pyobfuscator.com offers a multi-layer obfuscation mode that applies the full encode pipeline twice. The result is an obfuscated loader whose payload is another obfuscated loader.
How Single-Layer Works
Standard obfuscation: source code is zlib-compressed, Base64-encoded, reversed, and wrapped in a lambda. The output is a two-line file where the payload decodes directly to your source.
How Multi-Layer Works
Multi-layer mode takes the entire two-line output of the first pass and runs it through the same pipeline again. Pass 1 produces Loader 1. Pass 2 encodes Loader 1 to produce Loader 2. The final file decodes to Loader 1 when executed, and Loader 1 decodes to the original source. A reverse engineer must apply two decode steps to recover the original code.
Does It Significantly Improve Protection?
Technically: marginally. Anyone who recognizes the single-layer pattern will also recognize the two-layer pattern. Both are reversible with the same decode command applied twice. The real benefit is against automated static-analysis tools tuned for the single-layer pattern.
Trade-offs
- Size: The payload is larger -- expect roughly 30-40% size increase over single-layer.
- Runtime: Two decompress + decode operations instead of one -- negligible on modern hardware.
- Compatibility: Identical to single-layer -- only built-in
zlibandbase64required.
When to Use Multi-Layer
- When you want to defeat automated scanners tuned for the single-layer pattern
- When the extra size is acceptable
- As an additional deterrent alongside other measures like Cython or licensing
When to Stick with Single-Layer
For most use cases, single-layer obfuscation is the right choice -- simpler, smaller, faster, and provides the same practical protection against non-expert users.