Nyami
FeaturesHow It WorksComparisonBlog

How It Works

A single Python file enters a pipeline of 40+ protection modules and emerges as a hardened, polymorphically-encrypted binary with active runtime defense.

1. Parse & Prepare

AST Parsing

Your Python source is parsed into an Abstract Syntax Tree. Every function, class, import, and expression is mapped for transformation.

Variable Renaming

All identifiers (variables, functions, classes) are replaced with random, meaningless names using a cryptographically seeded generator. Imports and builtins are preserved.

Minification

Whitespace, comments, docstrings, and unnecessary tokens are stripped. Reduces file size and removes human-readable annotations.

Number Conversion

Numeric literals are converted to hex, octal, or binary representations. Integer constants are broken into arithmetic expressions.

All-Names Preservation

Module __all__ exports are preserved through the entire obfuscation pipeline. Obfuscated scripts can still be used as importable modules with correct public APIs.

Multi-Layer Encoding

The entire payload is run through a chained encoding pipeline: zlib compression, base64, base32, character scrambling, and string reversal. Each layer must be peeled in order at runtime.

2. Obfuscation

String Encryption

Every string literal is encrypted using XOR with random, per-session keys. Unicode-aware with configurable exclusion lists for strings that must remain readable.

Function Obfuscation

Individual functions are extracted, encrypted, and replaced with wrapped execution contexts. The original function body is only decrypted at call time.

Lite Function Obfuscation

Functions are compressed and marshaled into compact byte arrays using zlib, bz2, lzma, or pyzstd (whichever shrinks each function best). Decompiler breaker is applied before reinsertion.

Control Flow Flattening

Code structure is shattered into a switch-based state dispatch loop. All branching logic is collapsed into a single flat state machine -- the original if/else/loop structure becomes unrecoverable.

MBA Obfuscation

Mixed Boolean-Arithmetic transforms simple expressions (x + y) into algebraically equivalent but unrecognizable forms using MBA identities. 4 complexity levels.

Opaque Predicates

Always-true or always-false conditions are injected throughout the code using mathematical invariants (x*(x+1)%2==0, (x^2+x)%2). Static analysis cannot distinguish real branches from fake ones.

Junk Code Injection

Non-functional dead code and unreachable branches are inserted. Every junk block looks legitimate -- it uses real variables and calls real functions, but never executes.

Function Wrapping

The entire codebase is wrapped into a single function call. All imports are extracted and re-injected inside the wrapper, altering global scope visibility.

Bytecode Transformation

Bytecode is converted into an abstract instruction set executed by an embedded interpreter class. The interpreter dispatches operations from an integer-coded opcode list instead of native Python bytecodes.

3. Hardening & Anti-Tamper

Decompiler Breaking

Bytecode EXTENDED_ARG chains are deliberately corrupted in ways that specifically crash pylingual, pycdc, and uncompyle6. Decompilers see nonsense opcodes or infinite loops and abort.

Anti-Debug (11 Methods)

Process scan for debugger modules, VM environment detection via hardware/firmware/registry indicators, timing attacks (perf_counter drift detection), debugger DLL checks, parent/child process validation, hardware breakpoint detection, stack frame analysis. On detection: TerminateProcess.

Anti-Dump (Memory Zeroing)

Code objects are zeroed from memory via ctypes.memset after execution. Decrypted bytecode buffers are destroyed in-place so gc.get_objects() and memory dumps cannot recover them.

Memory Page Protection

Code memory is marked read-only at the OS level via VirtualProtect (Windows) or mprotect (Linux). In-memory patching and hot-patching tools are blocked at the page table level.

Hydra Anti-Tamper

3 cross-verified daemon threads are spawned at runtime. Thread 1 monitors built-in identity and system trace/profile state. Thread 2 issues heartbeats. Thread 3 respawns dead peers. If any thread detects tampering, the process hard-kills via ExitProcess, _exit, and a deliberate segfault.

Anti-Monkey-Patching

HMAC-SHA256 challenge-response tokens are issued at startup. Every critical built-in function (exec, eval, compile, __import__) is verified against its original reference before each use. Any mismatch triggers immediate termination.

