Docs
Everything you need to protect, deliver, and manage your Lua scripts with Sudo.
Overview
Sudo is a loadstring-based script protection system for Lua. It protects your scripts with multiple security layers and serves them through single-use URLs.
- Custom virtual machine — no standard deobfuscation tools work
- Per-request obfuscation — every output is unique
- Multi-layer encryption on all constants and strings
- Single-use payload URLs — no sharing, no replay
- Intrusion detection and HWID banning
Quick Start
- Get a key: Free key (4 days) or purchase a longer key
- Register an account at the Dashboard using your key
- Upload your script through the dashboard
- Copy the generated loadstring and use it in your executor
Key System
Free keys require completing 3 checkpoints. Each checkpoint opens a new tab — complete the page and return to the key system. After all 3 checkpoints, click "Claim Your Key" to generate your key.
Key types
- Free (4 days) — 3 checkpoints, HWID-bound
- Premium ($5/mo) — No checkpoints, 30-day validity
- Lifetime ($35) — No checkpoints, never expires
Keys are bound to one HWID. If you need a reset, contact us on Discord.
Dashboard
The dashboard lets you manage your scripts and account:
- Upload / Edit scripts — paste or drag-drop .lua files. Editing re-protects under the same URL.
- Copy loadstring — one-click copy of your loadstring or direct URL
- Messages — direct communication with the site owner
- Intrusion log — (owner only) view tamper attempts and ban HWIDs
Loadstring Format
Each loadstring URL serves a unique obfuscated script per request. The URL looks like:
When an executor requests this URL, it receives a freshly protected version of your script. Every request produces unique output with different structure and variable names.
Browser requests are redirected to the homepage — scripts are only served to valid executors. Payload URLs are single-use and expire quickly.
Security
Sudo uses multiple layers of protection to keep your scripts secure. Each layer is designed so that bypassing one does not expose the others.
- Custom virtual machine with per-build randomization
- Multi-layer encryption — no readable strings in output
- Every request generates unique output — no two are the same
- Single-use delivery URLs that expire immediately after fetch
- Intrusion detection with automatic HWID banning
Standard deobfuscation tools do not work on Sudo output, and the pipeline is continuously hardened against reversing.
API Reference
GET /obf/:scriptId — Returns the protected script. Executor requests get the obfuscated Lua; browser requests get redirected to the homepage.
POST /api/keysystem — Key system endpoints for checkpoint completion and key generation. Used internally by the key system pages.
POST /api/auth — Authentication endpoints for login, registration, and session management.
POST /api/scripts — Script management: upload, edit, delete, list. Requires authentication.
FAQ
Can I change my HWID?
Contact us on Discord for a HWID reset.
Why does my key say expired?
Free keys last 4 days. Get a new one or upgrade to Premium/Lifetime.
Can someone deobfuscate my script?
Standard deobfuscation tools do not work on Sudo output, and the custom VM is continuously hardened.
How do I report a bug?
Join the Discord server and post in general chat.