I am developing proprietary software that would be distributed in a form of .exe file. In order to use it, users will have to authenticate with their whitelist credentials (username + password).
The issue I have encountered is that in the industry I am selling on, there are a lot of "hackers" who will try to decompile your executable file, get the source code and distribute it for free to other people.
To combat these reverse-engineering attempts, I have tried to both obfuscate my code and use various compilers, but so far to no success.
What I have tried:
Use py2exe compiler: "hackers" managed to decompile executable in an hour.
Use pyinstaller compiler: same as with py2exe.
Use pyminifier to obfuscate the code: "hackers" managed to deobfuscate the code.
Use Oxyry Python Obfuscator: same as with pyminifier.
Those who managed to decompile and deobfuscate my program explained that the open-source nature of the 4 tools mentioned above means that their algorithms are well-known and there are solutions out there made to reverse-engineer programs that use these open-source compilers and obfuscators.
What I didn't try yet:
Using Pyarmor to obfuscate my code. I've heard it is good, but it costs 50$, so I want to be sure that it is the best obfuscation tool out there before purchasing the license.
Using Cython library to create a C-wrapper for my program, making it compiled in C instead of Python. Since C binaries are much harder to read, it will make the program significantly harder to decompile. However, I have never programmed in C, and I want to know if there are better ways to compile my source Python code, without the need to learn C.
What I am not going to try:
Completely rewrite my whole program in a language other than Python. I am not strong in other languages, plus the program itself consists of over 1,000 lines of code, so I can't just completely rewrite it for the sole purpose of making it harder to decompile.
Making program open-source: This is a for-profit software, so I am not going to release the proprietary code, thank you for understanding.
Making the program a web-app: Since my program directly interacts with files on the user's PC, I can't make it web-based, it has to be on the user's PC.
Please also consider that if "hacker" will be able to disable the whitelist system without even accessing the source code, he will be able to distribute it to other users with no limitation. Therefore, I am looking for a way that will not only make it extremely hard to decompile the program, but also make it almost impossible to meddle with binaries and turn off certain parts of the program's code.
Since people in this thread did not provide any satisfiable answers, I will explain what I did to secure my program. As I mentioned previously, my goal is not to create an "uncrackable" program, just one that is secure enough to deter away amateurs.
I got help on one of the reverse-engineering forums, so props to those people!
Firstly, I used Nuitka to convert .py file into a C-based standalone executable. Then, I passed a resulting .exe file through VMProtect to obfuscate the binaries.
I've tested it on a few CS graduates, and they weren't able to crack or deobfuscate the program, so this is good enough for me.
P.S. Those who said that "it is impossible" or "your business model is wrong", please do not share your opinions unless you have a reverse-engineering experience, thank you :)
I guess I'll be the brave one to post as the answer: There is no technical means you can take to prevent software running on end user machines from being cracked.
You can perhaps make it more difficult, but since you've stated that in this market, people will always prefer cracked software to legit at any price, this is a situation you have essentially no hope of winning: if you have determined pirates, they will win every time.
So: You can't; give up
Sorry :-(
Related
I need to integrate a body of Python code into an existing OSGi (Apache Felix) deployment.
I assume, or at least hope, that packages exist to help with this effort.
If it helps, the Python code is still relatively new and small, so can probably re re-architected to meet whatever constraints are needed. However, it must remain in Python, because of dependencies on third-party libraries.
What are suggested best practices?
The trick is to make this an extender, see 1 and 2. You want your Python code to be separate from the code that handles the interaction with the interpreter. So what you do is wrap the Python code and any native libraries in a bundle. This is trivial since it is just a zip file.
You then develop a bundle that listens to starting bundle (see the BundleTracker) that have python code. A manifest is often used but you can also look in a directory in the JAR. If you detect this code, you extract any native libraries and run the code in the interpeter of your choice.
If can use JYthon then that would be highly recommended. You can then carry the interpreter as an OSGi bundle that runs on the VM. If you need to use a native compiler your life is less rosy. You can rely on the environment to provide you with an interpreter but then why use OSGi in the first place. You basically lose the write once run anywhere advantage. You could go the full monty by creating bundles that contain Python installers for all platforms you support. Can be done, not even that hard, but a maintenance nightmare. Believe me, native code suck, it only does it a bit faster than Java.
Recently I've been developing Python code as a freelancer. I've mostly worked on social media bots, my usual way of delivering the code is as a Python script for people to run on their compilers. However, I've started to run into people that lack the technical knowledge of installing modules and running the code that way. How do I create a package like software and deliver it in a way that can be ready-to-run and users don't have to download anything extra? Thank you in advance for your feedback.
