6

I am developing proprietary software that would be distributed in a form of .exe file. In order to use it, users will have to authenticate with their whitelist credentials (username + password).

The issue I have encountered is that in the industry I am selling on, there are a lot of "hackers" who will try to decompile your executable file, get the source code and distribute it for free to other people.

To combat these reverse-engineering attempts, I have tried to both obfuscate my code and use various compilers, but so far to no success.

What I have tried:

  • Use py2exe compiler: "hackers" managed to decompile executable in an hour.
  • Use pyinstaller compiler: same as with py2exe.
  • Use pyminifier to obfuscate the code: "hackers" managed to deobfuscate the code.
  • Use Oxyry Python Obfuscator: same as with pyminifier.

Those who managed to decompile and deobfuscate my program explained that the open-source nature of the 4 tools mentioned above means that their algorithms are well-known and there are solutions out there made to reverse-engineer programs that use these open-source compilers and obfuscators.

What I didn't try yet:

  • Using Pyarmor to obfuscate my code. I've heard it is good, but it costs 50$, so I want to be sure that it is the best obfuscation tool out there before purchasing the license.
  • Using Cython library to create a C-wrapper for my program, making it compiled in C instead of Python. Since C binaries are much harder to read, it will make the program significantly harder to decompile. However, I have never programmed in C, and I want to know if there are better ways to compile my source Python code, without the need to learn C.

What I am not going to try:

  • Completely rewrite my whole program in a language other than Python. I am not strong in other languages, plus the program itself consists of over 1,000 lines of code, so I can't just completely rewrite it for the sole purpose of making it harder to decompile.
  • Making program open-source: This is a for-profit software, so I am not going to release the proprietary code, thank you for understanding.
  • Making the program a web-app: Since my program directly interacts with files on the user's PC, I can't make it web-based, it has to be on the user's PC.

Please also consider that if "hacker" will be able to disable the whitelist system without even accessing the source code, he will be able to distribute it to other users with no limitation. Therefore, I am looking for a way that will not only make it extremely hard to decompile the program, but also make it almost impossible to meddle with binaries and turn off certain parts of the program's code.

TimesAndPlaces
  • 510
  • 1
  • 4
  • 20
  • 1
    Are the people that will take the free / hacked version going to be your customers? Because if not, there is no harm done. Real customers will pay (and get support?) anyway, the hacked ones only add to a larger user base. Another thing you can consider is to change your business model in such a way that you can still make money, even if the code is leaked (subscription model, cloud based, etc). – Bart Friederichs Nov 30 '19 at 16:15
  • 2
    All technical solutions have drawbacks. Most will be trivially defeated. This is true regardless of the language you use. Your best protection is good user agreements and fair pricing. – ChrisGPT was on strike Nov 30 '19 at 16:15
  • 3
    @Chris ... and excellent support :-) – Steve Friedl Nov 30 '19 at 16:16
  • @BartFriederichs Yes, if people are looking to purchase my product and have an option to get it for free, they will get it for free. Most users are also enough tech-savvy to not require support if it means that they can use the product for free. Since my product is one of its kind on the market, people will try to crack it and either release it for free or will get the source code and try to resell it at half the price. – TimesAndPlaces Nov 30 '19 at 16:20
  • 1
    In that case, get other customers ;). Of course I kid, but changing your business model might not be such a bad idea... – Bart Friederichs Nov 30 '19 at 16:21
  • @Chris I mean, the free product will always beat any price I will put on it. And regarding the user agreement, how will I be able to enforce it on the users? – TimesAndPlaces Nov 30 '19 at 16:22
  • @BartFriederichs On the market, I am operating at, unfortunately, there is no way to change the business model. The difficulty I am having is not the philosophical search of business strategy, but a technical challenge to obfuscate and compile code to make it extremely hard to reverse-engineer. – TimesAndPlaces Nov 30 '19 at 16:24
  • 1
    Businesses usually won't buy hacked software and uphold the license agreement. If damages are big enough, suing might even be worthwhile. (I assume reverse engineering is not allowed by your license agreement). – Bart Friederichs Nov 30 '19 at 16:24
  • @BartFriederichs I am not operating as a business entity, so suing is not an option. Neither will be my competitors. So once program is cracked, there is no way to stop the leak. That's why I am saying that my question is more technical, rather than business-related. – TimesAndPlaces Nov 30 '19 at 16:27
  • 1
    @TimesAndPlaces, if you want to run a business you need to provide value. If you're relying solely on technical restrictions you're going to fail. They all do. Piracy is cheaper than Netflix and some people pirate everything but a lot of people happily pay monthly for the convenience and content that Netflix provides. Make your users _want_ to pay for your software. Price it fairly, offer good support, frequent updates, whatever you need to. Maybe you pair that with technical restrictions like an online requirement. But fundamentally, this isn't a technical question. It's a business question. – ChrisGPT was on strike Nov 30 '19 at 16:28
  • 2
    To the OP: Your aims are honorable, but there is likely no technical solution that will work. You only need *one person* who's determined enough to crack this, and then everybody else gets their work for free. As depressing as it is, you're essentially asking Santa to bring you a unicorn for Christmas. – Steve Friedl Nov 30 '19 at 16:33
  • @Chris As I already mentioned in previous comments: 1. I am operating in a market where users will **always** prefer a free cracked version over my "legal" version with support and updates, regardless of what price I put over it. 2. Since my software is one-of-a-kind, the value proposition is also extremely good. The issue is with the market being very niche and well-connected, so if someone will leak my code, all potential buyers will instead go for the cracked free version. – TimesAndPlaces Nov 30 '19 at 16:34
  • @SteveFriedl that's why all these businesses are moving towards cloud-based and subscription-based software models. – Bart Friederichs Nov 30 '19 at 16:34
  • 2
    Then maybe your business isn't a business. If your code must run on your users' machines _literally every technical restriction will be defeated_. Some will be defeated trivially, others with more effort. This is not specific to Python. – ChrisGPT was on strike Nov 30 '19 at 16:36
  • 1
    @TimesAndPlaces two things, your product is not one of a kind and you can never make it uncrackable, it’s not possible, just wasted effort. – Fredrik Nov 30 '19 at 16:48
  • @Fredrik I never said I want to make it uncrackable. I just need to make it hard enough to crack so that it won't be worth it anymore. And considering the market I am operating on is very niche, my product is indeed unique in it's functionality. – TimesAndPlaces Nov 30 '19 at 16:56
  • We had the same issue because a part of our application was written in python and we did want to make it `hard to crack` and after a lot of different techniques that we tried цe came to the conclusion that everything is open source for you if you know assembler. So try to find a line between "Oh it will take a day to hack" and "I'd better pay several dollars for it". – funnydman Nov 30 '19 at 17:35
  • @funnydman Good point. Since I am 95% sure that someone with extensive reverse-engineering experience will not be interested in cracking my program, I am simply looking for a way to make it hard to access the source code and comprehensively read and edit binaries. – TimesAndPlaces Nov 30 '19 at 17:41
  • @funnydman it's even *more* open source if you have IDA Pro! – Steve Friedl Nov 30 '19 at 17:55
  • @SteveFriedl Agree, or radare2 for free) – funnydman Nov 30 '19 at 17:57

