encrypt/decrypt zip/unzip

Discussion:

diliup gabadamudalige

2014-08-25 14:08:34 UTC

Having experimented with various methods to obfuscate image, audio and text
files, store them in a zip file pw protect and then retrieving on demand I
finally did this.

coder= a long string with a lot of characters ( written in a separate py
file)

strA = XOR(from_disk.read(), coder)
str1 = XOR(strA,another_coder))

encryption twice to obfuscate even more.

with open(code_to_dir, "wb") as to_disk:
to_disk.write(str1)

then i used win rar to write these files to disk as a pw protected zip file
with store as the comp. method.

the password is obfuscated and saved to a py file

Retrieving the files from inside the zip file was the only hitch as the
python extract routine took a long time.

this was solved by a great package at
https://pypi.python.org/pypi/czipfile#downloads

retrieval time increase by nearly/more than/almost 200 %.

I would like to have your input on the above.

Diliup Gabadamudalige

http://www.diliupg.com
http://soft.diliupg.com/

**********************************************************************************************
This e-mail is confidential. It may also be legally privileged. If you are
not the intended recipient or have received it in error, please delete it
and all copies from your system and notify the sender immediately by return
e-mail. Any unauthorized reading, reproducing, printing or further
dissemination of this e-mail or its contents is strictly prohibited and may
be unlawful. Internet communications cannot be guaranteed to be timely,
secure, error or virus-free. The sender does not accept liability for any
errors or omissions.
**********************************************************************************************

Vincent Michel

2014-08-25 15:52:49 UTC

Permalink

"the password is obfuscated and saved to a py file"
I'm curious about this part, how would you do that?
Do you plan to distribute only your byte code and hope that no one will
reverse it?

Also, why do you need a double encryption? If you want to prevent people
from browsing your package to find the end screen or whatever, isn't
your first encryption enough?

Anyway I think it's an interesting question, I mean, how important is it
to obfuscate game data.

Vincent

Post by diliup gabadamudalige
Having experimented with various methods to obfuscate image, audio and
text files, store them in a zip file pw protect and then retrieving on
demand I finally did this.
coder= a long string with a lot of characters ( written in a separate
py file)
strA = XOR(from_disk.read(), coder)
str1 = XOR(strA,another_coder))
encryption twice to obfuscate even more.
to_disk.write(str1)
then i used win rar to write these files to disk as a pw protected zip
file with store as the comp. method.
the password is obfuscated and saved to a py file
Retrieving the files from inside the zip file was the only hitch as
the python extract routine took a long time.
this was solved by a great package at
https://pypi.python.org/pypi/czipfile#downloads
retrieval time increase by nearly/more than/almost 200 %.
I would like to have your input on the above.
Diliup Gabadamudalige
http://www.diliupg.com
http://soft.diliupg.com/
**********************************************************************************************
This e-mail is confidential. It may also be legally privileged. If you
are not the intended recipient or have received it in error, please
delete it and all copies from your system and notify the sender
immediately by return e-mail. Any unauthorized reading, reproducing,
printing or further dissemination of this e-mail or its contents is
strictly prohibited and may be unlawful. Internet communications
cannot be guaranteed to be timely, secure, error or virus-free. The
sender does not accept liability for any errors or omissions.
**********************************************************************************************

Noel Garwick

2014-08-25 16:22:35 UTC

Permalink

Diliup,

My understanding is that anything you load into memory can be dumped. So
if you're just using this to load all game assets at startup, people could
extract the assets by duping what the interpreter has loaded into memory
(the copies of the unencrypted files).

Post by Vincent Michel
"the password is obfuscated and saved to a py file"
I'm curious about this part, how would you do that?
Do you plan to distribute only your byte code and hope that no one will
reverse it?
Also, why do you need a double encryption? If you want to prevent people
from browsing your package to find the end screen or whatever, isn't
your first encryption enough?
Anyway I think it's an interesting question, I mean, how important is it
to obfuscate game data.
Vincent

**********************************************************************************************

Post by diliup gabadamudalige
This e-mail is confidential. It may also be legally privileged. If you
are not the intended recipient or have received it in error, please
delete it and all copies from your system and notify the sender
immediately by return e-mail. Any unauthorized reading, reproducing,
printing or further dissemination of this e-mail or its contents is
strictly prohibited and may be unlawful. Internet communications
cannot be guaranteed to be timely, secure, error or virus-free. The
sender does not accept liability for any errors or omissions.

**********************************************************************************************

diliup gabadamudalige

2014-08-25 20:04:18 UTC

Permalink

Thanks for the responses.
Firstly I am a bit amused that everybody assumes that I am writing some
kind of game. I never mentioned any game. Is it because of Pygame? :) :)
I am using Pygame as my graphic interface because it is easy to display all
graphics and music (with some MIDI) using Pygame. Incidentally I am writing
a music teaching software.

I use maketrans with a code string and then XOR the result using another
string and then finally base64 it before writing it to disk. So all files
look like -> CSVT121rI_OQt%***@lm and even if someone duoble click or
change the file ext they can not open the file in anything other than a
text file editor.