Check out py2exe. It is a wrapper that converts your script into an executable, so the user can run it without needing to install any python libraries.
Alternatives to py2exe are:
PyInstaller - the advantage of using this is that it lets you build executables in formats other than exe, if you want to make your program run on non-Windows platforms, for example.
cx_Freeze - this is also another cross-platform alternative.
One method would be (as stated in the previous answer) is to use exe converters, but that wouldn't be as effective if you target Mac and Linux users as well.
My solution is going to take you a little more time, but it will be worth it. Here goes:
Please learn Angular JS, or some other framework (I prefer Angular). Once you know that, you can easily develop a web app for your project, and add your Python to that.
The good news is, there are lots of tutorials for this, such as https://codehandbook.org/creating-a-web-app-using-angularjs-python-mongodb/ (also teaches you mongodb) Anyways, you can find other tutorials on your own.
You could of course, I guess, build it into a mobile app, but I think web app would be easier.
I'm looking for a way I can package a tool I've built for use by my colleagues. In order to run it requires modules that are currently only found on my own workstation. Adding the modules to other workstations is not possible because it's explicitly prohibited.
So far I've been unable to locate any way to accomplish my goal without using a module or other software that converts the script into an exe.
My work-site has strict rules for executable software. I am prohibited from creating anything that requires installation, makes any changes to the registry, and/or has exe as its native file extension.
I'm hoping someone here might know a way to get around this restriction while still adhering to that policy. Bending or breaking these rules, even for a moment, would be met with harsh consequences for myself.
This is not a Python problem. It's a problem with your company policies.
You simply cannot accomplish what you want to do with those policies, and if you do find a way, it will most likely violate the policies anyway.
You need to talk to a manager.
I have written a program. I don't know if it is important how it is written but you can find it here: http://pastebin.com/Z3ZvVPV8 Basically, it asks you to assign values to variables and will perform calculations depending on what variables you chose, and prints the answer.
I would like to know how I can make the program run in a window other than cmd (I am using Windows Vista 32bit). I don't need much at all in terms of GUI, just a window that is a bit more user friendly/easier to look at when they are using the program.
EDIT: To those suggesting using IDLE, while that would work for me, if others want to use the program they would have to download it, so I was hoping for a way for that not to happen.
Python comes with a sort of default GUI package TkInter you can use it.
Also there is a lot of other GUI packages available.
The Python standard library offers a lot of ways to implemt simple (but also rather complex) GUIs. I'd like to point you at the documentation of TK (tool kit for graphical interfaces) http://docs.python.org/library/tk.html where you will find also some useful example of use.
Py2Exe is a viable option if you really don't need a gui. This will make it run and look like a command prompt, but it will be an .exe file. Here is a quick quote from thier page: "py2exe is a Python Distutils extension which converts Python scripts into executable Windows programs, able to run without requiring a Python installation."
Another alternative is to get Portable Python. Here is a quote from thier webpage: "Portable Python is a Python® programming language preconfigured to run directly from any USB storage device, enabling you to have, at any time, a portable programming environment. Just download it, extract to your portable storage device or hard drive and in 10 minutes you are ready to create your next Python® application." After packaging the portable python and your .py or .pyc file then create a .bat file that runs the portable python "Python-Portable.exe" with the correct command line parameters for loading your script. Be sure to use relative paths in the batch file in case they are running it from a flash drive, or something other than the same location as you.
NOTE: This is really not a good way to do this as thier download page states: "Installed size: based on selected packages, between 49MB and 480MB". Also be sure to read the the current Python Software Foundation License, as that is what Portable Python is released under, and it may or may not be legal to package it in a closed source project. I haven't really looked at the license myself to be able to tell you. If you are releasing it as open source, then there would not be an issue though. As a quick side note, if you need that .bat file to be a .exe file then you can use a .bat to .exe converter battoexe.com is one. This is really going the long way about doing the whole thing, but it is an option.
Sources:
Working with Python on and off for 7 years now, a lot that using a portable version on a flash drive, and also dealing with Batch files much longer.
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 11 years ago.
What exactly is the sole purpose of python being an interpreter.
It doesn't provide executable files (how a commercial software developer use it?)
If any part of the code had bugs, it doesn't show up unless python
goes to that line at run it. In large projects, all parts of code
doesn't get interpreted every time, so, there would be a lot of
hidden bugs inside project
Every system should have a python installed in it to run those software's...
I am using py2exe, and I find myself puzzled to just look at the executable file size (too large).
First, answers to your questions.
