╝██║ ██║███████╗██║ ██║
╚══════╝╚═╝ ╚═══╝╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝
Code Obfuscation & Encryption Engine
"If they can read it, you didn't try hard enough."
Python.py
Comment strip → ZLIB max compress → XOR-32 encrypt → base64 chunk → exec(compile()) loader with lookalike var names + noise lambdas
JavaScript.js
ZLIB compress → XOR-16 encrypt → base64 → IIFE loader using native DecompressionStream, pako.js CDN fallback
TypeScript.ts
Same pipeline as JS wrapped in @ts-nocheck IIFE with typed stubs; DecompressionStream runtime decode
PHP.php
Comment strip → compress → XOR encrypt → eval(gzuncompress(base64_decode())) with noise variables
Java.java
Minify → compress → XOR → Base64 → self-contained class with Inflater decode + Nashorn eval
C#.cs
Minify → compress → XOR → Convert.FromBase64String → DeflateStream decompress → reflection invoke
Ruby.rb
Comment strip → compress → XOR → eval(Zlib::Inflate.inflate(Base64.decode64())) with noise vars
Lua.lua
Comment strip → compress → XOR → embedded pure-Lua base64 decoder → load() execution
LuaU.luau
Roblox-optimised: bit32.bxor XOR, typed annotations, task.spawn + loadstring runtime decode
CSS.css
Minify → strip comments → shorten colors → rename all classes and IDs to encoded names with embedded map
HTML.html
Strip comments → minify → recursively obfuscate all inline <script> and <style> blocks
SQL.sql
Strip comments → minify → randomise keyword casing → rename all identifiers to encoded short names
$enkoala app.js
$enkoala server.py -o server_obf.py
$enkoala styles.css -o dist/styles.min.css
$enkoala game.luau -o game_obf.luau
$enkoala ./src --dir -o ./dist --recursive
$enkoala myfile --lang py -o out.py
$enkoala update
$enkoala version
$enkoala uninstall
✓
SHA-256 checksum verification
All downloads verified against sha256 in version.json before installation. Mismatch aborts with no file written.
✓
TLS 1.2+ enforced
curl installer uses --proto '=https' --tlsv1.2. PowerShell installer forces SecurityProtocol TLS 1.2.
✓
Temp file cleanup
Shell installer registers a trap cleanup on EXIT, INT, and TERM. PowerShell uses try/finally. No temp files left on failure.
✓
Update rollback
Self-update backs up the current binary before writing. Any failure automatically restores the backup.
✓
Strict HTTP headers
HSTS, CSP, X-Frame-Options DENY, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy set on all responses.
✓
No-cache on all downloads
enkoala.py, install scripts, and version.json served with Cache-Control: no-store so stale versions are never served.
✓
Safe path quoting (Windows)
PowerShell shim generator quotes both the Python path and script path, preventing injection from paths containing spaces.
✓
No external runtime deps
enkoala.py uses Python stdlib only. No pip install, no supply chain attack surface beyond Python itself.