Thoughts regarding obfuscated Python code in WoT modifications

Source: Elkano, EU WoT Forums

Note: This post is mainly directed towards other authors of modifications for WoT, although it might be of interest to other users, too.

Many modifications for WoT are at least partially written in Python, with their compiled source code resulting in .pyc files. In general, it is not hard to decompile these files again in order to obtain the original code. There are numerous tools around that can be used for this.
However, there are also plenty of WoT modifications around for which they don’t succeed. The reason for this is that their author decided to obfuscate the code in order to prevent access to the source code.

Why would someone choose to do so, i.e. block access to the sources?

There are mainly two reasons for this.

  1. preventing that others
    • further modify the code
    • base own work on it
    • claim it as their own
  2. hiding malicious intentions and code

While fortunately I haven’t found any mod that would fall in the second category, yet, it’s still potential use case often found in malware.
And with (most?) of the Python API at hand, a lot of dirty stuff is possible from with a modification’s code.
There are already wide spread mods around that will report their usage (e.g. the player’s unique id and time of use) to the author which could be considered a privacy violation.
While this is mostly harmless, other data could also be included in the upload or downloaded to your PC.

The first group however consists of valid reasons, mainly the protection of the author’s intellectual property.
However, it also prevents others from learning from the code or maintaining it if the author decides to stop doing so himself (BUT unless he has given permission, e.g. in the form of a license, you aren’t legally allowed to do so anyways).

How is the code obfuscated?

In the context of Python code and WoT, I’ve observed mainly three forms of code obfuscation:

  • source code modification
    The code is altered in order to make it more difficult to understand what it is intended to do. This can range from changing variable names and masking values in meaningless calculations to altering the control flow of the program.
  • byte code wrapping
    The compiled code is wrapped in an additional layer such that it will be loaded from a (calculated) string at run time, preventing direct access.
  • byte code tampering
    The byte code is manipulated into a form that can’t be achieved with the normal compiler, it will however still run. This can take the form of invalid opcodes and misaligned jumps in the code.

Why should I, as a player, care? I just want to run it anyways…

From the listed methods, only variable renaming (and some forms of control flow alteration, e.g. loop unrolling) won’t affect performance.
Others will only prolong the initial load time when the unwrapping is done.
The rest does directly affect the performance during runtime, however it’s likely you wont notice much of a difference, even if multiple layers of obfuscation are in place.

So the only reason why you might care is that no one is able to have a look at the code. Most users will not be interested in it anyways but it means that you’ll have to trust the author as there’ll also be no other user doing any kind of code review. This also includes Wargaming. Any malicious behavior can thus only be detected “in action”. And bugs causing crashes and low performance won’t be pointed out, either.

Why should I, as a author, care?

As I said before, I consider the intent to protect your intellectual property a valid reason for considering to use obfuscation.
But you should also ask yourself why you are releasing modifications for WoT.
Just for fame and potential monetization of your content? Or are you doing it to support the players and community?
We still lack any (decent) from of code documentation, so why not share your code as an additional example and source of discussion.

I should also note that obfuscation does not completely prevent access to the sources, it just makes it harder since the usual tools will no longer work.
This is due to the fact that the code still has to be run by WoT.

Having looked into how it’s usually done (and how to work around it) I decided to not apply obfuscation myself anymore, at least for WoT.
Since I’m also coding addons for WoW, I’m used to my code being open sourced i.e. readable. Note that this does not imply that anyone is automatically allowed to produce derivative work, it will however not stop them from doing so if they opt to not care.

What’s the view of other authors (coders and mod pack maintainers alike) on that matter?
If you do obfuscate your code, mind to share your reasons? Same if you actively decided against hide your code.