Login/Register
How to hide strings in a exe or a dll?
Asked Answered
Solved c++securityobfuscationreverse-engineeringdefensive-programming
B

9

36

I discovered that it is possible to extract the hard-coded strings from a binary.
For example the properties view of Process Explorer displays all the string with more than 3 characters.

Here is the code of a simple executable that I wrote to simply test it:

#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0501
#endif
#include <stdio.h>
#include <tchar.h>
#include <Windows.h>

int _tmain(int argc, _TCHAR* argv[])
{
    _TCHAR* hiddenString1 =_T("4537774B-CC80-4eda-B3E4-7A9EE77991F5");
    _TCHAR* hiddenString2 =_T("hidden_password_or_whatever");
    for (int i= 0; i<argc; i++) {
        if (0 == _tcscmp(argv[i],hiddenString1)) {
            _tprintf (_T("The guid argument is correct.\n")); }
        else if (0 == _tcscmp(argv[i],hiddenString2)) {
            _tprintf (_T("Do something here.\n")); }
    }

    _tprintf (_T("This is a visible string.\n"));
    //Keep Running
    Sleep(60000);
    return 0;
}

The strings can clearly be extracted from the corresponding executable:
alt text

I think that it is a little too easy to find the strings.

My questions are:

  1. How to simply hide hiddenString1 or hiddenString2 in the executable?
  2. Is there a more secure way to use "cheat code" than with some obscure hidden input?
Berneta answered 29/5, 2009 at 14:10 Comment(5)
Is this question about the GUID or about strings in general?Grassplot
The GUID was just an example: there are URLs for http requests that I would like to hide too.Berneta
Hiding URLs for http requests isn't going to work. Anyone with a sniffer will be able to see exactly what your app is doing, and doing so would be much easier than examining the memory of your process.Waterfront
How to hide a string in binary code?Majorette
You can refer to this - it explains what is functional encryption and fully homomorphic encryption.Dolor
M
35

Welcome to the wider world of defensive programming.

There are a couple of options, but I believe all of them depend on some form of obfuscation; which, although not perfect, is at least something.

  1. Instead of a straight string value you can store the text in some other binary form (hex?).

  2. You can encrypt the strings that are stored in your app, then decrypt them at run time.

  3. You can split them across various points in your code, and reconstitute later.

Or some combination thereof.

Bear in mind, that some attacks go further than looking at the actual binary. Sometimes they will investigate the memory address space of the program while it's running. MS came up with something called a SecureString in .Net 2.0. The purpose being to keep the strings encrypted while the app is running.

A fourth idea is to not store the string in the app itself, but rather rely on a validation code to be submitted to a server you control. On the server you can verify if it's a legit "cheat code" or not.

Migdaliamigeon answered 29/5, 2009 at 14:14 Comment(6)
Nice options. Since the questioner is specifically concerned about hiding a Windows GUID string -- which is just a hexadecimal number -- that data could also be stored as a few ints.Doscher
I would like to add to your nice answer the possibility to salt the password.Irretentive
@CyberSpock: I'm not sure the purpose of salting it would be. The string (salted or not) is stored in the binary and therefore is subject to discovery. Which means there are only two solutions: obfuscate to at least make it a little harder or don't store it in the app at all.Migdaliamigeon
it may be more difficult to spot a password if it is salted since it would be an algorithm to compare passwords with one another but anyway it is all for naught.Irretentive
i just tried converting my arrayed string (char str[] = {'H', 'i', '\0'}) to a sequence of hex bytes and they are discover-able in very same wayLeatherjacket
@Leatherjacket They would be because that's how it is stored in memory (in both scenarios). One simple way around it is to pick a different datatype like an short or int but still you can see the hex codes. What you could do then devise your own obfuscation technique applies to the hex values like bit shifting, adding junk, etc.Grafting
S
20

There are many ways to obscure data in an executable. Others here have posted good solutions -- some stronger than others. I won't add to that list.

Just be aware: it's all a cat-and-mouse game: it is impossible to guarantee that nobody will find out your "secret".

No matter how much encryption or other tricks you use; no matter how much effort or money you put into it. No matter how many "NASA/MIT/CIA/NSA" types are involved in hiding it.

It all comes down to simple physics:
If it were impossible for any user to pull out your secret from the executable and "unhide" it, then the computer would not be able to unhide it either, and your program wouldn't be able to use it. Any moderately skilled developer with enough incentive will find the way to unhide the secret.

The moment that you have handed your executable to a user, they have everything they need to find out the secret.

The best you can hope for is to make it so hard to uncover the secret that any benefits you can get from knowing the secret become not worth the hassle.

So, it's OK to try to obscure the data if it's merely "not-nice" for it to be public, or if the consequences of it becoming public would just be "inconvenient". But don't even think of hiding in your program "the password to your master client database", a private key, or some other critical secret. You just can't.

If you have truly critically secret information that your program will somehow need but should NEVER become public information (like a private key), then you will need to have your program talk to a remote server under your control, apply appropriate authentication and authorization controls (that is, make sure only the approved people or computers are able to make the request to the server), and have that server keep the secret and use it.

Sinkage answered 29/5, 2009 at 21:4 Comment(1)
Well said. And true crackers are quite formidable, you won't be able to stop them with a small trick. They will notice the hotspot where you play with strings and patiently for the application to decrypt it to see the real thing.Bridgework
S
10

The simplest way is to encrypt them with something trivial like xor or rot-13, and then decrypt them on the fly when they're used. That will eliminate casual viewing of them, but it won't stop anyone with much experience at reversing.

