
Python obfuscation

Are there any commercial, or otherwise, obfuscators for python source
code or byte code and what are their relative advantages or
disadvantages? I wonder because there are some byte code protection
available for java and .NET, although from what I've read these seem to
be not comprehensive as protection schemes.



http://petantik.blogsome.com - Telling it like it is

Nov 9 '05
Yu-Xi Lim <yu**@ece.gatech.edu> wrote:
...
My brother is bugged by Civilization IV's copy protection. A couple of
days ago, after consulting me on what other options he could try, he
finally said in frustration, "Maybe I should go buy the game."
It's interesting, in this context, that Civilization IV is mostly
written in Python (interfaced to some C++ via BoostPython).

It took me 12 seconds with a search engine to determine that CivIV's
protection uses "SafeDisc 4.60" and 30 more seconds to research that
issue enough to convince myself that there's enough information out
there that I could develop a crack for the thing (if I was interested in
so doing), quite apart from any consideration of the languages and
libraries used to develop it -- and I'm not even a particularly good
cracker, nor am I wired into any "underground channels", just looking at
information easily and openly available out on the web and in the index
of a major search engine.

Obfuscation has it's place.


What I think of this thesis is on a par of what I think of this way of
spelling the possessive adjective "its" (and equally unprintable in
polite company). If I could choose to eradicate only one of these two
from the world, I'd opt for the spelling -- the widespread and totally
unfounded belief in the worth of obfuscation is also damaging, but less
so, since it only steals some time and energy from developers who (if
they share this belief) can't be all that good anyway;-).
Alex
Nov 11 '05 #31
petantik wrote:
Alex Martelli wrote:
I think that's feeble protection. If you have valuable code, and
distribute it, people WILL crack it -- just check the warez sites for
experimental proof... EVERYTHING that people are really interested in
DOES get cracked, no matter what tricky machine-code the "protections"
are coded in.

There's ONE way to have uncrackable code -- don't distribute it, but
rather put it up on the net on a well-secured machine under your
control, available as (say) a webservice (subscription-only, pay per
use, or whatever business model you want).
....
I think that is not workable because it is easy to say the internet
is available everywhere.

It is not available in developing countries...


Erh, the internet is certainly spreading to most of the
world, and there is an abundance of cracked and pirated
software in the poorer countries in the world, so the
obfuscation part has certainly proven not to work there.
Nov 11 '05 #32
The Eternal Squire wrote:
Two things:
....
2) Only sell to an honest customer willing to be locked into
nondisclosure agreements. This goes back to the maxim of good
salesmanship: Know Your Customer.


If you have this, you don't need the obfuscation.

Nov 11 '05 #33
Mike Meyer wrote:
Yu-Xi Lim <yu**@ece.gatech.edu> writes:
Ben's analogy of the house is not a perfect example, but it's still a
fair one. You know that if some one really wants to break into your
house, he will get in, regardless of your sophisticated laser trip
wire system, ex-SAS guards, and genetically-engineered guard dogs. But
as long as the cost of protection is less than the cost of the item
you're protecting (multiplied by the relevant probabilities, factoring
recurring costs, etc), it's worthwhile to spend money on
protection. If that fails, then you will of course fall back on the
law, but you still try to prevent it from happening in the first place.
Sounds like you just said that manufacturers should improve their
protection until they aren't making any profit on the product. That's
silly. The goal isn't to maximize protection, it's to maximize
profit. That means it only makes sense to spend money on better
protection if the cost of the protection is less than the expected
profit from adding it.


I agree with what you're saying, but it seems like you're arguing
against what was said rather than what was intended. Without wishing to
put words into anybody's mouths, I'm pretty sure what Yu-Xi Lim meant
was just that even imperfect protection is worthwhile if you estimate
that it will benefit you more than it will cost you. This is in
contrast to the opinion that any protection is useless because someone
will break it if they want to.
A recent, heavily
publicized case where Sony added copy protection to a product cost
them sales, and from what I've heard, even legal fees.


I think that's a poor example - the cost hasn't come from the mere act
of adding protection, but the method in which that protection operates.
I don't think anybody here - certainly not me - is talking about
infecting a user's system to protect our property, or taking any other
intrusive steps. I'd just like to make it non-trivial to make or use
additional copies.

--
Ben Sizer.

Nov 11 '05 #34
Mike Meyer wrote:
There are ways to distribute
Python modules so that the user can't just open them in a text
editor. There are also ways to get cryptographic security for
distributed modules.
I know distributing as bytecode helps, but I was under the impression
that the disassemblers worked pretty well. With the dynamic nature of
the language I expect that all the variable names are largely left
intact. You win some, you lose some, I guess.

As for cryptographic security, could you provide a link or reference
for this? I am quite interested for obvious reasons. I'd be concerned
that there's a weak link in there at the decoding stage, however.

I have considered distributing my program as open source but with
encrypted data. Unfortunately anyone can just read the source to
determine the decryption method and password. Maybe I could put that
into an extension module, but that just moves the weak link along the
chain.
Yes, if you use the same methods you use in C++,
it's "much harder". But by the same token, if you tried to use the
methods you'd use in a Python program in C++, you'd find that the C++
version was "much harder".
Well, I'm not sure what you mean here. A compiled C++ program is much
harder to extract information from than a compiled Python program.
That's without applying any special 'methods' on top of the normal
distribution process.
Of course, as Alex pointed out, all of these are just keeping honest
people honest. The crooks have all the advantages in this game, so you
really can't expect to win.


No, certainly not. But if you can mitigate your losses easily enough -
without infringing upon anyone else's rights, I must add - then why not
do so.

--
Ben Sizer.

Nov 11 '05 #35
"Ben Sizer" <ky*****@gmail.com> writes:
A recent, heavily
publicized case where Sony added copy protection to a product cost
them sales, and from what I've heard, even legal fees.
I think that's a poor example - the cost hasn't come from the mere act
of adding protection, but the method in which that protection operates.


That was sort of the point - that the effect on the bottom line of
adding copy protection is usually worse than just the cost of the
software, and can be much worse. This is a particularly egregious
example, but that just makes it an egregious example, not a poor one.
I don't think anybody here - certainly not me - is talking about
infecting a user's system to protect our property, or taking any other
intrusive steps. I'd just like to make it non-trivial to make or use
additional copies.


I've returned software that wouldn't run from a backup copy. Would I
return your software? If yes, have you factored the loss of sales to
people like me into your profit calculations?

<mike
--
Mike Meyer <mw*@mired.org> http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
Nov 11 '05 #36
Ben Sizer wrote:
Mike Meyer wrote:
There are ways to distribute
Python modules so that the user can't just open them in a text
editor. There are also ways to get cryptographic security for
distributed modules.


I know distributing as bytecode helps, but I was under the impression
that the disassemblers worked pretty well. With the dynamic nature of
the language I expect that all the variable names are largely left
intact. You win some, you lose some, I guess.

As for cryptographic security, could you provide a link or reference
for this? I am quite interested for obvious reasons. I'd be concerned
that there's a weak link in there at the decoding stage, however.

I have considered distributing my program as open source but with
encrypted data. Unfortunately anyone can just read the source to
determine the decryption method and password. Maybe I could put that
into an extension module, but that just moves the weak link along the
chain.
Yes, if you use the same methods you use in C++,
it's "much harder". But by the same token, if you tried to use the
methods you'd use in a Python program in C++, you'd find that the C++
version was "much harder".


Well, I'm not sure what you mean here. A compiled C++ program is much
harder to extract information from than a compiled Python program.
That's without applying any special 'methods' on top of the normal
distribution process.
Of course, as Alex pointed out, all of these are just keeping honest
people honest. The crooks have all the advantages in this game, so you
really can't expect to win.


No, certainly not. But if you can mitigate your losses easily enough -
without infringing upon anyone else's rights, I must add - then why not
do so.

--
Ben Sizer.


The economics of software distribution must certainly come into it,
doing a cost/benefit analysis of whether it's worth the effort to
protect your code from would-be crackers.

The problem with code protection methodology in general is that once
it's cracked everyone has access to code for, maybe, all software using
the particular protection scheme.

the argument that most people buy software rather than get a pirated
version depends on the country that they are in e.g. china's piracy
problem where shops sell pirated software with no retribution by the
state - remember china is about to be the world's largest economic
superpower

The above problem illustrates why code needs to be protected in an
effective way, by law and code protection schemes

With python there is no comfort factor in knowing that your code is
being protected, well not that I can see, compared with protection
schemes for compiled code which are used by many commercial software
companies.

Of course, we know that there can never be a 100% way to protect code
that some pirate won't overcome but it still stops the casual user or
beginner 'crackers' from stealing the code and digging in to your
profit margin.

btw i'm no expert on copy protection mechanism but the question I
raised originally, i believe, is valid and should be discussed



http://petantik.blogsome.com - A Lucid Look at Reality

Nov 11 '05 #37
"Ben Sizer" <ky*****@gmail.com> writes:
Mike Meyer wrote:
There are ways to distribute
Python modules so that the user can't just open them in a text
editor. There are also ways to get cryptographic security for
distributed modules.
As for cryptographic security, could you provide a link or reference
for this? I am quite interested for obvious reasons. I'd be concerned
that there's a weak link in there at the decoding stage, however.


How about some ideas: Store your code in a zip file, and add it to the
search path. That immediately takes you out of the "just open the file
with a text editor" mode. For cryptographic security, use the ihooks
module to make "import" detect and decode encrypted modules before
actually importing them. Or digitally sign the modules, and check the
signature at import time. All of these are dead simple in Python.
I have considered distributing my program as open source but with
encrypted data. Unfortunately anyone can just read the source to
determine the decryption method and password. Maybe I could put that
into an extension module, but that just moves the weak link along the
chain.
This isn't a Python problem, it's a problem with what you're doing. Try
Alex's solution, and put the data on a network server that goes
through whatever authentication you want it to.
Yes, if you use the same methods you use in C++,
it's "much harder". But by the same token, if you tried to use the
methods you'd use in a Python program in C++, you'd find that the C++
version was "much harder".

Well, I'm not sure what you mean here. A compiled C++ program is much
harder to extract information from than a compiled Python program.


It is? Is the Python disassembler so much advanced over the state of
the art of binary disassemblers, then? Or maybe it's the Python
decompilers that are so advanced? As far as I can tell, the only real
difference between Python bytecodes and x86 (for instance) binaries is
that Python bytecodes keep the variable names around so it can do
run-time lookups. That's not that big a difference.

As for what I meant - Python has ihooks and imp, that make it simple
to customize import behavior. Doing those kinds of things with C++
code requires building the tools to do that kind of thing from
scratch.
Of course, as Alex pointed out, all of these are just keeping honest
people honest. The crooks have all the advantages in this game, so you
really can't expect to win.

No, certainly not. But if you can mitigate your losses easily enough -
without infringing upon anyone else's rights, I must add - then why not
do so.


Elsewhere in the thread, you said:
I'd just like to make it non-trivial to make or use additional copies.


How do you do that without infringing my fair use rights?

<mike
--
Mike Meyer <mw*@mired.org> http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
Nov 11 '05 #38
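
Mike Meyer's suggestion in the post above (modules kept in a zip file, with a signature checked at import time), as an added example that is not part of the thread. `ihooks` no longer exists in Python 3, so this uses an `importlib` meta-path finder instead, and HMAC-SHA256 with a constructed key stands in for a public-key signature so that it runs on the standard library alone; `SignedZipImporter`, `build_bundle` and `import_from_bundle` are hypothetical names.

```python
import hashlib
import hmac
import importlib.abc
import importlib.util
import io
import sys
import zipfile

# Constructed demo key. HMAC stands in for a public-key signature here; a real
# deployment would ship only a verification (public) key with the program.
DEMO_KEY = b"constructed-demo-key"


def tag(source: bytes, key: bytes = DEMO_KEY) -> str:
    """Return the hex HMAC-SHA256 tag for a module's source bytes."""
    return hmac.new(key, source, hashlib.sha256).hexdigest()


def build_bundle(modules: dict) -> bytes:
    """Pack {name: source} into an in-memory zip, each with a NAME.sig entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, source in modules.items():
            zf.writestr(name + ".py", source)
            zf.writestr(name + ".sig", tag(source.encode()))
    return buf.getvalue()


class SignedZipImporter(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    """Import top-level modules from a zip bundle, refusing unverified code."""

    def __init__(self, bundle: bytes, key: bytes = DEMO_KEY):
        self._zip = zipfile.ZipFile(io.BytesIO(bundle))
        self._key = key

    def find_spec(self, fullname, path=None, target=None):
        if fullname + ".py" not in self._zip.namelist():
            return None  # not ours; let the normal import system handle it
        return importlib.util.spec_from_loader(fullname, self)

    def exec_module(self, module):
        name = module.__name__
        source = self._zip.read(name + ".py")
        try:
            expected = self._zip.read(name + ".sig")
        except KeyError:
            raise ImportError(f"{name}: no signature in bundle") from None
        # Constant-time comparison; verify before any code is compiled or run.
        if not hmac.compare_digest(tag(source, self._key).encode(), expected):
            raise ImportError(f"{name}: signature mismatch, refusing to import")
        exec(compile(source, f"<bundle>/{name}.py", "exec"), module.__dict__)


def import_from_bundle(bundle: bytes, name: str):
    """Import `name` from `bundle` through the verifying importer."""
    importer = SignedZipImporter(bundle)
    sys.meta_path.insert(0, importer)
    try:
        sys.modules.pop(name, None)
        return importlib.import_module(name)
    finally:
        sys.meta_path.remove(importer)
```

With a shared HMAC key, anyone holding the program can re-sign a modified module; a public-key signature removes that, but the check itself still runs on the user's machine, which is the weak link at the decoding stage that Ben Sizer raises.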
On Fri, 11 Nov 2005 11:17:43 -0500, Mike Meyer wrote:
I'd just like to make it non-trivial to make or use additional copies.


How do you do that without infringing my fair use rights?


And that is the million dollar question.

So-called "intellectual property" is a government-granted monopoly which
is not based on any principle of ownership. Ideas are not something you
can own in any real sense (as opposed to the legal fiction), ideas are
something that you can *have* -- but having had an idea, you can't
naturally prevent others from having the same idea independently, or
making use of your idea if you tell them about it -- and should you tell
them your idea so that now they have it as well, that does not diminish
the fact that you also have that idea.

Given the absolute lack of real evidence that strong "intellectual
property" laws are good for either innovation or the economy, and given
the absolute artificiality of treating ideas as if they were scarce goods,
I don't understand why the artificial monopoly rights of copyright holders
are allowed to trump the natural rights of copyright users.

--
Steven.

Nov 22 '05 #39
On Fri, 11 Nov 2005 08:11:32 -0800, petantik wrote:
the argument that most people buy software rather than get a pirated
version depends on the country that they are in e.g. china's piracy
problem where shops sell pirated software with no retribution by the
state - remember china is about to be the world's largest economic
superpower

The above problem illustrates why code needs to be protected in an
effective way, by law and code protection schemes


I'm sorry, what problem? You haven't actually stated a problem -- in fact,
you have just given a perfect example of why the so-called "problem" is
not a problem at all. Let us see:

Historically, the UK had no concept of intellectual property rights until
very recently, and even when it was introduced, it was very limited until
the late 20th century.

Likewise for continental Europe.

Nevertheless, the UK and Europe became economic superpowers.

The USA, like China and Russia today, was a pirate nation for the first
century or two of its existence. American publishers simply reprinted
English books without paying royalties until well into the 20th century.
Hollywood got its start by fleeing the east coast to California, where
enforcement of Thomas Edison's patents on motion picture technology was
not enforced.

The USA has become an economic superpower.

China has little effective protection for artificial monopoly rights over
ideas. China is becoming an economic superpower.

So where is the problem?

Ah, now I understand it. Having become rich and powerful by ignoring
so-called intellectual property, the UK, Europe and especially the USA is
desperate to ensure that the developing world does not also become rich
and powerful. One way of doing so is to force a system of artificial
government-granted monopolies, together with all the proven economic
inefficiencies of such monopolies, on the developing world.

--
Steven.

Nov 22 '05 #40
