?
Solved

vc++ - storing strings securely in exe files

Posted on 2004-08-31
13
Medium Priority
?
293 Views
Last Modified: 2010-04-15
hi !!

in my prog, i have to perform encryption, for which i use a key. this key is stored in a const char variable. my app depends on this key being kept private. however, if i open the exe in a hex editor, and look around, the key is displayed in plain sight ...anyway to hide it ??

more general case - anyway to hide const char* in an exe, so that they don't appear in hex editors ?? one way i was thinking would be to assign char by char to the string.. don't know whether this would work though .. and besides, its too tedious to do for all the strings in a prog..

muskad202
0
Comment
Question by:muskad202
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
  • 2
13 Comments
 
LVL 86

Expert Comment

by:jkr
ID: 11944547
>>anyway to hide const char* in an exe, so that they don't appear in hex editors ??

No, there is no way. As a simple protection measure, you could just byte-reverse the key and/or add/subtract a certain value from each byte.
0
 
LVL 55

Accepted Solution

by:
Jaime Olivares earned 200 total points
ID: 11944785
I have answered this question before but still I can't find the question. Here is the general idea, if you like I can explain you later:
save your sensitive strings as a resource (string type). Make proper modifications in your program to do that. Create a function (LoadMyString) to read a string from your exe's resource.
Once you have this ready, create a little utility to search strings in an exe's resources string and cypher them with the algorithm you like.
Now, modify your LoadMyString function to decypher string after loading from exe's resource.
This little utility will help you in every project you have.
 
0
 
LVL 86

Expert Comment

by:jkr
ID: 11944878
And, what's the difference (except of storing the string in a resource)?
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 2

Author Comment

by:muskad202
ID: 11944915
jaime_olivares: one thing .. the ciphering process would require a key ... which would need to be stored in the exe itself for deciphering .. any way to hide tht too ??
muskad202
0
 
LVL 86

Expert Comment

by:jkr
ID: 11944957
That's why I suggested a 'simple' method. BTW, you have to be clear about one thing: When debugging your application, there will be the time when your key will reside in memory in a unencrypted, clear way. And right *then* it can be grabbed anyway...
0
 
LVL 55

Expert Comment

by:Jaime Olivares
ID: 11945128
>And, what's the difference (except of storing the string in a resource)?
The different is that you can reach the string easily with simple WinApi functions, don't have to search in the middle of an exe's executable portion. The cipher algorithm is not inside, just the decipher.

>the ciphering process would require a key ... which would need to be stored in the exe itself for deciphering .. any way to hide tht too ??
Yes, you can hide it in many ways, but at least all your strings will be totally unlegible. Even you can use a strong alg. like 3DES, IDEA or many others.

>That's why I suggested a 'simple' method. BTW, you have to be clear about one
> thing: When debugging your application, there will be the time when your key will
 >reside in memory in a unencrypted, clear way. And right *then* it can be grabbed >anyway...
My method is more secure than this:
>As a simple protection measure, you could just byte-reverse the key and/or
> add/subtract a certain value from each byte.
There are very well-know algorithms that detect byte-reverse and xor'ed strings easily. It will be harder to find a key in memory, but remember that there is not perfect algorithm, just some better than others.

You have to consider also who is interested in crack your software, a hobbist cracker, a mid-ranged cryptoanalyst or a goverment heavy weight guru.
0
 
LVL 2

Author Comment

by:muskad202
ID: 11945166
"jaime_olivares" : can u tell me any way to hide the key ??

thanks :)
muskad202
0
 
LVL 55

Expert Comment

by:Jaime Olivares
ID: 11945195
You can store it at different variables declared at different times.
You can store in the resouce ciphered with another key.
You can make some math with key components
Any combinations of the above.

It is true that you will have the key in the memoty at some moment, every cipher software does, but you can store it in an unordered fashion to difficult cracking.
0
 
LVL 86

Expert Comment

by:jkr
ID: 11945202
>>The different is that you can reach the string easily with simple WinApi functions, don't have to search in the middle
>>of an exe's executable portion

Um, what's so bad about

char* pszEncryptedKey = "...";

?

muskad202,

thanks for blissfully ignoring my statements and giving no response at all, maybe I can do that with your Qs in the future also.
0
 
LVL 55

Expert Comment

by:Jaime Olivares
ID: 11945282
>Um, what's so bad about
>char* pszEncryptedKey = "...";

I will tell you the advantages. Assumming that you will store the string cyphered let's say:
char* pszEncryptedKey = "KFHOR5UGD8NVJHLEOFJGF0H4EKD2OP4WEJFHF7KDO1RUHGVJFD";

You have to cypher manually each sensitive string of your application. With my method you don't have to do that, just store the unciphered string in a resource and use the utility program I suggested to cypher every resource string, automatically, in batch.
Your internal decyphering string could detect if string is cyphered or not, and decipher as needed, so you can have a protected and an unprotected version of your exe.
If you decide to change a string (or many strings), it is simple just do it, and run the cyphering tool again. No pain.


 
0
 
LVL 86

Expert Comment

by:jkr
ID: 11948166
Yup, you indeed have a point about the "manually" thing. But, generating a .rc file instead of a .c file does not make a big difference :o)
0
 
LVL 55

Expert Comment

by:Jaime Olivares
ID: 11948217
I think you have not understood me clear. I suggest to design a little utility to modify an .exe resource strings **after** compiling. It is a big differente if you try to search those strings inside the .exe's code.
Even you can translate strings and recipher to create international versions.
There are lots of advantages, exposing only a few.
0
 
LVL 86

Expert Comment

by:jkr
ID: 11948234
Yes, if you change them after compiling this is *indeed* an advantage on Win32 systems.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Preface I don't like visual development tools that are supposed to write a program for me. Even if it is Xcode and I can use Interface Builder. Yes, it is a perfect tool and has helped me a lot, mainly, in the beginning, when my programs were small…
Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
The goal of this video is to provide viewers with basic examples to understand and use pointers in the C programming language.
Video by: Grant
The goal of this video is to provide viewers with basic examples to understand and use nested-loops in the C programming language.
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question