Don't. This is a fight you already lost. Besides, people who crack
software are either students with no money or people who never buy
software. Students who crack your software today might be your
customers tomorrow. If your software is a real hassle to crack, they
will crack your competitor's app and use it. Wouldn't you rather have
them use your app? They might be talking about it to their friends.
Oh, then sorry, I never gave much thought to it. If you're not afraid
of legal troubles, you could have it silently phone home so you can
know how many apps are in use at any moment. Given the scale of your
app, it should be feasible for you to simply contact users who didn't
pay and kindly ask them to pay.
The fact that pyc files are so easily de-compiled makes app protection
> It is some kind of in house tool and I want to copy protect it. this
> is very complicated tool and not useful for
> many people. indeed this is an animation manging tool I wrote for my
> company. So if you have any idea that what is the best way to do it,
> I'll appreciate that.
I'll state my agreement with the opinion usually given when these
kinds of questions are asked: that determined people will find a way
to run software if that software is distributed, and running software
as a service is probably the only reliable way of concealing your
code. If your code is in-house, there might be numerous dependencies
on in-house services that would make the code useless to an outsider,
and you could consider exploiting this aspect of your software.
See this recent thread on this subject:
This is very much a frequently asked question (the last thread
appeared about three days ago), so I've tidied up a Python Wiki page
dealing with this topic:
I trust this provides some answers.
> Thanks. But I ask this question technically, I mean I know nothing is
> uncrackable and popular softwares are not well protected. But my
> software is not that type and I don't want this specific software
Then make it as ugly and unusable as you can. Spend the time you planned
for writing documentation for this task. ;-)
Marc 'BlackJack' Rintsch
You cannot distribute any program with the expectation that it
cannot be reverse engineered. Despite what various protection
companies would have folks believe. At some point, the user's
CPU has to execute the code, and at that point, it can be
intercepted, unwound, and intercepted.
The *only* way to prevent people from reverse engineering your
code (until quantum computing becomes a household standard) is to
never give your code to them. Keep it on your servers and only
allow users to access your service, not your code.
Or, you could just trust your customers to adhere to your
licensing terms (with this little thing called "the law" to back
you up, as long as your licensing terms are legal). Then just
distribute your software and spend your energies making a better
product rather than chasing a quixotic dream of protection.
Customers prefer not to be treated as criminals.
From the OP's post, it seemed likely to me that the OP was asked by a
misguided management to make sure it was "reverse-engineer-proof". So
any attempt to convince the OP may be aimed at the wrong person.
Misguided as they are, sometimes you have to placate these people.
So, are there any ways to make it "harder" to reverse engineer a
I used SoftwarePassport ( http://www.siliconrealms.com/ ) for exactly
I have found it to be very complete, with many possible scheme: trial
period, multiple licence schemes, lock on hardware, moveable
Although it will not stop a highly dedicated hacker, it will raise the
barrier very high for breaking the protected software. A few of the
memory protection were incompatible with py2exe, so you need to
carefully test your program. But for me, it was a breeze to setup and
In addition to the standby of
-Don't distribute your program (SaaS)
I'll add to the list:
-Only distribute your program to people too non-technical to
-Don't document your program (or even better, *mis*document your
-Write Lovecraftian code ("import goto" comes to mind) designed
to make reverse-engineers go insane trying to figure out what you
-In your Python, drop to in-line assembly language "for
business-logic optimization". Only targeting specific models of
obscure processor architectures helps minimize your audience.
-Write software that does nothing of interest/value/use
Just a couple ideas to get an enterprising young coder off on the
right track ;)
Don't forget pyobfuscate:
Fun to play with...although not necessarily much more "secure".
Just telling them you did is at least as effective as anything else.
Anyone who knows enough to know that you're lying knows why it's
If you're distributing source code, run it through pyobfuscate
and call it done. Otherwise, just use py2exe or something
similar to bundle it up. Both are pretty ineffective at
preventing reverse engineering. But so's everything else. If
none of the options really work, then you might as well pick an
ineffective one that's cheap and easy.
