Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Best way to protect source code of .exe program running on Python?

I am developing proprietary software that would be distributed in a form of .exe file. In order to use it, users will have to authenticate with their whitelist credentials (username + password).

The issue I have encountered is that in the industry I am selling on, there are a lot of "hackers" who will try to decompile your executable file, get the source code and distribute it for free to other people.

To combat these reverse-engineering attempts, I have tried to both obfuscate my code and use various compilers, but so far to no success.

What I have tried:

  • Use py2exe compiler: "hackers" managed to decompile executable in an hour.
  • Use pyinstaller compiler: same as with py2exe.
  • Use pyminifier to obfuscate the code: "hackers" managed to deobfuscate the code.
  • Use Oxyry Python Obfuscator: same as with pyminifier.

Those who managed to decompile and deobfuscate my program explained that the open-source nature of the 4 tools mentioned above means that their algorithms are well-known and there are solutions out there made to reverse-engineer programs that use these open-source compilers and obfuscators.

What I didn't try yet:

  • Using Pyarmor to obfuscate my code. I've heard it is good, but it costs 50$, so I want to be sure that it is the best obfuscation tool out there before purchasing the license.
  • Using Cython library to create a C-wrapper for my program, making it compiled in C instead of Python. Since C binaries are much harder to read, it will make the program significantly harder to decompile. However, I have never programmed in C, and I want to know if there are better ways to compile my source Python code, without the need to learn C.

What I am not going to try:

  • Completely rewrite my whole program in a language other than Python. I am not strong in other languages, plus the program itself consists of over 1,000 lines of code, so I can't just completely rewrite it for the sole purpose of making it harder to decompile.
  • Making program open-source: This is a for-profit software, so I am not going to release the proprietary code, thank you for understanding.
  • Making the program a web-app: Since my program directly interacts with files on the user's PC, I can't make it web-based, it has to be on the user's PC.

Please also consider that if "hacker" will be able to disable the whitelist system without even accessing the source code, he will be able to distribute it to other users with no limitation. Therefore, I am looking for a way that will not only make it extremely hard to decompile the program, but also make it almost impossible to meddle with binaries and turn off certain parts of the program's code.

like image 262
TimesAndPlaces Avatar asked Dec 18 '22 15:12

TimesAndPlaces


2 Answers

Since people in this thread did not provide any satisfiable answers, I will explain what I did to secure my program. As I mentioned previously, my goal is not to create an "uncrackable" program, just one that is secure enough to deter away amateurs.

I got help on one of the reverse-engineering forums, so props to those people!

Firstly, I used Nuitka to convert .py file into a C-based standalone executable. Then, I passed a resulting .exe file through VMProtect to obfuscate the binaries.

I've tested it on a few CS graduates, and they weren't able to crack or deobfuscate the program, so this is good enough for me.

P.S. Those who said that "it is impossible" or "your business model is wrong", please do not share your opinions unless you have a reverse-engineering experience, thank you :)

like image 64
TimesAndPlaces Avatar answered Dec 28 '22 10:12

TimesAndPlaces


I guess I'll be the brave one to post as the answer: There is no technical means you can take to prevent software running on end user machines from being cracked.

You can perhaps make it more difficult, but since you've stated that in this market, people will always prefer cracked software to legit at any price, this is a situation you have essentially no hope of winning: if you have determined pirates, they will win every time.

So: You can't; give up

Sorry :-(

like image 36
Steve Friedl Avatar answered Dec 28 '22 10:12

Steve Friedl