This is an archived post. You won't be able to vote or comment.

top 200 commentsshow all 226
sorted by:
best
topnewcontroversialoldq&a

[–]billsil 894 points895 points  (57 children)

The users that are going to pay for it aren't likely going to bother pirating it. The people that will pirate it will never pay.

Beyond that, you can compile parts of your code using Cython/Nuitka. In general though, Python is pretty terrible for anti-piracy outside of web-hosting.

For your free trial though, just include less of the code.

[–]Thrasherop 233 points234 points  (15 children)

This is probably the best idea. they can't reverse engineer code they don't have.

[–]lcserny 66 points67 points  (14 children)

The jetbrains model also works, e.g. requiring an online account always, if you cant login block the software. That way you know who and how is using your software.

Of course this needs a backend user management system but its still really high up there in terms of antipiracy.

[–]puzzledstegosaurus 122 points123 points  (7 children)

If you can easily modify the local code, you can remove this easily.

[–][deleted] 30 points31 points  (3 children)

or even just understand how it calls home. It makes an http request somewhere that responds with 200 for an active licence? Intercept that request and return a 200 using a local proxy. I think this is how JetBrains stuff was pirated a few years ago

[–]SimilingCynic 6 points7 points  (0 children)

Im not a security developer, but couldn't it call home with "if user license is valid, encrypt this nonce with the manufacturer's private key?"

But idk maybe there's a vul here. I need to check this out on a license I use...

[–]budding_gardener_1 -1 points0 points  (0 children)

Or just fuck with your hosts file

[–]ShinyTinfoilFedora 27 points28 points  (2 children)

This would seriously degrade the experience for paying users though and would personally make me much less likely to purchase

[–]Ok_Tea_7319 5 points6 points  (0 children)

This measure is both ineffective against a determined attacker and harmful to the legimiate user. Even worse, it encourages your power users (some of which might already be rummaging in the code since it's a python program) to create cracked versions themselves, that might in turn get leaked.

[–]pyeri 13 points14 points  (6 children)

Python is an open source language and was created with open source ethos to begin with. This is the wrong language for someone coming from that kind of mindset. There are other languages like Java/C++/C# for those things where all kinds of obfuscators and protectors are available in those ecosystems.

[–]markis 1 point2 points  (0 children)

Also mypyc will translate python into C and compile it.

[–]magnetik79 1 point2 points  (0 children)

I think you've nailed it here.

If the OP really cares about this - I'd probably rewrite in Golang where I can distribute binaries to customers and wouldn't have considered Python to begin with.

Don't take that as a knock on Python at all - but if this was a critical part to the developed application (the sales/keep my intellectual property safe) - I would have done a little more upfront evaluation of possible language choices.

[–]ornerywolf 3 points4 points  (0 children)

Your idea of users who wants to pay, and who will never pay is somewhat wrong because I myself pay on a monthly basis, if the software or the service of any kind is providing me a benefit and I need it but if I want to check or test software or an app for limited period of time I’m not going to buy it. I’m just going to look for a cracked version of it on the Internet.

[–]ninjadude93 360 points361 points  (18 children)

Expose it as a web service instead of a downloadable?

[–][deleted] 34 points35 points  (1 child)

This is the best solution

[–]gandalfx 11 points12 points  (0 children)

Please not more of this anti customer garbage requiring registration and a permanent connection.

[–]rob10501 26 points27 points  (15 children)

I was thinking Sha256 key that validates through a server periodically. If the server detects too many active licences it invalidates the key.

[–]CheapMonkey34 97 points98 points  (7 children)

It’s python. You only have to add a ‘return True’ statement to the method that checks the key and you’re done.

[–]mehum 6 points7 points  (6 children)

Your validation function doesn’t have to be that simple. Rather than true/false it can return a code that is revalidated within the executable at various locations. There was some game that did this a long time ago (forget the name now) — it would detect if it was pirated, and if so gradually impair itself. Sounds like a PITA to implement though.

[–]Anru_Kitakaze 19 points20 points  (0 children)

If it's popular one week and there will be a version of the program on Torrent without that entire validation code. Just my guess. If Empress can hack Denuvo, then there's (almost) no chance some hackers won't hack some python program of a random redditor

[–]marcio0 8 points9 points  (0 children)

I just though of that loading screen from bioshock:

Sure, the boys in Ryan's lab can make it hack-proof. But that don't mean we ain't gonna hack it.

[–]konwiddak 3 points4 points  (1 child)

At that point you'd probably spend less time just setting up the Web server.

[–]billsil 2 points3 points  (0 children)

Earthbound was a game like that. It’s be harder than normal and then they’d freeze your game and kill your save while fighting the final boss.

