Solved

vc++ - storing strings securely in exe files

Posted on 2004-08-31
13
287 Views
Last Modified: 2010-04-15
hi !!

in my prog, i have to perform encryption, for which i use a key. this key is stored in a const char variable. my app depends on this key being kept private. however, if i open the exe in a hex editor, and look around, the key is displayed in plain sight ...anyway to hide it ??

more general case - anyway to hide const char* in an exe, so that they don't appear in hex editors ?? one way i was thinking would be to assign char by char to the string.. don't know whether this would work though .. and besides, its too tedious to do for all the strings in a prog..

muskad202
0
Comment
Question by:muskad202
  • 6
  • 5
  • 2
13 Comments
 
LVL 86

Expert Comment

by:jkr
ID: 11944547
>>anyway to hide const char* in an exe, so that they don't appear in hex editors ??

No, there is no way. As a simple protection measure, you could just byte-reverse the key and/or add/subtract a certain value from each byte.
0
 
LVL 55

Accepted Solution

by:
Jaime Olivares earned 50 total points
ID: 11944785
I have answered this question before but still I can't find the question. Here is the general idea, if you like I can explain you later:
save your sensitive strings as a resource (string type). Make proper modifications in your program to do that. Create a function (LoadMyString) to read a string from your exe's resource.
Once you have this ready, create a little utility to search strings in an exe's resources string and cypher them with the algorithm you like.
Now, modify your LoadMyString function to decypher string after loading from exe's resource.
This little utility will help you in every project you have.
 
0
 
LVL 86

Expert Comment

by:jkr
ID: 11944878
And, what's the difference (except of storing the string in a resource)?
0
 
LVL 2

Author Comment

by:muskad202
ID: 11944915
jaime_olivares: one thing .. the ciphering process would require a key ... which would need to be stored in the exe itself for deciphering .. any way to hide tht too ??
muskad202
0
 
LVL 86

Expert Comment

by:jkr
ID: 11944957
That's why I suggested a 'simple' method. BTW, you have to be clear about one thing: When debugging your application, there will be the time when your key will reside in memory in a unencrypted, clear way. And right *then* it can be grabbed anyway...
0
 
LVL 55

Expert Comment

by:Jaime Olivares
ID: 11945128
>And, what's the difference (except of storing the string in a resource)?
The different is that you can reach the string easily with simple WinApi functions, don't have to search in the middle of an exe's executable portion. The cipher algorithm is not inside, just the decipher.

>the ciphering process would require a key ... which would need to be stored in the exe itself for deciphering .. any way to hide tht too ??
Yes, you can hide it in many ways, but at least all your strings will be totally unlegible. Even you can use a strong alg. like 3DES, IDEA or many others.

>That's why I suggested a 'simple' method. BTW, you have to be clear about one
> thing: When debugging your application, there will be the time when your key will
 >reside in memory in a unencrypted, clear way. And right *then* it can be grabbed >anyway...
My method is more secure than this:
>As a simple protection measure, you could just byte-reverse the key and/or
> add/subtract a certain value from each byte.
There are very well-know algorithms that detect byte-reverse and xor'ed strings easily. It will be harder to find a key in memory, but remember that there is not perfect algorithm, just some better than others.

You have to consider also who is interested in crack your software, a hobbist cracker, a mid-ranged cryptoanalyst or a goverment heavy weight guru.
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 2

Author Comment

by:muskad202
ID: 11945166
"jaime_olivares" : can u tell me any way to hide the key ??

thanks :)
muskad202
0
 
LVL 55

Expert Comment

by:Jaime Olivares
ID: 11945195
You can store it at different variables declared at different times.
You can store in the resouce ciphered with another key.
You can make some math with key components
Any combinations of the above.

It is true that you will have the key in the memoty at some moment, every cipher software does, but you can store it in an unordered fashion to difficult cracking.
0
 
LVL 86

Expert Comment

by:jkr
ID: 11945202
>>The different is that you can reach the string easily with simple WinApi functions, don't have to search in the middle
>>of an exe's executable portion

Um, what's so bad about

char* pszEncryptedKey = "...";

?

muskad202,

thanks for blissfully ignoring my statements and giving no response at all, maybe I can do that with your Qs in the future also.
0
 
LVL 55

Expert Comment

by:Jaime Olivares
ID: 11945282
>Um, what's so bad about
>char* pszEncryptedKey = "...";

I will tell you the advantages. Assumming that you will store the string cyphered let's say:
char* pszEncryptedKey = "KFHOR5UGD8NVJHLEOFJGF0H4EKD2OP4WEJFHF7KDO1RUHGVJFD";

You have to cypher manually each sensitive string of your application. With my method you don't have to do that, just store the unciphered string in a resource and use the utility program I suggested to cypher every resource string, automatically, in batch.
Your internal decyphering string could detect if string is cyphered or not, and decipher as needed, so you can have a protected and an unprotected version of your exe.
If you decide to change a string (or many strings), it is simple just do it, and run the cyphering tool again. No pain.


 
0
 
LVL 86

Expert Comment

by:jkr
ID: 11948166
Yup, you indeed have a point about the "manually" thing. But, generating a .rc file instead of a .c file does not make a big difference :o)
0
 
LVL 55

Expert Comment

by:Jaime Olivares
ID: 11948217
I think you have not understood me clear. I suggest to design a little utility to modify an .exe resource strings **after** compiling. It is a big differente if you try to search those strings inside the .exe's code.
Even you can translate strings and recipher to create international versions.
There are lots of advantages, exposing only a few.
0
 
LVL 86

Expert Comment

by:jkr
ID: 11948234
Yes, if you change them after compiling this is *indeed* an advantage on Win32 systems.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Windows programmers of the C/C++ variety, how many of you realise that since Window 9x Microsoft has been lying to you about what constitutes Unicode (http://en.wikipedia.org/wiki/Unicode)? They will have you believe that Unicode requires you to use…
This is a short and sweet, but (hopefully) to the point article. There seems to be some fundamental misunderstanding about the function prototype for the "main" function in C and C++, more specifically what type this function should return. I see so…
Video by: Grant
The goal of this video is to provide viewers with basic examples to understand and use nested-loops in the C programming language.
The goal of this video is to provide viewers with basic examples to understand and use conditional statements in the C programming language.

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now