Solved

VB6 Hiding Strings

Posted on 2014-01-08
15
564 Views
Last Modified: 2014-01-21
Dear Experts,

What's the best way to hide strings used in an application (for various messages given to the user) to prevent them from being viewed within the exe file?

Thanks!
0
Comment
Question by:ttobin333
  • 6
  • 4
  • 4
  • +1
15 Comments
 
LVL 25

Assisted Solution

by:Luis Pérez
Luis Pérez earned 84 total points
Comment Utility
Well, a simple way is to have a pair of Encrypt/Decrypt global functions in a .bas file, so you can declare your string message variables with the encrypted text, not the real text. When you compile your project into an .exe file, the real message won't be visible.

Here's a simple encryption function for VB6:
http://www.vbforums.com/showthread.php?620873-VB6-Encryption-amp-Decryption-Try-it-!-(Make-itSimple)

Hope that helps.
0
 

Author Comment

by:ttobin333
Comment Utility
Can strings stored in and loaded from a resource file be easily viewed?

More importantly, if a certain string from the resource file is loaded using the LoadResString command, could that particular string be used to identify a key portion of the code for hackers?
0
 
LVL 22

Expert Comment

by:rspahitz
Comment Utility
Ultimately, anything that can read can be hacked.  What you need to consider is how encrypted you want the data.  You could have a simple encryption when you write the data and reverse it when you read it.  But if you want anything more than something that goes through each character and changes it then you might as well go with the full encryption mentioned above.

As for resource files, I don't recall if they are encrypted, but even if they are, the algorithm is likely very accessible for anyone who wants to break it.

I guess it comes down to "how secure do you want your car?" You can leave the keys in the ignition and hope nobody takes it (unencoded text but people have to look for it). You can leave it unlocked but not leave the keys in and it will be hard to steal.  Lock the doors and it's harder.  Add a basic alarm and it might be harder.  Add an ignition cut-off and it's harder.  Add a code-enabled alarming system and it's harder, etc.
So how hard do you want it to be for people to break your code?
0
 

Author Comment

by:ttobin333
Comment Utility
I appreciate the comments and general advice.

However, can someone specifically comment on the resource file text string question, as this may be the easiest compromise balancing practicality and security.

When a text string is loaded from a resource file (using LoadResString), is that string viewable at that location in the code, allowing a hacker to determine the location?

Thanks!
0
 
LVL 22

Expert Comment

by:rspahitz
Comment Utility
Not sure about VB6 (since I've been on .NET for 12+ years) but in .NET the contents of the resource file are encrypted in the .exe (but visible in the .resx file, which should not be delivered to customers)
0
 
LVL 27

Accepted Solution

by:
Ark earned 333 total points
Comment Utility
Hi
Everything storing in resource section of PE can be easy read even from VB (see my sample at http://www.planet-source-code.com/vb/scripts/ShowCode.asp?txtCodeId=25890&lngWId=1)
You can hide valuable strings in your app with smth like
Dim x As String
x = Chr(72) & Chr(101) & Chr(108) & Chr(108) & Chr(111) & Chr(32) & Chr(87) & Chr(111) & Chr(114) & Chr(108) & Chr(100)
MsgBox x

Open in new window

0
 

Author Comment

by:ttobin333
Comment Utility
Thanks Ark. That method sounds good.

Regarding viewing strings in a resource file: yes, I am able to see the strings and the reference numbers. But the most important question is, whether the reference numbers can somehow be used to find the location in the code where a particular string from the resource file is called. I am not worried about the strings being viewed inside the resource file, but I don't want anyone to be able to reference the "LoadResString(xxx)" statement calling a particular string. Some of the strings would give away critical locations in the code where hackers could potentially defeat piracy protection.
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 27

Assisted Solution

by:Ark
Ark earned 333 total points
Comment Utility
Actually it's not necessary LoadResString just before calling MsgBox(strYou_are_a_pirate) - you can load it anitime before. But I'm afraid if hacker can disasm your executable, then find FindResource/LoadResource API entries, read correctly eax pushes (params) and final pop (string address) - (s)hi is experienced enough to break your defence.