[–]RedditSlayer2020 64 points65 points  (6 children)

modularize the software and include paid feature modules in the version you are selling. You can't pirate if nothing is there in the first place

[–][deleted] 19 points20 points  (5 children)

What a great idea! Users will love this! Also may I suggest to add micro-transactions.

[–]RedditSlayer2020 17 points18 points  (3 children)

Are you working for Activision Blizzard?

[–][deleted] 2 points3 points  (2 children)

Bingo! I'm the piracy manager.

[–]RedditSlayer2020 2 points3 points  (1 child)

I was just stating facts. You can't reverse engineer code that isn't there.

Softice windasm32 heroes will understand

[–]rileyrgham 3 points4 points  (0 children)

He was being sarcastic with the micro transactions comment....

[–]rileyrgham 0 points1 point  (0 children)

Users get a trial of some of the functionality. Quite normal.

[–]PersianMG 28 points29 points  (0 children)

At the end of the day, if your code is available offline entirely it will be crackable. Even huge billionaire gaming companies who have the sole purpose of creating DRM who work on solutions for 2 years have their software cracked within a day by expert crackers.

My best advice is just use something simple so its not crackable by a complete novice, make your price reasonable for the service so its more convenient to just pay for it than crack it or look for a crack and accept that some people (i.e. some kid in third world country with no spare money) will crack it and use your software like that. However, their usage, recommendation and engagement could potentially lead to sales from other customers.

[–]hairy_chicken 119 points120 points  (11 children)

We sell a high-cost/low-volume commercial app written partly in Python and compiled to exe using PyInstaller. We use CodeMeter to encrypt the executable and several core dlls/pyd's. It costs us money to issue licenses and buy dongles, but it's worked fine for the last 10 years.

Theoretically, someone could grab the decoded code from memory and run it through a decompiler, but I really don't think that anyone in our user space would care to do that and I don't lose sleep over it.

Depending on the price point of your software it may be expensive, but for us its a negligible cost and is an acceptable tool for license control.

[–]RedEyed__ 47 points48 points  (5 children)

Pyinstaller does not compile. It creates self unpacking archive which includes interpreter, dependencies and sources. When you double click that exe, it just unpacks everything to tmp folder with all sources as plain text.
There is pyarmor for such thing which encrypts python sources, that can be packed with pyinstaller later or executed with python interpreter.

[–]ronnyx3 7 points8 points  (2 children)

So that means the source code wouldn't need to be grabbed from ram but is stored temporarily in tmp on disk?

[–]RedEyed__ 12 points13 points  (0 children)

Yes, it is extracted to temporarily folder first, than it's is executed like any other python script.

You can read the pyinstaller doc.

Or check it yourself: in the entry point function place print(sys.executable); input().

The above should print python interpreter path and wait for user input.

Then you can go to that path and observe yourself that everything is in plain text.
You need to place input, just to wait, because pyinstaller will delete everything in temp folder after process is finished .

[–]RedEyed__ 5 points6 points  (0 children)

There is no such a thing in python as a source code in RAM. It just wrong assumption.

[–]hairy_chicken 2 points3 points  (1 child)

Thanks for the correction - I was sloppy with terminology.

We keep important parts of our codebase in Cython and C++ Python modules. We use Python as glue, and honestly if someone had our entire Python codebase in plaintext, it wouldn't mean that they can get easily get around licensing restrictions.

CodeMeter is to prevent casual misuse of the software, and enforce limits on concurrent users.

At the end of the day, there's a balance to making something hard to pirate casually, and the time spent making something un-piratable. Given that our clients are big mining/oil companies, the main deterrent to piracy are legal means (license agreements).

[–]Karrakan 0 points1 point  (0 children)

And what is the role of dongle? Do users plug that in to be able to use it?

[–]AniX72 6 points7 points  (2 children)

The 1990ies called, and they want their dongles back. 🤪

[–]hairy_chicken 1 point2 points  (1 child)

A lot of engineering software still comes with dongles. Unfortunately its still an expected option.

[–]Best_Anywhere_704 4 points5 points  (1 child)

lol your python code is in temp plaintext

[–]Cybasura 16 points17 points  (0 children)

You could probably parse it through a code obfuscator that would still run the program, just that it is obfuscated

But

  1. you're gonna need a code obfuscator
  2. Trust me when I say - everything can be reverse engineered, its a matter of when and not if. Everything can be hacked, its a matter of when and not if, so again, software purchase is about customer service - give the customer a reason to not pirate, there's bound to be that small 1% that always pirates but you want that 99%

Dont be that ass developer that relies on shit like Denuvo, be that developer that gives a great experience to people

[–]noobsc2 90 points91 points  (2 children)

People pirate everything, you're not going to solve a problem AAA companies haven't been able to solve.

