Source code

Steven sadams123 at optushome.com.au
Mon Sep 16 21:03:09 EDT 2002


> > This question ("how can I obscure Python byte-code?") comes up at least
> > once a month on this list.  It's fairly clear that any scheme you come
> > up with will take longer to implement than it will to break by a
> > competent hacker.
>
> True.. that's why I'm planning to obfuscate the code then encrypt it.

You don't want to go overboard with this, people still have to use the
program - where are you going to keep the code that is 'now' (once
decrypted) in plaintext?

At some stage your code must be in the clear, and at that stage, anyone can
get at it.

e.g. running it on Linux, just start it up, get past whatever encryption
you've put on there, when the program is running - and you've either got
unencrypted files sitting on disk, or, (you decided to be tricky and keep it
all in memory) just 'cat /proc/kcore > some_file.txt' and you've got a
complete memory dump to look through.

As everyone has said, you're running against diminishing returns on any
security through obscurity.

> A hacker (not every programmer) is specialized in modifying jmp instructions
> and could find the password
> to decrypt the .pyc in less than 20 minutes, but maybe 5% of them know
> about Python.

If they're able to run the code, it'd be a fairly solid bet that they'd know
about Python, if not, a quick search on Google would probably net you all the
info you need to find out just what that file is. After all, in order to run
the program they'd need to at least install Python somehow - unless you're
planning to embed Python in some other app, and run your code in that...

I'd say, don't bother, copyright it, and only distribute the compiled Python
files under a restrictive license.

Steven
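
An added example, not part of the original post: it shows how much a compiled Python file still discloses once the source is gone, which is why a key or password embedded in distributed bytecode should be treated as public. The sample module, its embedded key and all function names are constructed for illustration, and the 16-byte header skip assumes CPython 3.7 or later.

```python
import marshal
import os
import py_compile
import tempfile
import types

# Constructed sample: a module that embeds a "decryption password" in its code.
SAMPLE_SOURCE = '''
def unlock(blob):
    password = "s3cr3t-constructed-key"
    return bytes(b ^ ord(password[i % len(password)]) for i, b in enumerate(blob))
'''

def load_code_from_pyc(path):
    """Return the code object stored in a .pyc file (CPython 3.7+ layout)."""
    with open(path, "rb") as f:
        f.read(16)  # skip header: magic, flags, mtime-or-hash, source size
        return marshal.load(f)

def collect_strings(code):
    """Recursively gather identifiers and string constants from a code object."""
    found = set(code.co_names) | set(code.co_varnames)
    found |= set(code.co_cellvars) | set(code.co_freevars)
    for const in code.co_consts:
        if isinstance(const, str):
            found.add(const)
        elif isinstance(const, types.CodeType):
            found.add(const.co_name)
            found |= collect_strings(const)  # nested functions, generators
    return found

def inspect_compiled_sample():
    """Compile SAMPLE_SOURCE to a .pyc, delete the source, and read it back."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "sample.py")
        pyc = os.path.join(tmp, "sample.pyc")
        with open(src, "w") as f:
            f.write(SAMPLE_SOURCE)
        py_compile.compile(src, cfile=pyc, doraise=True)
        os.remove(src)  # only the compiled file is "distributed"
        return collect_strings(load_code_from_pyc(pyc))

if __name__ == "__main__":
    for item in sorted(inspect_compiled_sample()):
        print(item)
```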




