Hide the python-script from user

[hlubenow]

Hi,

recently there was a thread about hiding the python-script from the user.
The OP could use

http://freshmeat.net/projects/pyobfuscate/

H.

 

[ts-dev]

recently there was a thread about hiding the python-script from the user.
The OP could use

Interesting - thanks

 

[hlubenow]

Interesting - thanks

Well, testing it, it doesn't seem to work very well ...

It seems, Python-code is rather difficult to obfuscate, probably because of
its clear syntax and indentations. Here's yet another approach:

http://pythonhacker.is-a-geek.net/my_programs/pyfuscate/pyfuscate-0.1.zip/view

H.

 

[hlubenow]

Well, testing it, it doesn't seem to work very well ...

It seems, Python-code is rather difficult to obfuscate, probably because
of its clear syntax and indentations. Here's yet another approach:

http://pythonhacker.is-a-geek.net/my_programs/pyfuscate/pyfuscate-0.1.zip/view

H.

That didn't work very well either .

Ok, but now I can offer a real secure solution:

You can have real encryption in Python using this modules:


http://www.amk.ca/files/python/crypto/pycrypto-2.0.1.tar.gz

and

http://sourceforge.net/projects/yawpycrypto

Below I post a code-example that I've written some time ago. With it,
encrypting text is rather easy.

Then you have to program a start-script, that reads in your script and the
decryption-key. The decryption-key must be encrypted too. Such a encrypted
key can be generated by the modules if you don't pass a password to my
function "doEncrypt(). The decryption-key must then be hidden somewhere
within the encrypted program-script. That's because, if the user knows
where to find the key, he can decrypt the program-script.

If your start-script is written, everything should work automatically, one
shouldn't nearly notice the decryption-process.

Ok, here's my example code, how to encrypt and decrypt some text with the
modules:

----------------------------------------------------------------------------

#!/usr/bin/env python

import os
import sys
import base64

from yawPyCrypto.Cipher import DecryptCipher, EncryptCipher
from yawPyCrypto.Cipher import ZipDecryptCipher, ZipEncryptCipher
from yawPyCrypto.Constants import CIPHER_BLOWFISH, MODE_CBC


def doEncrypt(text, passw = None):

e = EncryptCipher(passw, CIPHER_BLOWFISH, MODE_CBC)
e.feed(text)
e.finish()
encryptedtext = e.data

if passw != None:
passwr = passw
else:
passwr = e.password

a = (encryptedtext, passwr)
return a


def doDecrypt(encryptedtext, passw):
d = DecryptCipher(passw)
d.feed(encryptedtext)
d.finish()
decoded = (d.data)
return decoded


# Calling the encryption routine.
# If you just pass the text to encrypt, a password is generated:

a = doEncrypt("For your eyes only !", "Melina")


# Just trying to clean the screen:

if sys.platform == "win32":
os.system("cls")
else:
os.system("clear")

print
print "Hello !"
print
print "I just encrypted some text. It looks like this now:"
print

print base64.b64encode(a[0])

print
print 'Please notice, that I just encoded the text once more using
"base64.b64encode()" to make it printable.'
print
print "The password for decryption is: "
print
print base64.b64encode(a[1])
print
print "Let's decrypt again (the original password must be passed without
b64encoding):"
print
print doDecrypt(a[0], a[1])
print

 

[Steven D'Aprano]

Hi,

recently there was a thread about hiding the python-script from the user.
The OP could use

http://freshmeat.net/projects/pyobfuscate/

Wearing my developer hat, I can tell you that there's nothing I love more
than getting error reports from my users that look like this:

Traceback (most recent call last):
File "myapp.py", line 36, in ?
print i1I1Iiii1111 ( )
File "myapp.py", line 33, in i1I1Iiii1111
return IiiIII111iI ( )
File "myapp.py", line 24, in IiiIII111iI
O0oo0OO0 = IiII + I1i1iiI1 ( iI1Ii11111iIi ) + i1i1II [ 2 ] - Oo ( )
File "myapp.py", line 18, in Oo
raise iI1 ( "a problem happened" )
__main__.iI1: a problem happened


I love a challenge!

 

[Jason F. McBrayer]

Ok, but now I can offer a real secure solution:
Nope.