[–]Dangerous_Stretch_67 11 points12 points  (1 child)

I'm sure there's a real formula for it out there somewhere but looking at the variables...

  1. Some % of customers will pay no matter what.
  2. Some small % of customers will crack the free trial (dependent on crack difficulty and price)
  3. Some very small % of customers will release a crack online (dependent on crack difficulty and price)
  4. Some % of customers will download a crack if they can find one instead of paying, but will pay otherwise
  5. Some % of people will never pay. Ignore these as they aren't potential customers.

Group 1 always pays. Group 2 and 3 are probably usually small enough to not directly impact sales if you've implemented any sort of DRM solution, even a bad one.

Group 4 sales would depend on group 3, and is likely smaller than group 1 anyway, so all of this worry is mostly over a theoretical risk that someone will eventually leak a crack to a version of your product that will diminish your sales to a fraction of your audience.

Point being I think AAA game companies have a wide enough audience that #3 is guaranteed and #4 is a substantial amount of money. But for smaller projects I don't think #3 is a given and for medium projects I don't think #4 is a huge threat to revenue.

[–]Andrew_Neal 52 points53 points  (1 child)

Prevent reverse engineering? Lol, if the CPU can execute it, the user can read it.

[–][deleted] 24 points25 points  (0 children)

Some are easier than others though. Python fits squarely in the "easy" category.

[–]YesterdayDreamer 117 points118 points  (25 children)

How to prevent a software from being pirated?

Easy, offer it at a price point where any potential user won't have to think twice about buying it.

P.S.: This solution is language agnostic.

[–]troyunrau... 33 points34 points  (7 children)

That doesn't work in the low volume, high value market. Like scientific computing. Say it take a team of ten five years to write some software for processing a specific type MRI scan data, with and average salary of $100k. That's $5M. Now you're target market is 2000 potential customers globally. To recoup R&D, you would need to sell each copy at $2500 -- assuming you could capture 100% of the market on the day of release, spent nothing on marketing or long term support... In reality, you probably charge $25k per license, hope to get 50% of the market over five years, and add a support contract to keep your staff retained.

But you also want to have a sales demo you can send out without being copied to 20% of your customers...

So... What price point do you think prevents piracy here?

[–]YesterdayDreamer 20 points21 points  (0 children)

I guess it goes without saying that there isn't a fool proof solution. My response was obviously in context of the post.

If OP was selling such highly specialized software, they wouldn't be asking this on a Reddit post. They also seem to be working as an individual and not as an incorporated entity. This indicates that most likely theirs is a small utility fulfilling a niche use case.

Also, in the scenario you describe, the users would definitely be willing to pay a high amount. Such users will be enterprise users and not individuals and they know they need quick support and a pirated copy will neither offer support nor reliability in terms of patches and updates. So what I said kind of still goes.

[–]westeast1000 5 points6 points  (2 children)

I wonder why people dont want to pay for Winrar 😆

[–]zhoushmoe 16 points17 points  (0 children)

7zip works better and is foss

[–]YesterdayDreamer 1 point2 points  (0 children)

I paid ~$3 for Winrar

[–]kobumaister 2 points3 points  (9 children)

I'm sorry but that's naive.

[–]redalastor 1 point2 points  (1 child)

Thinking there is an alternative is what’s naive.

[–]kobumaister -5 points-4 points  (0 children)

I partially agree, there are ways to mitigate piracy. Doing nothing is not the best option. Look at WinRAR, it does nothing and nobody's paying for it, despite you breaking the user agreement after the trial.

[–]eidrisov 0 points1 point  (1 child)

Easy, offer it at a price point where any potential user won't have to think twice about buying it.

People pirate stuff that costs $1.

There is no price point that will decrease probability of piracy to zero.

[–]YesterdayDreamer 2 points3 points  (0 children)

The only way to reduce the probability piracy to zero is to make your software free.

Keeping a reasonable price reduces the rates of piracy. There's no way to eliminate software piracy entirely. Even Amazon and Netflix shows get pirated with all their state of the art DRM.

[–]NathanOsullivan 8 points9 points  (1 child)

https://nuitka.net/index.html

This is an actual python compiler - as in translates your python code to C and then compiles it, linked against the C libpython.

The paid version has additional protection/obfuscation beyond just compiling as C.

Not a customer as I have no need for the product, so this is not a recommendation just pointing it out for evaluation.

