Free Online PHP Obfuscator

Cobra Private PHP Obfuscator Private Version Available

Hello, thanks for using tool. Every public obfuscator / encoder including can easily be decoded using websites such as, and If you need an obfuscator / encoder that can not be deobfuscated / decoded, check out Cobra PHP Obfuscator. Unlike IonCube and SourceGuardian, Cobra PHP Obfuscator does not require server-side extensions in order to work. Check out the Cobra PHP Obfuscator homepage for information, features and purchase instructions -

Until the 18th of March, purchase Cobra PHP Obfuscator for 89USD (normally 170USD) from:

php code to obfuscate and encode

Obfuscation Options

Strip whitespace and comments
preg_match Stub
Encryption -- Encryption depth:
Subscribe to updates via email?
Encryption Depth: The number of times to encrypt, encode and pack the code. Higher depth means more security, but a larger file size and slower load times after 25 around levels. This free obfuscator will only let you go up to 3 anyway, but if you want up to 50 plus other features, then check out my premium PHP obfuscator: Cobra PHP Obfusator / Encoder.
Email Updates: Everyone who is subscribed will be notified when obfuscator updates are released. Also, I will be sending out discount codes so you can purchase Cobra even cheaper than before.

79 Responses

  1. Sandesh Kumar says:

    Thanks for this tool, its clean and works properly

  2. Saurabh Chadha says:

    I query, how easy is to de obfuscate it ????

    i obfuscated my code, i selected 3, how can i do it to 50, as you said ?

  3. Alois says:

    I would like to try your Cobra obfuscator with one of my test files. With Sourcecop I don`t get any false positives on Virus Total, no matter which obfuscated file I uploaded so far. The most important thing for me is not to get false positive alarms, cos these might crash my program, that is using the php scripts I am talking about. So Sourcecop is kind of a treshold for that…but as we all know, it can be decoded like Ioncube etc. That`s why I am thinking of switching to Cobra. Do you have a testversion of Cobra?

    • atomiku says:

      Yes I have a test version of Cobra. Get in contact with me Skype: at0miku or use the contact form. I will obfuscate a few of your files with Cobra for free as a test / demo.

  4. DrBUG says:

    Hi, friend!
    Maybe come back online demonstration of the obfuscator for small blocks of code (lines 10-15)? I’d like to try out how it works. (ps: I’m sorry for my bad english). Good Luck!

  5. Lyle says:

    Muy bueno, mas no estoy de pacto con todo.

    Gracias por la información, bss

  6. Toto says:

    Hi you could not have 2 options eval with a preg_replace and one with ?
    And I ‘ve read the same eval Devil is so evil .
    Greetings from Germany Toto

  7. atomiku says:

    I made an update to the free obfuscator to fix this error on PHP 5.5:
    Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead

    I’ve switched preg_replace to eval. Note this is still insecure and I recommend using Cobra if you do not want your code to be decrypted. I’ve just released an update to Cobra which introduces API functionality so that you can obfuscate code with Cobra using your own scripts.

  8. al says:

    i just dont get it.. it still shows the source as is when i view source on internet explorer and chrome, whats the point of encrypting then? can someone tell me?

    • atomiku says:

      It is the PHP that is obfuscated. The HTML and javascript that is outputted by the PHP will not be obfuscated too. But if you’d like to obfuscate the javascript, there are obfuscators available online if you have a look on Google.

  9. MAQ says:

    How i can call a variable that has been encoded, Because i want to encode a variable and later on i want to use it.

    • atomiku says:

      MAQ, usually I would recommend disabling ‘Encode variable names’ if you plan to access those variables outside of the obfuscated script. But if you only need to access a few variables, you can work out what the obfuscator has renamed them to. I have uploaded the variable encoding/renaming PHP function to my pastebin website. Check out this link, it also contains an example of how you should use it.

  10. Teb says:

    I used this code and as soon as I installed, my network reported a Backdoor.PHP.Agent.ut trojan. DO NOT USE

    • atomiku says:

      Hi Teb, thanks for taking the time to mention this. Another commenter also had a obfuscated PHP file flagged up as a virus. A number of people replied, confirming that this is a false-positive and there is no virus or trojan. If you scroll to the bottom of this page where the oldest comments are, you will see the discussion that took place about this.

