18

I'm trying to understand why PyInstaller documentation states that the --key argument to encrypt Python source code can be easily extracted:

Additionally, Python bytecode can be obfuscated with AES256 by specifying an encryption key on PyInstaller’s command line. Please note that it is still very easy to extract the key and get back the original byte code, but it should prevent most forms of “casual” tampering.

My basic understanding of AES-256 is that if no one has the encryption key you specify, they can't extract it "easily"

Does anyone have better understanding ?

Luca Brasi
  • 681
  • 2
  • 12
  • 28

2 Answers2

34

Pyinstaller optionally encrypts the python sources with a very strong method.

Of course without the key it is nearly impossible to extract the files.

BUT the sources still need to be accessed at run time or the program couldn't work (or someone would have to provide the password each time, like protected excel files for instance).

It means that the key lies somewhere embedded in the installed software. And since all this stuff is open source, looking at the source code tells you where PyInstaller embeds the key. Of course, it's not trivial, but not an encryption-breaking problem, just reverse engineering with - added - the source available.

Jean-François Fabre
  • 137,073
  • 23
  • 153
  • 219
5

Jean-Francois' answer above is correct - the encryption key has to be distributed with the executable somewhere or it couldn't self-decrypt when running.

According to a reverse engineering blog, the key is distributed in one of the .pyc files which is generated when building the executable. De-compiling this file may allow access to the key, which could then be used to decrypt the code at rest. (Since that blog is from 2017, the location he talks about may have changed, but it remains the case that the key has to be in there somewhere)

Greg
  • 131
  • 1
  • 4