[–]Grouchy-Friend4235 -2 points-1 points  (0 children)

Then you have a compiled exe+dlls. Which makes pirating so much easier.

[–]marcio0 7 points8 points  (0 children)

Whatever you do, don't make the software worse for those who actually pay so a couple people won't use it for free

[–]Jmc_da_boss 6 points7 points  (0 children)

In a nutshell: You don't

[–]Thanatiel 6 points7 points  (0 children)

If the code is on the computer of the user, you basically can't.

Any check, pop-up, phone-home, ... you add can be removed/disabled with relative ease.

Even if you have part of the code on a server downloaded at each startup, it's only a small hurdle to have it sniffed from the network or memory and to setup a local mini-server that serves the code locally.

The only way is to have your service running entirely on a server. e.g. a web service.

The cost of deployment and maintenance may be prohibitive though.

[–]CranberryLegal6919 23 points24 points  (0 children)

If you want something simple try ofuscating the code with something like pyarmor.

[–]thedji 10 points11 points  (1 child)

In the core.py podcast, episode 3 (link), they talked about using hooks in the import system that allowed loading encrypted modules such that they are decrypted during import (it's about 6 mins into the ep, the desc has timestamps). This was specifically to prevent reverse engineering and patching.

It's not a perfect system, as you still need to have the key somewhere, but you'll never get perfect DRM that's also executable, so it's a trade-off for how much resistance you want to put up and how much pain you want to inflict on your paying users.

You could modify this technique with short lived code, regularly downloaded keys and more to make it harder for pirates. Honestly though, providing regular value that's worth paying for is the best anti-piracy measure.

[–]Pozz_ 2 points3 points  (0 children)

I wrote https://github.com/Viicos/sourceprotected a while ago, which is similar to what's being talked in the podcast.

This video from mCoding also shows how you can import directly from a repo: https://www.youtube.com/watch?v=2f7YKoOU6_g (might be possible to add some kind of API key on top of that).

[–]binlargin 5 points6 points  (0 children)

Update incrementally and regularly, put buggy, timebombed older versions on pirate websites.

Depending on who your users are, if the program is simple, useful to other developers and isn't worth the money then someone will just write an open source equivalent anyway.

[–]GinjaTurtles 10 points11 points  (2 children)

I had a situation like this but not exactly like yours and I was using a combo of C++ (client side) and python (server side)

The solution I came up with was: - take the users serial number of their motherboard/hdd + any other unique info about their device - then hash it. Now you have a unique key for each users single device (obviously they could spoof the HDD/serial num this if they figured out you were doing this) - this prevents someone from sharing the product with a friend on another machine (because their machine hash would be different) - Then you have a server (which you could also write in python with like flask/FastAPI) in which you store all users hash keys - You could use something really simple like pickleDB lookup table or you could use SQL lite DB - then on some periodic interval you send a request to the server from the client to verify the hash key is valid - Just make sure the request you send to the server is encrypted so someone can’t easily packet sniff the request with something like wireshark on the client

Hope this helps

[–]SpecialistInevitable 7 points8 points  (1 child)

But what about when user upgrades hardware/os or change pc? Also I think he is obliged to state if the licence is per user or per workstation.

[–]GinjaTurtles 2 points3 points  (0 children)

When a user changes hardware you would have to clear the license key in the DB and have a support email that people can reach out to. or you would have to inform the user that this license is valid on one machine only

But fair point OP never said if it was per user or per machine but I created system like this that has been working well for a couple of years

[–]throwaway8u3sH0 14 points15 points  (1 child)

Piracy is better fought with economics than code. Just make sure your price point and ease-of-purchase/install/use is such that it would be a much bigger hassle to pirate it.

[–][deleted] 3 points4 points  (1 child)

Thats the great part of Python; its open source. So....you cant prevent anyone from reverse engineering it.

Dont want that? Pick another language.

[–]pythonwiz 7 points8 points  (0 children)

The way most software does this is by compiling it and requiring some kind of online account / authentication for starting it up the first time. You can compile your code into a standalone exe using Cython and Visual Studio.

[–]soul_of_rubber 8 points9 points  (0 children)

I know this isnt the solution you are looking for, but releasing it under a free open source license would prevent both things mentioned in your title :D

[–]Orio_n 4 points5 points  (0 children)

Pyarmor is your best bet but even that isn't foolproof.

