开发者

Is it possible to hide a password defined within C++ code

问答 作者:

... so that browsing the disassembly won't immediately expose the password (declared as a static variable). As an example, imagine a program that has a zip file attached that it must open for assets b开发者_高级运维ut is not easily accessible to prying eyes.

I know that it is impossible to completely hide or protect that zip but I'm curious what means are available to at least hold off a casual snooper.

Thanks!

If your program is a Windows program, just use "This program cannot be run in DOS mode." as the password. That string is in nearly every Windows executable.

I'm only half kidding, since it's probably nearly as secure as XOR-ing the password with a key that's elsewhere in the program and there will be pretty much zero headaches maintaining it.

No but there are things you can do to make it harder.

Store the password as a series of numbers, do some calcualtions on them to generate the actual password, store parts of the password in resources such as icons etc.

In short, no, Any cracker would just set a breakpoint on the function that opens the zip file, and get the password from RAM there.

Instead of the actual password store the XOR encrypted version of the password as static variable. When you need to use it you just apply simple XOR decryption to retrieve the actual password.

http://en.wikipedia.org/wiki/XOR_cipher

One solution would be to xor the static password with another constant or even another string. This would spread your password out between however many parts need to be combined to get it back. A strings on the compiled binary doesn't show the pw string.

#include <stdio.h>

char pw[8] = {124, 109, 127, 127, 123, 99, 126, 104};

int main(int argc, char** argv) {
  for (int i = 0; i < 8; i++) {
    pw[i] = pw[i] ^ 12;
  }
  printf("%s\n", pw);  // => 'password'
}

There are a number of ways to protect data from a casual inspection, a determined adversary is another matter altogether (just ask the folks doing DRM.)

You could xor the password with another password derived from some data of your program, for example the relative position of a field (in a packed struct/class) relative to the beginning of the struct/class, or perhaps use some "constant" data (the current century and millennium are quite constant, for the next 89 years :-) ), or the conversion of some characters from one codepage to another, or perhaps the conversion of some numbers to float or double (perhaps even some simple divisions like 2/3, 3/5, 5/7 in double used as a password. Be sure to "force" the compiler to not optimize them (probably deriving the number from other "measurable" things, like the length of some strings)). Especially the first one is probably the easiest to hide: it's quite common to "measure" the relative position of a field. None of these methods will survive 5 minutes of an hacker... They'll only protect against "casual snooping with an hex editor".

Well why store it at all? Why not have a second packed application that your first encrypts based off of an xor algorithm? That way there is no need to store the password at all!

Of course this method is a little more difficult, But I would say you greatly benefit from not only using this method, but learning the necessary things required to make it work.

Show a picture with another code in italics to the user and insert a text box where the user can enter the code that is written in the picture. XOR the password of the ZIP file with the code in the picture. The result can be implemented hardcoded. The program has to XOR the hardcoded code with the input of the user to get the code of the ZIP file. Optionally, you can verify the inputted code using another one-way-code.

obfuscate the password with a perl script. Hackers can still reverse engineer your machine code...but at least your password its not obvious from a hex editor.

obfuscate_password("my_password434");

sub obfuscate_password($) {

  my $string = shift;
  my @c = split(//, $string);
  push(@c, "skip"); # Skip Null Terminator
                    # using memset to clear this byte
  # Add Decoy Characters
  for($i=0; $i < 100; $i++) {
    $ch = rand(255);
    next if ($ch == 0);
    push(@c, chr($ch));
  }                     
  my $count1 = @c;
  print "  int x1, x2, x3, x4, x5;\n";
  print "  char password[$count1];\n";
  print "  memset(password, 0, $count1);\n";
  my $count2 = 0;
  my %dict  = ();
  while(1) {
    my $x = int(rand($count1));
    $y = obfuscate_expr($count1, $x);
    next if (defined($dict{$x}));
    $dict{$x} = 1;
    last if ($count2+1 == $count1);
    if ($c[$x] ne "skip") {
      #print "  $y\n";
      print "  $y password[x4] = (char)" . ord($c[$x]) . ";\n";
    }
    $count2++;
  }
}

sub obfuscate_expr($$) {
    my $count  = shift;
    my $target = shift;
    #return $target;

    while(1) {

       my $a = int(rand($count*2));
       my $b = int(rand($count*2));
       my $c = int(rand($count*2));
       next if (($a == 0) || ($b == 0) || ($c == 0));
       my $y = $a - $b;
       #print "$target: $y : $a - $b\n";
       if ($y == $target) {
          #return "$a - $b + $c";
          return "x1=$a; x2=$b; x3=$c; x4=x1-x2+x3; x5= +=x4;";
       }
    } 
}

继续阅读:assemblyinformation-hiding

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9