protect python code from reverse engineering

Solution 1

Generally speaking, it's almost impossible for you to make your program unbreakable as long as there's enough motive for the hackers.

But you can still make it harder to reverse engineer: try using Cython to compile your core code into .pyd or .so files.

Solution 2

There's no way to make anything digital safe nowadays.

What you CAN do is make it hard to the point where it's frustrating to do it, but I admit I don't know Python-specific ways to achieve that. The amount of security of your program is not actually a function of program security, but of psychology.

Yes, psychology.

Given the fact that it's an arms race between crackers and anti-crackers, where both continuously attempt to top each other, the only thing one can do is try to make it as frustrating as possible. How do we achieve that?

By being a pain in the rear!

Every additional step you take to make sure your code is hard to decipher is a good one.

For example, you could turn your program into a single compiled block of bytecode, which you call from inside your program. Use an external library to encrypt it beforehand and decrypt it afterwards. Do the same with extra steps for code blocks of functions. Or have functions in precompiled blocks ready, but broken. At runtime, utilizing byteplay, repair the bytecode with bytes depending on other bytes of different functions, which would then stop your program from working when modified.

There are lots of ways of messing with people's heads, and while I can't tell you any Python-specific ways, if you think in the context of "How to be difficult", you'll find the weirdest ways of making it a mess to deal with your code.

Funnily enough, this is much easier in assembly than in Python, so maybe you should look into executing foreign code via ctypes or whatever.

Summon your inner Troll!

Solution 3

Story time: I was a Python programmer for a long time. Recently I joined a company as a Python programmer. My manager had been a Java programmer for a decade, I guess. He gave me a project and, at the initial review, he asked me, "Are we obfuscating the code?" and I said we don't do that kind of thing in Python. He said, "We do that kind of thing in Java and we want the same thing to be implemented in Python." Eventually I managed to obfuscate the code (just removing comments and spaces and renaming local variables), but the entire Python debugging process got messed up.

Then he asked me, "Can we use ProGuard?" I didn't know what the hell it was. After some googling I said it is for Java and cannot be used in Python. I also said that whatever we are building we deploy on our own servers, so we don't need to actually protect the code. But he was reluctant and said, "We have a set of procedures and they must be followed before deploying."

Eventually I quit my job after a year, tired of fighting to convince them Python is not Java. I also had no interest in making them think differently at that point in time.

TL;DR: Because of the open source nature of Python, there are no viable tools available to obfuscate or encrypt your code. I also don't think it is not a problem as long as you deploy the code on your own server (providing software as a service). But if you actually provide the product to the customer, there are some tools available to wrap up your code or bytecode and deliver it like an executable file. But it is always possible to view your code if they want to. Or you can choose some other language that provides better protection if it is absolutely necessary to protect your code. Again, keep in mind that it is always possible to do reverse engineering on the code.
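An added example, not part of the original answers: a pre-release audit of what shipped bytecode still discloses. It illustrates why Solution 1 suggests moving core code out of bytecode and why Solution 3 says the code can always be viewed. The sample module, the function names and the marker list are constructed for illustration, and it is written for Python 3 rather than the asker's 2.7.

```python
import marshal
import types

# Constructed sample module standing in for "core code" shipped as bytecode.
SAMPLE_SOURCE = '''
LICENSE_SALT = "constructed-salt-123"

def check_license(user_key):
    expected = "DEMO-" + LICENSE_SALT
    return user_key == expected
'''

def pyc_payload(source, filename="core.py"):
    """Return the marshalled code object, i.e. what a .pyc stores after its header."""
    return marshal.dumps(compile(source, filename, "exec"))

def audit_bytecode(payload):
    """Walk every nested code object and collect what a reader recovers for free."""
    report = {"functions": set(), "names": set(), "strings": set()}
    stack = [marshal.loads(payload)]
    while stack:
        code = stack.pop()
        report["names"].update(code.co_names)     # globals, attributes, imports
        report["names"].update(code.co_varnames)  # arguments and local variables
        for const in code.co_consts:
            if isinstance(const, types.CodeType):
                report["functions"].add(const.co_name)
                stack.append(const)
            elif isinstance(const, str):
                report["strings"].add(const)
    return report

def leaked_secrets(report, sensitive_markers):
    """Flag string constants containing any marker the release process treats as sensitive."""
    return sorted(s for s in report["strings"]
                  if any(m in s for m in sensitive_markers))

if __name__ == "__main__":
    rep = audit_bytecode(pyc_payload(SAMPLE_SOURCE))
    for kind, values in rep.items():
        print(kind, sorted(values))
    print("flagged:", leaked_secrets(rep, ["salt"]))
```

Names and string constants survive compilation to bytecode unchanged, so anything this audit flags belongs on a server you control rather than in the distributed package.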

Author by

avinoam

Updated on June 04, 2022

Comments

  • avinoam
    avinoam almost 2 years

    I'm creating a program in python (2.7) and I want to protect it from reverse engineering.

    I compiled it using cx_freeze (supplies basic security- obfuscation and anti-debugging)

    How can I add more protections such as obfuscation, packing, anti-debugging, encrypting the code, recognizing a VM?

    I thought maybe to encrypt the payload and decrypt it at run time, but I have no clue how to do it.

    • user2740652
      user2740652 over 7 years
      Every lock on a computer has a hole somewhere, so why bother implementing a security thing that will be expensive and eventually broken later?
    • fuz
      fuz over 7 years
      And if you want to achieve some sort of obfuscation, I recommend you to use a programming language that doesn't need to know symbol names at runtime (which Python does).
  • z0rberg's
    z0rberg's over 7 years
    Why would this make it harder? Using cython you get machine code, which I'd say makes it easier, no?
  • Shane
    Shane over 7 years
    Well I would say it's relatively easier to understand python code than machine code.
  • z0rberg's
    z0rberg's over 7 years
    This is only true to a degree when it comes to compiled Python bytecode, which I hope he is distributing, instead of plain source code. See, when it's all plain machine code I believe it gets easier, because there's no CPython in between. OTOH, Python debuggers exist as well, but most likely can be tricked much easier than machine code debuggers.
  • z0rberg's
    z0rberg's over 7 years
    Downvoted, why? Ever challenged someone to crack your code? I did. It's a mindgame.
  • zaph
    zaph over 7 years
    Perhaps: "There's no way to make anything digital safe nowadays" is an overstatement?
  • z0rberg's
    z0rberg's over 7 years
    Do you count computers that never connect anywhere, never use USB, CD, DVD? There's software out there targeting the airgap successfully! Mark Zuckerberg covers the cam of his PC. Nothing digital is safe. Sure, you can put a hard disk in a safe, but what's the point of that? :)
  • zaph
    zaph over 7 years
    HSMs where the key is never outside it. In the case of iMessages Apple hashes (with a blender) the admin cards so even they do not have access. Also consider Whisper systems. Signal by Open Whisper Systems. Just for kicks my CISSP agrees that it is an overstatement.
  • z0rberg's
    z0rberg's over 7 years
    Cheers, I'll look it up!
  • zaph
    zaph over 7 years
    In general, security is all about increasing the work factor of an attacker. One needs to consider the attacker (well-funded nation state to PFY) and the value of the thing being attacked (nuclear launch codes to grandma's okra recipe). One needs to know this and design accordingly.
  • JJ_Coder4Hire
    JJ_Coder4Hire almost 5 years
    try pyarmor or cython
  • Module_art
    Module_art about 2 years
    Is there enough motive for the hackers to hack Windows OS code?! Just keep in mind it was never cracked. So I agree that everything is hackable, it's just a matter of effort. But there are methods to do that, but on SO I don't think that anyone is smart enough to give you instructions on how to do that.