Solved

VB6 Hiding Strings

Posted on 2014-01-08
587 Views
Last Modified: 2014-01-21
Dear Experts,

What's the best way to hide strings used in an application (for various messages given to the user) to prevent them from being viewed within the exe file?

Thanks!
0
Question by:ttobin333
15 Comments
 
LVL 25

Assisted Solution

by:Luis Pérez
Luis Pérez earned 84 total points
ID: 39767367
Well, a simple way is to have a pair of Encrypt/Decrypt global functions in a .bas file, so you can declare your string message variables with the encrypted text, not the real text. When you compile your project into an .exe file, the real message won't be visible.

Here's a simple encryption function for VB6:
http://www.vbforums.com/showthread.php?620873-VB6-Encryption-amp-Decryption-Try-it-!-(Make-itSimple)

Hope that helps.
0
 

Author Comment

by:ttobin333
ID: 39769732
Can strings stored in and loaded from a resource file be easily viewed?

More importantly, if a certain string from the resource file is loaded using the LoadResString command, could that particular string be used to identify a key portion of the code for hackers?
0
 
LVL 22

Expert Comment

by:rspahitz
ID: 39771520
Ultimately, anything that can be read can be hacked.  What you need to consider is how encrypted you want the data.  You could have a simple encryption when you write the data and reverse it when you read it.  But if you want anything more than something that goes through each character and changes it then you might as well go with the full encryption mentioned above.

As for resource files, I don't recall if they are encrypted, but even if they are, the algorithm is likely very accessible for anyone who wants to break it.

I guess it comes down to "how secure do you want your car?" You can leave the keys in the ignition and hope nobody takes it (unencoded text but people have to look for it). You can leave it unlocked but not leave the keys in and it will be hard to steal.  Lock the doors and it's harder.  Add a basic alarm and it might be harder.  Add an ignition cut-off and it's harder.  Add a code-enabled alarming system and it's harder, etc.
So how hard do you want it to be for people to break your code?
0
 

Author Comment

by:ttobin333
ID: 39773790
I appreciate the comments and general advice.

However, can someone specifically comment on the resource file text string question, as this may be the easiest compromise balancing practicality and security.

When a text string is loaded from a resource file (using LoadResString), is that string viewable at that location in the code, allowing a hacker to determine the location?

Thanks!
0
 
LVL 22

Expert Comment

by:rspahitz
ID: 39775199
Not sure about VB6 (since I've been on .NET for 12+ years) but in .NET the contents of the resource file are encrypted in the .exe (but visible in the .resx file, which should not be delivered to customers)
0
 
LVL 27

Accepted Solution

by:Ark
Ark earned 333 total points
ID: 39781293
Hi
Everything stored in the resource section of a PE can be easily read, even from VB (see my sample at http://www.planet-source-code.com/vb/scripts/ShowCode.asp?txtCodeId=25890&lngWId=1)
You can hide valuable strings in your app with something like:
Dim x As String
' Assembles "Hello World" from character codes at run time
x = Chr(72) & Chr(101) & Chr(108) & Chr(108) & Chr(111) & Chr(32) & Chr(87) & Chr(111) & Chr(114) & Chr(108) & Chr(100)
MsgBox x

0
 

Author Comment

by:ttobin333
ID: 39791733
Thanks Ark. That method sounds good.

Regarding viewing strings in a resource file: yes, I am able to see the strings and the reference numbers. But the most important question is, whether the reference numbers can somehow be used to find the location in the code where a particular string from the resource file is called. I am not worried about the strings being viewed inside the resource file, but I don't want anyone to be able to reference the "LoadResString(xxx)" statement calling a particular string. Some of the strings would give away critical locations in the code where hackers could potentially defeat piracy protection.
0
 
LVL 27

Assisted Solution

by:Ark
Ark earned 333 total points
ID: 39791794
Actually it's not necessary to call LoadResString just before calling MsgBox(strYou_are_a_pirate) - you can load it anytime before. But I'm afraid if a hacker can disasm your executable, then find FindResource/LoadResource API entries, read correctly eax pushes (params) and final pop (string address) - (s)he is experienced enough to break your defence.

The Chr(x) trick is quite well known to hide strings in executables (i.e. protect against disassembly), but it cannot protect against debugging - a memory dump immediately shows all your secrets. Actually, when debugging, a hacker doesn't even need these strings - setting breaks on MessageBoxW would be enough.
0
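Added example, not part of any post in this thread: a Python check a developer can run against a build to see whether a message is recoverable by a plain string scan, which bears on both the Encrypt/Decrypt suggestion and the Chr(x) trick discussed above. The XOR routine, key, message and byte blobs are constructed stand-ins; the scan covers ASCII and UTF-16LE runs because VB6 strings are UTF-16.

```python
import re

def extract_strings(data: bytes, min_len: int = 5) -> set:
    """Printable runs stored as ASCII or as UTF-16LE (the encoding VB6 strings use)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = {m.group().decode("ascii") for m in ascii_re.finditer(data)}
    found |= {m.group().decode("utf-16-le") for m in wide_re.finditer(data)}
    return found

def leaked_messages(data: bytes, sensitive: list, min_len: int = 5) -> list:
    """Sensitive messages that a plain string scan of `data` reveals."""
    runs = extract_strings(data, min_len)
    return [s for s in sensitive if any(s in run for run in runs)]

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Stand-in for an Encrypt/Decrypt pair: repeating-key XOR (obfuscation only)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# --- Constructed sample data (not taken from any real executable) ---
MESSAGE = "Invalid license key"
KEY = b"\x9d\xc3\xa7"                       # hypothetical key compiled into the app
PADDING = b"\x55\x8b\xec\x00\x90\xc3\xff"   # arbitrary non-text bytes around the data
WIDE = MESSAGE.encode("utf-16-le")

image_literal = PADDING + WIDE + PADDING                   # literal left in the EXE
image_encoded = PADDING + xor_bytes(WIDE, KEY) + PADDING   # only encoded bytes on disk
# Once the app decodes the message to display it, the plaintext sits in memory again.
memory_at_runtime = PADDING + xor_bytes(xor_bytes(WIDE, KEY), KEY) + PADDING

def scan_all() -> dict:
    """Run the same scan over the on-disk variants and the run-time buffer."""
    targets = {"literal": image_literal, "encoded": image_encoded,
               "runtime": memory_at_runtime}
    return {name: leaked_messages(blob, [MESSAGE]) for name, blob in targets.items()}

if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name:8} -> {hits or 'nothing found'}")
```

To check a real build, pass the EXE's bytes (`open(path, "rb").read()`) to `leaked_messages` together with the messages you consider sensitive.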
 

Author Comment

by:ttobin333
ID: 39792455
So again, it is clear that nothing is bullet-proof…but it sounds like the Chr(x) method is the best balance of effort/protection perhaps?

How about encrypted strings in a resource file? Would that offer any advantage? Maybe the method mentioned earlier by Luis Pérez in this discussion could be used to encrypt/decrypt the resource file strings?
0
 
LVL 22

Expert Comment

by:rspahitz
ID: 39792620
Actually, the best option is to remove the text from the project entirely and put it in a web-based database, encrypted, with a decryption mechanism in your code.
If the text is in your code, there is always a way that a hacker can do what the code does and extract it.
At least with the web (or other server-based) option, you can limit the way the data is returned so people don't have access to it without proper permissions.
0
 
LVL 27

Assisted Solution

by:Ark
Ark earned 333 total points
ID: 39792965
If you already have piracy protection in your software, the way to bypass it is to replace your checking routine with nop/jmp commands. In this case the bottle-neck for crackers is to find this checking routine. There are a number of methods to make this harder - you can display the message not just after checking but with some delay, or degrade the app without warning, or show a form with a warning label and tons of controls with Visible=False and numerous dummy math functions inside the form which do nothing. Compile your app into P-Code - digging through runtime DLL spaghetti when debugging is a nightmare.
See more advice at http://www.woodmann.com/crackz/Tutorials/Protect.htm (though the code is in asm, there is a lot of practical advice and useful links)
0
 

Author Comment

by:ttobin333
ID: 39793076
rspahitz, unless you care to share the details, that's way too complicated, and requires software to always be connected to the web.
0
 
LVL 22

Assisted Solution

by:rspahitz
rspahitz earned 83 total points
ID: 39797933
t, you are correct that this will require a web connection (though not necessarily always-on.)
However, if you deliver all the pieces in an .exe, then someone can always find a way to locate the parts they want.  Is it worth their while?  Probably not unless your product is going to make them hundreds of thousands of dollars.
This problem really comes down to risk-analysis.  If it's that valuable, you'll need to store the data outside of the customer's realm.  If it's less valuable, then a simple encryption routine may suffice.
Personally, I would probably store the info in an encrypted database (e.g. Access) with password permissions, then have the app pull the info as needed.  The DB can still be hacked, but if you do it right, it will be hard to figure out what the pieces mean.
0
 
LVL 27

Assisted Solution

by:Ark
Ark earned 333 total points
ID: 39798852
AFAIK there are 2 ways to bypass protection:
1. Understand the key-generation (or key-checking) routine and create your own with the same logic (AKA keygen building). Requires some valuable info (key-building algorithm, key - string, password etc. - can be protected if stored on a server)
2. Find the checking routine address and bypass it with asm code editing (AKA patching). In this case you can hide the password on the Moon on a switched-off computer - this doesn't help against patching. Instead you must hide your checking routine as deep as possible inside your code and check if known debuggers (like SoftIce/Olly/WinDbg) are running - this makes patching not impossible but harder.
0
 

Author Closing Comment

by:ttobin333
ID: 39798945
Thanks guys, for the valuable information!
0

Question has a verified solution.