Chr(x) trick is quite well known to hide string in executables (ie protect against disassembly), but it cannot protect against debugging - memory dump immediately shows all your secrets. Actually, when debugging, hacker even don't need these strings - settings breaks on MessageBoxW would be enough.
0
 

Author Comment

by:ttobin333
Comment Utility
So again, it is clear that nothing is bullet-proof…but it sounds like the Chr(x) method is the best balance of effort/protection perhaps?

How about encrypted strings in a resource file? Would that offer any advantage? Maybe the method mentioned earlier by Luis Pérez in this discussion could be used to encrypt/decrypt the resource file strings?
0
 
LVL 22

Expert Comment

by:rspahitz
Comment Utility
Actually, the best option is to remove the text from the project entirely and put it in a web-based database, encrypted, with a decryption mechanism in your code.
If the text is in your code, there is always a way that a hacker can do what the code does and extract it.
At least with the web (or other server-based) option, you can limit the way the data is returned so people don't have access to it without proper permissions.
0
 
LVL 27

Assisted Solution

by:Ark
Ark earned 333 total points
Comment Utility
If you already have piracy protection in your software, the way to bypass it is to replace your checking routine with nop/jmp commands. In this case the bottle-neck for crackers is to find this checking routine. There are a number of methods to make this harder - you can display message not just after checking but with some delay, or degrade app without warning, or show a form with warning labeland tons of controls with Visible=False and numerous dummy math functions inside form which do nothing. Compile your app into P-Code - digging through  runtime dlls spagetty when debugging is a nightmare.
See more advices at http://www.woodmann.com/crackz/Tutorials/Protect.htm (though code is in asm, there are lot of practical advices and usefull links)
0
 

Author Comment

by:ttobin333
Comment Utility
rspahitz, unless you care to share the details, that's way too complicated, and requires software to always be connected to the web.
0
 
LVL 22

Assisted Solution

by:rspahitz
rspahitz earned 83 total points
Comment Utility
t, you are correct that this will require a web connection (thought not necessarily always-on.)
However, if you deliver all the pieces in an .exe, then someone can always find a way to locate the parts they want.  Is it worth their while?  Probably not unless your product is going to make them hundreds of thousands of dollars.
This problem really comes down to risk-analysis.  If it's that valuable, you'll need to store the data outside of the customer's realm.  If it's less valuable, then a simple encryption routine may suffice.
Personally, I would probably store the info in an encrypted database (e.g. Access) with password permissions, then have the app pull the info as needed.  The DB can still be hacked, but if you do it right, it will be hard to figure out what the pieces mean.
0
 
LVL 27

Assisted Solution

by:Ark
Ark earned 333 total points
Comment Utility
AFAIK there are 2 ways to bypass protection:
1. Understand key-generation (or key checking) routine and create own with same logic (AKA keygen building). Require some valuable info (key-building algorithm, key - string, password etc. - can be protected if storing on server)
2. Find checking routine address and bypass it with asm code editing (AKA patching). In this case you can hide password on the Moon on switched-off computer - this doesn't help against patching. Instead you must hide your checking routine as deep as possible inside your code and check if known debuggers (like SoftIce/Olly/WinDbg) running - this makes patching not impossible but harder.
0
 

Author Closing Comment

by:ttobin333
Comment Utility
Thanks guys, for the valuable information!
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

I’ve seen a number of people looking for examples of how to access web services from VB6.  I’ve been using a test harness I built in VB6 (using many resources I found online) that I use for small projects to work out how to communicate with web serv…
You can of course define an array to hold data that is of a particular type like an array of Strings to hold customer names or an array of Doubles to hold customer sales, but what do you do if you want to coordinate that data? This article describes…
Get people started with the process of using Access VBA to control Outlook using automation, Microsoft Access can control other applications. An example is the ability to programmatically talk to Microsoft Outlook. Using automation, an Access applic…
Get people started with the utilization of class modules. Class modules can be a powerful tool in Microsoft Access. They allow you to create self-contained objects that encapsulate functionality. They can easily hide the complexity of a process from…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now