py2exe how safe is my source ?

Tim Peters tim.one at home.com
Mon Jun 11 03:06:17 EDT 2001


[Tomasz Stochmal, wonders about reverse-engineering .pyc files]

[Alex Martelli, doesn't cheer him up]
> ...
> From a .pyc you even get the line numbers to help you
> reconstruct the exact layout, blank lines and all...  at least
> a .pyo (as obtained for import when you run Python with
> -O, or -OO to eliminate docstrings too) hides _that_:-)

Not very well, though.  There's still a mechanism for finding line numbers
under -O, else tracebacks would be much harder to follow.  And Python being
Python, you can figure it out easily enough with a Python program.  For
example, here's a program:

def f(x):
    x += 1
    # Multiply by 2.
    x *= 2
    return x

tab = f.func_code.co_lnotab
addr, line = 0, f.func_code.co_firstlineno
i = 0
while i < len(tab):
    addrincr, lineincr = map(ord, tab[i:i+2])
    addr += addrincr
    line += lineincr
    print "bytecode offset", addr, "corresponds to line", line
    i += 2

import dis
dis.dis(f)

and here's output from running that under -O:

bytecode offset 0 corresponds to line 2
bytecode offset 10 corresponds to line 4
bytecode offset 20 corresponds to line 5
          0 LOAD_FAST                0 (x)
          3 LOAD_CONST               1 (1)
          6 INPLACE_ADD
          7 STORE_FAST               0 (x)
         10 LOAD_FAST                0 (x)
         13 LOAD_CONST               2 (2)
         16 INPLACE_MULTIPLY
         17 STORE_FAST               0 (x)
         20 LOAD_FAST                0 (x)
         23 RETURN_VALUE
         24 LOAD_CONST               0 (None)
         27 RETURN_VALUE

However, from that alone, it's impossible to know whether the body of f was
*really*

def f(x):
    x += \
        1
    x *= 2
    return x

instead <wink>.

security-thru-transparency-ly y'rs  - tim
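The same inspection on a current Python 3 interpreter, as an added example that is not part of the original post: it compiles a constructed function at -OO level, round-trips the code object through marshal (the payload format of a compiled file), and reports what a reader can still recover. The file name secret.py, the sample source, and the helper names are assumptions made for the illustration.

```python
import dis
import marshal

# Constructed sample source; the docstring stands in for text an author wants hidden.
SRC = '''def f(x):
    "Internal design note."
    x += 1
    # Multiply by 2.
    x *= 2
    return x
'''

def shipped_code(optimize):
    """Compile SRC and round-trip it through marshal, as a compiled file would store it."""
    module = compile(SRC, "secret.py", "exec", optimize=optimize)
    return marshal.loads(marshal.dumps(module))

def find_function(module_code, name):
    """Return the nested code object for the function called `name`."""
    for const in module_code.co_consts:
        if hasattr(const, "co_code") and const.co_name == name:
            return const
    raise LookupError(name)

def recoverable(optimize):
    """Summarise what the compiled form still reveals about f."""
    code = find_function(shipped_code(optimize), "f")
    # findlinestarts decodes the line table; newer interpreters may yield None.
    lines = sorted({ln for _, ln in dis.findlinestarts(code) if ln is not None})
    strings = [c for c in code.co_consts if isinstance(c, str)]
    return {
        "file": code.co_filename,
        "args": code.co_varnames[:code.co_argcount],
        "lines": lines,
        "strings": strings,
    }

if __name__ == "__main__":
    for level in (0, 2):  # 0 = no optimisation, 2 = equivalent of -OO
        print("optimize =", level, recoverable(level))
```

At level 2 the docstring is gone, but the source file name, the argument names and the line numbers of every statement are still present; only the comment line leaves no trace.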