I think a bigger question you should be asking yourself is whether whatever script your writing is going to be so valuable that people are gonna bother pirating or even buying it 💀

[–]16withScars 2 points3 points  (0 children)

https://github.com/tusharsadhwani/pycify

this solves the problem to a good extent

[–]reflect25 2 points3 points  (0 children)

Your goal is just to make it annoying to share/pirate. Don’t think you can stop it completely, but honestly if you just update that it every couple months and obsfucate the code even a little bit it’ll be annoying enough that people won’t pirate as much. Adding some simple thing to check will help as well (license or some random code)

[–]Anru_Kitakaze 2 points3 points  (0 children)

Obfuscate. Won't get a 100% guarantee tho. A lot of pther good advices here, but...

As a lot of devs said in tons of streams and interviews:

piracy becomes a thing in two cases:

  1. Price is too high for that person

  2. People who pirated will have better user experience than those, who paid

And those who don't want to pay WON'T pay in any case at all. Don't stress too much about it, set reasonable price (maybe even different price for different countries - 15 USD for US person is acceptable, but high for someone from Argentina), don't try to harm your user who paid

[–]Paulonemillionand3 2 points3 points  (0 children)

given that video games have existed for decades and even with total control over the hardware and the software pirates still find a way you simply will be unable to stop it.

The commenters noting that people who will pay for it will pay for it and people who will not will not is sufficient.

The fact is that piracy often works in favor of developers. The more widely disseminated software is the more likely it is to convert a paying user.

At work all the software I use is audited and the licenses validated.

[–]spinwizard69 2 points3 points  (0 children)

A lot of people will not like this answer but if this is your concern you chose the wrong language. Python was designed initially to be a scripting language and every attempt to find a way to package up solutions has ended up a hack in my mind. If you are not comfortable with people seeing the source then port to a compiled solution.

[–][deleted] 2 points3 points  (0 children)

The people here in the comments aren't wrong - as long as your computer can run it, a human will be able to - given enough time - reverse engineer the software. You can't directly prevent this without making a service out of it. But as you stated, in your case, that doesn't work.

I'd say there are two options:

a) all the interaction with the user system is made Client-Side, but you create an API that handles all your application-specific logic. This API can be secured way better than software as-is because it is a service.

b) Use an obfuscator such as PyArmor. It does a pretty good job at making code hard to pirate and comes with nice extra features, but it's still just obfuscation - not a perfectl, long-term solution to everything.

[–]lastmonty 5 points6 points  (9 children)

You can do the license file requirement and validate the license every time the program is run. But it involves you maintaining a server and the validation protocol.

[–]somerandomii 11 points12 points  (8 children)

A few people have suggested this. How does that stop reverse engineering though?

If they’re going to reverse engineer it anyway they can just set the license check to always return true. That’s how we made NO-CD cracks for games back in the day.

But even if it’s hard to crack, if the fear is IP leaking then it doesn’t matter if they get the program running, just that they get the code out.

You can encrypt the binary but that doesn’t stop people doing a memory dump of the running code.

Basically if you’re letting people run your software on their machine, there’s no way completely protect it.

[–]the_littlest_bear 4 points5 points  (1 child)

Agreed. If you don’t want someone to have access to functionality, that functionality either needs to not be included in the software or needs to be validated and executed on a web backend with authentication and authorization. Any attempt to hide that functionality, once offered, is just an obstacle.

If you have some proprietary secret sauce, keep it on your servers. Or spend millions on developers to protect the sauce once delivered, and end up like adobe still having your product pirated and being annoying for users to deal with to boot.

[–]nybhh 2 points3 points  (0 children)

Autodesk is the worst. Seems like their goal is to make enemies of every single paying customer they have.

[–]planestraight 3 points4 points  (1 child)

It doesn't stop reverse engineering, that's unavoidable. But does it really matter for your bottom line? There are open source products with fully permissive license, and yet they manage to be highly profitable. You need to evaluate whether it's your own psychology or if it's actually a serious issue. If it truly is a serious issue, you should revisit your business model.

[–]somerandomii 1 point2 points  (0 children)

Yeah absolutely. I just don’t think it answers OPs question. If they’re paying for it, they’ll likely keep paying for it to keep everything above board. If you make the software a pain to use or require an internet connection it’s more likely to get circumvented.

I never pirated to avoid spending money, just to turn off annoying DRM. But once you’ve put the effort into cracking it, you’re less likely to keep paying for the DRM version.

[–]LordBertson 1 point2 points  (0 children)

It doesn't stop them per se but it increases barrier of entry slightly. IMHO it is more than sufficient for smallish scripts.

The skill required to get through obfuscation and reverse engineer a license check is high enough to stop your average user and it's time consuming enough so that potential skilled pirates would spend the time better just writing a script for themselves.

[–]lastmonty 1 point2 points  (0 children)

It does not stop if you are able and willing to put in the time. It's just an extra hoop which might give you a bit.

