
How to prevent decompilation or inspection of Python code?


Let us assume that there is a big, commercial project (a.k.a. Project), which uses Python under the hood to manage plugins for configuring new control surfaces that can be attached to and used by Project.

There was a small information leak: part of the Project's Python API leaked to the public, and people were able to write Python scripts that were called by the underlying Python implementation as part of Project's plugin-loading mechanism.

Further on, using the inspect module and raw __dict__ readings, people were able to find out a major part of Project's underlying Python implementation.

Is there a way to keep the Python secret code secret?

A quick look at Python's documentation revealed a way to suppress the import of the inspect module this way:

import sys
sys.modules['inspect'] = None  # a None entry makes "import inspect" raise ImportError

Does it solve the problem completely?


Solution

  • No, this does not solve the problem. Someone could just rename the inspect module to something else and import it.

    What you're trying to do is not possible. The Python interpreter must be able to take your bytecode and execute it. Someone will always be able to decompile the bytecode. They will always be able to produce an AST and view the flow of the code with variable and class names.

    Note that this process can also be done with compiled language code; the difference there is that you will get assembly. Some tools can infer C structure from the assembly, but I don't have enough experience with that to comment on the details.

    What specific piece of information are you trying to hide? Could you keep the algorithm server side and make your software into a client that touches your web service? Keeping the code on a machine you control is the only way to really keep control over the code. You can't hand someone a locked box, the keys to the box, and prevent them from opening the box when they have to open it in order to run it. This is the same reason DRM does not work.

    All that being said, it's still possible to make it hard to reverse engineer, but it will never be impossible when the client has the executable.
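As an added example (not part of the original question or answer), the following shows why the sys.modules trick from the question is only cosmetic: after it is applied, `import inspect` does fail, but a function's own `__code__` and `__defaults__` attributes still expose argument names, local names, defaults and string constants without any help from the inspect module. The function `secret_plugin_hook` is a constructed stand-in for a "secret" plugin-API function, not code from any real project.

```python
"""Added example: blocking 'import inspect' via sys.modules hides nothing."""
import sys


def secret_plugin_hook(surface_id, retries=3):
    """Constructed stand-in for a 'secret' plugin-API function."""
    api_key = "NOT-A-REAL-KEY"  # constructed value, exists only to show it is recoverable
    return f"{surface_id}:{api_key}:{retries}"


def block_inspect():
    """Apply the mitigation from the question: make 'import inspect' fail."""
    sys.modules["inspect"] = None  # importing a None entry raises ImportError


def restore_inspect():
    """Undo block_inspect() so the module can be imported normally again."""
    sys.modules.pop("inspect", None)


def inspect_is_blocked():
    """True if 'import inspect' currently raises ImportError."""
    try:
        import inspect  # noqa: F401
    except ImportError:
        return True
    return False


def describe_without_inspect(func):
    """Recover signature-like information using only built-in attributes.

    Nothing here touches the inspect module: the code object carries the
    positional argument names, local variable names and constants (including
    any embedded strings), and the function object carries its defaults.
    """
    code = func.__code__
    n_args = code.co_argcount  # positional parameters only (none are keyword-only here)
    return {
        "name": func.__name__,
        "args": code.co_varnames[:n_args],
        "defaults": func.__defaults__,
        "locals": code.co_varnames[n_args:],
        "string_constants": [c for c in code.co_consts if isinstance(c, str)],
    }


if __name__ == "__main__":
    block_inspect()
    print("import inspect blocked:", inspect_is_blocked())
    print(describe_without_inspect(secret_plugin_hook))
    restore_inspect()
```

Running it prints that the import is blocked and, on the next line, the argument names, the `api_key` local and the string "NOT-A-REAL-KEY", which is exactly the information the question hoped to hide.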