Grant Edwards grante Yow! Am I having fun yet?
So there will be very few people with any incentive to
steal it, and even less if it's not distributed to the
In that case, just package it with py2exe and tell him
it's done. The misguided management won't know any better.
The problem with that is it makes it hard for *you* to
figure out what you were thinking...
Psst...other than the Saas answer, they were *all* really bad
ideas :) Sorry if my jesting came across as actually serious.
Why is this a problem? The more time the Original Poster spends
struggling to maintain his copy-protected in-house software that nobody
else wants, the less time he will have to go out and cause mischief by
writing something useful and copy-protecting it.
> Why is this a problem? The more time the Original Poster spends
> struggling to maintain his copy-protected in-house software that
> nobody else wants, the less time he will have to go out and cause
> mischief by writing something useful and copy-protecting it.
\ "Two rules to success in life: 1. Don't tell people everything |
`\ you know." -- Sassan Tat |
> Thanks. But I ask this question technically, I mean I know nothing is
> uncrackable and popular softwares are not well protected. But my
> software is not that type and I don't want this specific software
> It is some kind of in house tool and I want to copy protect it.
Insert some code that tests for something that's special in your
In a networked environment create a simple license server, e.g. one that
uses asymmetric encryption to encrypt incoming data and sends it back to
the client. Your program then send some random data to the server and
decrypts the answer using the server's public key.
Of course that just protects against someone just taking away a copy but
not against reverse engineering.
** Hi! I'm a signature virus! Copy me into your signature, please! **
I find the host id of system (using ipconfig) and create a hash code
based on it.(some math, md5 and functions).
the code for licensing is about 15 lines and is very fast. I needed 20
licenses and I wrote a keygen for myself.
Thank you all.
> the code for licensing is about 15 lines and is very fast. I needed
> 20 licenses and I wrote a keygen for myself.
Given that you still haven't explained what threat in particular
you're securing against, I wonder whether "very fast" is the only
criterion. In which case, 0 lines of code would probably be even
\ "Any intelligent fool can make things bigger and more |
`\ complex... It takes a touch of genius – and a lot of courage |
_o__) – to move in the opposite direction." —Albert Einstein |
> I wrote this in another thread,
And here the HOWTO for the crack:
> 1. Put all the compiled Python bytecode in a heavily encrypted
> binary file. Consider using a hardware hash in the key.
Find the part in the binary where the encrypted bytecode is read,
start the binary in a VM to which a debugger is attached (can't
be detected, as it's in a VM) and put a watchpoint for any
access on the encrypted binary.
> 2. Program a small binary executable (.exe file) in C or C++
> 2a. Reads the binary file.
Debugger intercepts it.
> 2b. Decrypts it to conventional Python byte code.
Record where the decoder puts the decrypted bytecode in memory.
> 2c. Embeds a Python interpreter.
Replace the call of the Python interpreter with a small shellcode
that writes the decrypted code to a file.
> 2d. Executes the bytecode with the embedded Python
Execute that file with the standalone interpreter.
> I will not make reverse engineering impossible, but it will be
> extremely difficult.
No. It's just a matter of reading the decrypted bytecode from
memory. Since Python bytecode is independent from any containing
file, it's very hard to test if a certain bytecode runs from a
valid or cracked container.
Any sort of bytecode will sooner or later run through some
interpreter, where it can be ultimately tapped. And unlike some
CPU binary a bytecode also delivers all information to
deobfuscate it. So even self modifying code doesn't help here.
E-Mail address works, Jabber: hexa...@jabber.org, ICQ: 134682867
I don't think it's particularly productive to continue this
discussion, given that you're obviously in a situation where you don't
have a great deal of flexibility, but I think you and/or your CEO
might benefit from listening to the PyCon 2007 talk "The Absolute
Minimum an Open Source Developer Must Know About Intellectual
Property" . The speaker misrepresents the FSF somewhat in stating
that they don't believe in property (or some similar phrasing - I
don't recall the exact choice of words), but aside from this the talk
is rather well delivered, with the basic definitions of the different
legal instruments described in an approachable fashion.