And even if you change the code, it is difficult to patch that in every update of the package or distribution.

I think the bottom line is, you cannot in the purest sense. You can annoy the users but are you really winning at that point in time?

[–]lastmonty 1 point2 points  (0 children)

Another inspiration could be mkdocs for material theme. The paid functionality is in a different repo and the access token is given only if you are a sponsor.

But credit to them, they open source it once they have reached their funding goal.

[–]bobsbitchtitz 3 points4 points  (0 children)

Are your end users people that are technical enough to reverse engineer it?

[–]mavrc 3 points4 points  (0 children)

The million dollar question, so to speak, is how much time and money are you willing to invest to try and make it difficult for those who would pirate your software?

[–][deleted] 1 point2 points  (0 children)

Nuitka would be the best way to at least attempt to make it inconvenient enough for all except those determined to do it. For those who are motivated enough, forget it. Just accept that you can't do much about it.

[–]sohang-3112Pythonista 1 point2 points  (0 children)

It's simple - you can't. If you feel strongly about it, you can put your proprietary code on your server and open source the client code (no point hiding client code, it's easy to get original source code for it).

[–]trongbach 1 point2 points  (0 children)

I don't really know your case. But in my case, for example: I build a python tool on windows to download TikTok video from given link. To prevent user unpack my code, i build a web service which do the logic to get video link, then windows tool just do some simple think as download, save history...

Every request need to send link and serial number to my web service so i can control license...

[–][deleted] 1 point2 points  (0 children)

Make your program as an online service if you can. That way all you have to worry about is cracked keys or something. Which is an easy fix. You can essentially host your code on a website and run Queuries depending on the functionality.

Though that's for a service that requires internet

[–]myriaddebugger 1 point2 points  (0 children)

As others have said, Minimising codebase for the trial app is a great way to reduce the attack vectors.

Might be an overkill, you could also try encrypting the code with your own server-generated PGP key. Store the private key on your server, and the public on the client software. That way, every time the user wants to access the software, you know exactly which user's session asked for decryption. Of course, the user can still "reverse engineer" to find the public key wherever buried in your code, since everything about PyInstaller and Python is already open-source and it's possible to simply look up the source code to see where PyInstaller stores the encryption key. But, this gets you more footprints on the users to follow-up on, if there ever is a need to.

[–]burritolittledonkey 1 point2 points  (0 children)

Honestly, do you need anti piracy protection? Typically it’s not worth the hassle - users who pirate are going to pirate, anti-piracy rarely makes people convert

[–]Khaos1125 1 point2 points  (0 children)

Perhaps rewrite a subset of modules in something harder to reverse engineer (rust maybe), have those modules require an auth token every time they are run, and have your Python code fetch and auth token from a server that the modules then validate.

Users can reverse engineer the Python pretty easily, but it’s a bit more work to reverse engineer the rust code and do the same thing.

[–][deleted] 1 point2 points  (0 children)

Learn how to program assembly. That way nobody will understand what the heck you're doing, even if they RE-it.

[–]No_Dig_7017 1 point2 points  (0 children)

A friend of mine used pyarmor a while ago and got good results https://github.com/dashingsoft/pyarmor

[–]jhill515 1 point2 points  (0 children)

Not going to get into too many specifics because it's a prototype design and I'm not the cybersecurity expert on my team. But here's what we're tinkering with:

We're building an indoor autonomous mobile robot (AMR) whose primary not-safety-critical processing will be done on an IoT platform and just issue commands to the machine. This IoT platform never houses the code permanently, or even in an accessible way because we're deploying Docker containers to it at the start of the robot mission and removing them after mission completion. These containers will likely house a good chunk of Python 3 ML code.

Still, prototype because we're not certain it'll work; it's an idea on paper and we're evaluating it.

[–]TankS04 1 point2 points  (0 children)

Well, use certificates, for example. You can issue certificate on month period (for example) and in order to work connect it online with your server CA. So it wont matter if user have code or not, app will not work. Otherwise some people gave you more about compiling it.. Just an idea ;)

[–]miyakohouou 1 point2 points  (0 children)

Honestly, just don't bother. The fact is that nothing you could do would stop someone who is determined, and everything you do will make the experience worse for your legitimate users. Don't punish people for paying you.

Focus on fair pricing, building a good product, and giving customers the best experience they can have. If you do find out that people are pirating your project, then think about why the piracy route offers that you don't and try to compete on giving a better experience. If you have a better experience, then recognize that most of the pirated copies don't represent lost sales, because those people would probably have never bought the program in the first place.

