36

I discovered that it is possible to extract the hard-coded strings from a binary.
For example the properties view of Process Explorer displays all the string with more than 3 characters.

Here is the code of a simple executable that I wrote to simply test it:

#ifndef _WIN32_WINNT #define _WIN32_WINNT 0x0501 #endif #include <stdio.h> #include <tchar.h> #include <Windows.h> int _tmain(int argc, _TCHAR* argv[]) { _TCHAR* hiddenString1 =_T("4537774B-CC80-4eda-B3E4-7A9EE77991F5"); _TCHAR* hiddenString2 =_T("hidden_password_or_whatever"); for (int i= 0; i<argc; i++) { if (0 == _tcscmp(argv[i],hiddenString1)) { _tprintf (_T("The guid argument is correct.\n")); } else if (0 == _tcscmp(argv[i],hiddenString2)) { _tprintf (_T("Do something here.\n")); } } _tprintf (_T("This is a visible string.\n")); //Keep Running Sleep(60000); return 0; }

The strings can clearly be extracted from the corresponding executable:
alt text

I think that it is a little too easy to find the strings.

My questions are:

  1. How to simply hide hiddenString1 or hiddenString2 in the executable?
  2. Is there a more secure way to use "cheat code" than with some obscure hidden input?
Improve this question
5
  • 1
    Is this question about the GUID or about strings in general? Commented May 29, 2009 at 17:20
  • The GUID was just an example: there are URLs for http requests that I would like to hide too. Commented May 29, 2009 at 17:27
  • 2
    Hiding URLs for http requests isn't going to work. Anyone with a sniffer will be able to see exactly what your app is doing, and doing so would be much easier than examining the memory of your process. Commented Jan 19, 2010 at 15:48
  • How to hide a string in binary code? Commented Feb 2, 2016 at 16:30
  • You can refer to this - it explains what is functional encryption and fully homomorphic encryption. Commented May 11, 2016 at 11:49

9 Answers 9

Reset to default
35

Welcome to the wider world of defensive programming.

There are a couple of options, but I believe all of them depend on some form of obfuscation; which, although not perfect, is at least something.

  1. Instead of a straight string value you can store the text in some other binary form (hex?).

  2. You can encrypt the strings that are stored in your app, then decrypt them at run time.

  3. You can split them across various points in your code, and reconstitute later.

Or some combination thereof.

Bear in mind, that some attacks go further than looking at the actual binary. Sometimes they will investigate the memory address space of the program while it's running. MS came up with something called a SecureString in .Net 2.0. The purpose being to keep the strings encrypted while the app is running.

A fourth idea is to not store the string in the app itself, but rather rely on a validation code to be submitted to a server you control. On the server you can verify if it's a legit "cheat code" or not.

Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

Nice options. Since the questioner is specifically concerned about hiding a Windows GUID string -- which is just a hexadecimal number -- that data could also be stored as a few ints.
I would like to add to your nice answer the possibility to salt the password.
@CyberSpock: I'm not sure the purpose of salting it would be. The string (salted or not) is stored in the binary and therefore is subject to discovery. Which means there are only two solutions: obfuscate to at least make it a little harder or don't store it in the app at all.
it may be more difficult to spot a password if it is salted since it would be an algorithm to compare passwords with one another but anyway it is all for naught.
i just tried converting my arrayed string (char str[] = {'H', 'i', '\0'}) to a sequence of hex bytes and they are discover-able in very same way
|
20

There are many ways to obscure data in an executable. Others here have posted good solutions -- some stronger than others. I won't add to that list.

Just be aware: it's all a cat-and-mouse game: it is impossible to guarantee that nobody will find out your "secret".

No matter how much encryption or other tricks you use; no matter how much effort or money you put into it. No matter how many "NASA/MIT/CIA/NSA" types are involved in hiding it.

It all comes down to simple physics:
If it were impossible for any user to pull out your secret from the executable and "unhide" it, then the computer would not be able to unhide it either, and your program wouldn't be able to use it. Any moderately skilled developer with enough incentive will find the way to unhide the secret.

The moment that you have handed your executable to a user, they have everything they need to find out the secret.

The best you can hope for is to make it so hard to uncover the secret that any benefits you can get from knowing the secret become not worth the hassle.

So, it's OK to try to obscure the data if it's merely "not-nice" for it to be public, or if the consequences of it becoming public would just be "inconvenient". But don't even think of hiding in your program "the password to your master client database", a private key, or some other critical secret. You just can't.

If you have truly critically secret information that your program will somehow need but should NEVER become public information (like a private key), then you will need to have your program talk to a remote server under your control, apply appropriate authentication and authorization controls (that is, make sure only the approved people or computers are able to make the request to the server), and have that server keep the secret and use it.

Improve this answer

1 Comment

Well said. And true crackers are quite formidable, you won't be able to stop them with a small trick. They will notice the hotspot where you play with strings and patiently for the application to decrypt it to see the real thing.
11

The simplest way is to encrypt them with something trivial like xor or rot-13, and then decrypt them on the fly when they're used. That will eliminate casual viewing of them, but it won't stop anyone with much experience at reversing.