If we keep the worst case scenarios out my majority users would be average
computer users and I doubt somone taking the trouble to reverse engineer
this software which is absolutely unknown. Maybe they will do so if it gets
world famous ( :-) ) but then I will hire a professional team to encrypt it
or I will use a dongle protection. But right now I am trying to close the
files from prying eyes. When compiled with py2exe all the py files are
strung together and one exe file is formed but all the assets remain in the
folder with the same names inside the folder where the exe is. So anyone
can simply copy the files and the text inside. But this way they have no
access as the zip file is encrypted. If they crack that open then all the
files are encrypted and the encrypted password is in another py file inside
the exe.
Isn't this some kind of protection against no protection at all? I also
clear the windows clipboard on every run of the main program loop thus
preventing the user from taking screen grabs with print screen., These are
taking into account THE THE AVERAGE USER.
Considering the average user are the precautions I have taken fair? What do
you think?

Post by Noel Garwick
Diliup,
My understanding is that anything you load into memory can be dumped. So
if you're just using this to load all game assets at startup, people could
extract the assets by duping what the interpreter has loaded into memory
(the copies of the unencrypted files).

**********************************************************************************************

--
Diliup Gabadamudalige

http://www.diliupg.com
http://soft.diliupg.com/

**********************************************************************************************
This e-mail is confidential. It may also be legally privileged. If you are
not the intended recipient or have received it in error, please delete it
and all copies from your system and notify the sender immediately by return
e-mail. Any unauthorized reading, reproducing, printing or further
dissemination of this e-mail or its contents is strictly prohibited and may
be unlawful. Internet communications cannot be guaranteed to be timely,
secure, error or virus-free. The sender does not accept liability for any
errors or omissions.
**********************************************************************************************

Dan Uznanski

2014-08-25 21:06:28 UTC

Permalink

Why bother? The average user won't care, the skilled users will see
through your ruse like it's plastic wrap, and the ones who care but aren't
that good will just find out what the skilled users did on the internet.
The only thing you do by adding obfuscation is make it a little bit more
of a pain for others to modify and improve your program, and make it a lot
more of a pain for you to test your program.

Post by diliup gabadamudalige
Thanks for the responses.
Firstly I am a bit amused that everybody assumes that I am writing some
kind of game. I never mentioned any game. Is it because of Pygame? :) :)
I am using Pygame as my graphic interface because it is easy to display
all graphics and music (with some MIDI) using Pygame. Incidentally I am
writing a music teaching software.
I use maketrans with a code string and then XOR the result using another
string and then finally base64 it before writing it to disk. So all files
change the file ext they can not open the file in anything other than a
text file editor.
If we keep the worst case scenarios out my majority users would be average
computer users and I doubt somone taking the trouble to reverse engineer
this software which is absolutely unknown. Maybe they will do so if it gets
world famous ( :-) ) but then I will hire a professional team to encrypt it
or I will use a dongle protection. But right now I am trying to close the
files from prying eyes. When compiled with py2exe all the py files are
strung together and one exe file is formed but all the assets remain in the
folder with the same names inside the folder where the exe is. So anyone
can simply copy the files and the text inside. But this way they have no
access as the zip file is encrypted. If they crack that open then all the
files are encrypted and the encrypted password is in another py file inside
the exe.
Isn't this some kind of protection against no protection at all? I also
clear the windows clipboard on every run of the main program loop thus
preventing the user from taking screen grabs with print screen., These are
taking into account THE THE AVERAGE USER.
Considering the average user are the precautions I have taken fair? What
do you think?

**********************************************************************************************

--
Diliup Gabadamudalige
http://www.diliupg.com
http://soft.diliupg.com/
**********************************************************************************************
This e-mail is confidential. It may also be legally privileged. If you are
not the intended recipient or have received it in error, please delete it
and all copies from your system and notify the sender immediately by return
e-mail. Any unauthorized reading, reproducing, printing or further
dissemination of this e-mail or its contents is strictly prohibited and may
be unlawful. Internet communications cannot be guaranteed to be timely,
secure, error or virus-free. The sender does not accept liability for any
errors or omissions.
**********************************************************************************************

Vincent Michel

2014-08-25 21:28:06 UTC

Permalink

I agree with Dan.

Also, there're some great answers over here:
http://stackoverflow.com/questions/261638/how-do-i-protect-python-code

For instance I like this one:
""" Since no technical method can stop your customers from reading
your code, you have to apply ordinary commercial methods.
1 - Licenses. Contracts. Terms and Conditions. This still works even
when people can read the code. Note that some of your Python-based
components may require that you pay fees before you sell software
using those components. Also, some open-source licenses prohibit you
from concealing the source or origins of that component.
2 - Offer significant value. If your stuff is so good -- at a price
that is hard to refuse -- there's no incentive to waste time and money
reverse engineering anything. Reverse engineering is expensive. Make
your product slightly less expensive.
3 - Offer upgrades and enhancements that make any reverse engineering
a bad idea. When the next release breaks their reverse engineering,
there's no point. This can be carried to absurd extremes, but you
should offer new features that make the next release more valuable
than reverse engineering.
4 - Offer customization at rates so attractive that they'd rather pay
you to build and support the enhancements.
[...] """

About py2exe, it is a really limited obfuscation cause it actually
just stores the .pyc byte code files in a .zip archive. It means that
you can unzip your .exe file and see what's inside, there's no
protection at all. Though, the python byte code files offer a basic
protection since you need to use some tools like uncompyle, pyretic or
pycdc.

