Best way to protect source code of .exe program running on Python?

I am developing proprietary software that would be distributed in the form of an .exe file. In order to use it, users will have to authenticate with their whitelist credentials (username + password).

The issue I have encountered is that in the industry I am selling in, there are a lot of "hackers" who will try to decompile your executable file, get the source code and distribute it for free to other people.

To combat these reverse-engineering attempts, I have tried to both obfuscate my code and use various compilers, but so far to no success.

What I have tried:

  • Use py2exe compiler: "hackers" managed to decompile executable in an hour.
  • Use pyinstaller compiler: same as with py2exe.
  • Use pyminifier to obfuscate the code: "hackers" managed to deobfuscate the code.
  • Use Oxyry Python Obfuscator: same as with pyminifier.

Those who managed to decompile and deobfuscate my program explained that the open-source nature of the 4 tools mentioned above means that their algorithms are well-known and there are solutions out there made to reverse-engineer programs that use these open-source compilers and obfuscators.

What I didn't try yet:

  • Using Pyarmor to obfuscate my code. I've heard it is good, but it costs 50$, so I want to be sure that it is the best obfuscation tool out there before purchasing the license.
  • Using Cython library to create a C-wrapper for my program, making it compiled in C instead of Python. Since C binaries are much harder to read, it will make the program significantly harder to decompile. However, I have never programmed in C, and I want to know if there are better ways to compile my source Python code, without the need to learn C.

What I am not going to try:

  • Completely rewrite my whole program in a language other than Python. I am not strong in other languages, plus the program itself consists of over 1,000 lines of code, so I can't just completely rewrite it for the sole purpose of making it harder to decompile.
  • Making program open-source: This is a for-profit software, so I am not going to release the proprietary code, thank you for understanding.
  • Making the program a web-app: Since my program directly interacts with files on the user's PC, I can't make it web-based, it has to be on the user's PC.

Please also consider that if a "hacker" is able to disable the whitelist system without even accessing the source code, he will be able to distribute it to other users with no limitation. Therefore, I am looking for a way that will not only make it extremely hard to decompile the program, but also make it almost impossible to meddle with binaries and turn off certain parts of the program's code.

Olsen answered 30/11, 2019 at 16:5 Comment(20)
Are the people that will take the free / hacked version going to be your customers? Because if not, there is no harm done. Real customers will pay (and get support?) anyway, the hacked ones only add to a larger user base. Another thing you can consider is to change your business model in such a way that you can still make money, even if the code is leaked (subscription model, cloud based, etc). - Eleanore
All technical solutions have drawbacks. Most will be trivially defeated. This is true regardless of the language you use. Your best protection is good user agreements and fair pricing. - Hydrogenous
@Hydrogenous ... and excellent support :-) - Gianina
@BartFriederichs Yes, if people are looking to purchase my product and have an option to get it for free, they will get it for free. Most users are also tech-savvy enough to not require support if it means that they can use the product for free. Since my product is one of its kind on the market, people will try to crack it and either release it for free or will get the source code and try to resell it at half the price. - Olsen
In that case, get other customers ;). Of course I kid, but changing your business model might not be such a bad idea... - Eleanore
@Hydrogenous I mean, the free product will always beat any price I will put on it. And regarding the user agreement, how will I be able to enforce it on the users? - Olsen
@BartFriederichs On the market I am operating in, unfortunately, there is no way to change the business model. The difficulty I am having is not the philosophical search of business strategy, but a technical challenge to obfuscate and compile code to make it extremely hard to reverse-engineer. - Olsen
Businesses usually won't buy hacked software and uphold the license agreement. If damages are big enough, suing might even be worthwhile. (I assume reverse engineering is not allowed by your license agreement). - Eleanore
@BartFriederichs I am not operating as a business entity, so suing is not an option. Neither will be my competitors. So once the program is cracked, there is no way to stop the leak. That's why I am saying that my question is more technical, rather than business-related. - Olsen
@TimesAndPlaces, if you want to run a business you need to provide value. If you're relying solely on technical restrictions you're going to fail. They all do. Piracy is cheaper than Netflix and some people pirate everything but a lot of people happily pay monthly for the convenience and content that Netflix provides. Make your users want to pay for your software. Price it fairly, offer good support, frequent updates, whatever you need to. Maybe you pair that with technical restrictions like an online requirement. But fundamentally, this isn't a technical question. It's a business question. - Hydrogenous
To the OP: Your aims are honorable, but there is likely no technical solution that will work. You only need one person who's determined enough to crack this, and then everybody else gets their work for free. As depressing as it is, you're essentially asking Santa to bring you a unicorn for Christmas. - Gianina
@Hydrogenous As I already mentioned in previous comments: 1. I am operating in a market where users will always prefer a free cracked version over my "legal" version with support and updates, regardless of what price I put over it. 2. Since my software is one-of-a-kind, the value proposition is also extremely good. The issue is with the market being very niche and well-connected, so if someone will leak my code, all potential buyers will instead go for the cracked free version. - Olsen
@SteveFriedl that's why all these businesses are moving towards cloud-based and subscription-based software models. - Eleanore
Then maybe your business isn't a business. If your code must run on your users' machines literally every technical restriction will be defeated. Some will be defeated trivially, others with more effort. This is not specific to Python. - Hydrogenous
@Olsen two things, your product is not one of a kind and you can never make it uncrackable, it's not possible, just wasted effort. - Barrow
@Barrow I never said I want to make it uncrackable. I just need to make it hard enough to crack so that it won't be worth it anymore. And considering the market I am operating on is very niche, my product is indeed unique in its functionality. - Olsen
We had the same issue because a part of our application was written in Python and we did want to make it hard to crack and after a lot of different techniques that we tried we came to the conclusion that everything is open source for you if you know assembler. So try to find a line between "Oh it will take a day to hack" and "I'd better pay several dollars for it". - Lail
@Lail Good point. Since I am 95% sure that someone with extensive reverse-engineering experience will not be interested in cracking my program, I am simply looking for a way to make it hard to access the source code and comprehensively read and edit binaries. - Olsen
@Lail it's even more open source if you have IDA Pro! - Gianina
@SteveFriedl Agree, or radare2 for free) - Lail
22

Since people in this thread did not provide any satisfiable answers, I will explain what I did to secure my program. As I mentioned previously, my goal is not to create an "uncrackable" program, just one that is secure enough to deter away amateurs.

I got help on one of the reverse-engineering forums, so props to those people!

Firstly, I used Nuitka to convert the .py file into a C-based standalone executable. Then, I passed the resulting .exe file through VMProtect to obfuscate the binaries.

I've tested it on a few CS graduates, and they weren't able to crack or deobfuscate the program, so this is good enough for me.

P.S. Those who said that "it is impossible" or "your business model is wrong", please do not share your opinions unless you have reverse-engineering experience, thank you :)

Olsen answered 11/2, 2020 at 4:23 Comment(1)
Could you share more about this VMProtect software you used? Thanks a lot - Corporeal
0

I guess I'll be the brave one to post as the answer: There is no technical means you can take to prevent software running on end user machines from being cracked.

You can perhaps make it more difficult, but since you've stated that in this market, people will always prefer cracked software to legit at any price, this is a situation you have essentially no hope of winning: if you have determined pirates, they will win every time.

So: You can't; give up

Sorry :-(

Gianina answered 30/11, 2019 at 16:55 Comment(5)
OR: you roll your own obfuscation, which may not attract wider hacker attention, but is unlikely to be very good and in any case is certainly not going to be worth your time to reinvent this wheel. - Gianina
Yeah, fair enough. I already mentioned in my post that Pyarmor is a good obfuscation tool that is also private. And while some people know how to bypass it, they are very good specialists that won't waste their time on a very niche product like mine. I might go with it as an obfuscation tool then. Since no one proposed anything better. - Olsen
Good luck, please let us know how it goes. - Gianina
But obfuscating the code is only half of the problem since I need to find a way to make it hard to decompile the program. - Olsen
Make it a hybrid system, web based then download files to user's pc. Your system must have some kind of proprietary data treatment, as long as part of it is remote you get better protection. - Bramblett
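
The hybrid idea from the last comment above (keep part of the processing remote), sketched as an added example that is not part of the original thread: the whitelist check and a stand-in for the proprietary step both run on the server, so the shipped .exe contains no check to patch out. The names `login`, `verify`, `proprietary_step`, the `alice` entry and the placeholder computation are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, os, time

SERVER_KEY = os.urandom(32)   # stays on the server; never shipped inside the .exe
TOKEN_TTL = 300               # seconds a session token stays valid

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed whitelist entry: username -> (salt, password hash)
_SALT = os.urandom(16)
WHITELIST = {"alice": (_SALT, _hash_pw("correct horse", _SALT))}

def _mac(body):
    return hmac.new(SERVER_KEY, body, hashlib.sha256).digest()

def login(username, password, now=None):
    """Return a signed session token, or None if not whitelisted."""
    salt, stored = WHITELIST.get(username, (b"\0" * 16, b""))
    if not hmac.compare_digest(_hash_pw(password, salt), stored):
        return None
    now = time.time() if now is None else now
    body = json.dumps({"u": username, "exp": now + TOKEN_TTL}).encode()
    enc = base64.urlsafe_b64encode
    return enc(body).decode() + "." + enc(_mac(body)).decode()

def verify(token, now=None):
    """Return the username for a valid, unexpired token, else None."""
    try:
        b64_body, b64_tag = token.split(".")
        body = base64.urlsafe_b64decode(b64_body)
        tag = base64.urlsafe_b64decode(b64_tag)
    except (ValueError, AttributeError):
        return None
    if not hmac.compare_digest(tag, _mac(body)):
        return None
    claims = json.loads(body)
    now = time.time() if now is None else now
    return claims["u"] if claims["exp"] > now else None

def proprietary_step(token, data, now=None):
    """Hypothetical stand-in for the valuable logic; exists only server-side."""
    if verify(token, now) is None:
        raise PermissionError("invalid or expired token")
    return sorted(set(data))  # placeholder computation, not the real product logic
```

The client would send local file contents to an endpoint wrapping `proprietary_step` and receive only the result; a leaked token still expires after `TOKEN_TTL` seconds.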
0

The answers saying "it is not possible" to prevent software from being cracked are not exactly correct while not being totally wrong.

It is just not black and white! The correct answer comes back to the original question: What is security? You can argue that NO SECURITY measure can stand EVERYTHING. If you use 2 m steel or concrete walls, there are missiles or an attack of 100 soldiers who can break that. Somebody can threaten or blackmail you and your family, and so on.

So of course, there is nearly nothing you can do to protect software as you can do nothing to protect your house against an attack of a whole army.

The real question:

1. How expensive (related to time-consuming) should it be to crack your software? This is very different to how to make it impossible.

Plus: 2. How likely is it that the cracker could be interested in your next version? If he is, he has limited advantages from getting source code, especially any interest to change it. VERY limited.

I advise comparing technical security measures always to a front door of your house. It is strange, but just closing it results in nearly the same security as locking it with the best lock in the world (because a burglar could just crash a window..)

There was already given a good answer. Just to give another one:

3. If you want the maximum security, that someone cannot understand your algorithm or logic, you could obfuscate your code in something like an LLM (or similar). Having maybe some megabyte or even gigabyte of executable code sets the limit high enough that nobody can understand with normal measures and costs what your code is doing :-) Not impossible, but way too expensive. You don't even need to further obfuscate or change from Python to C, but it would be possible as an addition.

Angeliaangelic answered 26/2 at 13:1 Comment(0)