      A person named Alex had wrote a deobfuscator for this, and he confirms that there is no backdoor added to the obfuscated code. Additionally, you are able to check this for yourself by submitting the code to a PHP decoder such as

      I hope this clears things up! After seeing your comment, I also decided to write a blog post about this issue. It can be located here:

      For those who are interested in purchasing a license to my private PHP obfuscator named ‘Cobra’, please see – Cobra can not be decoded online and does not get flagged as a virus either.

      UPDATE: I looked into this further and have isolated which part of the obfuscated script is causing Avast to flag it as a trojan. This encoded string: ‘eval(gzinflate(base64_decode(‘. when I remove it, Avast no longer complains. I am releasing an algorithm update for Cobra to fix this issue. Turns out all public obfuscators have this issue, though. I will not be releasing an algorithm update for my public obfuscator at this time.

  11. Hari says:

    Hey please tell me the method of deleting this file. I encoded main file by using this technique but after 2 days it’s become empty file with permission 000 and even not able to delete this file and modify permission as well. Kindly suggest me the solution on urgent basis.

    • atomiku says:

      I’m not sure, perhaps something has happened with the webhost. A few users have reported the obfuscated being flagged as a false-positive by certain anti-viruses, perhaps an anti-virus running on the webhost has quarantined the file or something. Have you tried chmodding the file to 777 and then deleting it?

  12. atomiku says:

    Hey guys. Despite the fact that my public obfuscator isn’t supported or developed anymore, I thought I would release a small update. I have fixed the PHP warnings that you get when ‘Scramble Slice’ is enabled, by removing the feature completely. Considering this tool can be decrypted anyway, it doesn’t make much of a difference having sramble slice anyway.

    I recently updated my private obfuscator, too. If you’d like to purchase lifetime access to it, go to – currently none of the online decoders can crack it. I am offering a 10% discount until the end of October.

    Kind Regards

  13. David says:

    I wrote a de-obfuscator for this in Python

    Your obfuscator is actually more difficult to decode than most of the paid software that does the same thing :P

    • atomiku says:

      Nice work! The private version of the obfuscator would be much much harder to write a decoder for. I’d like to send you a sample if you’re up for the challenge. But if you manage to do it, I’ll have to update my obfuscator and send it out to all my customers hehe.

      • David says:

        Thanks, I’d be up for that challenge. Please email me a couple samples and their plain-text equivalents and I’ll give it a go :)

  14. nikhil says:

    is there any malicious code in it ? file get deleted by antivirus !!!!!

  15. Ayush says:

    Hey do you have any desktop version of this script? How can you help me to perfectly hide my codes?

    Thank You

    • atomiku says:

      My private version will perfectly hide your code and if you buy it you get support, too, so I could ‘help you perfectly hide your codes’ too if you wanted some help, no problem! There isn’t a desktop version, as it requires to be run on Apache or IIS with PHP installed… but you could install a web server on your local machine if you wanted to. Contact me if you’re interested.

  16. John says:

    It doesn’t work! I entered “Matt is a cocksucker” and all it did was returned “boy, you are sure right on there!”

    • atomiku says:

      How strange! I think you’ve just discovered a bug, there. I was unable to replicate the bug myself so I am unsure how I can fix this, would anybody like to commit a patch to the code?


  17. Hello Matt

    Like I said you before your tool is proving extremely util

  18. ShayanKM says:

    Thanks for this useful tool.!! I use it in many cases… ;)

  19. Johne492 says:

    Hi, Neat post. There’s a problem with your site in internet explorer, would test this IE still is the market leader and a good portion of people will miss your excellent writing because of this problem. efkeekkddkgb

  20. Jack says:

    AWESOME tool, i love using this!