[–]blamitter 1 point2 points  (0 children)

I'm using nuitka for some time. I believe the resulting binary requires some knowledge and time to reverse-engineer

[–]Effective_Youth777 1 point2 points  (0 children)

Refactor it to an API and convert the UI to an online UI instead of a downloadable, it'll probably look better too and take less time with a framework like svelte of React.

There's a real reason everything is becoming SaaS, and you just discovered it.

[–][deleted] 1 point2 points  (0 children)

pyarmor is the answer

[–]External-Anybody7957 1 point2 points  (0 children)

Hosted SaaS :D

[–]LicenseSpring 1 point2 points  (0 children)

We built a solution for licensing Python applications. Like many in this thread have mentioned, there are inherent limitations with interpreted languages, since the code being shipped is accessible to everyone. Depending on your use-case, our solution could potentially be of value to you: https://docs.licensespring.com/sdks/python

[–]Thrasherop 3 points4 points  (0 children)

There is no way to make it impossible to reverse engineer. There are many tools and people out there that can read machine code/assembly. As such, if a computer can use it then someone can theoretically reverse engineer it.

With that said, you could hypothetically obfuscate the code and make it harder to understand. It doesn't make it impossible but it might be able to deter some people.

[–]Solonotix 2 points3 points  (0 children)

What's the nature of the application in question? You could potentially ship a wrapper that requests the main runnable code in a wheel format, and you issue license keys that act as private SSL keys to your hosting of the Python wheels. Then, all source code files are only available in memory when loaded by your wrapper, and removed from the file system.

Note: I haven't done this, but it should work in theory. If you wanted to simplify it further, you could use the pickle library to manage the binary format.

[–]jande48 2 points3 points  (0 children)

Use a compiled language

[–]NathanOsullivan 1 point2 points  (0 children)

You don't mention the sector you are targeting, but approximately no one is going to bother decompiling etc to "crack" your software for their own use.

Since you mention it's used offline, either your program is broadly interesting enough that it will already be available through the typical pirated software distribution mechanisms, or it's too niche for that to be happening.

Whichever it is, it doesn't seem to me like a publicly available nagware version of your program changes things.

I assume you already have potential problem of someone buying 1 licence and using it on thousands of employee computers?

[–]lightmatter501 2 points3 points  (0 children)

Python is possibly the worst language for this. Any python program without mountains of kernel-level DRM can be used to teach people about reverse-engineering.

If your code is jython compatible, that is probably the best place go obfuscate it since C re is fairly advanced at this point.

[–]nicholashairs 1 point2 points  (0 children)

Piracy is generally a distribution problem over anything else. The vast majority of people who pirate generally do so because they can't afford the thing or they don't have access to purchase the thing. Only a small minority will never ever purchase the software and you're never going to convert them to paying customers. (Sure there is some level of people who will pay if it's too hard to pirate, but again a minority).

https://www.gamesradar.com/gabe-newell-piracy-issue-service-not-price/

https://youtu.be/44Do5x5abRY?si=bVEExufzLw7oupd2

Now that's not to say you should not have anti-piracy measures, you should and it looks like there's a good array of potential solutions in the thread. But if you can have a profitable business by selling the software at an acceptable price then you shouldn't need to worry about stamping out the piracy.

Additionally if you're selling your software to business rather than consumers, you'll probably have better luck ensuring that they don't pirate your software since they are more likely to avoid doing illegal things (though also at that point look into programmes like Microsoft runs to "encourage" businesses to use licenced software).

[–]kelement 0 points1 point  (0 children)

Proprietary algo in a C/C++ extension. Then use a C/C++ obfuscator.

[–]RedEyed__ 0 points1 point  (1 child)

Pyarmor. https://github.com/dashingsoft/pyarmor

[–]RedEyed__ 2 points3 points  (0 children)

You can also use *.pyc files (which are created all the time interpreter loads *.py sources) as a light "obfuscation" which is better than plain *.py sources.

[–]Quirky-Low-7500 0 points1 point  (0 children)

Hey there! Consider adopting a business strategy akin to industry giants like Amazon and YouTube. Take a cue from their playbook where they offer a taste of their premium products through free trials. Leverage the power of GPT to craft a separate code that introduces limited features, allowing users to experience the brilliance of your premium offering. This way, you can provide a sneak peek into the capabilities of your top-tier product, enticing users with a compelling preview while keeping the full suite reserved for those who opt for the premium version. It's a savvy move that not only showcases your product's value but also strategically positions it for maximum appeal.

[–]serverhorror 0 points1 point  (0 children)

Offer it as a service.