Improve this answer

2 Comments

Nothing would really stop anyone with much experience at reversing, for that matter ;)
Since they must have the decryption key in memory to run the program then AES isn't going to stop them either.
6

In addition to those methods Chris mentions you could also use a hashing algorithm. If all you want to do is check if the correct ID was specified you don't actually need to store the whole ID in your program.

  • Create a hash (MD5, SHA, etc) of the string/password/id you want to compare against, maybe add a 'salt' value to it. Store this in your program
  • When the program is run, do the same algorithm on the input string/password/id and compare the two hashes to see if they match.

This way the actual text is never stored in your program and they cannot reverse engineer your program to find out what the original text was because hash algorithms are one-way only.

Improve this answer

3 Comments

be careful, collisions for some hashes (e.g. md5) can be found relatively easy these days..
I'm not sure that's a problem for this use.
You can go further, and just do the public key-only side of a publc key encryption deal. that'll handle the collision issue. It's also one of the more secure ways to do it - as secure as the encryption algorithm you use, even after it's dug out via hex editor.
5

There are URLs for http requests that I would like to hide too.

If your app is making the request, there is no point hiding this. Running an app like fiddler, http analyzer, or one of dozens of other free and readily available methods will show all the traffic your app is creating.

Improve this answer

4 Comments

That's really bad. :(
@ZeeshanMahmood what part?
Means, we cannot hide URLs in code as by some other means these are going to be revealed.
You can hide them, but as soon a you access it, it's visible
4

The best you can do is to code your password or other string that you want to hide as char array. For example:

std::string s1 = "Hello"; // This will show up in exe in hex editor char* s2 = "World"; // this will show up in exe in hex editor char s3[] = {'G', 'O', 'D'}; // this will not show up in exe in hex editor.
Improve this answer

2 Comments

In this simple programm in C char s3[] = {'G', 'O', 'D'}; int n = sizeof(s3)/sizeof(s3[0]); printf("%d\n", n);, I find the text with the hex editor -> .D$.G.D$.O.D$.D.D$. in the build executable.
I saw that if data is in heap the string into the executable is in plain, if is in stack the string disappears. I am aware that this is very compiler/platform dependant (I am on win 10)
3

Here is the method I use for this purpose. First, I use the the Strings tool by Sysinternals to display the strings in an EXE or DLL. I then use the following small tool (see article) to replace these strings with a scrambled array of characters stored as an arithmetic expression: for example: instead of the string: "this is a test" I will place the following code: (which is automatically generated by this tool)

WCHAR T1[28]; T1[22] = 69; T1[15] = 121 - 17; T1[9] = L':' + -26; T1[12] = L't' - 1; T1[6] = 116 - 1; T1[17] = 117 - 12; T1[3] = 116 - 1; T1[14] = L'' - 3; T1[13] = L'w' - 3; T1[23] = 69; T1[26] = L'Y' + 3; T1[19] = 111 + 0; T1[21] = L'k' - 34; T1[27] = L'\\' - 8; T1[20] = L'B' + 32; T1[4] = 42 + -10; T1[25] = L'm' - 17; T1[16] = L'H' + 18; T1[18] = L'A' + 56; T1[24] = 68; T1[1] = 105 - 1; T1[11] = L'k' - 6; T1[10] = 66 + 50; T1[2] = 105; T1[0] = 117 - 1; T1[5] = L'k' - 2; T1[8] = 89 + 8; T1[7] = 32;

There are many solutions to this problem and none of them (including mine) is perfect, however there are ways to scramble, disguise, and hide the sensitive strings. You can of course encrypt them and decrypt during runtime (see this article), but I find more important to make these string disappear among the bits and bytes of the executable file and it works. After running my tool, you won't find "this is a test" in the executable file.

Improve this answer

Comments

2

Will all your secret codes be GUIDs or was that just an example?

Perhaps store your secret as a binary guid:

const GUID SecretGuid = { 0x4537774B, 0xCC80, 0x4eda, { 0x7A, 0x9E, 0xE7, 0x79, 0x91, 0xF5 } };

Then convert your supplied guid from string to binary format and compare the two binary guids.

Improve this answer

2 Comments

The GUID was just an example. There are URLs for http requests that I would like to hide too.
Everyone who has the knowledge to look for strings in your excutable will be able to start a sniffer and watch for HTTP-Request from your app. In fact I would try the sniffer first before looking for strings.
2

If there's a specific string you don't want people to be able to see, then encrypt it and decrypt at runtime.

If you don't want people to see your GUID, then construct it from bytes, rather than constructed from a string:

const GUID SecretGuid = { 0x4537774B, 0xCC80, 0x4eda, { 0x7A, 0x9E, 0xE7, 0x79, 0x91, 0xF5 } };
Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.