let's skip the theory and get to what actually works.
if you sell python scripts, deploy python tools, or just don't want your code readable by anyone who downloads it, this is for you.
first, understand what you're actually protecting against:
most people stealing python code aren't elite hackers. they're developers who:
- want to understand how your logic works so they can copy it
- want to remove your license checks so they can use it without paying
- want to resell a cracked version of your paid tool
these people are not running custom exploits. they're opening pylingual and uploading in your bytecode(.pyc). it takes them two minutes if you have no real protection.
that's the actual threat. not a nation-state attacker. a bored developer with a decompiler.
what doesn't work (and why):
variable obfuscation
renaming calculate_price to x7a3f doesn't matter. decompilers reconstruct the logic, not the names. your code is just as readable, just harder to skim.
string encoding
base64, xor, rot13 on your strings. trivially reversible. anyone who finds the encoding finds the decoder right next to it. two minutes to reverse.
most obfuscators on the market
i tested this. i spent a year cracking paid scripts protected with real commercial obfuscators. the output looked scary - nested lambdas, encoded strings, renamed everything. i still cracked them in minutes with pylingual. because the bytecode was still there, readable, unencrypted.
the obfuscators looked like protection. they weren't.
pyinstaller alone
a lot think packaging an exe hides the code. it doesn't. pyinstxtractor extracts the bytecodes in 30 seconds. then you decompile normally.
what actually works:
python to C compilation (the best option)
convert your python to C code and compile it to machine code. there's no python bytecode anymore. decompilers have nothing to work with. your logic exists as compiled native code that requires serious reverse engineering skill to understand, not five minutes with a python decompiler.
bytecode encryption with polymorphic keys
encrypt the actual bytecode and use a different key every build. even if someone breaks one copy, they have to start over with the next version. signatures don't work because every build is different.
decompiler-breaking
build output that specifically causes pylingual, pycdc, and similar tools to crash or fail. when the tool fails, the casual attacker moves on. this is different from just confusing the output, it means understanding how decompilers work internally and breaking their analysis pipeline.
anti-tamper that watches for hooking
the last line of defense. when someone uses frida or a patched interpreter to hook your running process, detect it and crash. make the failure loud and unhelpful. this stops the dynamic analysis approach when static decompilation fails.
the honest answer:
nothing is truly uncrackable. if someone dedicates serious time and skill they can reverse anything.
but that's not the goal. the goal is making your code not worth cracking for the 99% of people who'd consider it. if breaking your protection takes 3 weeks of serious work instead of 5 minutes, most people give up. the economics stop making sense.
that's what real protection looks like.
i built nyami after spending a year on the other side of this problem, cracking paid scripts and understanding exactly why every protection i encountered failed. it covers every layer above: pytoc, bytecode encryption with polymorphic keys, decompiler-breaking, and anti-tamper.
if you want to see what properly protected python looks like, we post test files on discord after every update. try to decompile them yourself with whatever tools you want.
nyami.cc | discord.nyami.cc
got any questions? dm on discord @justmaniak
Top comments (0)