Protect Python Source

Christian Tismer tismer at tismer.com
Fri Nov 1 05:09:31 EST 2002


hope wrote:
> Hi,
> 
> If I am to develop a full-fledged commercial application using Python:
> 
> a. Can I compile my python source into binary ? I have read about py2exe for
> windows. Is there one for Linux ?
> 
> b. Can I distribute the bytecode only (.pyo, .pyd) and not the source (.py)
> ? Can the bytecode be 'de-compiled' to source ?

In addition to Alex' reply with which I totally agree:
Using the Installer gives you the advantage that
no source code can be seen and even no bytecode
is visible in the first place. It is of course ungzipped
from the executable at execution time, but there are
no visible files, it is in memory, only.
That means, the average user will not be able to read
your source, and the bytecode is not so easy to access.

This doesn't provide safety against true hackers, but
this doesn't exist by definition.

There is one way to do some more obfuscation of the
bytecode which comes for quite cheap and raises the
fence for disassemblers a little:
You can easily create a Python interpreter with permuted
opcodes. You can even use a different interpreter for
every customer. There are lots of variations of this
principle. But it isn't really strong, since the opcodes
can be guessed by a statistical approach, or disassembling
the interpreter.
The problem is that it doesn't take long
until somebody publishes a tool to disassemble it
again, and then those kiddies who think they are
hackers just because they know how to use a tool come
into the play.

Some promising idea which I didn't try yet is to combine
the opcode permutation idea with redundancy: Create
many versions of the same functions, with slightly
changed behavior and slightly different opcodes.
Make a huge code bloat out of this, with just a small
percentage of "real" code. The idea is to confuse
the hacker by myriads of similar, slightly different
objects, and by a reasonable total size of the code
that might make him give up earlier.

Yet another way of obfuscation would be to use compilers
like Psyco, and store the compiled code instead of the
.pyc data. This would make the disassembly reasonably
harder. AFAIK, Psyco isn't ready yet to produce
executables, but I guess this will be an option pretty
soon.

but-open-source-is-so-much-more-fun - ciao - chris

-- 
Christian Tismer             :^)   <mailto:tismer at tismer.com>
Mission Impossible 5oftware  :     Have a break! Take a ride on Python's
Johannes-Niemeyer-Weg 9a     :    *Starship* http://starship.python.net/
14109 Berlin                 :     PGP key -> http://wwwkeys.pgp.net/
work +49 30 89 09 53 34  home +49 30 802 86 56  pager +49 173 24 18 776
PGP 0x57F3BF04       9064 F4E1 D754 C2FF 1619  305B C09C 5A3B 57F3 BF04
      whom do you want to sponsor today?   http://www.stackless.com/
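
Added example, not part of the original post or of any tool it mentions: a pre-release check of what a bytecode-only distribution (question b in the quoted message) still exposes, using the standard `marshal` module on a constructed sample. The sample source and the names `to_bytecode_blob`, `inventory` and `exposed` are hypothetical.

```python
import marshal
import types

# Constructed sample standing in for a commercial module; all names are hypothetical.
SAMPLE_SOURCE = '''
LICENSE_SALT = "constructed-salt-1234"

def check_license(key):
    expected = "DEMO-" + LICENSE_SALT
    return key == expected

class Billing:
    def rate(self, hours):
        return hours * 1750
'''

def to_bytecode_blob(source, filename="app.py"):
    """Compile and marshal: the payload a bytecode file carries after its header."""
    return marshal.dumps(compile(source, filename, "exec"))

def _flatten(const):
    """Yield leaf constants, descending into tuple and frozenset constants."""
    if isinstance(const, (tuple, frozenset)):
        for item in const:
            yield from _flatten(item)
    else:
        yield const

def inventory(blob):
    """Walk every nested code object and collect what survives without the .py."""
    strings, names = set(), set()
    stack = [marshal.loads(blob)]
    while stack:
        code = stack.pop()
        names.add(code.co_name)
        names.update(code.co_names)
        names.update(code.co_varnames)
        for const in code.co_consts:
            for leaf in _flatten(const):
                if isinstance(leaf, types.CodeType):
                    stack.append(leaf)
                elif isinstance(leaf, str):
                    strings.add(leaf)
    return {"strings": strings, "names": names}

def exposed(blob, sensitive):
    """Pre-release check: which sensitive values are readable in the shipped blob?"""
    found = inventory(blob)
    visible = found["strings"] | found["names"]
    return [value for value in sensitive if value in visible]
```

Run `exposed()` over each module before shipping, with the string literals and identifiers you consider confidential; anything it returns is readable by whoever receives the bytecode.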