[snip]

Then you have to program a start-script, that reads in your script and the
decryption-key. The decryption-key must be encrypted too. Such a encrypted
key can be generated by the modules if you don't pass a password to my
function "doEncrypt(). The decryption-key must then be hidden somewhere
within the encrypted program-script. That's because, if the user knows
where to find the key, he can decrypt the program-script.

If your start-script is written, everything should work automatically, one
shouldn't nearly notice the decryption-process.

That is to say, for the user to be able to run your program, they must
have the key. They don't have to know they have the key, but they
have to have it. This isn't really secure, it's just obscure. It
depends on the user not finding the key, and on no one telling them
where it is. A determined and technically savvy user will surely find
the key (not least by debugging the start-script).

Basically, this doesn't work for the same reason that DRM doesn't
work.

--
+-----------------------------------------------------------+
| Jason F. McBrayer (e-mail address removed) |
| If someone conquers a thousand times a thousand others in |
| battle, and someone else conquers himself, the latter one |
| is the greatest of all conquerors. --- The Dhammapada |

 

[hlubenow]

Well, testing it, it doesn't seem to work very well ...

It seems, Python-code is rather difficult to obfuscate, probably because
of its clear syntax and indentations. Here's yet another approach:

http://pythonhacker.is-a-geek.net/my_programs/pyfuscate/pyfuscate-0.1.zip/view

H.

That didn't work very well either .

Ok, but now I can offer a real secure solution:

You can have real encryption in Python using this modules:


http://www.amk.ca/files/python/crypto/pycrypto-2.0.1.tar.gz

and

http://sourceforge.net/projects/yawpycrypto

Below I post a code-example that I've written some time ago. With it,
encrypting text is rather easy.

Then you have to program a start-script, that reads in your script and the
decryption-key. The decryption-key must be encrypted too. Such a encrypted
key can be generated by the modules if you don't pass a password to my
function "doEncrypt(). The decryption-key must then be hidden somewhere
within the encrypted program-script. That's because, if the user knows
where to find the key, he can decrypt the program-script.

If your start-script is written, everything should work automatically, one
shouldn't nearly notice the decryption-process.

Ok, here's my example code, how to encrypt and decrypt some text with the
modules:

----------------------------------------------------------------------------

#!/usr/bin/env python

import os
import sys
import base64

from yawPyCrypto.Cipher import DecryptCipher, EncryptCipher
from yawPyCrypto.Cipher import ZipDecryptCipher, ZipEncryptCipher
from yawPyCrypto.Constants import CIPHER_BLOWFISH, MODE_CBC


def doEncrypt(text, passw = None):

e = EncryptCipher(passw, CIPHER_BLOWFISH, MODE_CBC)
e.feed(text)
e.finish()
encryptedtext = e.data

if passw != None:
passwr = passw
else:
passwr = e.password

a = (encryptedtext, passwr)
return a


def doDecrypt(encryptedtext, passw):
d = DecryptCipher(passw)
d.feed(encryptedtext)
d.finish()
decoded = (d.data)
return decoded


# Calling the encryption routine.
# If you just pass the text to encrypt, a password is generated:

a = doEncrypt("For your eyes only !", "Melina")


# Just trying to clean the screen:

if sys.platform == "win32":
os.system("cls")
else:
os.system("clear")

print
print "Hello !"
print
print "I just encrypted some text. It looks like this now:"
print

print base64.b64encode(a[0])

print
print 'Please notice, that I just encoded the text once more using

"base64.b64encode()" to make it printable.'

print
print "The password for decryption is: "
print
print base64.b64encode(a[1])
print
print "Let's decrypt again (the original password must be passed without b64encoding):"
print
print doDecrypt(a[0], a[1])
print

----------------------------------------------------------------------------

See you

H.

This still has a problem: The start-script has to know how to decrypt the
main-script and the start-script is visible, so the user can see how it
does it.
Perhaps one could obfuscate the start-script or write a C extension, that
does decrypting instead of the start-script.
This is getting rather complicated ...

H.

 

[Sherm Pendley]

A determined and technically savvy user will surely find
the key (not least by debugging the start-script).

.... and then write a patch that disables the key, and distribute that to
a few million of his not so determined or savvy friends.

Basically, this doesn't work for the same reason that DRM doesn't
work.

That reason being, it only needs to be cracked once. The odds are heavily
stacked in the crackers' favor.

sherm--