Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 297
  • Last Modified:

vc++ - storing strings securely in exe files

hi !!

in my prog, i have to perform encryption, for which i use a key. this key is stored in a const char variable. my app depends on this key being kept private. however, if i open the exe in a hex editor, and look around, the key is displayed in plain sight ...anyway to hide it ??

more general case - anyway to hide const char* in an exe, so that they don't appear in hex editors ?? one way i was thinking would be to assign char by char to the string.. don't know whether this would work though .. and besides, its too tedious to do for all the strings in a prog..

muskad202
0
muskad202
Asked:
muskad202
  • 6
  • 5
  • 2
1 Solution
 
jkrCommented:
>>anyway to hide const char* in an exe, so that they don't appear in hex editors ??

No, there is no way. As a simple protection measure, you could just byte-reverse the key and/or add/subtract a certain value from each byte.
0
 
Jaime OlivaresSoftware ArchitectCommented:
I have answered this question before but still I can't find the question. Here is the general idea, if you like I can explain you later:
save your sensitive strings as a resource (string type). Make proper modifications in your program to do that. Create a function (LoadMyString) to read a string from your exe's resource.
Once you have this ready, create a little utility to search strings in an exe's resources string and cypher them with the algorithm you like.
Now, modify your LoadMyString function to decypher string after loading from exe's resource.
This little utility will help you in every project you have.
 
0
 
jkrCommented:
And, what's the difference (except of storing the string in a resource)?
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
muskad202Author Commented:
jaime_olivares: one thing .. the ciphering process would require a key ... which would need to be stored in the exe itself for deciphering .. any way to hide tht too ??
muskad202
0
 
jkrCommented:
That's why I suggested a 'simple' method. BTW, you have to be clear about one thing: When debugging your application, there will be the time when your key will reside in memory in a unencrypted, clear way. And right *then* it can be grabbed anyway...
0
 
Jaime OlivaresSoftware ArchitectCommented:
>And, what's the difference (except of storing the string in a resource)?
The different is that you can reach the string easily with simple WinApi functions, don't have to search in the middle of an exe's executable portion. The cipher algorithm is not inside, just the decipher.

>the ciphering process would require a key ... which would need to be stored in the exe itself for deciphering .. any way to hide tht too ??
Yes, you can hide it in many ways, but at least all your strings will be totally unlegible. Even you can use a strong alg. like 3DES, IDEA or many others.

>That's why I suggested a 'simple' method. BTW, you have to be clear about one
> thing: When debugging your application, there will be the time when your key will
 >reside in memory in a unencrypted, clear way. And right *then* it can be grabbed >anyway...
My method is more secure than this:
>As a simple protection measure, you could just byte-reverse the key and/or
> add/subtract a certain value from each byte.
There are very well-know algorithms that detect byte-reverse and xor'ed strings easily. It will be harder to find a key in memory, but remember that there is not perfect algorithm, just some better than others.

You have to consider also who is interested in crack your software, a hobbist cracker, a mid-ranged cryptoanalyst or a goverment heavy weight guru.
0
 
muskad202Author Commented:
"jaime_olivares" : can u tell me any way to hide the key ??

thanks :)
muskad202
0
 
Jaime OlivaresSoftware ArchitectCommented:
You can store it at different variables declared at different times.
You can store in the resouce ciphered with another key.
You can make some math with key components
Any combinations of the above.

It is true that you will have the key in the memoty at some moment, every cipher software does, but you can store it in an unordered fashion to difficult cracking.
0
 
jkrCommented:
>>The different is that you can reach the string easily with simple WinApi functions, don't have to search in the middle
>>of an exe's executable portion

Um, what's so bad about

char* pszEncryptedKey = "...";

?

muskad202,

thanks for blissfully ignoring my statements and giving no response at all, maybe I can do that with your Qs in the future also.
0
 
Jaime OlivaresSoftware ArchitectCommented:
>Um, what's so bad about
>char* pszEncryptedKey = "...";

I will tell you the advantages. Assumming that you will store the string cyphered let's say:
char* pszEncryptedKey = "KFHOR5UGD8NVJHLEOFJGF0H4EKD2OP4WEJFHF7KDO1RUHGVJFD";

You have to cypher manually each sensitive string of your application. With my method you don't have to do that, just store the unciphered string in a resource and use the utility program I suggested to cypher every resource string, automatically, in batch.
Your internal decyphering string could detect if string is cyphered or not, and decipher as needed, so you can have a protected and an unprotected version of your exe.
If you decide to change a string (or many strings), it is simple just do it, and run the cyphering tool again. No pain.


 
0
 
jkrCommented:
Yup, you indeed have a point about the "manually" thing. But, generating a .rc file instead of a .c file does not make a big difference :o)
0
 
Jaime OlivaresSoftware ArchitectCommented:
I think you have not understood me clear. I suggest to design a little utility to modify an .exe resource strings **after** compiling. It is a big differente if you try to search those strings inside the .exe's code.
Even you can translate strings and recipher to create international versions.
There are lots of advantages, exposing only a few.
0
 
jkrCommented:
Yes, if you change them after compiling this is *indeed* an advantage on Win32 systems.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 6
  • 5
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now