Skip to content
Obfuscation

Mojibake steganography

Each byte of input is encoded as a higher Unicode codepoint picked at random. Example: an A (U+0041) may become U+5E41 (a CJK ideogram). The resulting text is illegible at a glance, but decoding extracts each character's codepoint modulo 256 to recover the original byte. UTF-8-safe throughout.

Codepoint range (hex)

The range only affects encoding. Decoding works with any range.

Plaintext
Obfuscated text

Warning: this is not encryption

This tool does reversible obfuscation without a key. Anyone who knows the algorithm can decode the message in seconds. It's for visual masking (e.g. making a message look like a random CJK string in a text editor), NOT for protecting secrets. For real encryption, use AES-256-GCM via libsodium or GPG.

Frequently asked questions

What is a mojibake tool actually useful for?
Mostly didactic demos of steganography (hiding the existence of a message, not its content) and red team awareness. Real use-case example: a text file full of commentary that looks like 'random CJK ideograms' but is actually readable strings once decoded. Useful for CTFs, security training, or simply for curiosity about Unicode codepoints.
Why is the output different each time for the same input?
Because the 'k value' (the high Unicode offset) is random per character. Only the Braille preset produces deterministic output (the range has only one high value available, 0x28). All other presets randomize, yielding different output every time. Decoding still works because it's based on modulo 256 of the codepoint, not on the high value.
Does it support emoji and non-ASCII input?
Yes. Input is first converted to UTF-8 (so an Italian 'è' becomes 2 bytes, an emoji 4 bytes), then each byte is obfuscated. On decode, bytes are rejoined and reinterpreted as UTF-8. Emoji 🎯 🔒, Italian accents (perché, città, più), CJK, Arabic, Hebrew: all supported.
Is it safe to hide passwords or sensitive info?
NO. Repeat: this is not encryption. Anyone with a JavaScript console can decode your output in 3 seconds. For real protection, use symmetric encryption with a secret key (AES-256-GCM via libsodium) or a decent password manager.
How does it work technically?
The algorithm applies a specific sequence of encoding and decoding steps (UTF-8 to ISO-8859-1 and back), exploiting the very interpretation bug that produces mojibake characters. The implementation uses the native browser TextEncoder and TextDecoder, avoiding the legacy unescape/encodeURIComponent hack.

Light obfuscation isn't enough? You need real encryption.

If you're looking for how to hide sensitive content in production, this tool is not what you need. I offer consulting on applied cryptography (libsodium, sealed boxes, encrypted columns in DB), key management with HSM/KMS, code audits for side-channel vulnerabilities and prompt injection in LLM agents. Concrete applied cybersecurity, not theoretical.

Talk to me about cryptography and security