They can use it for parts of their system for which they don't mind the source being visible (e.g. extensions) or they can Open Source their application. They can also use it to develop backend services for something which they're providing as a service (e.g. Youtube). They can also use it for internal tools which they don't plan to release(e.g. with Google).
That's why you need to write tests, exercise discipline and measure test coverage regularly. You sacrifice the compilers ability to check for things and some speed for advantages which I've detailed below.
Yes but it's not too hard to bundle Python along with your app. The entire interpreter + libraries is not that big. Python is pretty much a standard on most UNIX environments today. This is usually not a practical problem. The same issue is there with (say) Java (you need the JVM installed).
py2exe bundles all the modules into a single executable. It will be big. If you want to do compiled programs that are lean, don't use Python. Wrong fit.
Now, a few reasons on why "interpreted".
Faster development time. Programmer time is costlier than computer time so we should optimise for that.
No compilation cycle. Very easy to make incremental changes and check. Quick turnaround.
Introspection and dynamic typing allows certain kinds of coding not possible with some compiled languages like C.
Cross platform. If you have an interpreter for your platform, the program will run there even if it was written on a different platform.
You bring up a few different issues, here are some responses:
1) Technically, Python isn't interpreted (usually) - it is compiled to bytecode and that bytecode is run on a virtual machine.
So Python doesn't provide executables because it runs bytecode, not machine code.
You could just as well ask why Java doesn't produce executables.
The standard advantages of virtual machines apply: A big one being a simplified cross-platform development experience.
You could distribute just the .pyc (compiled bytecode) files if you don't want your source to be available. See this reference.
2) Here, you are talking about dynamic vs. static languages. There are tradeoffs, of course. One disadvantage of dynamic languages, as you mention, is that you get more run-time errors rather than compile-time errors.
There are, of course, corresponding advantages. I'll point you to some resources discussing both sides:
Dynamic type languages versus static type languages
What do people find so appealing about dynamic languages?
http://research.microsoft.com/en-us/um/people/emeijer/Papers/RDL04Meijer.pdf
3) Quite right. Just as you need the Java VM installed to run Java, perl to run Perl, etc.
Regarding your last point:
The whole idea of running in a VM is that you can install that VM once, then run many different apps. By bundlig the whole VM with every app (such as with py2exe), you are going against that concept. So yes, you have to pay the cost in terms of size.
Sole purpose of python is to provide a beautiful language to program in.
Your point #1 and #3 are similar and answer is that professional programmers use py2exe/pyinstaller etc to bundle their programs and distribute, in cases of frameworks/libraries they even don't need to do that.
Your point number #2 is also valid for statically compiled languages, something compiles correctly in C++ doesn't mean it will not crash at run-time or business logic is correct, you anyway need to test each part of your code, so with good unittests and functional tests python is at par with other languages in finding bugs, and as it doesn't need to be comiled and being dynamic means better productivity.
IMO
Python is not an interpreter, but an interpreted language.
This question is more about interpreted language VS compiled languages which has actually no other answer that the usual "it depends of your need".
See Noufal Ibrahim for details, but I'm not sure this question is a good fit for SO.
(1) You can provide installers for Python code (which may install the Python environment). This doesn't prevent you from having commercial code. Note that you can also have Java (also "interpreted" or JIT-compiled) commercial or desktop code and require your users to install a JRE.
(2) Any language, even compiled and strongly type, may produce errors that only show up when you get to that given code (e.g. division by zero). I guess you may be referring to strongly v.s. loosely typed languages. It's not just a matter of compilation, but the fact that strongly-typed languages generally make it easier to find "structural" bugs (e.g. trying to use a string as a number) during the compilation process. In contrast, loosely-typed language often lead to shorter code, which may be easier to manage. What to use really depends on the goal of your application.
Interactivity is good. I find it encourages making small, easily testable functions that build together to make an application.
Unless you are writing simple, statically linked applications, you will usually have some run-time baggage that must be included or installed (mfc, dot net, etc.) for compiled languages. Look at the winsxs folder. Sure, you get to "share" that stuff most of the time, but there is still a lot of space taken up by "needed", if hidden, requirements.
And as far as bugs, run-time bugs will be the same no matter what. Any good programmer would test as much as possible when making changes. This should catch what would be compile time bugs in other languages as well as testing run-time behavior.
A python .exe has to necessarily include a complete copy of the python interpreter. As you say, since it's interpreted it won't touch every line of code until that line is actually run. Some parts may actually invoke a python parse/compile sequence (e.g. eval(), some regexes, etc...). These would fail in a compiled .exe unless the full interpreter was available.