I haven’t toyed around with Panda3D very much yet, but from what I’ve seen so far I’m thoroughly impressed. So now I’m currently considering using it for a big project in the future, but a few things have had me worried.
One of them involves the Python coding system. I’ve read that the power comparison between using C++ and Python in Panda3D are virtually the same, while Python offers a faster developmental period. But the big issue I never really figured out is if it’s possible to hide the Python code from the users. This is in regards to security, as I intend on using it for an online multi-player project, and having access to the code would essentially allow for unlimited cheating. I obviously wouldn’t want that, so I need to know if it’s possible to lock people out of the code to keep them from tampering with it.
Any help/suggestions are much appreciated. Thank you for your time.
even if you write in assembler… keeping people out of the code is not possible.
you can hide it from beeing readable “just like that” by only distributing bytecode.
the by far more important point is. no matter how hard you try, you can not trust a client in a network application. so best thing you can do is to make your server more secure and prevent a hacked client from disturbing other people’s game experience.
btw. discussions about python and security in multiplayer applications pop up from time to time on the forum so you might want to search for older threads where this topic was discussed in detail.
Py2exe is not very safe for that purpose, as it simply zips up the pyc files and embeds it into the .exe. You can even directly read them with a program like WinZip.
I prefer Freeze, which might be a tiny bit more safe than shipping .pyc files. It simply embeds .pyc code directly into the executable.
In the latest CVS (and in the future 1.7) there is a pfreeze utility that can easily and automatically freeze Panda games into .exe.
Note that the harder you make it to crack your game’s code, the more hackers you may attract.
It looks like freeze is only for *nix systems while py2exe is for windows…
Really sucks if its so insecure…
Does anyone know if it would be possible to use py2exe to only ship .pyc files???
Actually, Freeze is for Windows too. I’ve been using pfreeze myself for Windows, and it works great for me.
Packpanda can ship .pyc files too, although it generates quite big installer files.
Note that the upcoming Panda release will make it a lot easier to distribute your games.
Keep in mind that in the end, there is no entirely safe solution - whether py2exe, pyinstaller, freeze or just shipping pyc, anyone with a bit of experience will be able to alter some bits in the bytecode in the end. If you are afraid of cracked clients, I advise finding other ways to prevent that.
But if you just want to hide your source code, any of these solutions will work.
@pro-rsoft: can you please explain a bit more about pfreeze or freeze running on windows. so where do i find the pfreeze.py and how are the command flags. and is there anywhere a source to download pfreeze or freeze for windows? freeze.py dont got installed by installing python 2.5 on windows. thank you
I like the idea…I’ll wait for next release to see the results.
By the way, there are samples of make installers of panda using Setup scripts like NullSoft or InnoSetup ?
If you really wanted to go crazy, you could build your own Python and modify the pyc format into something bizarre so existing de-compilers won’t work. Then use Panda’s virtual file system to encrypt the source materials. Re-write the BAM system for Panda into some custom format. Generally, do everything you can to make as annoying as possible to reverse-engineer the game contents.
However, even for an online game, this won’t stop determined people. Until we live in a world were something like Trusted Computing is a reality*, then you can’t do anything about people examining your running code.
*I hope we don’t! It’ll be the end of people like me!
Heck, even your assets aren’t safe: You can use a program like glIntercept to dump all textures/meshes from an OpenGL program.
You can also play the eternal cat-and-mouse game and perform invasive scans of your user’s PCs when they connect to your servers, looking for modified files or processes. (Some MMORPGs do this.) But you will have to be on top of this all the time as determined cheaters will adapt quickly.
If you want to see how a popular MMORPG handles using Python, you should research EVE Online’s model. I am not familiar with their methods, but as far as I know they aren’t doing anything particularly heinous, such as the methods I’ve mentioned. The game is mostly Python code talking to a C++ graphics engine, just like Panda3d, and it adheres to the usual don’t-trust-the-client network model.
Of course, even assuming you decide not to bother with such draconian methods, I wouldn’t make it TOO easy. I’d at least strip out the pydoc strings.
I believe the parameter to pfreeze.py should be a module name, rather than a python file name.
So, in the VC command prompt, do this: H:
cd H:\Panda3D-1.6.2\products\Dhessboard
ppython H:\Panda3D-1.6.2\direct\showutil\pfreeze.py -o boardcore.exe main
Er, no, that’s incorrect. You should not put the full path before the “main”, but instead, “cd” to the directory where main.py resides. Just execute the commands in my previous post.