2 Answers2

17

Since people in this thread did not provide any satisfiable answers, I will explain what I did to secure my program. As I mentioned previously, my goal is not to create an "uncrackable" program, just one that is secure enough to deter away amateurs.

I got help on one of the reverse-engineering forums, so props to those people!

Firstly, I used Nuitka to convert .py file into a C-based standalone executable. Then, I passed a resulting .exe file through VMProtect to obfuscate the binaries.

I've tested it on a few CS graduates, and they weren't able to crack or deobfuscate the program, so this is good enough for me.

P.S. Those who said that "it is impossible" or "your business model is wrong", please do not share your opinions unless you have a reverse-engineering experience, thank you :)

TimesAndPlaces
  • 510
  • 1
  • 4
  • 20
1

I guess I'll be the brave one to post as the answer: There is no technical means you can take to prevent software running on end user machines from being cracked.

You can perhaps make it more difficult, but since you've stated that in this market, people will always prefer cracked software to legit at any price, this is a situation you have essentially no hope of winning: if you have determined pirates, they will win every time.

So: You can't; give up

Sorry :-(

Steve Friedl
  • 3,929
  • 1
  • 23
  • 30
  • OR: you roll your own obfuscation, which may not attract wider hacker attention, but is unlikely to be very good and in any case is certainly not going to be worth your time to reinvent this weel. – Steve Friedl Nov 30 '19 at 17:08
  • Yeah, fair enough. I already mentioned in my post that Pyarmor is a good obfuscation tool that is also private. And while some people know how to bypass it, they are very good specialists that won't waste their time on a very niche product like mine. I might go with it as an obfuscation tool then. Since no one proposed anythign better. – TimesAndPlaces Nov 30 '19 at 17:12
  • Good luck, please let us know how it goes. – Steve Friedl Nov 30 '19 at 17:12
  • But obfuscating the code is only half of the problem since I need to find a way to make it hard to decompile the program. – TimesAndPlaces Nov 30 '19 at 17:12
  • Make it a hybrid system, web based then download files to user's pc. Your system must have some kind of proprietary data treatment, as long as part of it is remote you get better protection. – BobRun Nov 30 '19 at 21:19