  21. atomiku says:

    Hello everyone, thanks for using this obfuscator. It has recently come to my attention that my obfuscator, and almost every other public obfuscator can easily be decoded using tools such as and

    It is because of this, that I am no longer supporting this public version of my obfuscator. I have private versions for sale, that can not be deobfuscated by anything, if you are interested please use the contact form on my website.


  22. Sander says:

    Very good. Only problem I see is that my logs are getting a lot of records because of the old reg_replace

    Deprecated functionality: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead

    Can we fix this?

    • atomiku says:

      You can add error_reporting(0); to the code. But I am going to replace preg_replace with eval instead. I would like to say that this obfuscator isn’t supported any more. Only my private versions. Seeing as this and every other public obfuscator can easily be decoded by online decoders, it doesn’t make sense for me to update this.

  23. I deobfuscate a ‘hello world’ in 3 minutes. Interesting obfuscator, but deprecated since php 5.5.0 due to the modifier ‘/e’ (PREG_REPLACE_EVAL).

    • atomiku says:

      Thanks for your comment. Yes, any obfuscated code can eventually be deobfuscated (even manually) by a decent PHP coder. It just takes time sometimes, that’s all. Which is why with this obfuscator I introduce recursion, so the person would have to go through the iterations manually replacing eval with echo.

  24. Bharat says:

    its not working ?

  25. DGea says:

    Dear friend,
    Could you share to me your source code? or any idea? Thanks.

  26. cocco says:

    I decrypted the result, there is NO malicious code or else.
    However this encoder is good job, now the first time I needed to decode a file because I lost the original one, I spent an hour with it.

  27. Jake says:

    Hi mate, I like this obfuscator. Any where I can get the source code?

  28. Jimmy says:

    this is excellent..!!! thnk u so much…..

  29. cartem says:

    thanks :)) nice job.

  30. Ivan says:

    Constantly obfuscation page does not load until the end. Have to try again and again until you get a full page.

  31. Samet says:

    But i get error when i try on two different files to obfuscate… ( this two files included on single file… )

  32. Samet says:

    Great work. I hope your publishing soon this tool on desktop version… I always used x3 depth encode but i’m not sure about performance… Maybe not prevent this method for prof. thief , but absolutely stopped junior thief :) Thanks…

  33. Сергей says:

    Спасибо за ресурс! Отличная работа и хорошая защита!

  34. Matrixclub says:

    nice job

  35. Anirban Nath says:

    Notice: Undefined variable: xcfcd in C:\xampp\htdocs\**\***.php on line 2
    Notice: Undefined variable: xce84 in C:\xampp\htdocs\**\**.php on line 3
    Notice: Undefined variable: x6222 in C:\xampp\htdocs\**\**.php on line 4
    Notice: Undefined variable: x6d4a in C:\xampp\htdocs\**\**.php on line 5

    Keeps on getting this errors , any help will be much appreciated !

    • atomiku says:

      Have you tried disabling the ‘Encode variable names’ option?

      • Anirban Nath says:

        yep , But now getting a different error :( !

        Notice: Undefined variable: xcfcd in C:\xampp\htdocs\test\studyroom.php(2) : regexp code(1) : eval()’d code on line 1
        Notice: Undefined variable: xce84 in C:\xampp\htdocs\test\studyroom.php(2) : regexp code(1) : eval()’d code on line 2
        Notice: Undefined variable: x6222 in C:\xampp\htdocs\test\studyroom.php(2) : regexp code(1) : eval()’d code on line 3
        Notice: Undefined variable: x6d4a in C:\xampp\htdocs\test\studyroom.php(2) : regexp code(1) : eval()’d code on line 4

      • Anirban Nath says:

        If i uncheck all option and just keep encryption depth its working fine ! But is it a good chioice ?? Was wondering u have any standalone (desktop) version of this php obfuscator !

        Anyways Nice work ! Thanks for replying

  36. Kyle Coots says:

    Thanks, works great!

    You should consider coming up with some kinda of API for this or a way to obfuscate a whole framework/project at one time. That wouold be awesome!

  37. Root(RED) says:

    :) Thanks (y) Like it.. works like a charm :D LOL

  38. walt says:

    I think there is a little bug.
    if I obfuscate this code : phpinfo();

    your programme give me :

    When I execute this code, it show me phpinfo(); instead executing this function.

