Solved

Hiding strings/keys & receiving encrypted data

Posted on 2007-10-14
Last Modified: 2013-11-23
Using Delphi 7..

Scenario: I have a delphi app which calls a php script.. this php script then connects to a MySQL db, authenticates their user/pass (passed as variables),  and returns a list of names and URLs (direct link to their portfolios pdf) from the db. The list of names is displayed to the user (not the links). When a user double clicks on a name, their portfolio is downloaded and displayed.

Problem: I want to make sure no one can find out the direct link to the pdfs. Also, I'd like to protect the application from being cracked and given different strings.

I think what I need to find out is how to hide strings in my delphi code. I can store the links encrypted on the db, but I don't know how to hide the key from prying eyes in my delphi code. Also, how can I protect it from a cracker trying to feed his own urls into it? i.e. i want to prevent the app from being modified and used with a db other than mine, or even opening pdfs stored locally.

Any suggestions? Or better methods  (but still as cheap) ?
Question by:kashleee
63 Comments
 
LVL 16

Accepted Solution

by:
CodedK earned 1200 total points
ID: 20076151
Hi kasleee.
"The list of names is displayed to the user " >> In your delphi form ?

The steps you should take :
1) Protect the executable and/or the dlls from reverse engineering.
2) Protect the application memory
3) Protect the traffic sent to / received from the server.

Solution :
1) Download and use some executable packer
AsProtect is by far the best. It hasn't been cracked. There is no automated unpacking solution.
Furthermore it protects your application memory so we cover the 2nd step.
So about the 3rd step.

{P.s Don't store any string you don't want the user to see in labels, only in variables...}

You should protect your application from Packet sniffers
To do this you can download any ADO component that supports encryption. A free one is AnyDac.
But it would be nice if you automate some encrypt / decrypt function from your Delphi app to your PHP
file and vice versa.

To see for yourself if everything works as it should you can download :
A packet sniffer from nirsoft.net
A memory string search application like Process Explorer from SysInternals.
A PE Sniffer to cross check your packed application and check the proposed unpackers.

I think that this should cover some decent level of security.
Hope this helps.
CodedK.
0
 
LVL 19

Expert Comment

by:MerijnB
ID: 20076266
how do you 'download' the pdf right now, do you do it yourself, if so, what protocol. Or do you use a normal internet browser to retrieve the pdf?
0
 

Author Comment

by:kashleee
ID: 20077211
CodedK: Yes, the list is displayed in a TListView. AsProtect looks ok and the price is reasonable. As far as automating an encrypt/decrypt function - I have been using this example successfully http://www.cityinthesky.co.uk/files/PHPEncryption.zip Would this be secure enough given that the key to decrypt would be hidden by AsProtect? Or does using a component like AnyDac offer advantages over this?

MerijnB: Apologies, I wasn't clear.  I download the pdf over http, using ICS.
0

 
LVL 19

Assisted Solution

by:MerijnB
MerijnB earned 300 total points
ID: 20077310
in this case, can't you do the decrypting or generating of the download URL server side in PHP, and not in your application.
In other words: the user double clicks on the name of a person, you 'download' the pdf not by directly linking to the pdf, but by opening a php page, which then will check the credentials of the user (just like you do with getting the list) and pass the right PDF back to your delphi app.

This way there is never a list of url's in your app, and that is the best way of making sure no one will ever hack it :)
0
 

Author Comment

by:kashleee
ID: 20077373
MerijnB: The pdfs are stored on various domains which aren't mine.. i'm guessing you mean store the file itself in the db?
0
 
LVL 19

Expert Comment

by:MerijnB
ID: 20077446
no, if I understand you correctly, at this time when a user logs in in your delphi app, it downloads a list of person's names from your server, with the location to download their portfolios with that, so that if the users clicks on a persons name, you can download the portfolio.

This means that the url's of the portfolios are stored in the database (not the portfolios themselves, but the locations where to download them). If this is so, you should be able to make a php page which 'redirects' you to the right portfolio.

So you'd have a GetList.php to which you give your username/password, which gives back a list of names (no urls to portfolios!).
Besides that you have a GetPortfolio.php to which you give your username/password and the id of a person. This php page can check your username/password, and if it matches redirect you to the url of the portfolio (since these urls are stored in the database). This way, the urls are never in your app.
0
 
LVL 16

Expert Comment

by:CodedK
ID: 20077466
Hi Kasleee.

My comment is based on the fact that you want to handle the strings in your Delphi app.
It's easier this way, but you need to do some things to secure it.
As i mentioned earlier 3 things are vulnerable.
Application, Memory and last net traffic.
If you secure those things then "no one" will mess with your code.
Doing the encryption server side and storing the file in your server dbase, provides the user with less things to tamper with. That's all. As i said earlier it would be nice to do some encryption function in your php file...

>> Would this be secure enough given that the key to decrypt would be hidden by AsProtect?
Or does using a component like AnyDac offer advantages over this?

Yes i think this thing would be very secure. I could start listing many commercial apps that use AsProtect. You'll see that you won't be able to find any keygen / serial...

0
 

Author Comment

by:kashleee
ID: 20078097
CodedK: Thank you for explaining further. When it comes to securing net traffic, is AnyDac more secure than the method I've been using?

MerijnB: Using   header("Location: ".$url);  ?
0
 
LVL 19

Expert Comment

by:MerijnB
ID: 20078120
that's an option, there are probably more, but I don't think there is much difference in them from this point of view
0
 

Author Comment

by:kashleee
ID: 20078216
i take it that ultimately, whichever way I use to hide the url's, someone will always be able to sniff the packets and find out where the pdf is being downloaded from (since the app downloads it over http).. or am I wrong?
0
 
LVL 16

Expert Comment

by:CodedK
ID: 20078262
No..
If someone starts to sniff the traffic he/she will see this :

Something that called the pdf perhaps a query ?
The first part of the pdf file
The second part of the pdf file
...
...
The last part.
Some ping requests.

This is it :)
0
 
LVL 19

Expert Comment

by:MerijnB
ID: 20078314
you won't be able to see it sniffing the traffic, like CodedK says, since the actual url is never sent over the net.
0
 
LVL 16

Expert Comment

by:CodedK
ID: 20078335
That's what i'm saying MerijnB :)
He will only see parts of the pdf.
But the query to the database he will be able to see it.
>>IF<< he queries the database.
0
 
LVL 19

Expert Comment

by:MerijnB
ID: 20078379
sure, but the query is just as secure as getting the list, in other words, you can only see the username and password you've provided yourself...
0
 
LVL 16

Expert Comment

by:CodedK
ID: 20078399
Exactly :)
So this is why i proposed AnyDAC. It can encrypt and compress the Password / Username.
0
 
LVL 19

Expert Comment

by:MerijnB
ID: 20078476
I don't see the need to compress the password / username, there is nothing one could do with that.
0
 
LVL 16

Expert Comment

by:CodedK
ID: 20078517
If he tries the application in a lan environment the password for the database could be sniffed.
I think this is not good.
0
 
LVL 19

Expert Comment

by:MerijnB
ID: 20078555
only if you're connected to a hub instead of a switch, which is very very unlikely these days.
0
 
LVL 16

Expert Comment

by:CodedK
ID: 20078606
You are right MerijnB.
At the time we are speaking i'm doing an application that sends queries to my webpage.
Reads / writes and deletes some records from the DB.
I'm going to give this app to 4 persons (admins).
They won't complete the password for the DB but a code that relies on their HD serial.
DB password is stored inside my app.

Now... I'm not afraid of those persons but in case someone gets this app, he could sniff the password that's why i sound so paranoid. :)
0
 

Author Comment

by:kashleee
ID: 20078684
I think I will use a combination of AsProtect to hide the strings + encryption and transfer of data... and use php redirects... it seems if I do this, I can protect the links, and also protect the application from being modified to use a different php script/database.

Anything more you have to add would be greatly appreciated.
0
 

Author Comment

by:kashleee
ID: 20078701
I missed some of your posts before posting! I will have the db username & pass in the php file... my users would be authenticated using a php authentication script
0
 
LVL 19

Expert Comment

by:MerijnB
ID: 20078707
even if someone sniffs the password, it's just the password they filled out in the app themselves, so I still don't see a reason to encrypt it to be honest :)
0
 
LVL 16

Expert Comment

by:CodedK
ID: 20078743
No MerijnB.
They fill the password i will generate based on the serial of their HD.
Now inside my app connects to the remote database.
So the sniffed packets appear like this :

Connect to : RmtDbase.
Table : Sooo
Password : Something
username : blabla

Select * from Users;

encrypted its like this :
(...2h..2.3 3.44.=1†[hnF]]]@ .sooo.[22ssdfRmtDba
0
 
LVL 19

Expert Comment

by:MerijnB
ID: 20078769
so in your case it's even less a 'problem'. _if_ someone figures out that it is their own HDD serial, they will know that their serial is not accepted.
Once you know that, you could try to figure out the hdd serial of someone who can use the program of course.
I'd rather encrypt the HDD serial you use as password, easier to do and you don't need commercial stuff.
0
 
LVL 19

Expert Comment

by:MerijnB
ID: 20078776
just saw AnyDAC is free, that makes things a lot nicer.

In that case, if it's no trouble to use it, why shouldn't you...
0
 

Author Comment

by:kashleee
ID: 20078863
when you used AnyDac in your app, you were still using AsProtect to prevent people from seeing the db password, right CodedK?
0
 
LVL 16

Expert Comment

by:CodedK
ID: 20078872
Yes thats right.
0
 
LVL 19

Expert Comment

by:MerijnB
ID: 20078874
why should you keep the db password in your app?
0
 
LVL 16

Expert Comment

by:CodedK
ID: 20078898
Me or kashlee ? :)
0
 
LVL 19

Expert Comment

by:MerijnB
ID: 20078917
if you use php as an interface to the db, anybody :)
0
 

Author Comment

by:kashleee
ID: 20078932
i think we both have the same answer... because we are not giving our users MySQL usernames and passwords.... we use our own authentication..  CodedK used AnyDac and stores the DB password in the app, i'm thinking of storing it in the php.. i think that's right :)
0
 
LVL 19

Expert Comment

by:MerijnB
ID: 20078941
ok, that explains
0
 
LVL 19

Expert Comment

by:MerijnB
ID: 20078946
and with that, it makes sense to encrypt your queries to the database :)
0
 
LVL 16

Expert Comment

by:CodedK
ID: 20078954
Look.
Maybe my English sucks bigtime :)
I'll try to explain.

I don't want the 4 other persons to know this password. The Db password...For the site.
>>Once you know that, you could try to figure out the hdd serial of someone who can use the program of course.<<
So i made a keygenerator that gives a certain password for a certain HDD Serial (The really Unique one).
I didn't use php for authentication. I decided that from the beginning because i worked for a long time securing and reversing apps.
I really really proposed from the beginning a combination or just server side but i stuck to the app side security since this was the initial question.
0
 

Author Comment

by:kashleee
ID: 20079028
Fantastic, we all understand each other now :)

MerijnB: yes it makes sense, together with something like AsProtect to protect the strings (the key, iv, etc).

you are both of great help, thanks
0
 

Author Comment

by:kashleee
ID: 20079253
CodedK: researching AsProtect on cracking forums, it seems that it's somewhat of a joke amongst them, with people referring to it as "protection" in inverted commas, because it's so easy to break. I've also seen links to unpackers for AsProtect (but not tried them). I can't really use something that already has a crack for it :)

Any different solutions or advice? Or possible techniques? Would something like building strings from an array of characters work to make things more difficult?
0
 
LVL 16

Expert Comment

by:CodedK
ID: 20079358
There is none. And i guarantee that there is NO automated unpacker for AsProtect.
It's the only one that requires manual unpacking. This product has been on the scene for ages
and had some unpackers for the earlier versions. Check the version on the official page and check
what Caspr (probably the one you found) can unpack or stripper. You'll be struggling with 0% success.
Manual unpacking is based on the knowledge someone has.
You could also try :
PeCompact, UPack in combination with exe cryptors, Mew, Morphine....
Manual Packing...

Probably you were reading some forum like exetools ;)
I'm not curious at all that those guys make a contest who will break it first.
Results : IF IF IF they manage to do it : ---> (Manually and with no general approach).
No application for the lamers.

Anyway check this :
--I can see many people acting and talking about cracking ASProtect.
Here at 2.2 I can hear a big silence...
--Has not registration keys. It is impossible to restore encrypting codes.

The way this encryption works there is no way to refix it because it just deletes a big part of the code.

0
 

Author Comment

by:kashleee
ID: 20079460
i have found this here http://azmoaore.wordpress.com/2007/05/13/unpacking-asprotect-2xx/  very quickly on google.. my worry is just that the moment someone can see the strings, all the security crumbles (because they will know the key).

The same with your application which you referred to... someone can use this tutorial to find your db password, despite you using AnyDac. It just doesn't seem so secure... most important thing for me is keeping those strings hidden
0
 
LVL 16

Expert Comment

by:CodedK
ID: 20079665
I have a version that this script doesn't support. If this script works. It's still an attachment in Olly debugger and i don't know if it can really fix the tables right. All the other scripts i tried really messed the code.
Btw Solodovnikov is the only one who caused so much trouble in the reverse forums.
Notice that the last version is in 2005 and this script was made in 2007. In the same forum you posted they mentioned all the problems for the previous automated unpackers. Basically they cripple the executable file. Furthermore he used to update his version every time someone found a weakness.
Now it has been bought from StarForce security systems and there has been talk about some new version.
Anyway feel free to try any other commercial or free packer. This was just a suggestion/favourite.
0
 
LVL 19

Expert Comment

by:MerijnB
ID: 20079674
What you want here is a 3-way handshake approach. I don't know if that is possible using php though. If you could write your own application server side you could make things much more secure.
0
 

Author Comment

by:kashleee
ID: 20079731
can you tell me which version you use? I value your comments, so I don't mean to come across as dismissive of your suggestion. Just trying to make sure :) if someone can read the key from the exe, and if they have a user/pass from me, they could write an app or whatever to duplicate my database of links.
0
 
LVL 19

Expert Comment

by:MerijnB
ID: 20079818
kashleee, you must realize that anything is hackable, the only thing you can do is change how much effort is needed to get there. But I agree, that this doesn't really sound promising for AnyDac.

I just figured that you probably can do a 3-way handshake using php, but it takes a little more effort.
0
 
LVL 16

Expert Comment

by:CodedK
ID: 20079967
Well Kashleee as MerijnB said everything is hackable. If it is worth the time that is.
If someone wants... Really wants to manually unpack your application then... It will be broken.
To make things harder for anyone you can break the things from the beginning.

The first thing i will do when it comes to disassembling a file is to see...
Is it packed ? If it is .. Then with what? Is there any ready made unpacker for that ?
Is it worth being cracked?
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
Well lets hit the first step.
Is it Packed ?
-> Here there are many PE Sniffers to do that job.
Download PeId : http://www.peid.tk/   
Download ExeInfo : http://www.exeinfo.go.pl/
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
Pack your executable with an EP protector like : Vmprotect.
Pack a second copy of your app with PackMan
(http://programmerstools.org/taxonomy/term/15?from=10)
(In the manual unpacking project they have everything commercial and free, you won't find these 2 anywhere ! There's a reason for this).
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
Scan your 2 copies... Nothing found / No packer detected / No unpacker suggested !
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
Create a new clean original copy...
Now protect a copy with VMProtect and then pack it with PackMan. Scan it.
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
How will anyone start to unpack this ? Only manually without knowing what he is facing.

Now... You can do the same with VMProtect and AsProtect. Try any script you like afterwards.
Or try any other detectable Protector that can be combined.

Hope this helps.
0
 
LVL 16

Expert Comment

by:CodedK
ID: 20079984
0
 
LVL 16

Expert Comment

by:CodedK
ID: 20079986
I just point the road you choose.
0
 
LVL 16

Expert Comment

by:CodedK
ID: 20080116
Also add these lines inside your project (after you finish it)
...
implementation
....
function IsDebuggerPresent :
   boolean; stdcall; external kernel32 name 'IsDebuggerPresent';
...
//On FormCreate event or any other crucial event :
~-~-~-~-~-~-
  if IsDebuggerPresent then
  begin
   Application.ShowMainForm := false;
   Application.Terminate;
  end;    
~-~-~-
0
 

Author Comment

by:kashleee
ID: 20080143
well you recommend AsProtect to be good enough to protect your db password, and you have far more experience than I do... are you suggesting VMProtect as a similar alternative to AsProtect?
0
 
LVL 16

Expert Comment

by:CodedK
ID: 20080248
--> VMProtect is a Protector (Virtual Machine) NOT
a Packer/Encryptor/MemoryProtector like AsProtect...

It's a virtual machine to execute your code. Something antivirus companies use for years. (Until virus creators learn how to crush it, then it just went better-perfect..something like a sandbox)

Guess what's the evil thing...You can combine those two !!! (Protector + Encrypt/Protect)

Now as i said you can buy AsProtect and VMProtect. OR u can use an undetectable packer (notcryptor) -->"PackMan" (ITS FREE) and use it in combination with VMProtect.
Old and some versions of AsProtect you can find within pages like Wayback.

Download the PESniffers i gave you and check the results ... You'll be amazed.
0
 

Author Comment

by:kashleee
ID: 20080758
Just to clear up/summarise the options:

1) AsProtect
or
2) VMProtect + Packman

Does option 2 protect the memory like 1?
0
 
LVL 19

Expert Comment

by:MerijnB
ID: 20080767
why don't you 'store' the sensitive keys encrypted in your source instead of literally?
0
 
LVL 16

Expert Comment

by:CodedK
ID: 20080771
1) AsProtect alone.
2) AsProtect with some Protector like VMProtect.
3) Unknown packer protector like PackMan
4) PackMan + VMProtect (Best results for time being)
5) Other Commercial or free packer/encrypter
0
 

Author Comment

by:kashleee
ID: 20080802
MerijnB: My understanding is, the delphi app will be receiving encrypted information, and I will need the decryption key in the code to decrypt it. I don't understand why encrypting the keys would help.. care to expand?
0
 
LVL 19

Expert Comment

by:MerijnB
ID: 20083668
because then the keys won't be easily readable in your source.

I still think best way though is to use a generated key instead of a static one.
0
 

Author Comment

by:kashleee
ID: 20084822
MerijnB: If you think using a generated key instead of a static is the best way, then can you please explain to me how to do it and why the method is better than using vmprotect+packman combo?
0
 
LVL 9

Expert Comment

by:Alex
ID: 20087042
A little bit more help if you want my friend kashleee.
I found a very good link for Anti Cracking and i thought that maybe you'll be interested in this.

Regards Alex_Code.
0
 
LVL 9

Expert Comment

by:Alex
ID: 20087049
0
 

Author Comment

by:kashleee
ID: 20087903
thanks, i've seen that one before. it says " Build strings dynamically or encrypt them." Like what MerijnB suggested i think.. however, i still don't understand why that makes it more secure or how to implement it.
Unless what is meant is something like... make the key out of manipulating username&pass ?
0
 
LVL 19

Expert Comment

by:MerijnB
ID: 20089121
the idea is simple:

the side which initiates contact generates a random key and sends it to the other side.
After that there is an authentication phase, so both sides know the other end is trustworthy.
Now both sides use the random generated key.

It's more secure because you never use the same key, and it's not stored anywhere in your application.
0
 
LVL 16

Expert Comment

by:CodedK
ID: 20089173
>>and it's not stored anywhere in your application.
What's stored in the application is the algorithm that generates the "random" key.
So if someone breaks through the app source then it's exactly the same thing as a stored key.
0
 
LVL 19

Expert Comment

by:MerijnB
ID: 20089184
like I said before, everything is hackable, you can only make it harder, this makes it harder.
0
 

Author Comment

by:kashleee
ID: 20098140
thanks for your help guys, i've learned a lot.

By the way,  I tried downloading a php file with a redirect, while sniffing the traffic. You can actually see the full URL. I am guessing this is because I am passing header data from php, which kind of seems obvious now! It's better to send the actual link encrypted back to the app rather than a link to a php file which redirects you.
0
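
The GetPortfolio.php idea from earlier in the thread, written so that the script fetches the PDF itself and returns only the bytes instead of sending header("Location: ..."), which is what put the full URL into the capture described above. This is an added example, not code posted by anyone in the thread; the table and column names, the POST field names and the database credentials are assumptions.

```php
<?php
// GetPortfolio.php -- added example, not code from this thread.
// Assumed schema: users(username, password_hash), portfolios(id, url).
// Assumed request: POST fields user, pass, id, sent over HTTPS so the
// credentials and the PDF are not readable on the wire.
declare(strict_types=1);

const DB_DSN  = 'mysql:host=localhost;dbname=example;charset=utf8mb4'; // placeholder
const DB_USER = 'example_user';                                        // placeholder
const DB_PASS = 'example_password';                                    // placeholder

function fail(int $status): void
{
    // Status code only: no body, no upstream details, no URL.
    http_response_code($status);
    exit;
}

$user = $_POST['user'] ?? null;
$pass = $_POST['pass'] ?? null;
$id   = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if (!is_string($user) || !is_string($pass) || !is_int($id)) {
    fail(400);
}

try {
    $pdo = new PDO(DB_DSN, DB_USER, DB_PASS, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

    // Same credential check as the list script, repeated on every download.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    if (!is_string($hash) || !password_verify($pass, $hash)) {
        fail(403);
    }

    // The URL is looked up here and never leaves the server.
    $stmt = $pdo->prepare('SELECT url FROM portfolios WHERE id = ?');
    $stmt->execute([$id]);
    $url = $stmt->fetchColumn();
} catch (PDOException $e) {
    fail(500);
}

if (!is_string($url) || !preg_match('#^https?://#i', $url)) {
    fail(404);
}

// Fetch the PDF server-side. Redirects are not followed and only
// http/https are allowed, so a bad row cannot point the fetch elsewhere.
$ch = curl_init($url);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => false,
    CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
    CURLOPT_CONNECTTIMEOUT => 5,
    CURLOPT_TIMEOUT        => 30,
]);
$body = curl_exec($ch);
$code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Pass on the body only if it is a 200 response that starts like a PDF.
if (!is_string($body) || $code !== 200 || strncmp($body, '%PDF-', 5) !== 0) {
    fail(502);
}

// Fresh headers only: nothing from the upstream response is forwarded.
header('Content-Type: application/pdf');
header('Content-Length: ' . strlen($body));
header('Cache-Control: no-store');
header('Content-Disposition: attachment; filename="portfolio-' . $id . '.pdf"');
echo $body;
```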
 

Author Comment

by:kashleee
ID: 20098686
it seems that i was slightly hasty in accepting answers, as it turns out none of the tools (asprotect,vmprotect,packman) prevent process explorer from sysinternals from seeing the strings.

So as it stands, I need a reliable way to hide literal strings.  i'll post another question.
0
 
LVL 16

Expert Comment

by:CodedK
ID: 20098846
Give me your msn i will contact you in ~8 hours.
0