Integrity Checks (Marshal Level)

The code payload is loaded via ctypes.PyMarshal_ReadObjectFromString directly into a types.CodeType object. If the marshal data is tampered with, the call fails and the process exits. No fallback to Python-level marshal.loads.

Anti-VM Detection

8 detection methods: CPU vendor string inspection, MAC address vendor prefix matching, BIOS serial/version patterns, system firmware checks, hardware device enumeration, SMBios table analysis, display driver checks, and register-based heuristic flags.

Audit Hook Protection

Python audit hooks are installed at bootstrap that block unauthorized syscalls, subprocess creation, and debugger attachment. The audit hook itself is validated before each invocation.

Caller Frame Validation

Every execution context validates its call stack: the frame chain is inspected to ensure code is being called from a legitimate obfuscated context, not from an injected ctypes callback or eval injection.

Anti-Trace Anti-Profile

sys.settrace and sys.setprofile are captured and their original references are stored. A background thread polls the current trace/profile state every 2 seconds. If a tracer or profiler is detected, the process hard-kills.

4. Encryption & Packaging

Bytecode Encryption (AES-256-GCM)

The entire code object is encrypted with AES-256-GCM using authenticated encryption. A random key and nonce are generated per build, then scrambled into the stub loader.

White-Box Cryptography

An 8-round Feistel network cipher where the key is embedded in 2 substitution-boxes per round (256 bytes each), derived via SHA-256 expansion. The key is never reconstructed at runtime -- only the lookup tables exist in the output, making key extraction impossible.

Polymorphic Key Derivation

5 unique key derivation schemes (PBKDF2-HMAC-SHA256, dual-SHA-256, reversed-seed-multi-hash, XOR-rotated, and seed-split-HMAC) are randomly selected per build. Two obfuscations of the same file produce structurally different outputs with different encryption parameters.

Polymorphic Stub Generation

A self-extracting stub is generated with nested function wrappers, encrypted marshal payloads, and version-locked bootstrap code. 5 stub variants exist, each using a different decryption and loading strategy.

Custom N-Serialize Format

The obfuscated code object is serialized using a custom format (NYCO magic bytes) that cannot be parsed by standard Python marshal or pickle. Custom deserializer code is injected into the output to reverse this at runtime.

Compression (pyzstd)

The final encrypted payload is compressed using Zstandard (pyzstd) compression before being embedded in the stub. Decompression happens inside the stub before decryption, further complicating static analysis.

Watermark Embedding

A tamper-proof watermark is embedded in the obfuscated output identifying it as Nyami-protected. If the watermark is removed or altered, the obfuscated code raises a RuntimeError.

5. Compilation & Distribution (Optional)

PYTOC (Python To C)

Obfuscated Python is compiled to a native .pyd extension via Cython. The transformation goes Python -> .pyx -> C -> compiled machine code, eliminating Python source entirely while maintaining a single-file import interface.

PyInstaller Automation

Automatic PyInstaller spec file generation with full hidden-import collection. Scans the original script for all import statements, maps third-party modules to their package names, resolves transitive dependencies, and generates a build-ready spec.

HWID Locking (AES-256-GCM)

Hardware-bound encryption locks the obfuscated output to specific machines. A hardware fingerprint (UUID, MAC, disk serial) is hashed via PBKDF2 and used as AES-GCM additional authenticated data. The file will only decrypt on the authorized machine.

Trial System

Time-limited licensing built into the obfuscated output. Supports multi-unit specifications (30d, 6mo, 1y). The expiration is embedded in the encrypted payload and checked at runtime against a secure timestamp.

Secure Cleanup

Temporary build artifacts (pyx files, intermediate C sources, build directories) are overwritten in 3 passes before deletion. Forensic recovery of intermediate compilation artifacts from disk is prevented.

Bootstrap Generation

A version-locked bootstrap loader is generated for each build. The bootstrap checks sys.version_info at import time, installs audit hooks, validates the runtime environment, and only then proceeds to decrypt and execute the payload.

Ready to protect your code?

Start with a single obfuscation token for EUR 1 -- no subscription required.

View all features