DEV Community

Just Maniak
I spent a year+ cracking paid Python scripts, so I built an obfuscator that actually works

so about a year and a half ago i got bored and started learning python RE.
like actually learning it, going through decompilers, understanding bytecode,
the whole thing.

but here's the thing that really sent me down the rabbit hole: my friend kept
sending me paid python scripts he'd bought. cheap/expensive ones. scripts people
were actually paying for.

and i just... cracked them. all of them.

like genuinely every single paid script he sent me, i could break through the
obfuscation/security it had in minutes.

and that's when i realized: the obfuscators protecting these aren't actually
protecting anything.

the reality:

i'm talking scripts that cost $5-50+ monthly. scripts with/without obfuscation built in.
scripts that were supposed to be "secure" or "uncrackable" or whatever.

none of them were.

because the obfuscation they used was just... bad. like really bad.

  • they were just renaming variables and encoding strings
  • decompilers don't care about variable names
  • string encoding is trivial to reverse
  • for most of them you could just run pylingual and read the logic in minutes
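An added example (not code from the post or from nyami) that illustrates the bullets above: a quick self-check a developer can run against the output of a rename-and-encode obfuscator to see whether its string constants survive compilation. The obfuscated source below is constructed to mimic that pattern, and the license key it hides is a placeholder value.

```python
import base64
import binascii
import dis
import types

# Constructed sample of what a "rename identifiers + encode strings"
# obfuscator typically emits. Not output from any real tool; the key is a placeholder.
OBFUSCATED_SRC = '''
import base64 as _0
def _1(_2):
    _3 = _0.b64decode("c2stbGl2ZS1ERU1PLUtFWQ==").decode()
    return _2 == _3
'''

def _walk(code):
    """Yield a code object and every code object nested in it (functions, lambdas)."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from _walk(const)

def _try_base64(text):
    """Return the decoded string if text is strict base64 of printable UTF-8, else None."""
    try:
        decoded = base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return decoded if decoded.isprintable() else None

def leaked_strings(source):
    """Compile source and map every non-empty str constant to its base64 decoding (or None).
    Renaming touches none of these: they sit in co_consts exactly as written."""
    code = compile(source, "<obfuscated>", "exec")
    found = {}
    for obj in _walk(code):
        for const in obj.co_consts:
            if isinstance(const, str) and const:
                found[const] = _try_base64(const)
    return found

def called_names(source):
    """Return the attribute/global names the compiled code references, e.g. the decoder it calls."""
    code = compile(source, "<obfuscated>", "exec")
    return sorted({n for obj in _walk(code) for n in obj.co_names})

if __name__ == "__main__":
    print(leaked_strings(OBFUSCATED_SRC))   # the encoded key and its plaintext
    print(called_names(OBFUSCATED_SRC))     # 'b64decode' gives the encoding away
    dis.dis(compile(OBFUSCATED_SRC, "<obfuscated>", "exec"))
```

If this returns anything but an empty dict for a "protected" build, the string encoding is decoration, not protection.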

so i'm sitting there looking at all these paid scripts that i was able to
completely reverse engineer, and i'm thinking: "how is this even possible?"

like people are paying money monthly for these scripts and anyone can break them in
5 minutes?

that's when i asked the real questions:

if the obfuscation is this weak on paid scripts, what's the obfuscator doing?

how bad must the obfuscation market be if people are selling protected scripts
with this level of protection?

and most importantly: what would real protection actually look like?

so i spent a year researching python security and obfuscation.

because if i can break paid scripts that are supposed to be protected, then
the obfuscators everyone's using are fundamentally broken.

what i learned:

most obfuscators are made by people who understand code but don't understand
attacks.

they use static obfuscation, so the output has a fixed pattern and signature detection works. once you break one
copy, every copy is broken.

they don't use polymorphism. they don't encrypt the bytecode. they don't think
about actual defense in depth.

the market is broken.

so i built nyami:

because if i can break paid scripts protected with current obfuscators, then
developers need real protection.
full feature list @ https://nyami.cc/features

the 4 core features:

  1. Python To C (PYTOC)
    • literally converts your python to C, then compiles it to machine code
    • your python source code basically doesn't exist anymore
    • still deploys as one .py file like normal
    • best one imo
  2. Bytecode Encryption
    • encrypts the actual compiled bytecode
    • and the keys are polymorphic so every build is different
    • decompilers literally cannot read encrypted bytecode
  3. Decompiler Breaker
    • i spent time understanding how pycdc, pylingual, uncompyle6 actually work
    • the tools that broke every paid script i tested
    • then built stuff specifically to break them
    • and it's different every build so signatures don't work
  4. Polymorphic Obfuscator
    • every build is unique
    • v1.0 and v1.1 look different even though they do the same thing
    • this is why paid scripts fail: they use the same obfuscation pattern, and once that pattern is broken, it's over

real talk:

obfuscation isn't magic. if someone dedicates serious time they can probably
still reverse your code. but that's not the point.

right now if you sell a python script protected with basic obfuscation, i can
probably crack it in minutes. with nyami it would take weeks of serious work, and at that point
most people give up on even trying, because let's be real, most of the time it's not that important.

that's the difference that matters.

pricing:

€1 per token if you want to just test it out. €20/month if you're actually
protecting production code or selling scripts.

i didn't want to gatekeep this. if i could break paid scripts, small devs
should have access to something that actually works.

link: nyami.cc
you can also find nyami on discord @ https://discord.nyami.cc
and the documentation is @ https://documentation.nyami.cc
if you want to try deobfuscating one of our files, we offer test files on discord
after almost every update; we also post the same file open-source there

honestly just tired of seeing people trust broken tools so i built something
better.

happy to answer questions if anyone's curious about the technical stuff or
python security in general. or if you want to tell me why i'm wrong lol