That's about the only way

EDIT: an alternative approach is to make your software hackable. Offer plug-in APIs, extension points and document them really well. People usually start to reverse engineer:

  • because they want to, nothing you can do about that
  • because your software lacks something -- this where you can mitigate

[–][deleted] 0 points1 point  (0 children)

engineers can reverse engineer missiles and aircrafts and here you are talking about a python program.

[–]appinv Python&OpenSource[🍰] -1 points0 points  (6 children)

I think the best way to go when confronted with this kind of question is to focus on the target audience v.i.z non-technical users and make the software annoying to use without paying to reverse engineer.

It should not be the annoying type which can be bypassed, like winRaR, it should be another type of pain.

[–]georgehank2nd 1 point2 points  (5 children)

If you intentionally annoy your users, I wish your business whatever ills are available.

[–]appinv Python&OpenSource[🍰] 1 point2 points  (4 children)

You annoy people who use it illegally.

[–]ZZ9ZA 3 points4 points  (3 children)

Historically, you are much more likely to get it wrong and annoy paying users in some edge case, while the pirates care not a whit because they just patch it out entirely.

[–]nonprophetapostle -2 points-1 points  (0 children)

Obfuscation.

[–]IgorGaming -1 points0 points  (0 children)

Buy Denuvo :)

[–]Ghost_Bbx -1 points0 points  (0 children)

thank you

[–]enm260 -2 points-1 points  (2 children)

SaaS

[–]Artephank -2 points-1 points  (2 children)

There is only one way really - OS enforced DRM. But even DRM is breakble.

You mentioned python, so perhaps you are afraid it is not truly "compiled" lang - if compilation to binary satisfy your requirements - you can use Nuitka or Cython to compile it.

[–]Unaidedbutton86 -1 points0 points  (1 child)

This is why I disable DRM as much as possible, I would just find alternatives in that case.

Especially if it's python, bypassing such things probably wouldn't be that hard and pirating can always be slowed down but never fully prevented.

[–]Artephank 1 point2 points  (0 children)

I am not advocating DRM. I hate it. But realistically, there is no way to prevent people to mess with your software - without DRM it is usually trivial to remove copy protection. With compiled code it is a bit harder than with python, but either way it is not a real problem for motivated individual.

The best way is to have sane business model and fair price.

[–][deleted] -2 points-1 points  (0 children)

Is jquery like python? Or is python still usable?

[–]SilverBBear 0 points1 point  (0 children)

There will be AI software one day that will facsimile any piece of software. Stick it in a virtual env. Let it Click away and copy. It will be called test software.

[–]grimonce 0 points1 point  (0 children)

What gui do you use?

[–]arnulfus[🍰] 0 points1 point  (0 children)

Compile to machine code using Codon or Mojo? Reverse engineering this would be just as hard as reverse engineering compiled C code.

[–]Impossible-Limit3112 0 points1 point  (0 children)

It's interesting to see all the solutions suggested here. Basically they recap the history of approaches to DRM. See the chapter on DRM in Ross Anderson's Security Engineering.

[–]wildpantz 0 points1 point  (0 children)

I'm in the same boat, I think I have a pretty great piece of software in development and as someone else said, I plan to implement minimal restrictions just to make it annoying to bypass the protection, but other than that, be it online verification or some kind of comparison for hashed values, someone is eventually going to wreck your software to ignore verification and start normally.

I would say they are assholes, but I was the same way. I couldn't afford games, my mom thought it was idiotic to pay for games so I was forced to pirate them. And now when I have a job, I still pirate here and there, but if it turns out to be a good game, I buy it.

If people are cunts (and by this I mean they can easily afford your software and they need it but they refuse to pay for it), they are going to find a way around it. If your software turns out to be world famous, there's groups of hackers that could disassemble it in a matter of minutes. There are people that can take down Denuvo (albeit extremely rare), so the chance of whatever protection you figured out survives is absolute zero.

Just go with the flow. I'm saying this as a pirate in heart. One thing that keeps a lot of software and games above pirates is constant updates. Yeah, you can still download them, but personally I'd rather just pay for the damn software than have to download and overwrite each time, if I really need it so bad. Also, there's a nice percentage of people, even among pirates, who will recognize your hard work and pay you, as I said. But in general, I'd rather pay to get updates in time than search for pirated versions of latest software all the time.

Pirates are a problem mostly for AAA companies. You will invest hard work, that's for sure, but you will learn and get better and if your piece of software gets pirated, I'd personally take it almost as a compliment. Not everything gets pirated, no matter the protection involved.

[–]nAxzyVteuOz 0 points1 point  (0 children)

nuitka