> so I want to secure my software from some people who love to steal and use it.
It sounds like your CEO has issues with the people he/she employs,
first and foremost.
 Slides available here:
Audio available from here:
> Let me be clear for you: there are someone in my company who
> love to use my software in other companies that she works
> there also. and because it is an inhouse tool, my CEO wanted
> me to protect it from stealing. and really we havn't time to
> copyright it.
Uh what? I don't know what country you're in, but in the US,
it doesn't take any time at all to copyright something. The
mere act of writing something copyrights it. I thought it was
the same in Europe as well.
Grant Edwards grante Yow! Oh, I get it!!
at "The BEACH goes on", huh,
> Let me be clear for you: there are someone in my company who love to
> use my software in other companies that she works there also. and
> because it is an inhouse tool, my CEO wanted me to protect it from
If the person is that untrustworthy, yet already has access *inside*
the company, then any technical solution will be ineffective until the
social issues are dealt with.
\ "I got an answering machine for my phone. Now when someone |
`\ calls me up and I'm not home, they get a recording of a busy |
_o__) signal." -- Steven Wright |
> > I will not make reverse engineering impossible, but it will be
> > extremely difficult.
> No. It's just a matter of reading the decrypted bytecode from
Ok, let med rephrase that: It may not be difficult to you. But the
average user will be incapable of doing it. I don't think it will be
possible to copy-protect any program against someone with your level
of competence. Neither computer programming nor this kind of reverse
engineering are common skills. But most users of computers are capable
of copying a program to a USB-stick and use the program somewhere
> Uh what? I don't know what country you're in, but in the US, it doesn't
> take any time at all to copyright something. The mere act of writing
> something copyrights it. I thought it was the same in Europe as well.
No, it's only copyrighted when you _publish_ it.
>JC> Op Fri, 14 Dec 2007 16:54:35 +0000, schreef Grant Edwards:
>>> Uh what? I don't know what country you're in, but in the US, it doesn't
>>> take any time at all to copyright something. The mere act of writing
>>> something copyrights it. I thought it was the same in Europe as well.
>JC> No, it's only copyrighted when you _publish_ it.
Not here in the Netherlands. It is `the exclusive right of the maker of a
work to publish or copy the work' (loose translation of the introduction of
the law). Otherwise someone else could publish it if he got hold of it in
some legitimate way.
Piet van Oostrum <pi...@cs.uu.nl>
URL: http://www.cs.uu.nl/~piet [PGP 8DAE142BE17999C4]
Private email: pi...@vanoostrum.org
If we're still talking about US law here you are incorrect.
* When is my work protected?
Your work is under copyright protection the moment it is created and
fixed in a tangible form that it is perceptible either directly or
with the aid of a machine or device.
* Do I have to register with your office to be protected?
No. In general, registration is voluntary. Copyright exists from the
moment the work is created. You will have to register, however, if you
wish to bring a lawsuit for infringement of a U.S. work. See Circular
1, Copyright Basics, section 'Copyright Registration.'
Interesting. So, in Europe, if somebody steals something you
wrote before you get it published, they're free to do with it
as they please?
I'm glad it doesn't work that way here in the US. Over here,
something is copyrighted as soon as it's written (actually I
think the phrase is "fixed in a medium" or something like
Grant Edwards grante Yow! I have accepted
at Provolone into my life!
No, I believe the above comment is false. The Berne Convention of 1887
makes copyright automatic as soon as a work is written or recorded.
Thus, most of Europe has had automatic copyright for a very long time,
and all of it does now.
