npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@callowayisweird/gmod-protect

v1.0.3

Published

Compile Garry's Mod Lua into custom bytecode with a randomized VM runtime — makes addon source unreadable and undecompilable.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

callowayisweirdcallowayisweird

Keywords

gmodgarrys-modluabytecodecompilerobfuscationprotectionglua

Readme

gmod-protect

The most advanced free addon protection for Garry's Mod.

Your source code is your livelihood. Stop giving it away. gmod-protect compiles your GLua into military-grade obfuscated bytecode that no existing tool can read, decompile, or reverse. One command. Zero cost. No subscriptions. No servers. No single point of failure.

Install. Protect. Ship.

npm install -g @callowayisweird/gmod-protect

gprotect build ./my-addon/lua/ --addon-name my_addon

Done. Your entire addon is now protected. The output folder is ready to upload to GModStore, Workshop, or anywhere else.

Anyone who opens your files sees this:

return "R1BCAQEAAgBylU5t7IWYULiylgYAeE8plleRNYlkj+3agfuRVL/M1rvQeKP0sBH..."

Before & After

Your code:

function MyAddon:Initialize()
    self.config = loadConfig("settings.json")
    hook.Add("Think", "MyAddon_Think", function()
        for _, ply in ipairs(player.GetAll()) do
            self:ProcessPlayer(ply)
        end
    end)
end

After protection:

  • Source code is gone. Replaced by custom bytecode running in a proprietary virtual machine.
  • Every string — "Think", "settings.json", "MyAddon" — is encrypted and fragmented. Not a single readable string exists in the output.
  • The control flow is flattened into an unrecognizable state machine. Loops, branches, and function structure are destroyed.
  • Arithmetic and constants are transformed into equivalent but unrecognizable sequences.
  • Dead code paths and decoy instructions are woven throughout, indistinguishable from real logic.
  • Each build generates a completely unique instruction set. Every addon has its own.

No Lua decompiler works. No hex editor helps. No existing tool on earth can read this.

10-Layer Protection Pipeline

Every file passes through ten independent security layers:

| # | Layer | What it does | |---|-------|-------------| | 1 | String fragmentation | Shatters every string into random pieces reassembled at runtime | | 2 | Opaque predicates | Wraps real code in mathematically hard-to-solve conditions | | 3 | Control flow flattening | Destroys if/else/loop structure into a flat state machine | | 4 | Arithmetic metamorphosis | Transforms math operations into equivalent unrecognizable sequences | | 5 | Constant encoding | Numbers are computed at runtime from randomized operands | | 6 | Dead code injection | Inserts realistic fake code blocks that can't be automatically removed | | 7 | Instruction noise | Interleaves decoy instructions between real operations | | 8 | String encryption | All string data encrypted with per-build derived keys | | 9 | Instruction set randomization | Every build creates a unique set of virtual machine opcodes | | 10 | Anti-interception runtime | Native C module prevents bytecode from being captured via Lua hooks |

A typical file goes from 37 instructions to 230+. All variable names, comments, and formatting are permanently erased.

How Developers Use It

1. Develop your addon normally

my-awesome-addon/
└── lua/
    ├── autorun/server/init.lua
    ├── my_addon/sv_core.lua
    ├── my_addon/sv_config.lua
    └── my_addon/cl_hud.lua

2. Protect it

gprotect build ./my-awesome-addon/lua/ --addon-name my_addon -o ./release

3. Ship it

Upload the release/ folder. That's your addon.

release/
├── lua/
│   ├── autorun/server/my_addon_loader.lua    # Auto-generated loader
│   ├── my_addon/                             # Same structure as your original
│   │   ├── sv_core.lua                       # Protected (bytecode)
│   │   ├── sv_config.lua                     # Protected (bytecode)
│   │   └── config/settings.lua               # Excluded (plain Lua, if using -e)
│   └── bin/gmsv_gprotect_*.dll               # Runtime (all platforms)

The output mirrors your original directory structure exactly. Same paths, same filenames — the only difference is file contents.

