so you built something in python and you want to sell it.
maybe a discord bot. maybe an automation tool. maybe a SaaS script. maybe something niche that people in a specific community will pay for.
before you ship it to your first customer, read this.
because the thing most developers do before selling, "obfuscate it with X tool", probably isn't protecting anything.
what most people do:
they run their script through a basic obfuscator. the output looks scary. nested lambdas, encoded strings, everything renamed to _0x3f7a style names. looks protected.
then they sell it.
what actually happens:
someone buys it, opens pylingual, uploads the bytecode (.pyc).
reads the logic in five minutes.
i know because i did this for a year as a hobby. my friend kept buying paid scripts. i kept cracking them. price didn't matter. obfuscator used didn't matter. if it had python bytecode, i could read it.
the obfuscation everyone uses doesn't work because it doesn't address how decompilers actually work.
decompilers don't care about variable names. they don't care about string encoding. they reconstruct logic from bytecode patterns. and as long as your bytecode is there and readable, the obfuscation on top is irrelevant.
what you actually need before selling:
minimum viable protection:
bytecode encryption with polymorphic keys. this makes the decompiler fail — not produce messy output, actually fail to read the file. and because the keys are different every build, once someone breaks one copy they have to start over with the next version.
recommended protection:
python to C compilation. this eliminates the bytecode entirely. your source is compiled to machine code. reversing it requires disassembly, not a python decompiler. this is a completely different threat model that makes casual attackers give up immediately.
full protection:
combine the above with a decompiler-breaker (output specifically designed to crash pylingual and pycdc internally) and anti-tamper (detects hooking and frida at runtime). this covers every practical attack vector.
the honest version:
if you sell something valuable enough, someone will eventually try to crack it. that's just reality.
but there's a massive difference between "anyone with pylingual and 5 minutes can read your code" and "cracking this requires weeks of serious RE work."
most people trying to steal a $20/month script don't have weeks of serious RE work in them. make the economics not work and they move on.
one thing to do before you launch:
test your own protection. download pylingual (or use the web version). run it against your protected output. if you can read your logic, so can your customers.
if pylingual crashes or produces garbage, you're in a much better position.
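a quick self-audit along those lines, as an added example (not code from nyami or any tool named here): it compiles a constructed sample with renamed identifiers, then reports what a plain `marshal` load recovers from the .pyc bytes. the sample source, its strings and the function names `build_pyc` / `audit_pyc` are made up for illustration, and it assumes the 16-byte .pyc header used by python 3.7+.

```python
import importlib.util
import marshal
import types

# constructed sample: an "obfuscated" script with renamed identifiers
SAMPLE_SRC = '''
def _0x3f7a(_0x1b):
    _0x2c = "LICENSE-SERVER.example.invalid"
    return _0x1b == "constructed-demo-key" and bool(_0x2c)
'''

def build_pyc(src: str) -> bytes:
    """Compile source and return it in .pyc layout (16-byte header + marshal)."""
    code = compile(src, "sample.py", "exec")
    header = importlib.util.MAGIC_NUMBER + b"\x00" * 12  # flags, mtime, size
    return header + marshal.dumps(code)

def audit_pyc(data: bytes) -> dict:
    """Report what a plain marshal load recovers from .pyc bytes."""
    report = {"loadable": False, "strings": set(), "names": set()}
    if data[:4] != importlib.util.MAGIC_NUMBER:
        return report  # other interpreter version, or not a .pyc at all
    try:
        root = marshal.loads(data[16:])
    except (ValueError, EOFError, TypeError):
        return report  # payload is not plain marshalled bytecode
    if not isinstance(root, types.CodeType):
        return report
    report["loadable"] = True
    stack = [root]
    while stack:  # walk nested code objects (functions, classes, lambdas)
        code = stack.pop()
        report["names"].update(code.co_names)
        report["names"].update(code.co_varnames)
        for const in code.co_consts:
            if isinstance(const, types.CodeType):
                stack.append(const)
            elif isinstance(const, str):
                report["strings"].add(const)
    return report

if __name__ == "__main__":
    print(audit_pyc(build_pyc(SAMPLE_SRC)))
```

feed `audit_pyc` the bytes of your own build output. `loadable: False` only means the file isn't plain bytecode for this interpreter version, so still run the real decompilers against it.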
we post openly available protected test files on discord after every nyami update. you can test our output yourself with whatever tools you want. no trust required.
nyami.cc | discord.nyami.cc | documentation.nyami.cc
got any questions? dm me on discord @justmaniak