DEV Community

Just Maniak
Just Maniak

Posted on

My python script was decompiled. here's what i learned.

#python #security #programming #beginners

so this happens more than people talk about.

you sell a script, or you share a tool, or you release something you spent months building.

and then someone sends you your own source code back.

or you find it on a github repo you've never seen. or someone's selling a "cracked" version of your paid tool for free.

it's a horrible feeling. and the worst part is it's almost always preventable.

here's what actually happened and why:

the decompilation problem:

python compiles your code to bytecode (.pyc files) before running it.

bytecode is not source code. but it's close enough.

tools like pylingual, pycdc, and uncompyle6 can take that bytecode and reconstruct something very close to your original source. variable names, logic, structure. all of it.

if you shipped a .py file or a pyinstaller exe with no real protection, anyone with five minutes and a decompiler has your source code.

and i know this because i used to be the person doing it.

what doesn't help:

  • renaming your variables to x1, x2, a, b — decompilers don't care about names, they care about bytecode
  • base64 encoding your strings — easily decodable lmao
  • using a basic obfuscator — most of them just do the above and call it protection
  • pyinstaller alone — the exe is just a container, extractable in minutes with pyinstxtractor

i cracked tons of paid scripts using exactly these tools. scripts people were paying monthly for. scripts that were "supposed" to be protected.

the obfuscation was just bad.

what actually helps:

real protection means making the decompiler fail, not just making the output messy.

the approach that works:

  • converting python to C and compiling to machine code (no bytecode = nothing to decompile)
  • encrypting bytecode with polymorphic keys so every build is different
  • specifically targeting the internal pipelines of decompilers so they crash instead of output
  • anti-tamper that detects hooking and instrumentation at runtime

if your source got decompiled, it's not your fault for writing python. it's that the protection you trusted wasn't designed by someone who actually understands how the attacks work.

what to do right now:

  1. check if your deployed files are already floating around — search github for unique strings from your codebase
  2. rotate any hardcoded API keys or credentials immediately
  3. rebuild your protection from scratch with something that actually understands decompilation

the damage is done for existing deployments. but the next version can be protected properly.

i built nyami after going through exactly this process — understanding every attack vector, then building defenses that actually counter them.

if you want to test what proper protection looks like, we post protected test files on our discord after every update. try to decompile them yourself.

nyami.cc | discord.nyami.cc

happy to answer questions, if you want to contact me directly on discord @justmaniak

Top comments (0)