How protect proprietary Python code? (bytecode obfuscation?, what better?)

  • seberino@spawar.navy.mil

    How protect proprietary Python code? (bytecode obfuscation?, what better?)

    How can a proprietary software developer protect their Python code?
    People often ask me about obfuscating Python bytecode. They don't want
    people to easily decompile their proprietary Python app.

    I suppose another idea is to rewrite entire Python app in C if compiled
    C code is harder to decompile.

    Any ideas?

  • Terry Reedy

    #2
    Re: How protect proprietary Python code? (bytecode obfuscation?, what better?)


    <seberino@spawar.navy.mil> wrote in message
    news:1145293384.791678.14450@v46g2000cwv.googlegroups.com...
    > How can a proprietary software developer protect their Python code?
    > People often ask me about obfuscating Python bytecode. They don't want
    > people to easily decompile their proprietary Python app.
    >
    > I suppose another idea is to rewrite entire Python app in C if compiled
    > C code is harder to decompile.
    >
    > Any ideas?

    Go to Google's newsgroup archives for c.l.p (accessible via google.com) and
    search for some of the numerous past threads on this issue, which give
    several ideas and viewpoints. There may or may not also be something in
    the Python FAQ or Wiki at python.com.




    • gangesmaster

      #3
      Re: How protect proprietary Python code? (bytecode obfuscation?, what better?)

      well, you can do something silly: create a c file into which you embed
      your code, ie.,

      #include<python.h>

      char code[] = "print 'hello moshe'";

      void main(...)
      {
      Py_ExecString(code);
      }

      then you can compile the C file into an object file, and use regular
      obfuscators/anti-debuggers. of course people who really want to get the
      source will be able to do so, but it will take more time. and isn't
      that the big idea of using obfuscation?

      but anyway, it's stupid. why be a dick? those who *really* want to get
      to the source will be able to, no matter what you use. after all, the
      code is executing on their CPU, and if the CPU can execute it, so
      can really enthused men. and those who don't want to use your product,
      don't care anyway if you provide the source or not. so share.


      -tomer


      • Serge Orlov

        #4
        Re: How protect proprietary Python code? (bytecode obfuscation?, what better?)


        seberino@spawar.navy.mil wrote:
        > How can a proprietary software developer protect their Python code?
        > People often ask me about obfuscating Python bytecode. They don't want
        > people to easily decompile their proprietary Python app.
        >
        > I suppose another idea is to rewrite entire Python app in C if compiled
        > C code is harder to decompile.
        >
        > Any ideas?

        Shuffle opcode values in random order, recompile Python, recompile
        stdlib, recompile py2exe (or whatever you use for bundling). It will
        keep attacker busy for several hours


        • Alex Martelli

          #5
          Re: How protect proprietary Python code? (bytecode obfuscation?, what better?)

          gangesmaster <tomerfiliba@gmail.com> wrote:
          ...
          > but anyway, it's stupid. why be a dick? those who *really* want to get
          > to the source will be able to, no matter what you use. after all, the
          > code is executing on their CPU, and if the CPU can execute it, so
          > can really enthused men. and those who don't want to use your product,
          > don't care anyway if you provide the source or not. so share.

          Alternatively, if you have secrets that are REALLY worth protecting,
          keep a tiny part of your app, embedding all worthwhile secrets, on YOUR
          well-secured server -- expose it as a webservice, or whatever, so the
          "fat client" (most of the app) can get at it. This truly gives you
          complete control: you don't care any more if anybody decompiles the part
          you distribute (which may be 90% or 99% of the app), indeed you can
          publish the webservice's specs or some API to encourage more and more
          people to write to it, and make your money by whatever business model
          you prefer (subscription, one-off sale, pay-per-use, your choice!). If
          you keep your client thin rather than fat, the advantages increase (your
          app can be used much more widely, etc), but you may need substantial
          amounts of servers and other resources to support widespread use.

          When I started proposing this approach, years and years ago, the fact
          that your app can work only when connected to the net might be
          considered a real problem for many cases: but today, connectivity is SO
          pervasive, that all sort of apps require such connectivity anyway --
          e.g, look at Google Earth for a "fat client", Google Maps for a "thin"
          one accessing a subset of roughly the same data but running (the client
          side) inside a browser (with more limited functionality, to be sure).


          Alex


          • Daniel Nogradi

            #6
            Re: How protect proprietary Python code? (bytecode obfuscation?, what better?)

            > #include<python.h>
            >
            > char code[] = "print 'hello moshe'";
            >
            > void main(...)
            > {
            > Py_ExecString(code);
            > }

            I don't get this, with python 2.4 there is no function called
            Py_ExecString in any of the header files. I found something that might
            do the job PyRun_SimpleString() in pythonrun.h, but couldn't get it
            to work either. So what is really the way to execute python code in a
            string from a C program?


            • gangesmaster

              #7
              Re: How protect proprietary Python code? (bytecode obfuscation?, what better?)

              okay, i got the name wrong. i wasn't trying to provide production-level
              code, just a snippet. the function you want is
              PyRun_SimpleString(const char *command)

              #include <python.h>

              char secret_code[] = "print 'moshe'";

              int main()
              {
              return PyRun_SimpleString(secret_code);
              }
              }

              and you need to link with python24.lib or whatever the object file is
              for your platform.



              -tomer


              • Daniel Nogradi

                #8
                Re: How protect proprietary Python code? (bytecode obfuscation?, what better?)

                > #include <python.h>
                >
                > char secret_code[] = "print 'moshe'";
                >
                > int main()
                > {
                > return PyRun_SimpleString(secret_code);
                > }
                >
                > and you need to link with python24.lib or whatever the object file is
                > for your platform.

                Are you sure? On a linux platform I tried linking with libpython2.4.so
                (I assume this is the correct object file) but it segfaults in
                PyImport_GetModuleDict().


                • Fredrik Lundh

                  #9
                  Re: How protect proprietary Python code? (bytecode obfuscation?, what better?)

                  "Daniel Nogradi" wrote:

                  >> char secret_code[] = "print 'moshe'";
                  >>
                  >> int main()
                  >> {
                  >> return PyRun_SimpleString(secret_code);
                  >> }
                  >>
                  >> and you need to link with python24.lib or whatever the object file is
                  >> for your platform.
                  >
                  > Are you sure? On a linux platform I tried linking with libpython2.4.so
                  > (I assume this is the correct object file) but it segfaults in
                  > PyImport_GetModuleDict().

                  I still don't understand why you think that embedding the *source code* in a variable
                  named "secret" will do a better job than just putting the byte code in some non-obvious
                  packaging, but if you insist on embedding the code, reading the documentation might
                  help:

                  http://docs.python.org/ext/embedding.html
                  "At the very least, you have to call the function Py_Initialize() "

                  http://docs.python.org/ext/high-level-embedding.html
                  (minimal PyRun_SimpleString example)

                  </F>




                  • Daniel Nogradi

                    #10
                    Re: How protect proprietary Python code? (bytecode obfuscation?, what better?)

                    > >> char secret_code[] = "print 'moshe'";
                    > >>
                    > >> int main()
                    > >> {
                    > >> return PyRun_SimpleString(secret_code);
                    > >> }
                    > >>
                    > >> and you need to link with python24.lib or whatever the object file is
                    > >> for your platform.
                    > >
                    > > Are you sure? On a linux platform I tried linking with libpython2.4.so
                    > > (I assume this is the correct object file) but it segfaults in
                    > > PyImport_GetModuleDict().
                    >
                    > I still don't understand why you think that embedding the *source code* in a
                    > variable named "secret" will do a better job than just putting the byte code in
                    > some non-obvious packaging, but if you insist on embedding the code, reading the
                    > documentation might help:
                    >
                    > http://docs.python.org/ext/embedding.html
                    > "At the very least, you have to call the function Py_Initialize() "
                    >
                    > http://docs.python.org/ext/high-level-embedding.html
                    > (minimal PyRun_SimpleString example)

                    Well, I was not the original poster in this thread I just picked up
                    the idea of executing python code that is assigned to a string from
                    within C and tried to do it with no particular goal, that's all. And
                    thanks a lot for the links, the docs are pretty clear, I should have
                    checked them before....


                    • bruno at modulix

                      #11
                      Re: How protect proprietary Python code? (bytecode obfuscation?, what better?)

                      seberino@spawar.navy.mil wrote:
                      > How can a proprietary software developer protect their Python code?
                      > People often ask me about obfuscating Python bytecode. They don't want
                      > people to easily decompile their proprietary Python app.

                      Do they ask the same thing for Java or .NET apps ?-)

                      > I suppose another idea is to rewrite entire Python app in C if compiled
                      > C code is harder to decompile.

                      Do you really think "native" code is harder to reverse-engineer than
                      Python's byte-code ?

                      > Any ideas?

                      I'm afraid that the only *proven* way to protect code from
                      reverse-engineering is to not distribute it *at all*.


                      --
                      bruno desthuilliers
                      python -c "print '@'.join(['.'.join([w[::-1] for w in p.split('.')]) for
                      p in 'onurb@xiludom.gro'.split('@')])"


                      • Richard Brodie

                        #12
                        Re: How protect proprietary Python code? (bytecode obfuscation?, what better?)


                        "bruno at modulix" <onurb@xiludom.gro> wrote in message
                        news:4444c777$0$9453$626a54ce@news.free.fr...

                        > Do they ask the same thing for Java or .NET apps ?-)

                        If you Google for "bytecode obfuscation", you'll find a large number
                        of products already exist for Java and .Net



                        • Fredrik Lundh

                          #13
                          Re: How protect proprietary Python code? (bytecode obfuscation?, what better?)

                          Richard Brodie wrote:

                          >> Do they ask the same thing for Java or .NET apps ?-)
                          >
                          > If you Google for "bytecode obfuscation", you'll find a large number
                          > of products already exist for Java and .Net

                          and if you google for "python obfuscator", you'll find tools for python. including
                          tools that use "psychologically inspired techniques to produce extra confusion in
                          human readers" (probably by inserting small snippets of Perl here and there...).

                          </F>




                          • Ben Sizer

                            #14
                            Re: How protect proprietary Python code? (bytecode obfuscation?, what better?)

                            bruno at modulix wrote:
                            > seberino@spawar.navy.mil wrote:
                            > > I suppose another idea is to rewrite entire Python app in C if compiled
                            > > C code is harder to decompile.
                            >
                            > Do you really think "native" code is harder to reverse-engineer than
                            > Python's byte-code ?

                            Yes, until there's a native code equivalent of "import dis" that
                            telepathically contacts the original programmer to obtain variable
                            names that aren't in the executable.

                            --
                            Ben Sizer
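
Added example, not part of the original thread: the `import dis` point above, shown on a constructed sample module. It compiles the sample, marshals the code object the way a .pyc body stores it, and lists the identifiers and string constants that can be read back; the module source, `check_license`, `hash_key` and the salt value are assumptions made up for illustration.

```python
import dis
import marshal
import types

# Constructed sample standing in for a proprietary module (not from the thread).
SAMPLE_SOURCE = '''
LICENSE_SALT = "constructed-sample-salt"

def check_license(user_key, machine_id):
    expected = hash_key(machine_id + LICENSE_SALT)
    return user_key == expected
'''


def compile_to_payload(source, filename="app.py"):
    """Compile source and marshal the code object, as a .pyc body stores it."""
    return marshal.dumps(compile(source, filename, "exec"))


def walk_code(code):
    """Yield a code object and every code object nested in its constants."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)


def audit_payload(payload):
    """Return the identifiers and string constants readable from bytecode."""
    names, strings = set(), set()
    for code in walk_code(marshal.loads(payload)):
        names.add(code.co_name)
        names.update(code.co_names)      # globals, attributes, called functions
        names.update(code.co_varnames)   # arguments and local variables
        strings.update(c for c in code.co_consts if isinstance(c, str))
    return {"names": names, "strings": strings}


def instruction_listing(payload):
    """Return one 'function: OPNAME argument' line per bytecode instruction."""
    return [f"{code.co_name}: {ins.opname} {ins.argrepr}"
            for code in walk_code(marshal.loads(payload))
            for ins in dis.get_instructions(code)]


if __name__ == "__main__":
    report = audit_payload(compile_to_payload(SAMPLE_SOURCE))
    print(sorted(report["names"]))
    print(sorted(report["strings"]))
```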


                            • bruno at modulix

                              #15
                              Re: How protect proprietary Python code? (bytecode obfuscation?, what better?)

                              Ben Sizer wrote:
                              > bruno at modulix wrote:
                              >
                              >>seberino@spawar.navy.mil wrote:
                              >>
                              >>>I suppose another idea is to rewrite entire Python app in C if compiled
                              >>>C code is harder to decompile.
                              >>
                              >>Do you really think "native" code is harder to reverse-engineer than
                              >>Python's byte-code ?
                              >
                              >
                              > Yes, until there's a native code equivalent of "import dis" that
                              > telepathically contacts the original programmer to obtain variable
                              > names that aren't in the executable.

                              Lol !-)

                              Ok, granted. Let's rephrase it:
                              "do you really think that native code is harder *enough* to
                              reverse-engineer ?"

                              --
                              bruno desthuilliers
                              python -c "print '@'.join(['.'.join([w[::-1] for w in p.split('.')]) for
                              p in 'onurb@xiludom.gro'.split('@')])"
