How to protect my Python program

Question

What I want to do is protect a Python program from being stolen by people with no computer knowledge. I accept the inevitability of the program being pirated, all I want to do is protect it from average users.

I have come up with two ideas. 1.)Set a time restriction by checking online for the date and time. I.E. 10 days from downloaded time. 2.)Checking the IP or Name of the computer that downloaded it and make the program only runs on that computer. (to prevent friends from simply sharing the file).

The problem with both of these is that I'll need to create a .py file "on the fly" and then use something like pytoexe to make it into an .exe so that the user doesn't need to have Python installed.

The problem with the second is that to my understanding ip's change and getting the computer name is a security risk and might scare away users.

So to sum it up, here are my two questions: 1.) Is there a good way in python to only allow the program to run on that single computer? 2.) What is the best way to implement a "on the fly" creation of the exe? (I was going to host the website on my computer and learn php(?)/servers.

I have moderate c/c++ and basic html/css, java, and python experience.

Thank you for your time!

Answer 1

Messy business. You probably already understand that compiled does not mean encrypted.

However, if you're boss considers c-compiled as satisfactory, you can use cython to compile your python code to c-code and then gcc to compile the c-code.

Check here on how to build your setup.py script.

http://docs.cython.org/src/reference/compilation.html#compiling-with-distutils

And you can embed python using into the resulting c code using the --embed option:

# will generate the target.c 
$ cython target.py --embed

Answer 2

Give each user a customized installer that has a unique key in it. When it runs, it contacts a server (with the key) and requests the actual program. Server-side, you check if the key is valid and if so, serve the program customized with the key, and mark the key as used. The installer saves the program somewhere the user can access it, and creates a hidden file that contains the key somewhere deep in the bowels of the computer, where the "average user" won't think of looking. When the program is run, the first thing it does is check if the hidden file exists and if it contains the correct key, and refuses to run if not.

(I am assuming that unzipping an executable and reading source code is beyond the ability of the "average user" (read: "grandma"), so using py2exe is ok.)

Answer 3

To avoid having to contact anything on the Internet, you could use the following way to 'dongle' your program:

• Take a vital part of your program (something without which the rest won't be useful),
• put it into a string,
• encrypt that string symmetrically with the MAC address of the computer it shall run on,
• then in your program do this:
  • decrypt that string with the MAC address of the current machine it runs on an and
  • call that decrypted string using exec.

Example with the vital part being print "hello world":

def getMyMac():
  return 123456789L  # for testing now
  return uuid.getnode()  # this would be the real thing

def strxor(s, key):
  key *= len(s) / len(key) + 1
  return ''.join(chr(ord(key[i]) ^ ord(s[i])) for i in range(len(s)))

def performVitalCode():
  code = 'A@ZZA\x16\x15P\\]^\\\x14BYET]\x13'
  # I found that code by entering:
  # strxor('print "hello world"', str(getMyMac()))
  realCode = strxor(code, str(getMyMac()))
  exec realCode

• I here used a simple xor on strings for crypting (which is not a hard cypher to crack).
• Of course the user of the "allowed" computer can hand over his MAC address to the next user which then
  • either can patch the getMyMac() or
  • spoof his own MAC address; most network cards allow this.

So this is not a "safe" solution to your problem.

But if a person with just little computer knowledge gave your code to some other guy without any further information (maybe by putting it online in a forum or similar), the receiver won't be able to execute it out of the box.

Finally I need to point out that every chaining of code to a specific computer may well become a hassle for the rightful user of the code. If I'm using a program which stops working just because I switch to a different hardware (maybe just because I get a new laptop), I'm usually pissed and curse the writer of that code. You might not want to annoy your customers.

Answer 4

Seems like a combination of things here. Encapsulating python as others have suggested is a good way to go, for bundling. You may also consider obfuscation, as talked about here in another StackOverflow thread:

Python Code Obfuscation

Which references:

http://freecode.com/projects/pyobfuscate

As for making it so that someone can't just download your program and run it elsewhere or distribute it, how willing are you to inconvenience your end users? :)

As others have noted above, you can generate a compiled and bundled bit of code with the ID specific to the user. That way, if/when the application phones home, you can track usage.

If your end users/customers have the following requirements fulfilled:

• An account with you, which they can login and check their subscription/account status
• Internet connectivity from the machine running the program

You can make the installation process do the following:

• Installer is NOT the full program. Generates a profile of the machine.
• This profile bundled up and a hash is generated. Both are uploaded to your servers.
• The hash is displayed to the end user to enter, once they have signed into their online web account.
• The user installing the application submits the hash, and gets a download link and an unlock key. The key is only good for that dynamically generated download and only on that machine. The downloaded program, however, will accept a range of keys unique to itself(iteratively generated, etc).
• The user can then complete the install and run their program. The program will periodically check the profile of the machine it is on, to make sure that the hash does not deviate. If it does, the program can prompt them to login to their web account to generate a new key. The new key is then used to refresh their application. This can be automated by the application, but with the internet laws and such, having the user sign into their account and perhaps agree to any updates to the EULA, would be better.

If they decide to share the program in a VM bundle, they would still need an active account to get keys.

Note, this does not prevent someone from bypassing the hash check. But for the average user, this will serve as a good way for you to deter people giving away or reselling your program.

Just bear in mind, no system is foolproof.