    When I decode de preg_prelace, I found if I remove this ‘\x3f\x3e’, the code work fine.

    $xcfcd .= “\x3f\x3e\x70\x68″;
    $xa87f .= “\x70\x69\x6e\x66″;
    $xc9f0 .= “\x6f\x28\x29\x3b”;
    eval($xcfcd . $xa87f . $xc9f0);

  39. Derry says:

    very nice

  40. Aziz Mazgour says:

    This works perfectly.

  41. none says:

    strip white space and comment not seems to work

    I put

    and i get


    with space , comment and php tag for bonus ;)

  42. none says:


    => regex /e Warning This feature has been DEPRECATED as of PHP 5.5.0. Relying on this feature is highly discouraged.

  43. Nice utility!
    Good work!

  44. Rojo says:

    There is a problem. If you have a structure where there is an include in one file. If you encode the include file and then also encode the file that calls the include file, there are errors thrown. Settings are level 3.

  45. Rahul says:

    Is there any way to decrypt this encrypted code?
    I mean, are your sure they cant reverse engineer to get original code?

    • atomiku says:

      Yes, someone has made a decrypter for my obfuscator. It was bound to happen eventually, as I say in the post, all obfuscated code can be decrypted. It’s impossible to make an obfuscator thats fool proof, unless you use server side extensions.

  46. Mahesh says:

    This works perfectly. Thanks.

  47. bertrand says:


    c’est dommage que c’est outils n’exécute pas le code php lors du décodage?? du coup il me sert strictement à rien, je comprend pas même à quoi il sert pour obscusifier du php??

    j’ai tenté un eval( devant en vain…

    merci quand même

  48. adh says:

    I have tow php file after code by your site give under error

    Parse error: syntax error, unexpected ‘.’ in 2.php(2) : regexp code(1) : eval()’d code(4) : eval()’d code on line 1

    file 1.php


    file 2.php
    echo "$i”;

    Please help

  49. BEnas says:

    Cleans perfectly

  50. Rapture says:

    Thanks for this tool, I’ve used a lot of obfuscators but this one is the best I’ve found, no errors, clean and very useful :)

  51. HOST RAZOR says:

    I am a system administrator for a company and I deal with these alerts on a daily basis; basically any antivirus be on win32 (kaspersky/avg/sophos) and even on linux/unix systems such as clamav will have signatures set and these detect false positives, one lucky example is a plugin for WHM(cPanel) called WHMXtra, they had obfuscated code hidden in there plugin that nobody knew about, it was to login to a database and enter the number 1 every time somebody used it (so they could get an estimate on plugin usage) and this was flagged on my system as a virus, after decrypting the code I found it and emailed them (they had completley forgot that it was there) and planned to move it after next release.

    If your not sure open it up in a sandbox and test first, watch any changes that may occur. Just because an anti virus flags it up as a threat does not 100% guarantee its a virus.

    Viruses/Trojans/Malware these days are often not detected by your anti virus anyway! “Real Hackers” use crypted programming and hide the data from anti virus scanners making it impossible to detect unless they have an heuristic scanner or more advanced technology – so your never safe unless you sandbox something unknown first!! – “lol @ hacker”

  52. wewt says:

    I can confirm this is not a virus.

  53. hacker says:

    this is a virusssssssssss……….liarss………….fake.

    • atomiku says:

      Hey there. This isn’t a virus, and hopefully someone with a bit of skill will be able to look into the obfuscated code to see what it’s doing to prove that it’s not a virus.

      Why do you think it’s a virus? If it’s because your virus scanner is picking it up, it would be because when people make PHP backdoors they obfuscate it with the same methods that this obfuscator uses. Any online PHP obfuscator you use will have the same result.

      What I’m trying to say is: It’s just a false positive! This PHP obfuscator isn’t a virus.
      Someone please back me up on this.

    • mahmoud says:

      It not a virus, i just decode it.

  1. November 7, 2014

    […] online […]

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>