Sprue answered 29/5, 2009 at 14:19 Comment(2)
Nothing would really stop anyone with much experience at reversing, for that matter ;)Precedence
Since they must have the decryption key in memory to run the program then AES isn't going to stop them either.Oberammergau
H
6

In addition to those methods Chris mentions you could also use a hashing algorithm. If all you want to do is check if the correct ID was specified you don't actually need to store the whole ID in your program.

  • Create a hash (MD5, SHA, etc) of the string/password/id you want to compare against, maybe add a 'salt' value to it. Store this in your program
  • When the program is run, do the same algorithm on the input string/password/id and compare the two hashes to see if they match.

This way the actual text is never stored in your program and they cannot reverse engineer your program to find out what the original text was because hash algorithms are one-way only.

Halfandhalf answered 29/5, 2009 at 14:18 Comment(3)
be careful, collisions for some hashes (e.g. md5) can be found relatively easy these days..Acme
I'm not sure that's a problem for this use.Bertrando
You can go further, and just do the public key-only side of a publc key encryption deal. that'll handle the collision issue. It's also one of the more secure ways to do it - as secure as the encryption algorithm you use, even after it's dug out via hex editor.Rowlock
C
5

There are URLs for http requests that I would like to hide too.

If your app is making the request, there is no point hiding this. Running an app like fiddler, http analyzer, or one of dozens of other free and readily available methods will show all the traffic your app is creating.

Coppage answered 19/1, 2010 at 15:32 Comment(4)
That's really bad. :(Lingcod
@ZeeshanMahmood what part?Coppage
Means, we cannot hide URLs in code as by some other means these are going to be revealed.Lingcod
You can hide them, but as soon a you access it, it's visibleCoppage
G
4

The best you can do is to code your password or other string that you want to hide as char array. For example:

std::string s1 = "Hello";   // This will show up in exe in hex editor
char* s2 = "World";   // this will show up in exe in hex editor
char s3[] = {'G', 'O', 'D'}; // this will not show up in exe in hex editor.
Gene answered 12/6, 2009 at 13:14 Comment(2)
In this simple programm in C char s3[] = {'G', 'O', 'D'}; int n = sizeof(s3)/sizeof(s3[0]); printf("%d\n", n);, I find the text with the hex editor -> .D$.G.D$.O.D$.D.D$. in the build executable.Lalla
I saw that if data is in heap the string into the executable is in plain, if is in stack the string disappears. I am aware that this is very compiler/platform dependant (I am on win 10)Hatchett
N
3

Here is the method I use for this purpose. First, I use the the Strings tool by Sysinternals to display the strings in an EXE or DLL. I then use the following small tool (see article) to replace these strings with a scrambled array of characters stored as an arithmetic expression: for example: instead of the string: "this is a test" I will place the following code: (which is automatically generated by this tool)

WCHAR T1[28];
 T1[22] = 69;
 T1[15] = 121 - 17;
 T1[9] = L':' + -26;
 T1[12] = L't' - 1;
 T1[6] = 116 - 1;
 T1[17] = 117 - 12;
 T1[3] = 116 - 1;
 T1[14] = L'' - 3;
 T1[13] = L'w' - 3;
 T1[23] = 69;
 T1[26] = L'Y' + 3;
 T1[19] = 111 + 0;
 T1[21] = L'k' - 34;
 T1[27] = L'\\' - 8;
 T1[20] = L'B' + 32;
 T1[4] = 42 + -10;
 T1[25] = L'm' - 17;
 T1[16] = L'H' + 18;
 T1[18] = L'A' + 56;
 T1[24] = 68;
 T1[1] = 105 - 1;
 T1[11] = L'k' - 6;
 T1[10] = 66 + 50;
 T1[2] = 105;
 T1[0] = 117 - 1;
 T1[5] = L'k' - 2;
 T1[8] = 89 + 8;
 T1[7] = 32;

There are many solutions to this problem and none of them (including mine) is perfect, however there are ways to scramble, disguise, and hide the sensitive strings. You can of course encrypt them and decrypt during runtime (see this article), but I find more important to make these string disappear among the bits and bytes of the executable file and it works. After running my tool, you won't find "this is a test" in the executable file.

Noonberg answered 7/8, 2018 at 12:42 Comment(0)
B
2

If there's a specific string you don't want people to be able to see, then encrypt it and decrypt at runtime.

If you don't want people to see your GUID, then construct it from bytes, rather than constructed from a string:

const GUID SecretGuid = 
      { 0x4537774B, 0xCC80, 0x4eda, { 0x7A, 0x9E, 0xE7, 0x79, 0x91, 0xF5 } };
Bentley answered 29/5, 2009 at 14:23 Comment(0)
R
2

Will all your secret codes be GUIDs or was that just an example?

Perhaps store your secret as a binary guid:

const GUID SecretGuid =
    { 0x4537774B, 0xCC80, 0x4eda, { 0x7A, 0x9E, 0xE7, 0x79, 0x91, 0xF5 } };

Then convert your supplied guid from string to binary format and compare the two binary guids.

Rafiq answered 29/5, 2009 at 15:24 Comment(2)
The GUID was just an example. There are URLs for http requests that I would like to hide too.Berneta
Everyone who has the knowledge to look for strings in your excutable will be able to start a sniffer and watch for HTTP-Request from your app. In fact I would try the sniffer first before looking for strings.Brickkiln

© 2022 - 2024 — McMap. All rights reserved.