| Started by | Wesley <nispray@gmail.com> |
|---|---|
| First post | 2014-04-10 18:29 -0700 |
| Last post | 2014-04-13 06:58 +0200 |
| Articles | 20 on this page of 41 — 17 participants |
| From | Wesley <nispray@gmail.com> |
|---|---|
| Date | 2014-04-10 18:29 -0700 |
| Subject | python obfuscate |
| Message-ID | <c17a58f4-e22d-4531-beb4-d810ec4b2857@googlegroups.com> |
Hi all,
Does python has any good obfuscate?

Currently our company wanna release one product developed by python to our customer. But don't wanna others see the py code.

I googled for a while but mostly just say using pyc. Any better one?

Our product is deployed on Linux bed.

Thanks.
Wesley

| From | Tobiah <toby@tobiah.org> |
|---|---|
| Date | 2014-04-10 18:48 -0700 |
| Message-ID | <nRH1v.4401$GL.1620@fx12.iad> |
| In reply to | #70078 |
On 4/10/2014 6:29 PM, Wesley wrote:
> Hi all, Does python has any good obfuscate?
>
> Currently our company wanna release one product developed by python
> to our customer. But don't wanna others see the py code.
>
> I googled for a while but mostly just say using pyc. Any better one?

Does that work? If so, wouldn't that be a great solution?

Toby

| From | Wesley <nispray@gmail.com> |
|---|---|
| Date | 2014-04-10 19:14 -0700 |
| Message-ID | <d5f0a0d7-a449-494c-80e9-717cbb3eaf02@googlegroups.com> |
| In reply to | #70079 |
pyc has weakness:
1. easy to decompile
2. python version related, e.g. pyc from py2.5 cannot be used to py2.7 bed

On Friday, April 11, 2014 at 9:48:04 AM UTC+8, Tobiah wrote:
> On 4/10/2014 6:29 PM, Wesley wrote:
> > Hi all, Does python has any good obfuscate?
> >
> > Currently our company wanna release one product developed by python
> > to our customer. But don't wanna others see the py code.
> >
> > I googled for a while but mostly just say using pyc. Any better one?
>
> Does that work? If so, wouldn't that be a great solution?
>
> Toby

| From | Ian Kelly <ian.g.kelly@gmail.com> |
|---|---|
| Date | 2014-04-10 20:23 -0600 |
| Message-ID | <mailman.9162.1397183072.18130.python-list@python.org> |
| In reply to | #70079 |
On Thu, Apr 10, 2014 at 7:48 PM, Tobiah <toby@tobiah.org> wrote:
> On 4/10/2014 6:29 PM, Wesley wrote:
>> Hi all, Does python has any good obfuscate?
>>
>> Currently our company wanna release one product developed by python
>> to our customer. But don't wanna others see the py code.
>>
>> I googled for a while but mostly just say using pyc. Any better one?
>
> Does that work? If so, wouldn't that be a great solution?

No, pyc files contain Python byte code, which can easily be disassembled -- in fact, the capacity to do this can be found in the "dis" module of the standard library. The result of disassembly is not valid Python, but it is not hard to read either. There are also decompilers available that can go the extra step and produce actual Python from the pyc file.

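Added example, not part of any post in this thread: a vendor-side check of what a `.pyc`-only release still exposes, covering both weaknesses Wesley lists and the `dis` point in the reply above. The sample source, its names and the 16-byte header size (CPython 3.7 and later) are assumptions made for the illustration.

```python
import dis
import importlib.util
import io
import marshal
import os
import py_compile
import tempfile

# Constructed sample source standing in for a shipped module (all names made up).
SAMPLE_SOURCE = '''
LICENSE_SALT = "constructed-sample-salt"

def check_license(key):
    return key == "ABCD-1234-" + LICENSE_SALT
'''

# Assumption: CPython 3.7+ layout, magic(4) + flags(4) + mtime/size or hash(8).
HEADER_SIZE = 16


def build_pyc(source):
    """Compile source text the way a .pyc-only release would; return the bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "product.py")
        pyc = os.path.join(tmp, "product.pyc")
        with open(src, "w") as handle:
            handle.write(source)
        py_compile.compile(src, cfile=pyc, doraise=True)
        with open(pyc, "rb") as handle:
            return handle.read()


def walk_code(code):
    """Yield a code object and every code object nested in its constants."""
    yield code
    for const in code.co_consts:
        if hasattr(const, "co_code"):
            yield from walk_code(const)


def inspect_pyc(data):
    """Report what a reader of the .pyc recovers without the .py file."""
    top = marshal.loads(data[HEADER_SIZE:])
    strings, functions = set(), {}
    for code in walk_code(top):
        strings.update(c for c in code.co_consts if isinstance(c, str))
        if code is not top:
            functions[code.co_name] = code.co_varnames[:code.co_argcount]
    listing = io.StringIO()
    dis.dis(top, file=listing)
    return {
        # The magic number ties the file to one bytecode version.
        "same_interpreter": data[:4] == importlib.util.MAGIC_NUMBER,
        "strings": strings,
        "functions": functions,
        "disassembly": listing.getvalue(),
    }


if __name__ == "__main__":
    report = inspect_pyc(build_pyc(SAMPLE_SOURCE))
    print("magic matches this interpreter:", report["same_interpreter"])
    print("functions and arguments:", report["functions"])
    print("string constants:", sorted(report["strings"]))
    print(report["disassembly"])
```

Function names, argument names and every string literal come back intact, so anything that must stay secret should not be in the shipped module at all.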
| From | Ben Finney <ben+python@benfinney.id.au> |
|---|---|
| Date | 2014-04-11 11:41 +1000 |
| Message-ID | <mailman.9161.1397180495.18130.python-list@python.org> |
| In reply to | #70078 |
Wesley <nispray@gmail.com> writes:

> Hi all,
> Does python has any good obfuscate?

Define “good obfuscate”. What is your goal?

If it is to hide your program's secrets from others, then obfuscation isn't going to help: no matter how good it is, it still needs to be readable by the runtime on the machine.

Moreover, the more effective the obfuscation, the less correspondence there is between the distributed code and the code you actually maintain. Attempting to debug problems will be infeasible, directly in proportion to how effective the obfuscation is.

Before looking to obfuscate your code, first establish – beyond mere emotional conviction – that there actually is something in the code which is worth hiding from recipients.

> Currently our company wanna release one product developed by python to
> our customer. But don't wanna others see the py code.

That's impossible: the code is in the hands of the customer. If your threat model is “the person who possesses the code must not have access”, then you've lost, just as DRM is a failure.

--
 \     “People demand freedom of speech to make up for the freedom of |
  `\    thought which they avoid.” —Soren Aabye Kierkegaard (1813–1855) |
_o__)                                                                  |
Ben Finney

| From | Wesley <nispray@gmail.com> |
|---|---|
| Date | 2014-04-10 19:17 -0700 |
| Message-ID | <572b740c-0ce2-4c01-a4cd-30d2e2463f2b@googlegroups.com> |
| In reply to | #70080 |
Umm, just wanna make all .py files not human readable.

Or, maybe need a tool like zend in php.

On Friday, April 11, 2014 at 9:41:11 AM UTC+8, Ben Finney wrote:
> Wesley <nispray@gmail.com> writes:
>
> > Hi all,
> > Does python has any good obfuscate?
>
> Define “good obfuscate”. What is your goal?
>
> If it is to hide your program's secrets from others, then obfuscation
> isn't going to help: no matter how good it is, it still needs to be
> readable by the runtime on the machine.
>
> Moreover, the more effective the obfuscation, the less correspondence
> there is between the distributed code and the code you actually
> maintain. Attempting to debug problems will be infeasible, directly in
> proportion to how effective the obfuscation is.
>
> Before looking to obfuscate your code, first establish – beyond mere
> emotional conviction – that there actually is something in the code
> which is worth hiding from recipients.
>
> > Currently our company wanna release one product developed by python to
> > our customer. But don't wanna others see the py code.
>
> That's impossible: the code is in the hands of the customer. If your
> threat model is “the person who possesses the code must not have
> access”, then you've lost, just as DRM is a failure.
>
> --
>  \     “People demand freedom of speech to make up for the freedom of |
>   `\    thought which they avoid.” —Soren Aabye Kierkegaard (1813–1855) |
> _o__)                                                                  |
> Ben Finney

| From | Ian Kelly <ian.g.kelly@gmail.com> |
|---|---|
| Date | 2014-04-10 20:28 -0600 |
| Message-ID | <mailman.9163.1397183379.18130.python-list@python.org> |
| In reply to | #70082 |
On Thu, Apr 10, 2014 at 8:17 PM, Wesley <nispray@gmail.com> wrote:
> Umm, just wanna make all .py files not human readable.
>
> Or, maybe need a tool like zend in php.

The only reliable way to prevent a customer from reverse-engineering your software is to not give them the software. For example, instead of giving them software containing the critical code that you want to protect, give them access to a web service running that code, which you host and control.

This is true no matter what language you're using to write the software.

| From | Grant Edwards <invalid@invalid.invalid> |
|---|---|
| Date | 2014-04-11 16:19 +0000 |
| Message-ID | <li94n4$4du$3@reader1.panix.com> |
| In reply to | #70084 |
On 2014-04-11, Ian Kelly <ian.g.kelly@gmail.com> wrote:
> On Thu, Apr 10, 2014 at 8:17 PM, Wesley <nispray@gmail.com> wrote:
>> Umm, just wanna make all .py files not human readable.
>>
>> Or, maybe need a tool like zend in php.
>
> The only reliable way to prevent a customer from reverse-engineering
> your software is to not give them the software. For example, instead
> of giving them software containing the critical code that you want to
> protect, give them access to a web service running that code, which
> you host and control.
If you do that the odds of them obtaining your code are reduced, but
don't assume they go to 0. ;)
--
Grant Edwards   grant.b.edwards at gmail.com
Yow! I just heard the SEVENTIES were over!! And I was just getting in touch with my LEISURE SUIT!!

| From | Ben Finney <ben+python@benfinney.id.au> |
|---|---|
| Date | 2014-04-11 13:12 +1000 |
| Message-ID | <mailman.9164.1397185960.18130.python-list@python.org> |
| In reply to | #70082 |
Wesley <nispray@gmail.com> writes:

> Umm, just wanna make all .py files not human readable.

(Please don't top-post; instead, use interleaved replies <URL:https://en.wikipedia.org/wiki/Posting_style#Interleaved_style> to make the conversation legible.)

You want the code not readable by which humans?

Any code which is readable by the machine is readable to the person who owns that machine, given enough effort of course. And any obfuscation needs to be reversed when the code is run, otherwise the machine reading it can't run it.

So it seems you don't want obfuscation; you want to not distribute the code at all.

--
 \     “They who can give up essential liberty to obtain a little |
  `\    temporary safety, deserve neither liberty nor safety.” |
_o__)   —Benjamin Franklin, 1775-02-17 |
Ben Finney

| From | Mark Lawrence <breamoreboy@yahoo.co.uk> |
|---|---|
| Date | 2014-04-11 06:53 +0100 |
| Message-ID | <mailman.9171.1397195634.18130.python-list@python.org> |
| In reply to | #70082 |
On 11/04/2014 04:12, Ben Finney wrote:
> Wesley <nispray@gmail.com> writes:
>
>> Umm, just wanna make all .py files not human readable.
>
> (Please don't top-post; instead, use interleaved replies
> <URL:https://en.wikipedia.org/wiki/Posting_style#Interleaved_style> to
> make the conversation legible.)
>

Further would you please use the mailing list https://mail.python.org/mailman/listinfo/python-list or read and action this https://wiki.python.org/moin/GoogleGroupsPython to prevent us seeing double line spacing and single line paragraphs, thanks.

--
My fellow Pythonistas, ask not what our language can do for you, ask what you can do for our language.

Mark Lawrence

---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com

| From | Sturla Molden <sturla.molden@gmail.com> |
|---|---|
| Date | 2014-04-11 09:17 +0000 |
| Message-ID | <mailman.9187.1397207878.18130.python-list@python.org> |
| In reply to | #70082 |
Ian Kelly <ian.g.kelly@gmail.com> wrote:

> The only reliable way to prevent a customer from reverse-engineering
> your software is to not give them the software.

Not really. You just need to make it so difficult that it is not worth the effort. In that case they will go away and do something else instead. At least if the threat is other companies out to make money. Dropbox is an example.

Sturla

| From | Ian Kelly <ian.g.kelly@gmail.com> |
|---|---|
| Date | 2014-04-11 04:22 -0600 |
| Message-ID | <mailman.9193.1397211813.18130.python-list@python.org> |
| In reply to | #70082 |
On Fri, Apr 11, 2014 at 3:17 AM, Sturla Molden <sturla.molden@gmail.com> wrote:
> Ian Kelly <ian.g.kelly@gmail.com> wrote:
>
>> The only reliable way to prevent a customer from reverse-engineering
>> your software is to not give them the software.
>
> Not really...

On Fri, Apr 11, 2014 at 3:17 AM, Sturla Molden <sturla.molden@gmail.com> wrote:
> It depends on the threat and how competent persons you want to protect your
> code from. If this comes from your boss, chances are he does not know that
> even x86 machine code can be decompiled. So as many have said, this is
> mostly futile business. The only way to protect your code is never to ship
> anything.

How is that last statement different from the one I made above, that you disagreed with?

| From | Steven D'Aprano <steve+comp.lang.python@pearwood.info> |
|---|---|
| Date | 2014-04-11 11:44 +0000 |
| Message-ID | <5347d5a6$0$29993$c3e8da3$5496439d@news.astraweb.com> |
| In reply to | #70119 |
On Fri, 11 Apr 2014 04:22:49 -0600, Ian Kelly wrote:

> On Fri, Apr 11, 2014 at 3:17 AM, Sturla Molden <sturla.molden@gmail.com>
> wrote:
>> Ian Kelly <ian.g.kelly@gmail.com> wrote:
>>
>>> The only reliable way to prevent a customer from reverse-engineering
>>> your software is to not give them the software.
>>
>> Not really...
>
> On Fri, Apr 11, 2014 at 3:17 AM, Sturla Molden <sturla.molden@gmail.com>
> wrote:
>> It depends on the threat and how competent persons you want to protect
>> your code from. If this comes from your boss, chances are he does not
>> know that even x86 machine code can be decompiled. So as many have said,
>> this is mostly futile business. The only way to protect your code is
>> never to ship anything.
>
> How is that last statement different from the one I made above, that you
> disagreed with?

Isn't it obvious? When *you* say something, you're making a knee-jerk reaction without considering all the circumstances, so even if you're right you're right for the wrong reasons and hence wrong. But when *I* say the same thing, I've made a deep and careful consideration of all the nuances and therefore am right for the right reasons and hence right.

:-)

--
Steven D'Aprano
http://import-that.dreamwidth.org/

| From | Sturla Molden <sturla.molden@gmail.com> |
|---|---|
| Date | 2014-04-11 12:42 +0000 |
| Message-ID | <mailman.9196.1397220149.18130.python-list@python.org> |
| In reply to | #70082 |
Ian Kelly <ian.g.kelly@gmail.com> wrote:

> How is that last statement different from the one I made above, that
> you disagreed with?

Who says I disagreed?

But to answer your question, it depends on the level of safety you need: Total secrecy or just enough protection to make it not worthwhile to access the code?

Sturla

| From | Joshua Landau <joshua@landau.ws> |
|---|---|
| Date | 2014-04-11 07:00 +0100 |
| Message-ID | <mailman.9174.1397196047.18130.python-list@python.org> |
| In reply to | #70078 |
On 11 April 2014 02:29, Wesley <nispray@gmail.com> wrote:
> Does python has any good obfuscate?

Most other people on the list will point out why such a thing is mostly pointless and you don't really need it.

However, if this really is your major blocker to using Python, I suggest compiling with Cython. There are downsides, but untyped Cython basically compiles the bytecode into C without actually changing the program, making compatibility really good. It's very difficult to reverse-engineer, largely because there aren't specialised tools to do it.

But I do warn that it's adding another abstracting step that doesn't improve - it probably harms - the overall usability of the product. Further, a determined hacker can circumvent it, much as they can circumvent everything else.

| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| Date | 2014-04-11 16:10 +1000 |
| Message-ID | <mailman.9176.1397196638.18130.python-list@python.org> |
| In reply to | #70078 |
On Fri, Apr 11, 2014 at 4:00 PM, Joshua Landau <joshua@landau.ws> wrote:
> But I do warn that it's adding another abstracting step that
> doesn't improve - it probably harms - the overall usability of the
> product. Further, a determined hacker can circumvent it, much as they
> can circumvent everything else.

I had this argument with my boss at work about obfuscating our JavaScript code. He said that he was extremely concerned that nobody should be able to rip off all his code; I said that anybody could still rip it off, just by using the code exactly the way the browser would. The *ONLY* advantage you can possibly get from an obfuscation system is that your users can't easily figure out what's going on internally; they can still, by definition, run the program unchanged.

If you run obfuscated code through a prettifier (or a decompiler and then a prettifier, as the case may be), you end up with something that's practically indistinguishable from poorly-commented code. Sure, it's not as nice to work with as something with helpful variable names and comments, but it's far from impossible.

ChrisA

| From | Sturla Molden <sturla.molden@gmail.com> |
|---|---|
| Date | 2014-04-11 09:17 +0000 |
| Message-ID | <mailman.9188.1397208006.18130.python-list@python.org> |
| In reply to | #70078 |
Wesley <nispray@gmail.com> wrote:

> Does python has any good obfuscate?
>
> Currently our company wanna release one product developed by python to
> our customer. But don't wanna others see the py code.
>
> I googled for a while but mostly just say using pyc. Any better one?

It depends on the threat and how competent persons you want to protect your code from. If this comes from your boss, chances are he does not know that even x86 machine code can be decompiled. So as many have said, this is mostly futile business. The only way to protect your code is never to ship anything.

Hacking the interpreter might be satisfactory to calm your boss:

- Run a script that strips comments and makes variable names incomprehensible
- Swap .pyc byte codes so they don't mean the same as in vanilla Python
- Make the compiler spit out scrambled bytes and make the .pyc loader unencrypt

Any of these measures can be circumvented, though. But it is hardly easier to read than compiled C++.

Sturla

| From | Sturla Molden <sturla.molden@gmail.com> |
|---|---|
| Date | 2014-04-11 09:17 +0000 |
| Message-ID | <mailman.9189.1397208312.18130.python-list@python.org> |
| In reply to | #70078 |
Joshua Landau <joshua@landau.ws> wrote:

> However, if this really is your major blocker to using Python, I
> suggest compiling with Cython.

Cython retains all the code as text, e.g. to generate readable exceptions. Users can also still steal the extension modules and use them in their own code. In general, Cython is not useful as an obfuscation tool.

Sturla

| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| Date | 2014-04-11 19:40 +1000 |
| Message-ID | <mailman.9191.1397209204.18130.python-list@python.org> |
| In reply to | #70078 |
On Fri, Apr 11, 2014 at 7:17 PM, Sturla Molden <sturla.molden@gmail.com> wrote:
> The only way to protect your code is never to ship anything.

It's worth noting, as an aside, that this does NOT mean you don't produce or sell anything. You can keep your code secure by running it on a server and permitting users to access it; that's perfectly safe.

ChrisA

| From | cl@isbd.net |
|---|---|
| Date | 2014-04-11 13:32 +0100 |
| Message-ID | <b04l1b-c7l.ln1@chris.zbmc.eu> |
| In reply to | #70116 |
Chris Angelico <rosuav@gmail.com> wrote:
> On Fri, Apr 11, 2014 at 7:17 PM, Sturla Molden <sturla.molden@gmail.com> wrote:
> > The only way to protect your code is never to ship anything.
>
> It's worth noting, as an aside, that this does NOT mean you don't
> produce or sell anything. You can keep your code secure by running it
> on a server and permitting users to access it; that's perfectly safe.
>

Perfectly? :-)

--
Chris Green