WhatThePy targets CPython 3.10 through 3.14 on Windows. Generated artifacts are intended to run only on the same CPython minor version that built them.
WhatThePy is a deterrence tool, not a security boundary. It is designed to:
- reject truncated, oversized, duplicated, or tampered payloads fail-closed
- hide literals and payload bytes behind compression, encryption, and scattering
- detect simple pure-Python monkeypatches of core loader callables before execution
- expose static import metadata for PyInstaller without executing those imports at startup
WhatThePy is not designed to stop:
- a skilled reverse engineer with debugger or live process access
- generic dynamic dumping of decrypted code objects from memory
- native code injection, kernel hooks, or patched CPython builds
- an attacker who controls the host before the obfuscated script starts
Before loading a payload, generated stubs verify that:
marshal.loadsis the built-in C implementation (with a reload fallback)zlib.decompressobjis the expected built-in typetypes.FunctionTypeis the expected built-in type used as the execution sinkhmac.compare_digestandhashlib.sha256are the expected built-in callables
If verification fails, the loader raises RuntimeError("loader runtime modified") and exits without executing user payload code.
These checks detect common sitecustomize-style Python wrappers. They do not claim resistance to native hooks or a compromised interpreter.
If you believe you found a security issue, open a private report through GitHub Security Advisories for this repository. Include:
- affected WhatThePy version
- CPython version and platform
- minimal reproduction steps
- expected vs actual behavior
Please do not open public issues for exploit details before a fix is available.
Do not rely on WhatThePy to protect secrets, credentials, licensing logic, or valuable intellectual property. Treat obfuscated output as harder to read, not impossible to recover.