开发者

How to hide literals in code

What are the main existing approaches to hide the value of literals in code, so that they are not easily traced with just an hexdumper or a decompiler?

For example, instead of coding this:

    static final int MY_VALUE = 100;

We could have:

    static final int MY_VALUE = myFunction1();

    private int myFunction1(){
        int i = 23;
        i += 8 << 4;
        for(int j = 0; j < 3; j++){
            i-= (j<<1);
        }
        return myFunction2(i);
    }

    private int myFunction2(int i){
        return i + 19;
    }

That was just an example of what we're trying to do. (Yes, I know, the compiler may optimize it and precalculate the constant).

Disclaimer: I know this will not provide any aditional security at all, but it makes the code more obscure (o开发者_如何学JAVAr interesting) to reverse-engineer. The purpose of this is just to force the attacker to debug the program, and waste time on it. Keep in mind that we're doing it just for fun.


Since you're trying to hide text, which will be visible in the simple dump of the program, you can use some kind of simple encryption to obfuscate your program and hide that text from prying eyes.

Detailed instuctions:

  1. Visit ROT47.com and encode your text online. You can also use this web site for a more generic ROTn encoding.
  2. Replace contents of your string constants with the encoded text.
  3. Use the decoder in your code to transform the text back into its original form when you need it. ROT13 Wikipedia article contains some notes about implementation, and here is Javascript implementation of ROTn on StackOverflow. It is trivial to adapt it to whatever language you're using.

Why use ROT47 which is notoriously weak encryption?

In the end, your code will look something like this:

decryptedData = decryptStr(MY_ENCRYPTED_CONSTANT)
useDecrypted(decryptedData)

No matter how strong your cypher, anybody equipped with a debugger can set a breakpoint on useDecrypted() and recover the plaintext. So, strength of the cypher does not matter. However, using something like Rot47 has two distinct advantages:

  1. You can encode your text online, no need to write a specialized program to encode your text.
  2. Decryption is very easy to implement, so you don't waste your time on something that does not add any value to your customers.
  3. Anybody reading your code (your coworker or yourself after 5 years) will know immediately this is not a real security, but security by obscurity.
  4. Your text will still appear as gibberish to anyone just prying inside your compiled program, so mission accomplished.


Run some game of life variant for a large number of iterations, and then make control flow decisions based on the final state vector.

If your program is meant to actually do something useful, you could have your desired branches planned ahead of time and choose bits of the state vector to suit ("I want a true here, bit 17 is on, so make that the condition..")


You could also use some part of compiled code as data, then modify it a little. This would be hard to do in a program executed by virtual machine, but is doable in languages like asm or c.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