Python obfuscation

Yu-Xi Lim yuxi at ece.gatech.edu
Thu Nov 10 20:14:14 EST 2005


Bill Mill wrote:
> Your only solution, then, is to write unpopular code. Because, as Alex
> said, it will otherwise be broken into. Let's look at two very popular
> pieces of code: Half-Life 2 and Windows XP. How are they secured?
> Previous versions of these software products used sophisticated
> client-side programming to try and be secure, but the security was
> nonexistent. Users share keys and cracks with each other.

and

Mike Meyer wrote:
> What makes you think this is the case? There are ways to distribute
> Python modules so that the user can't just open them in a text
> editor. There are also ways to get cryptographic security for
> distributed modules. Yes, if you use the same methods you use in C++,
> it's "much harder". But by the same token, if you tried to use the
> methods you'd use in a Python program in C++, you'd find that the C++
> version was "much harder".
>
> Of course, as Alex pointed out, all of these are just keeping honest
> people honest. The crooks have all the advantages in this game, so you
> really can't expect to win.


Funny you should mention Half-Life 2. I actually went out and bought 
Half-Life 2 from the store instead of waiting for a crack to be released 
(the unique scheme they used meant that crackers would take a little 
longer than usual). I really wanted to play this game (i.e., it's very 
popular) and couldn't wait.

My brother is bugged by Civilization IV's copy protection. A couple of 
days ago, after consulting me on what other options he could try, he 
finally said in frustration, "Maybe I should go buy the game."

This is a personal anecdote, but I'm sure it applies to at least some 
people. Obviously I'm not an honest person. But I'm not so against 
spending money on software that I won't buy it if there's a pretty good 
copy protection system on it. The "keeping honest people honest" 
argument is simplistic and as Ben said, "black and white thinking".

Ben's analogy of the house is not a perfect example, but it's still a 
fair one. You know that if some one really wants to break into your 
house, he will get in, regardless of your sophisticated laser trip wire 
system, ex-SAS guards, and genetically-engineered guard dogs. But as 
long as the cost of protection is less than the cost of the item you're 
protecting (multiplied by the relevant probabilities, factoring 
recurring costs, etc), it's worthwhile to spend money on protection. If 
that fails, then you will of course fall back on the law, but you still 
try to prevent it from happening in the first place.

I do believe that code obfuscation and copy protection measures work, to 
a limited extent. Few software companies believe that their copy 
protection will be uncrackable (though their marketing droids may say 
otherwise), but are most willing to invest in it to at least temporarily 
stave off the piracy.

Distribution of Python modules as compiled bytecode is a limited form of 
obfuscation. Some believe it's enough. But if there's a free obfuscator 
out there that can increase the difficulty of reverse engineering, why 
not use that too? Costs you nothing, and may get you a customer or two 
more before someone manages to crack that.

Obfuscation has its place. It's not the final solution for software 
protection (and there probably isn't one), but it is one more lock you 
can use to deter or delay thieves. You can't expect to win against 
determined thieves, but you can remove as many advantages as they have.


> Now, both of these programs require verification (phone and/or web) to
> be used. The only truly secure method of assuring that they're not
> used in ways you don't intend is to require the user to contact you to
> use it, and that's a deal with the devil. One you might need to make
> if security is that important to you, as Microsoft and Valve have
> decided it is, but it's a deal with the devil nonetheless.

This seems to be opposite to what you said in the previous paragraph. 
Contacting and verifying with the company every time you use the 
software is obviously not "the only truly secure method", since there 
are cracks and keys floating around. It is also not quite as evil as it 
may seem, since authorization is only required on initial use (and 
online gaming).
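The message above calls shipping compiled bytecode a "limited form of obfuscation". The following script, added here as an illustration and not part of the original thread, shows concretely how limited: it compiles a small constructed module containing a hard-coded license key, marshals the code object the way a .pyc file stores it, and then recovers the module's names, string constants and a full disassembly from the bytecode alone, using only the standard library (`marshal`, `dis`). The `SAMPLE_SOURCE` module and its key value are constructed for the example.

```python
"""Added example: how much of a Python module survives in its compiled
bytecode, i.e. why a .pyc is only limited obfuscation. The sample module
below is constructed for this illustration."""
import dis
import io
import marshal
import types

# Constructed sample module: the sort of check a vendor might hope to hide.
SAMPLE_SOURCE = '''
SECRET_KEY = "ABCD-1234-EFGH"

def check_license(key):
    """Return True when the supplied key matches the embedded key."""
    return key.strip().upper() == SECRET_KEY
'''


def compile_to_bytecode(source: str) -> bytes:
    """Compile the source and marshal the code object.

    This is the payload of a .pyc file (py_compile prepends a small header
    with the magic number and source metadata; the body is marshal output).
    """
    code = compile(source, "<sample>", "exec")
    return marshal.dumps(code)


def recover_from_bytecode(blob: bytes) -> dict:
    """Load the marshalled code object and extract what a reader can see
    without the source: global/attribute names, string constants and a
    disassembly of every nested code object."""
    code = marshal.loads(blob)
    names = set()
    strings = set()

    def walk(co: types.CodeType) -> None:
        # co_names holds globals and attributes referenced by the code;
        # co_consts holds literals and the nested function code objects.
        names.update(co.co_names)
        for const in co.co_consts:
            if isinstance(const, str):
                strings.add(const)
            elif isinstance(const, types.CodeType):
                walk(const)

    walk(code)
    out = io.StringIO()
    dis.dis(code, file=out)  # recursively disassembles nested functions
    return {"names": names, "strings": strings, "disassembly": out.getvalue()}


if __name__ == "__main__":
    blob = compile_to_bytecode(SAMPLE_SOURCE)
    info = recover_from_bytecode(blob)
    print("names:", sorted(info["names"]))
    print("string constants:", sorted(info["strings"]))
    print(info["disassembly"])
```

Running it prints the embedded key among the string constants and a disassembly in which the `COMPARE_OP` for the license check is plain to see; the only things lost relative to the source are comments and formatting. This is the practical reason that a secret or a check placed in a .pyc should be treated as public, and why the message above treats bytecode distribution as a delay rather than a protection.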


