[Python-il] Fwd: Perl Vs. Python on Various Points

Beni Cherniavsky cben at users.sf.net
Wed Jul 15 12:47:58 IDT 2009

On Mon, Jul 13, 2009 at 16:19, Roman Gaufman<hackeron at gmail.com> wrote:
> I didn't tell my "clients" anything - my employer said you can't use
> Perl because it doesn't have compiled bytecode, I asked what about
> python, it does -  they came back to me saying to use it.
If you are satisfied with this outcome, more power to you ;-)
If want ammunition in favor of Perl:
1. Python bytecode is really easy to decompile, waaay easier than C.
  Details below.
  Be careful with stressing this, lest your employer demands C :-\
2. Perl also uses bytecode, it just doesn't spew it into files by default.
  But it's easy to do - see below.

> There are disassemblers and decompilers for just about all compiled
> bytecode out there - they show you the virtual machine instructions
> used and some reference identifiers. There are also disassemblers and
> decompilers for compiled C code, that also show you the machine
> instructions being used.

Bytecodes tend to use higher-level operations, with well-defined
function frames on stack, debug information, and no ugly C-style
optimizations (inlining, unrolling, order-changing scheduling, etc.)

Also, dynamic languages like Python have almost no information
that can be thrown out after compilation (e.g. types).  Everything
you write is needed for running.

> pyc is compiled bytecode - so while you can reverse engineer compiled
> bytecode (as you can reverse engineer just about everything) -- you
> don't have nesting depths, scope, type - all you have is numeric
> codes, numeric addresses and some visible references. It's a little
> more than fig-leaf protection.
Wrong!  Python bytecode retains scopes, variable names, etc.
Decompiled python code is really almost identical to original!
About the only thing you lost are comments:

You can achieve a bit more protection by obfuscating names:
but these only work on single-module projects and aren't 100% safe.

At the very least, use python -OO to produce .pyo without docstrings.
Note that -O also discards assert statements
(lesson: never use assert for input validation in Python).

Perl bytecode
(I never used any of those, just shooting relevant google results.)

I don't know how much information Perl bytecode retains;
from the little I know about Perl internals, I suspect it loses more
details and does more transformations than Python,
so decompiled code should looks less like the source.
If even more armor is needed, there are obfuscators for Perl too.

Beni <cben at users.sf.net>

More information about the Python-il mailing list