" I also clear the windows clipboard on every run of the main program
loop thus preventing the user from taking screen grabs with print
screen."
This seems so wrong man, what if the user is trying to copy/paste
anything while your program is running on the background?

Why bother? The average user won't care, the skilled users will see through
your ruse like it's plastic wrap, and the ones who care but aren't that good
will just find out what the skilled users did on the internet. The only
thing you do by adding obfuscation is make it a little bit more of a pain
for others to modify and improve your program, and make it a lot more of a
pain for you to test your program.

Post by diliup gabadamudalige
Thanks for the responses.
Firstly I am a bit amused that everybody assumes that I am writing some
kind of game. I never mentioned any game. Is it because of Pygame? :) :)
I am using Pygame as my graphic interface because it is easy to display
all graphics and music (with some MIDI) using Pygame. Incidentally I am
writing a music teaching software.
I use maketrans with a code string and then XOR the result using another
string and then finally base64 it before writing it to disk. So all files
change the file ext they can not open the file in anything other than a text
file editor.
If we keep the worst case scenarios out my majority users would be average
computer users and I doubt somone taking the trouble to reverse engineer
this software which is absolutely unknown. Maybe they will do so if it gets
world famous ( :-) ) but then I will hire a professional team to encrypt it
or I will use a dongle protection. But right now I am trying to close the
files from prying eyes. When compiled with py2exe all the py files are
strung together and one exe file is formed but all the assets remain in the
folder with the same names inside the folder where the exe is. So anyone can
simply copy the files and the text inside. But this way they have no access
as the zip file is encrypted. If they crack that open then all the files are
encrypted and the encrypted password is in another py file inside the exe.
Isn't this some kind of protection against no protection at all? I also
clear the windows clipboard on every run of the main program loop thus
preventing the user from taking screen grabs with print screen., These are
taking into account THE THE AVERAGE USER.
Considering the average user are the precautions I have taken fair? What
do you think?

--
Diliup Gabadamudalige
http://www.diliupg.com
http://soft.diliupg.com/
**********************************************************************************************
This e-mail is confidential. It may also be legally privileged. If you are
not the intended recipient or have received it in error, please delete it
and all copies from your system and notify the sender immediately by return
e-mail. Any unauthorized reading, reproducing, printing or further
dissemination of this e-mail or its contents is strictly prohibited and may
be unlawful. Internet communications cannot be guaranteed to be timely,
secure, error or virus-free. The sender does not accept liability for any
errors or omissions.
**********************************************************************************************

diliup gabadamudalige

2014-08-26 04:40:09 UTC

Permalink

Dear Vincent and Dan,

All points taken positively. I'm still learning Python and all this help
and advice is making me write better and more pythonic code.

I will leave this path and continue on the one I started traversing.

I thank you all very much. May you be well.

Post by Vincent Michel
I agree with Dan.
http://stackoverflow.com/questions/261638/how-do-i-protect-python-code
""" Since no technical method can stop your customers from reading
your code, you have to apply ordinary commercial methods.
1 - Licenses. Contracts. Terms and Conditions. This still works even
when people can read the code. Note that some of your Python-based
components may require that you pay fees before you sell software
using those components. Also, some open-source licenses prohibit you
from concealing the source or origins of that component.
2 - Offer significant value. If your stuff is so good -- at a price
that is hard to refuse -- there's no incentive to waste time and money
reverse engineering anything. Reverse engineering is expensive. Make
your product slightly less expensive.
3 - Offer upgrades and enhancements that make any reverse engineering
a bad idea. When the next release breaks their reverse engineering,
there's no point. This can be carried to absurd extremes, but you
should offer new features that make the next release more valuable
than reverse engineering.
4 - Offer customization at rates so attractive that they'd rather pay
you to build and support the enhancements.
[...] """
About py2exe, it is a really limited obfuscation cause it actually
just stores the .pyc byte code files in a .zip archive. It means that
you can unzip your .exe file and see what's inside, there's no
protection at all. Though, the python byte code files offer a basic
protection since you need to use some tools like uncompyle, pyretic or
pycdc.
" I also clear the windows clipboard on every run of the main program
loop thus preventing the user from taking screen grabs with print
screen."
This seems so wrong man, what if the user is trying to copy/paste
anything while your program is running on the background?

Post by Dan Uznanski
Why bother? The average user won't care, the skilled users will see

through

Post by Dan Uznanski
your ruse like it's plastic wrap, and the ones who care but aren't that

good

Post by Dan Uznanski
will just find out what the skilled users did on the internet. The only
thing you do by adding obfuscation is make it a little bit more of a pain
for others to modify and improve your program, and make it a lot more of

Post by Dan Uznanski
pain for you to test your program.
On Mon, Aug 25, 2014 at 4:04 PM, diliup gabadamudalige <

files