Hello.
We have created some programs in Python that are to be distributed
around. The programs will be made into .exe files by py2exe. However,
in the source there are certain web addresses, logins and passwords that
the programs use, that we would like to keep away from the end users.
They will use them through the program, but we would like them not to be
extracted and used separately for other purposes.
Is the compiling by py2exe enough? I have opened all the files in the
directory py2exe has made, and have not found anything I could read in
clear text. However, that does not mean that others cannot. Is it
possible to extract these passwords, addresses and logins from the
source code? If py2exe is not enough, are there some other simple tools
we can use to hide the source from the end users?
Thanks in advance.
Someone can sniff the client for the information it sends/receives, so
it's possible to extract the info that way.
On 3 May 2005 05:03:00 -0700, Terje Johan Abrahamsen <te*****@gmail.com> wrote:
We have created some programs in Python that are to be distributed around. The programs will be made into .exe files by py2exe. However, in the source there are certain web addresses, logins and passwords that the programs use, that we would like to keep away from the end users. They will use them through the program, but we would like them not to be extracted and used separately for other purposes.
If your program can access these details, then a sufficiently
determined attacker can access them too, regardless of what you do.
--
Cheers,
Simon B, si***@brunningonline.net, http://www.brunningonline.net/simon/blog/
Simon Brunning wrote:
On 3 May 2005 05:03:00 -0700, Terje Johan Abrahamsen <te*****@gmail.com> wrote:
We have created some programs in Python that are to be distributed around. The programs will be made into .exe files by py2exe.
However, in the source there are certain web addresses, logins and passwords
that the programs use, that we would like to keep away from the end
users. They will use them through the program, but we would like them not to
be extracted and used separately for other purposes.
If your program can access these details, then a sufficiently determined attacker can access them too, regardless of what you do.
Yes, I assume so. Luckily it is not national secrets we are trying to
hide. But, how does py2exe compare with for example a program written
in a compiled language like C++? Is it easier to find the info in a
py2exe .exe than a c++ compiled c++?
Terje Johan Abrahamsen wrote:
If your program can access these details, then a sufficiently determined attacker can access them too, regardless of what you do.
Yes, I assume so. Luckily it is not national secrets we are trying to hide. But, how does py2exe compare with for example a program written in a compiled language like C++? Is it easier to find the info in a py2exe .exe than a c++ compiled c++?
It's not the exe file you need to be concerned about, it's the pyc files
that are created with it. I imagine the strings will be in plain text
form, just like compiled C++.
As others have pointed out, it would be impossible to prevent an
attacker from discovering information inside the app. The best you can
do is obfuscate the strings somehow and 'un-obfuscate' them when the app
runs. That way they at least won't be obvious. Take a look at my
signature for an example!
Will McGugan
-- http://www.willmcgugan.com
"".join( [ {'*':'@','^':'.'}.get(c,None) or chr(97+(ord(c)-84)%26) for c
in "jvyy*jvyyzpthtna^pbz" ] )
"Terje Johan Abrahamsen" <te*****@gmail.com> writes:
Hello.
We have created some programs in Python that are to be distributed around. The programs will be made into .exe files by py2exe. However, in the source there are certain web addresses, logins and passwords that the programs use, that we would like to keep away from the end users. They will use them through the program, but we would like them not to be extracted and used separately for other purposes.
Is the compiling by py2exe enough? I have opened all the files in the directory py2exe has made, and have not found anything I could read in clear text. However, that does not mean that others cannot. Is it possible to extract these passwords, addresses and logins from the source code? If py2exe is not enough, are there some other simple tools we can use to hide the source from the end users?
Thanks in advance.
Putting passwords in your program is a bad idea, with or without
Python and py2exe. Even if you wrote the program in obfuscated C, and
stripped comments etc, an attacker could use "strings" to search for
candidate passwords. Or just start at the beginning of the program
and use each byte as a candidate starting char.
Since you are working on MS Windows, consider getting:
M. Howard, D. LeBlanc, "Writing Secure Code", Microsoft Press, 2002.
-- ha************@boeing.com
6-6M21 BCA CompArch Design Engineering
Phone: (425) 294-4718
On Tue, May 03, 2005 at 06:01:33AM -0700, Terje Johan Abrahamsen wrote:
Simon Brunning wrote:
On 3 May 2005 05:03:00 -0700, Terje Johan Abrahamsen <te*****@gmail.com> wrote:
We have created some programs in Python that are to be distributed around. The programs will be made into .exe files by py2exe. However, in the source there are certain web addresses, logins and passwords that the programs use, that we would like to keep away from the end users. They will use them through the program, but we would like them not to be extracted and used separately for other purposes.
If your program can access these details, then a sufficiently determined attacker can access them too, regardless of what you do.
Yes, I assume so. Luckily it is not national secrets we are trying to hide. But, how does py2exe compare with for example a program written in a compiled language like C++? Is it easier to find the info in a py2exe .exe than a c++ compiled c++?
About the same. C++ programs do have their string constants as cleartext
in the binary too.
Personally I'd be more concerned about the network side (use https and
verify the server certificate), and debugging tools that might be able
to intercept your traffic anyway.
Andreas
I suggest you use base64-encoded strings,
something like
password = 'aGlkZGVuX3Bhc3N3b3Jk\n'
password = password.decode("base64")
On 2005-05-03, mahasamatman <vl***************@gmail.com> wrote:
I suggest you use base64-encoded strings, something like
password = 'aGlkZGVuX3Bhc3N3b3Jk\n'
password = password.decode("base64")
That will delay the attacker for a few minutes.
--
Grant Edwards, grante at visi.com
Yow! Do you like "TENDER VITTLES"?
Grant Edwards wrote:
On 2005-05-03, mahasamatman <vl***************@gmail.com> wrote:
password = password.decode("base64")
That will delay the attacker for a few minutes.
True, but a script kiddie that only knows about the 'strings' program
will be forever baffled :)
Though deprecated, I think the enigma cipher (rotor) is still present in
python - it could find its use in simple cases like this.
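Added example, not code from any poster in this thread: a Python 3 check a developer can run against their own module before freezing it, showing that string constants survive compilation verbatim in the bytecode (what a .pyc holds) and that a base64-wrapped constant decodes mechanically. The sample source, the `svc_report` login, the `example.invalid` URL and the helper names are constructed for illustration; the base64 value is the one posted above.

```python
import base64
import binascii
import marshal
import re

# Constructed sample: one plaintext URL, one plaintext login, one base64-wrapped password.
SAMPLE_SOURCE = '''
import base64
LOGIN_URL = "https://intranet.example.invalid/login"
def connect():
    user = "svc_report"
    password = base64.b64decode("aGlkZGVuX3Bhc3N3b3Jk").decode()
    return user, password
'''

def string_constants(code):
    """Yield every str constant in a code object, descending into nested functions."""
    for const in code.co_consts:
        if isinstance(const, str):
            yield const
        elif hasattr(const, "co_consts"):      # nested code object (function, class body)
            yield from string_constants(const)

def try_base64(text):
    """Return the decoded text if `text` is valid base64 of printable ASCII, else None."""
    candidate = text.strip()
    if len(candidate) < 8 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", candidate):
        return None
    try:
        decoded = base64.b64decode(candidate, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None

def audit(source, filename="client.py"):
    """List each string constant, whether it is readable in the marshalled
    bytecode (the body of a .pyc file), and what it decodes to if it is base64."""
    code = compile(source, filename, "exec")   # compiled only, never executed
    pyc_body = marshal.dumps(code)
    return [{"constant": s,
             "plaintext_in_pyc": s.encode("utf-8") in pyc_body,
             "base64_decodes_to": try_base64(s)}
            for s in string_constants(code)]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SOURCE):
        print(finding)
```

Every constant it reports is something to move out of the shipped program, for instance behind a server-side account per user, rather than something to encode differently.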
Keep in mind what I said, even if you encrypt the source (and decode at
run time), even if compiled via C++, C, etc., it can still be decrypted
if you're using http as the protocol, all the person has to do is sniff
the packets. So if you're going to encrypt your information make sure you
use a secure protocol (https).
I think that encrypting with a public/private key will be a solution in your
case. I don't know if Python has a module to do this kind of encryption.
I used to work in a place that did this exact same thing. They attempted
to hide passwords in source code.
There is an even bigger problem with this than the security of it in source
- if someone compromises the password, how are you going to change it
quickly? All those systems will have to update their exe.
Keep in mind they could get it any other number of ways, forcing you to
change it.
It's the same reason it's not a good idea to put static addresses in source.