i spent over a year on the attacking side of python RE before i switched to building defenses.
so when i say "this doesn't work" i mean i've personally used the attacks.
here's what the threat model actually looks like and what protection means against each layer.
the attacks, in order of how easy they are:
layer 1 - static decompilation (easiest)
tools: pylingual, pycdc, uncompyle6, decompile3
what they do: take your .pyc bytecode and reconstruct something close to your original source
how long it takes: 30 seconds
protection that stops it: bytecode encryption, pytoc (python to C compilation), decompiler-breaking techniques that make these tools crash on your specific output
protection that doesn't stop it: variable renaming, string encoding, basic obfuscation
layer 2 - pyinstaller extraction (easy)
tools: pyinstxtractor + decompiler
what they do: unpack your exe, extract the bytecodes, then decompile from there
how long it takes: 2-5 minutes
protection that stops it: encrypting the bytecodes inside the bundle, making extraction fail or produce garbage, converting to native code with pytoc
protection that doesn't stop it: pyinstaller alone, most off-the-shelf obfuscators applied before packing
layer 3 - dynamic analysis / hooking (medium)
tools: frida, x64dbg, custom python hooks, patched interpreters
what they do: instrument the running process, intercept function calls, read decrypted code from memory at runtime
how long it takes: hours to days depending on skill
protection that stops it: anti-tamper that detects hooks, debugger detection, integrity checks that crash the process when tampering is detected, checks that fire from external files and can't be trivially patched out
protection that doesn't stop it: anything that only checks once at startup, anything that's easy to patch with a hex editor
layer 4 - full RE with serious dedication (hard)
tools: all of the above, custom tooling, time
what they do: systematic reverse engineering of the whole protection stack
how long it takes: days -> weeks
protection that stops it: honestly, nothing stops a truly dedicated attacker with unlimited time. but the goal isn't "impossible", it's "not worth it." at weeks of work for a script that costs $20/month, most people stop.
what this means practically:
if you protect with basic obfuscation, you're stopping nobody. a bored teenager with pylingual cracks it in minutes.
if you protect with real bytecode encryption + anti-tamper + decompiler-breaking, you're stopping probably 99% of real-world attempts. the remaining 1% have to invest weeks of serious work, which just doesn't happen for most targets.
that's the gap that matters.
i built nyami specifically to cover layers 1-3 properly. every build is polymorphic so signature-based attacks don't scale. the decompiler-breaker is different per build. the anti-tamper watches for frida and external hooks, not just in-process ones.
protection isn't magic. but it doesn't have to be magic to be effective.
nyami.cc | discord.nyami.cc | documentation.nyami.cc
got any questions? ask me on discord @justmaniak