> On 2007-12-18, Jan Claeys <use...@janc.be> wrote:
>> Op Fri, 14 Dec 2007 16:54:35 +0000, schreef Grant Edwards:
>>> Uh what? I don't know what country you're in, but in the US, it
>>> doesn't take any time at all to copyright something. The mere act of
>>> writing something copyrights it. I thought it was the same in Europe
>>> as well.
>> No, it's only copyrighted when you _publish_ it.
> Interesting. So, in Europe, if somebody steals something you wrote
> before you get it published, they're free to do with it as they please?
Please do not conflate theft and copyright infringement, or theft and
plagiarism. They are very different concepts, and confusing them does not
> I'm glad it doesn't work that way here in the US. Over here, something
> is copyrighted as soon as it's written (actually I think the phrase is
> "fixed in a medium" or something like that).
I'm not glad at all. The Change from an "everything is uncopyrighted
unless explicitly copyrighted" model to a "everything is copyrighted
unless explicitly exempted" model was only one of many deleterious
changes to copyright law over the last half century or so.
It means the merest throw-away scribble on a napkin has equal protection
to the opus an author slaved over for thirty years (although in fairness
you are unlikely to win a copyright case over the words "Meet me at the
bar" scribbled on a napkin then tossed in a rubbish bin... *wink*). It
means that there is a serious problem of "orphan works", where rare and
valuable films from the 1920s and earlier are rapidly decaying into an
unusable powder because nobody dares copy them lest the unknown copyright
owners descend like vultures and sue you for copyright infringement
*after* you've done the hard work of restoring our cultural heritage.
(Although the orphan works problem is at least equally as much a problem
of excessively long copyrights as it is to do with automatic copyright.)
I dare say that European countries which have had automatic copyright
longer than the US have seen far more of their national heritage (early
film, photographs and the like) rot away.
Discussions of copyright so often focus on protecting the author's
privileges and ignore the opportunity costs of locking up works. When
works needed to be explicitly copyrighted, something of the order of just
ONE PERCENT of authors bothered to copyright their published works -- and
just one percent of them bothered to renew it for a second 14 year term.
That gives you an idea of how valuable copyright really is. For every
Mickey Mouse, there are 100,000 or more works that don't have enough
economic value to the creator to bother protecting -- but they're part of
our cultural heritage, and maybe somebody else could build on top of it,
like Disney built their empire on other folks' uncopyrighted stories and
ideas. Even Mickey Mouse himself got his start in a derivative work of
Buster Keaton's Steamboat Bill Jr.
This newsgroup is a perfect example of the fraud that is the idea of
copyright. Every single post sent to the newsgroup is copyrighted, and
yet they invariable have no economic value to the author. If they have
any economic value, it is to the readers -- but they don't pay for it,
and we authors don't ask for payment. In principle, anyone who forwards
on something they read here, or uses a code snippet in their own work, is
infringing copyright. We don't need copyright to encourage us to create
works of this nature, and in fact this newsgroup can only exist by
pretending copyright doesn't exist -- there are informal conventions that
unless somebody explicitly states otherwise, any reader can forward on
posts, copy and reuse code, and so forth.
(Disclaimer: for the avoidance of all doubt, I'm not suggesting that ALL
creative works should be uncopyrighted, or that no creative works benefit
from the encouragement of copyright.)
I wasn't. If I write something down and somebody steals that
paper, that's theft.
> They are very different concepts, and confusing them does not
Sorry if I was unclear. The "stealing" was of the medium
containing the authored work.
Grant Edwards grante Yow! Used staples are good
at with SOY SAUCE!
Indeed. One of the most famous and ridiculous cases is that of the
Domesday Project: a nationwide survey of Britain in the spirit of the
Domesday Book (which was 900 years old at the time of the endeavour),
where the newly gathered, late twentieth century information was in
danger of becoming unrecoverable due to the scarcity of parts for, and
knowledge about, the technology employed (now just over 20 years old).
This site provides an overview of the recovery process and information
about the history of the project:
Although other technical discussions and perspectives have been
published about the project [1,2], the most pertinent issue to this
particular discussion is mentioned here:
"Many different copyright owners contributed a range of different
types of data to the Domesday Project for inclusion on the discs.
