python obfuscate

Wesley

Hi all,
Does Python have any good obfuscator?

Currently our company wanna release one product developed by Python to our customer. But don't wanna others see the py code.

I googled for a while but mostly just say using pyc. Any better one?

Our product is deployed on Linux bed.

Thanks.
Wesley
 
Tobiah

> Hi all, Does Python have any good obfuscator?
>
> Currently our company wanna release one product developed by Python
> to our customer. But don't wanna others see the py code.
>
> I googled for a while but mostly just say using pyc. Any better one?

Does that work? If so, wouldn't that be a great solution?

Toby
 
Wesley

pyc has weakness:
1. easy to decompile
2. python version related, e.g. pyc from py2.5 cannot be used to py2.7 bed


On Friday, April 11, 2014 at 9:48:04 AM UTC+8, Tobiah wrote:
 
Wesley

Umm, just wanna make all .py files not human readable.

Or, maybe need a tool like zend in php.

On Friday, April 11, 2014 at 9:41:11 AM UTC+8, Ben Finney wrote:
 
Ian Kelly

> Does that work? If so, wouldn't that be a great solution?

No, pyc files contain Python byte code, which can easily be
disassembled -- in fact, the capacity to do this can be found in the
"dis" module of the standard library. The result of disassembly is
not valid Python, but it is not hard to read either. There are also
decompilers available that can go the extra step and produce actual
Python from the pyc file.
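
What the `dis` route described above looks like in practice, as an added example that is not part of the original thread: it compiles a constructed sample module to a .pyc and reads back its names, string constants and a disassembly with the standard library only. It assumes the CPython 3.7+ 16-byte .pyc header (the magic-number check is also why a .pyc is tied to one Python version); `licensing.py`, `check_license` and `LICENSE_SALT` are made-up names.

```python
import dis
import importlib.util
import io
import marshal
import pathlib
import py_compile
import tempfile
import types

# Constructed sample module standing in for code a vendor wants to hide.
SAMPLE_SOURCE = '''
LICENSE_SALT = "constructed-sample-salt"

def check_license(key):
    return key.startswith("ACME-") and len(key) == 21
'''

def inspect_pyc(pyc_path):
    """Return what anyone holding the .pyc can read from it."""
    with open(pyc_path, "rb") as fh:
        data = fh.read()
    # Assumed CPython 3.7+ layout: 4-byte magic, 4-byte flags, 8 more header bytes.
    report = {"magic_matches": data[:4] == importlib.util.MAGIC_NUMBER,
              "names": set(), "strings": set(), "disassembly": ""}
    if not report["magic_matches"]:
        return report  # built by another Python version; marshal data may differ
    top = marshal.loads(data[16:])
    listing = io.StringIO()
    dis.dis(top, file=listing)  # recurses into nested functions
    report["disassembly"] = listing.getvalue()
    stack = [top]
    while stack:
        code = stack.pop()
        report["names"].update((code.co_name, *code.co_names, *code.co_varnames))
        for const in code.co_consts:
            if isinstance(const, types.CodeType):
                stack.append(const)
            elif isinstance(const, str):
                report["strings"].add(const)
    return report

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        src = pathlib.Path(tmp, "licensing.py")
        src.write_text(SAMPLE_SOURCE)
        return inspect_pyc(py_compile.compile(str(src), cfile=str(src) + "c"))

if __name__ == "__main__":
    print(demo()["disassembly"])
```

Function, attribute and variable names plus every string literal come back verbatim; only comments and formatting are lost.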
 
Ian Kelly

> Umm, just wanna make all .py files not human readable.
>
> Or, maybe need a tool like zend in php.

The only reliable way to prevent a customer from reverse-engineering
your software is to not give them the software. For example, instead
of giving them software containing the critical code that you want to
protect, give them access to a web service running that code, which
you host and control.

This is true no matter what language you're using to write the software.
 
Joshua Landau

> Does Python have any good obfuscator?

Most other people on the list will point out why such a thing is
mostly pointless and you don't really need it.

However, if this really is your major blocker to using Python, I
suggest compiling with Cython. There are downsides, but untyped Cython
basically compiles the bytecode into C without actually changing the
program, making compatibility really good. It's very difficult to
reverse-engineer, largely because there aren't specialised tools to do
it. But I do warn that it's adding another abstracting step that
doesn't improve - it probably harms - the overall usability of the
product. Further, a determined hacker can circumvent it, much as they
can circumvent everything else.
 
Chris Angelico

> But I do warn that it's adding another abstracting step that
> doesn't improve - it probably harms - the overall usability of the
> product. Further, a determined hacker can circumvent it, much as they
> can circumvent everything else.

I had this argument with my boss at work about obfuscating our
JavaScript code. He said that he was extremely concerned that nobody
should be able to rip off all his code; I said that anybody could
still rip it off, just by using the code exactly the way the browser
would. The *ONLY* advantage you can possibly get from an obfuscation
system is that your users can't easily figure out what's going on
internally; they can still, by definition, run the program unchanged.

If you run obfuscated code through a prettifier (or a decompiler and
then a prettifier, as the case may be), you end up with something
that's practically indistinguishable from poorly-commented code. Sure,
it's not as nice to work with as something with helpful variable names
and comments, but it's far from impossible.

ChrisA
 
Sturla Molden

Ian Kelly said:
> The only reliable way to prevent a customer from reverse-engineering
> your software is to not give them the software.

Not really. You just need to make it so difficult that it is not worth the
effort. In that case they will go away and do something else instead. At
least if the threat is other companies out to make money. Dropbox is an
example.

Sturla
 
Sturla Molden

Joshua Landau said:
> However, if this really is your major blocker to using Python, I
> suggest compiling with Cython.

Cython retains all the code as text, e.g. to generate readable exceptions.
Users can also still steal the extension modules and use them in their own
code. In general, Cython is not useful as an obfuscation tool.

Sturla
 
Sturla Molden

Wesley said:
> Does Python have any good obfuscator?
>
> Currently our company wanna release one product developed by Python to
> our customer. But don't wanna others see the py code.
>
> I googled for a while but mostly just say using pyc. Any better one?

It depends on the threat and how competent persons you want to protect your
code from. If this comes from your boss, chances are he does not know that
even x86 machine code can be decompiled. So as many have said, this is
mostly futile business. The only way to protect your code is never to ship
anything.

Hacking the interpreter might be satisfactory to calm your boss:

- Run a script that strips comments and makes variable names
incomprehensible
- Swap .pyc byte codes so they don't mean the same as in vanilla Python
- Make the compiler spit out scrambled bytes and make the .pyc loader
unencrypt

Any of these measures can be circumvented, though. But it is hardly easier
to read than compiled C++.

Sturla
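
Chris Angelico's point about prettified code and the first measure in the list above, as an added example that is not from anyone in the thread: an `ast`-based scrambler drops the docstring and comments and renames parameters and locals in a constructed sample, and the result still runs identically with its constants and logic in plain view. `discount` and `Scrambler` are made-up names; renaming parameters assumes callers pass arguments positionally, and `ast.unparse` needs Python 3.9+.

```python
import ast

# Constructed sample standing in for shipped source.
SAMPLE_SOURCE = '''
def discount(price, loyalty_years):
    """Apply the loyalty discount."""
    # 2% per year, capped at 20%
    rate = min(loyalty_years * 0.02, 0.20)
    return round(price * (1 - rate), 2)
'''

class Scrambler(ast.NodeTransformer):
    """Rename parameters and locals; drop docstrings (comments never reach the AST)."""

    def __init__(self):
        # One flat mapping: assumes locals do not collide with exported module names.
        self.mapping = {}

    def _alias(self, name):
        return self.mapping.setdefault(name, "_%d" % len(self.mapping))

    def visit_FunctionDef(self, node):
        if ast.get_docstring(node) is not None and len(node.body) > 1:
            node.body = node.body[1:]
        for child in ast.walk(node.args):
            if isinstance(child, ast.arg):
                child.arg = self._alias(child.arg)
        # Locals are the names the function body assigns to.
        for child in ast.walk(node):
            if isinstance(child, ast.Name) and isinstance(child.ctx, ast.Store):
                self._alias(child.id)
        self.generic_visit(node)
        return node

    def visit_Name(self, node):
        node.id = self.mapping.get(node.id, node.id)
        return node

def scramble(source):
    tree = Scrambler().visit(ast.parse(source))
    return ast.unparse(ast.fix_missing_locations(tree))

def load(source, name):
    """Execute source in a fresh namespace and return one of its objects."""
    namespace = {}
    exec(compile(source, "<sample>", "exec"), namespace)
    return namespace[name]

if __name__ == "__main__":
    print(scramble(SAMPLE_SOURCE))
```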
 
Chris Angelico

> The only way to protect your code is never to ship anything.

It's worth noting, as an aside, that this does NOT mean you don't
produce or sell anything. You can keep your code secure by running it
on a server and permitting users to access it; that's perfectly safe.

ChrisA
 
Ian Kelly

> Not really...
>
> It depends on the threat and how competent persons you want to protect your
> code from. If this comes from your boss, chances are he does not know that
> even x86 machine code can be decompiled. So as many have said, this is
> mostly futile business. The only way to protect your code is never to ship
> anything.

How is that last statement different from the one I made above, that
you disagreed with?
 
Steven D'Aprano

> How is that last statement different from the one I made above, that you
> disagreed with?


Isn't it obvious? When *you* say something, you're making a knee-jerk
reaction without considering all the circumstances, so even if you're
right you're right for the wrong reasons and hence wrong. But when *I*
say the same thing, I've made a deep and careful consideration of all the
nuances and therefore am right for the right reasons and hence right.

:)
 
cl

Chris Angelico said:
> It's worth noting, as an aside, that this does NOT mean you don't
> produce or sell anything. You can keep your code secure by running it
> on a server and permitting users to access it; that's perfectly safe.

Perfectly? :)
 
Sturla Molden

Ian Kelly said:
> How is that last statement different from the one I made above, that
> you disagreed with?

Who says I disagreed?

But to answer your question, it depends on the level of safety you need:
Total secrecy or just enough protection to make it not worthwhile to access
the code?


Sturla
 
Chris Angelico

> Perfectly? :)

Heh. Well, as perfectly as anything ever is. All they can do is try to
find exploits (hi, Heartbleed!) and get at some of the code. It's not
like "hey look, here it is, I can just run it".

ChrisA
 