Instructions for your buyers:

  1. Extract to garrysmod/addons/
  2. Place the .dll files in garrysmod/lua/bin/
  3. Restart your server

That's it. The DLL is universal — one runtime for all gprotect addons. Install it once, every protected addon works.

Developer Notes

  • Re-protect on every release. Each build generates a completely new instruction set. Old builds can't be reused.
  • Keep your source code safe. Protection is one-way. There is no "unprotect" command. If you lose your source, it's gone forever.
  • Test before shipping. Always verify the protected build on a local server.
  • Config files that buyers need to edit should be excluded with -e. They'll be copied as plain Lua.

Supported GLua

Full Lua 5.1 + all GMod extensions:

  • // and /* */ comments
  • !, !=, &&, || operators
  • continue keyword
  • Tables, closures, upvalues, varargs
  • Method calls (ply:Nick(), timer.Simple(...))
  • Numeric and generic for loops
  • Multiple return values
  • Nested functions and scoping

CLI

gprotect build <dir>                              # Protect entire addon
gprotect build <dir> -o ./release                 # Custom output directory
gprotect build <dir> -n my_addon                  # Custom addon name
gprotect build <dir> -e "config/*" "sh_*.lua"     # Exclude files (copied as plain Lua)
gprotect build <dir> -e "**/config.lua"           # Exclude by pattern
gprotect build <dir> --no-obfuscate               # Bytecode only, skip obfuscation
gprotect compile <file.lua>                       # Protect a single file

Excluding files

Use -e / --exclude to keep files as readable Lua. Excluded files are copied to the output as-is — not protected, not removed. This is for config files, shared code, or anything buyers need to read or edit.

# Exclude all config files and shared code
gprotect build ./lua -e "config/*" "sh_*.lua" "**/settings.lua"

# Exclude entire directories
gprotect build ./lua -e "my_addon/config/**"

Glob patterns: * matches within a directory, ** matches across directories, ? matches a single character. Matching is case-insensitive.

Why Not LegionDRM?

| | LegionDRM | gmod-protect | |---|---|---| | Cost | Paid subscription | Free forever | | Dependency | Their servers go down = your addon breaks | Runs 100% locally | | Runtime | Per-addon system | One universal DLL for all addons | | Setup | Account, API keys, integration | npm install, one command | | Source required? | Send your code to their servers | Never leaves your machine | | Development | Closed, opaque | Actively maintained, community feedback welcome |

FAQ

Can someone reverse-engineer the protected code? The bytecode runs in a custom virtual machine with a unique instruction set per build. There is no existing decompiler, disassembler, or analysis tool that can read this format. Building one from scratch would require significant reverse engineering of the compiled native runtime — far beyond the capability of typical GMod script kiddies.

Is the runtime DLL safe? The runtime is a standard GMod binary module (like mysqloo or chttp). It follows the same GMOD_MODULE_OPEN / GMOD_MODULE_CLOSE pattern. It reads protected files, decrypts them internally, and executes them in a sandboxed virtual machine.

Does this protect client-side code? No. The runtime DLL runs on the server. Clients don't have it and you can't make them install it. Protect your server-side code — that's where your addon logic, database access, permissions, and API keys live. Client-side code (HUD rendering, UI elements) is cosmetic and not worth protecting.

Does Workshop upload work? Yes. The output is standard .lua files in a standard addon folder structure. Workshop sees normal Lua files.

What if two addons both use gmod-protect? They both work. The runtime DLL is universal — it handles any number of protected addons simultaneously, each with their own unique instruction set.

V1 Limitations

  • No coroutines
  • No debug library (intentional)
  • No goto statement
  • No metatables on non-table types

License

Copyright (c) 2026 callowayisweird. All rights reserved.

This software is provided as a free tool. Redistribution of the source code is not permitted.