Unfortunately it is unclear as to exactly who contributed and under
what circumstances the data in question can be used."
In many ways, those acting to preserve the contents of the Domesday
Project were able to act with some pretty large organisations watching
their backs. Others may not be as fortunate, as was pointed out.
P.S. Steven's post is indeed highly informative reading for those
willing to consider more thoroughly the nature and impact of
> On 2007-12-18, Steven D'Aprano <st...@REMOVE-THIS-cybersource.com.au>
>> On Tue, 18 Dec 2007 17:04:29 +0000, Grant Edwards wrote:
>>> On 2007-12-18, Jan Claeys <use...@janc.be> wrote:
>>>> Op Fri, 14 Dec 2007 16:54:35 +0000, schreef Grant Edwards:
>>>>> Uh what? I don't know what country you're in, but in the US, it
>>>>> doesn't take any time at all to copyright something. The mere act
>>>>> of writing something copyrights it. I thought it was the same in
>>>>> Europe as well.
>>>> No, it's only copyrighted when you _publish_ it.
>>> Interesting. So, in Europe, if somebody steals something you wrote
>>> before you get it published, they're free to do with it as they
>> Please do not conflate theft and copyright infringement, or theft and
> I wasn't. If I write something down and somebody steals that paper,
> that's theft.
In which case copyright isn't going to protect you -- especially if you
were relying on automatic copyright and haven't registered it.
Well, you can get injunctive relief without registering the copyright. Copyright
doesn't protect one from physical theft, but it does grant some protection
against the things the thief might do with the stolen goods.
For example, suppose someone steals my laptop with all of my code on it. They
could take my unpublished code and slap it on SourceForge. Provided that I could
prove authorship, I could get a court order for the thief to remove that code. I
don't need to prove that he stole my laptop in order to do that. Actually, now
that I think about it, I could issue a DMCA takedown notice, and I wouldn't need
to prove anything at all unless if the notice gets challenged; then the burden
of proof is on them.
"I have come to believe that the whole world is an enigma, a harmless enigma
that is made terrible by our own mad attempt to interpret it as though it had
an underlying truth."
-- Umberto Eco
>SD> It means that there is a serious problem of "orphan works", where rare
>SD> and valuable films from the 1920s and earlier are rapidly decaying
>SD> into an unusable powder because nobody dares copy them lest the
>SD> unknown copyright owners descend like vultures and sue you for
>SD> copyright infringement *after* you've done the hard work of restoring
>SD> our cultural heritage.
Our (Dutch) copyright law has a specific exemption for this particular
case for libraries, museums and archives.
>> I expect a nice script in 15-35 lines that protects my software from
>> working on another machine.
> Ah, but at that shortness, what will protect the protection script?
> Proprietary information/trade-secret is only effective if it is
> never allowed OUT of the company. If someone has access to the code,
> there is nothing that can stop them reverse-engineering, copying, etc.
> except honor... Don't allow memory cards, CD or DVD, floppies, and email
> attachments to go out.
At 15-35 lines, it is short enough for people to copy it down on paper,
or even memorize it, then take it home and work on finding a
vulnerability in it.
> SD declaimed the following in
> > At 15-35 lines, it is short enough for people to copy it down on paper,
> > or even memorize it, then take it home and work on finding a
> > vulnerability in it.
> <heh> I'd actually been thinking of the real product getting out,
> not just the "protection"...
I wonder if the OP would not be better off splitting the app into two bits,
releasing the "client" side and keeping the "server" side secret, in a protected
That would add the complication of a protocol to make a hacker's life more
miserable, and if there is an "interesting bit" it can be hidden in the server
It also has the advantage that you can log accesses to the server.
Its a lot of extra work, though, and if the stuff is computationally intensive,
it can be slow, because what could be done concurrently on several client
machines would be done serially on the single secret server.
Pyro could help here, as always.