What's the best way to hide strings used in an application (for various messages given to the user) to prevent them from being viewed within the exe file?
Can strings stored in and loaded from a resource file be easily viewed?
More importantly, if a certain string from the resource file is loaded using the LoadResString command, could that particular string be used to identify a key portion of the code for hackers?
rspahitz
Ultimately, anything that can be read can be hacked. What you need to consider is how encrypted you want the data. You could have a simple encryption when you write the data and reverse it when you read it. But if you want anything more than something that goes through each character and changes it, then you might as well go with the full encryption mentioned above.
As for resource files, I don't recall if they are encrypted, but even if they are, the algorithm is likely very accessible for anyone who wants to break it.
I guess it comes down to "how secure do you want your car?" You can leave the keys in the ignition and hope nobody takes it (unencoded text but people have to look for it). You can leave it unlocked but not leave the keys in and it will be hard to steal. Lock the doors and it's harder. Add a basic alarm and it might be harder. Add an ignition cut-off and it's harder. Add a code-enabled alarming system and it's harder, etc.
So how hard do you want it to be for people to break your code?
ttobin333
ASKER
I appreciate the comments and general advice.
However, can someone specifically comment on the resource file text string question, as this may be the easiest compromise balancing practicality and security?
When a text string is loaded from a resource file (using LoadResString), is that string viewable at that location in the code, allowing a hacker to determine the location?
Not sure about VB6 (since I've been on .NET for 12+ years), but in .NET the contents of the resource file are encrypted in the .exe (but visible in the .resx file, which should not be delivered to customers).
Regarding viewing strings in a resource file: yes, I am able to see the strings and the reference numbers. But the most important question is, whether the reference numbers can somehow be used to find the location in the code where a particular string from the resource file is called. I am not worried about the strings being viewed inside the resource file, but I don't want anyone to be able to reference the "LoadResString(xxx)" statement calling a particular string. Some of the strings would give away critical locations in the code where hackers could potentially defeat piracy protection.
So again, it is clear that nothing is bullet-proof…but it sounds like the Chr(x) method is the best balance of effort/protection perhaps?
How about encrypted strings in a resource file? Would that offer any advantage? Maybe the method mentioned earlier by Luis Pérez in this discussion could be used to encrypt/decrypt the resource file strings?
Actually, the best option is to remove the text from the project entirely and put it in a web-based database, encrypted, with a decryption mechanism in your code.
If the text is in your code, there is always a way that a hacker can do what the code does and extract it.
At least with the web (or other server-based) option, you can limit the way the data is returned so people don't have access to it without proper permissions.
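An added example, not part of the thread or any poster's code: a pre-release check that scans a build for user-facing messages still readable as plain ASCII or UTF-16LE, the two forms a generic string scan picks up. The sample bytes, the message texts and the single-byte XOR key are constructed for illustration; XOR stands in for the "simple encryption" that changes each character.

```python
import re

XOR_KEY = 0xA5  # assumed single-byte key, for illustration only

def extract_strings(data: bytes, min_len: int = 4):
    """Return sorted (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    patterns = {
        "ascii": rb"[\x20-\x7e]{%d,}" % min_len,
        "utf-16-le": rb"(?:[\x20-\x7e]\x00){%d,}" % min_len,
    }
    found = []
    for enc, pat in patterns.items():
        for m in re.finditer(pat, data):
            found.append((m.start(), enc, m.group().decode(enc)))
    return sorted(found)

def audit(data: bytes, messages):
    """Map each message to the (byte offset, encoding) pairs where it is readable."""
    hits = {msg: [] for msg in messages}
    for offset, enc, text in extract_strings(data):
        width = 2 if enc == "utf-16-le" else 1  # bytes per character
        for msg in messages:
            pos = text.find(msg)
            if pos != -1:
                hits[msg].append((offset + pos * width, enc))
    return hits

def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Per-character transform; applying it twice restores the input."""
    return bytes(b ^ key for b in data)

# Constructed messages and a constructed byte blob standing in for a built exe.
MESSAGES = ["Registration failed", "Trial expired", "License check passed"]
PAD = b"\xff" * 4
SAMPLE = (
    b"MZ\x90\x00" + PAD
    + MESSAGES[0].encode("ascii") + PAD        # stored as plain ANSI text
    + MESSAGES[1].encode("utf-16-le") + PAD    # stored as plain wide text
    + xor_bytes(MESSAGES[2].encode("ascii"))   # stored transformed
)

if __name__ == "__main__":
    for msg, where in audit(SAMPLE, MESSAGES).items():
        print(f"{msg!r}: {where or 'not readable as plaintext'}")
```

The transformed message drops out of the scan, but the routine that reverses it ships in the same binary, which is the limit the replies above describe.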