bytecode obfuscation

Alex Martelli aleaxit at yahoo.com
Sun Feb 6 04:47:31 EST 2005


snacktime <snacktime at gmail.com> wrote:
   ...
> How difficult is it to turn python bytecode into its original source?

It's pretty easy, not really the original source (you lose comments etc)
but close enough to read and understand.

>  Is it that much different than java (this is what they will probably
> compare it to) ?

It's not very different from Java, or for that matter from C: Python's
bytecode is a bit higher-level than Java's, which is a bit higher level
than typical machine code, but not enough to make a difference if there
is good illicit profit to be made in disassembling and studying it.

> Also, I'm curious how much demand there is for this application in the
> Python world.  The application replaces online credit card

There is as much _wishing_ for magic bullets to slay all monsters, and
magic wands to cure all ills, in the Python world as in others, and
generally just about the same recognition that the magic bullets and
wands are not technically achievable.  You can arrange things so that
somebody wishing to study and reproduce your code will spend 10 hours
instead of 5, maybe (with effort) can go all the way up to making them
spend 20 hours -- but if reproducing that code is worth to them a few
thousand bucks, you're toast anyway.

Whatever code you let out of your control, it WILL get cracked if
there's a profit in cracking it -- and sometimes even if there ain't
(cfr, the cracks of hard-to-crack games abounding on warez sites).

So, if you have any code whose secrecy is important, you just cannot
allow it to get out of your control -- keep it on a solid and closely
guarded server and allow access to it only via well-controlled web
services or the like.  For example:

> processors(Verisign, Authorizenet) by providing a platform that
> connects directly to the bank networks for credit card processing, and

...the code would have to connect (with non-secrecy-critical code) to a
secure server which then does the secrecy-critical connection to the
bank networks -- assuming the secrecy IS critical for that part.

If you're currently distributing that ``secrecy critical'' code as JVM
bytecodes or Intel machine code, and there IS indeed a profit to be made
in cracking it, rest assured that it IS cracked, somewhere.


Alex
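
An added example, not part of the original post: an audit of what a compiled Python module still carries once the source is gone, which is why secrets must stay on the server side. The sample module, its key, its URL and all function names here are constructed for illustration.

```python
import marshal

# Constructed sample: stands in for a module shipped only as compiled bytecode.
SAMPLE_SOURCE = '''
# merchant gateway client (this comment does not survive compilation)
API_KEY = "sk_test_CONSTRUCTED_0000"

def charge(card_number, amount_cents):
    endpoint = "https://gateway.example.invalid/v1/charge"
    return submit(endpoint, API_KEY, card_number, amount_cents)
'''


def compile_like_pyc(source):
    """Compile, then round-trip through marshal, the serialisation a .pyc body uses."""
    code = compile(source, "gateway.py", "exec")
    return marshal.loads(marshal.dumps(code))


def audit(code, found=None):
    """Recursively collect identifiers and string constants kept in code objects."""
    if found is None:
        found = {"functions": [], "names": set(), "strings": set()}
    found["names"].update(code.co_names)      # globals, attributes, called names
    found["names"].update(code.co_varnames)   # parameters and local variables
    for const in code.co_consts:
        if isinstance(const, str):
            found["strings"].add(const)
        elif hasattr(const, "co_code"):       # nested function or class body
            found["functions"].append(const.co_name)
            audit(const, found)
    return found


def exposed_report(source=SAMPLE_SOURCE):
    """Return everything the audit recovers from the compiled sample."""
    return audit(compile_like_pyc(source))


if __name__ == "__main__":
    report = exposed_report()
    print("functions:", report["functions"])
    print("names:    ", sorted(report["names"]))
    print("strings:  ", sorted(report["strings"]))
```

Run against your own build output, a report like this shows which keys, endpoints and identifiers would leave your control with the distributed files.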


