
Author Topic: Securing a string against decompilation?  (Read 4438 times)

laznewb

  • New Member
  • *
  • Posts: 20
Securing a string against decompilation?
« on: February 22, 2020, 12:07:17 pm »
Hi everyone!  :D

Currently, in my program I have a string str:

Code: Pascal
  str := 'PlaintextPassword'

Is it possible that a person who decompiles my program would be able to see this string?

If so, what are some reasonably good, easy methods to make it more difficult to extract this string from a compiled executable?

Thanks!

440bx

  • Hero Member
  • *****
  • Posts: 3944
Re: Securing a string against decompilation?
« Reply #1 on: February 22, 2020, 12:19:59 pm »
> Hi everyone!  :D
>
> Currently, in my program I have a string str:
>
> Code: Pascal
>   str := 'PlaintextPassword'
>
> Is it possible that a person who decompiles my program would be able to see this string?
>
> If so, what are some reasonably good, easy methods to make it more difficult to extract this string from a compiled executable?
>
> Thanks!

If someone wants to see the string, they don't even have to decompile the executable.  A simple file viewer will do.

You could use a cypher to hide it, but that won't give you much safety either, because the deciphering algorithm has to be in the executable and the way the string is used gives away that it is a string.

My advice to you: don't bother.  Any halfway decent reverse engineer will go through any attempts you make at hiding the string like butter.  He/she will get a chuckle in the process.

HTH.
(FPC v3.0.4 and Lazarus 1.8.2) or (FPC v3.2.2 and Lazarus v3.2) on Windows 7 SP1 64bit.

howardpc

  • Hero Member
  • *****
  • Posts: 4144
Re: Securing a string against decompilation?
« Reply #2 on: February 22, 2020, 12:45:47 pm »
If you want to hide something, don't show it. Especially don't put it in a program that other people have access to.
Lazarus and FPC arise from an open source philosophy: the content is open, available, unhidden.
« Last Edit: February 22, 2020, 12:48:35 pm by howardpc »

HeavyUser

  • Sr. Member
  • ****
  • Posts: 397
Re: Securing a string against decompilation?
« Reply #3 on: February 22, 2020, 12:57:59 pm »
> Hi everyone!  :D
>
> Currently, in my program I have a string str:
>
> Code: Pascal
>   str := 'PlaintextPassword'
>
> Is it possible that a person who decompiles my program would be able to see this string?
>
> If so, what are some reasonably good, easy methods to make it more difficult to extract this string from a compiled executable?
>
> Thanks!

What kind of password is this? Can you change your process to auto generated on installation instead?

Thaddy

  • Hero Member
  • *****
  • Posts: 14204
  • Probably until I exterminate Putin.
Re: Securing a string against decompilation?
« Reply #4 on: February 22, 2020, 01:44:03 pm »
What you are asking for is finding the Holy Grail: it has never been done successfully. You can hide such a string a little bit but never - by definition - completely.
A famous example being Borland trying to hide its copyright string, which was actually a decent effort, but also was demonstrated to be futile. (still on delphibasics.info with full explanation)

It only protects against the most naive type of hackers. Anyway, plenty of those Grail examples available. I also tried to do such things 35-40 years ago......
For mathematicians: there is a proof that it cannot be done by the late but super famous prof. Marsaglia (known for random theory). Have to look up the paper for that, it was written for fun and teaching purposes.

Note there are such naive ways in the strutils unit. May be enough for you? xorencode, xordecode and xorstring
https://www.freepascal.org/docs-html/rtl/strutils/index-5.html Xor crypt is something every programmer has done...or in your case will do...

You can make it a bit more complex with any other two way cipher, but I would not spend too much time on it....
« Last Edit: February 22, 2020, 02:59:52 pm by Thaddy »
Specialize a type, not a var.

Thaddy

  • Hero Member
  • *****
  • Posts: 14204
  • Probably until I exterminate Putin.
Re: Securing a string against decompilation?
« Reply #5 on: February 22, 2020, 02:23:11 pm »
demo:
Code: Pascal
  {$mode delphi}{$H+}
  uses
    strutils;
  var
    s,k:ansistring;
  begin
    // hex text as produced by XorEncode('futile','PlaintextPassword')
    s:='361915000211030d00390d1615021b1b08';
    writeln('enter your password and press enter..');
    readln(k);
    // XorDecode(key, source): the key is typed in at run time, not stored
    s:=xordecode(k,s);
    writeln(s);
  end.
Password is 'futile' without quotes. See what happens... 8-)
Code: Bash
  enter your password and press enter..
  futile
  PlaintextPassword

This may be enough for you....but don't be naive....

« Last Edit: February 22, 2020, 02:27:04 pm by Thaddy »
Specialize a type, not a var.
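
Added example, not part of the thread or the posters' code: a release check in Python that scans a build artifact the way a file viewer or `strings` would, covering both the plaintext literal from the first post and the hex literal from the demo above. `SAMPLE_IMAGE` is a constructed stand-in for a compiled executable, and `audit` and `load_and_audit` are hypothetical helper names.

```python
import re

# Constructed stand-in for a compiled executable: filler bytes around the
# plaintext literal and the XorEncode hex literal from the thread.
SAMPLE_IMAGE = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(range(1, 32)) * 4
    + b"PlaintextPassword\x00" + b"\x00\x10\x8b\x45\xfc" * 6
    + b"361915000211030d00390d1615021b1b08\x00" + b"\xcc" * 16
)

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")      # what `strings` looks for
HEX_ONLY = re.compile(r"(?:[0-9a-fA-F]{2}){8,}")     # 8+ hex-encoded bytes

def printable_runs(image: bytes):
    """Yield (offset, text) for each run of 6 or more printable ASCII bytes."""
    for match in PRINTABLE_RUN.finditer(image):
        yield match.start(), match.group().decode("ascii")

def audit(image: bytes, known_secrets):
    """Return (kind, offset, text) for literals that survived into the build."""
    findings = []
    for offset, text in printable_runs(image):
        if any(secret in text for secret in known_secrets):
            findings.append(("plaintext-secret", offset, text))
        elif HEX_ONLY.fullmatch(text):
            findings.append(("hex-encoded-blob", offset, text))
    return findings

def load_and_audit(path: str, known_secrets):
    """Same check against a real build output (path supplied by the caller)."""
    with open(path, "rb") as handle:
        return audit(handle.read(), known_secrets)

if __name__ == "__main__":
    for kind, offset, text in audit(SAMPLE_IMAGE, ["PlaintextPassword"]):
        print(f"{kind:18} 0x{offset:04x} {text}")
```

A hit of either kind is a reason to move the secret out of the executable rather than to pick a different encoding.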

MarkMLl

  • Hero Member
  • *****
  • Posts: 6676
Re: Securing a string against decompilation?
« Reply #6 on: February 22, 2020, 02:45:07 pm »
> What you are asking for is finding the Holy Grail: it has never been done successfully. You can hide such a string a little bit but never - by definition - completely.

I agree. What's more, there are tools around that can look at a file or a block of memory and identify that it looks a bit more random than is usual so might be an encryption key.

* Don't ever put a plaintext key or password in a file.

* Don't ever send a plaintext key or password over a network.

* If you're temporarily manipulating a plaintext key or password, overwrite every temporary string with spaces before changing its length or letting it go outside scope.

If a user doesn't want to enter a password every time, then find out what "wallet" etc. he wants to use, and learn its API. Storing a hashed password is a bit better, but it will show up as an area of memory with different randomness ("entropy") from the rest and validating it needs care. See https://en.wikipedia.org/wiki/Challenge-Handshake_Authentication_Protocol#Working_cycle for something which might possibly help, allowing that "secret" in this context can equally well be a plaintext password (which you don't want to do, for reasons explained above) or a non-reversible hash of the password stored at both ends.

MarkMLl
MT+86 & Turbo Pascal v1 on CCP/M-86, multitasking with LAN & graphics in 128Kb.
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories
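
Added example, not from the thread: a sketch in Python of the challenge-response cycle linked in the post above, with a salted PBKDF2 hash as the shared secret and HMAC-SHA256 swapped in for CHAP's MD5. The names (`Authenticator`, `stored_secret`, `response_for`) and the passphrases are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def stored_secret(password: str, salt: bytes) -> bytes:
    """One-way hash of the password; this is what both ends keep on disk."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def response_for(secret: bytes, chal_id: str, nonce: bytes) -> bytes:
    """CHAP-style answer: a keyed hash over the challenge id and nonce."""
    return hmac.new(secret, chal_id.encode() + nonce, hashlib.sha256).digest()

class Authenticator:
    """Server side. Holds only the salted hash, never the password."""
    def __init__(self, salt: bytes, secret: bytes):
        self.salt, self.secret = salt, secret
        self.pending = {}  # challenge id -> nonce, each usable once

    def challenge(self):
        chal_id, nonce = secrets.token_hex(4), secrets.token_bytes(16)
        self.pending[chal_id] = nonce
        return chal_id, self.salt, nonce  # none of these is secret

    def verify(self, chal_id: str, response: bytes) -> bool:
        nonce = self.pending.pop(chal_id, None)  # consumed: a replay fails
        if nonce is None:
            return False
        expected = response_for(self.secret, chal_id, nonce)
        return hmac.compare_digest(expected, response)  # constant-time

def demo():
    salt = secrets.token_bytes(16)
    server = Authenticator(salt, stored_secret("constructed-passphrase", salt))
    # Client: the password is typed in, hashed locally, and only the
    # response crosses the network.
    chal_id, salt_in, nonce = server.challenge()
    answer = response_for(stored_secret("constructed-passphrase", salt_in),
                          chal_id, nonce)
    accepted = server.verify(chal_id, answer)
    replayed = server.verify(chal_id, answer)
    chal_id2, salt_in2, nonce2 = server.challenge()
    wrong = server.verify(chal_id2, response_for(
        stored_secret("wrong-guess", salt_in2), chal_id2, nonce2))
    return accepted, replayed, wrong

if __name__ == "__main__":
    print(demo())
```

The stored hash is itself the credential for this exchange, so it belongs in the user's "wallet" or OS keyring rather than in the executable.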

Thaddy

  • Hero Member
  • *****
  • Posts: 14204
  • Probably until I exterminate Putin.
Re: Securing a string against decompilation?
« Reply #7 on: February 22, 2020, 02:55:58 pm »
> [...] plaintext password (which you don't want to do, for reasons explained above) or a non-reversible hash of the password stored at both ends.
>
> MarkMLl

-  That's why we store (one way) hashes, not passwords
-  That's why we use two factor authentication

My example can be hacked in milliseconds, that is the point.

All this is a bit beyond OP's original question and knowledge.
(without being rude, we all tried this...)
« Last Edit: February 22, 2020, 02:59:01 pm by Thaddy »
Specialize a type, not a var.

440bx

  • Hero Member
  • *****
  • Posts: 3944
Re: Securing a string against decompilation?
« Reply #8 on: February 22, 2020, 02:57:05 pm »
Encryption is a funny thing... it reminds me of a true WWII story.

The Allies wanted to break the Nazis' Enigma machine and it proved to be very difficult. One thing that would be very helpful in figuring out the cypher would be to have a sample of plaintext and its encoded representation. Not something the Nazis were going to provide willingly.

Some smart cookie figured a solution and the Allies carried it out. They found a German town with a very long and unusual name. They bombed the cr*p out of it, left nothing standing. The Nazis got busy sending messages around that the Allies were bombing the town of "thewatchamacallittownwithalongname". Having encoded messages where it was known that one or more of them included that long piece of text was key to breaking the Enigma machine.

Creativity is more powerful than Mathematics. :)


« Last Edit: February 22, 2020, 02:59:30 pm by 440bx »
(FPC v3.0.4 and Lazarus 1.8.2) or (FPC v3.2.2 and Lazarus v3.2) on Windows 7 SP1 64bit.

Thaddy

  • Hero Member
  • *****
  • Posts: 14204
  • Probably until I exterminate Putin.
Re: Securing a string against decompilation?
« Reply #9 on: February 22, 2020, 02:58:23 pm »
So true, oh so true.... :) ;) :D O:-)
Specialize a type, not a var.

Thaddy

  • Hero Member
  • *****
  • Posts: 14204
  • Probably until I exterminate Putin.
Re: Securing a string against decompilation?
« Reply #10 on: February 22, 2020, 03:29:37 pm »
> If a user doesn't want to enter a password every time, then find out what "wallet" etc.

Oh Mark, I forgot to explain that a whole string can be done on just one byte, hence that is not completely valid... You need just one byte, nibble or even bit of memory location to en/decrypt.
Again, a bit beyond OP's question. Let's focus on the question at hand. Provided example. ::)
Specialize a type, not a var.

lucamar

  • Hero Member
  • *****
  • Posts: 4219
Re: Securing a string against decompilation?
« Reply #11 on: February 22, 2020, 03:37:32 pm »
> Some smart cookie figured a solution and the Allies carried it out [...]

Marian Rejewski and team, of the Polish Cipher Bureau. More (and quite interesting) info in Wikipedia: Cryptanalysis of the Enigma
Turbo Pascal 3 CP/M - Amstrad PCW 8256 (512 KB !!!) :P
Lazarus/FPC 2.0.8/3.0.4 & 2.0.12/3.2.0 - 32/64 bits on:
(K|L|X)Ubuntu 12..18, Windows XP, 7, 10 and various DOSes.

Thaddy

  • Hero Member
  • *****
  • Posts: 14204
  • Probably until I exterminate Putin.
Re: Securing a string against decompilation?
« Reply #12 on: February 22, 2020, 03:43:45 pm »
Yes. That is correct.

Leaves the matter of calling your variable str... https://www.freepascal.org/docs-html/rtl/system/str.html ....
(although that is not a deadly sin...)
Specialize a type, not a var.

MarkMLl

  • Hero Member
  • *****
  • Posts: 6676
Re: Securing a string against decompilation?
« Reply #13 on: February 22, 2020, 04:35:45 pm »
> encryption is a funny thing... it reminds me of a true WWII story.
> [...] The Nazis got busy sending messages around that the Allies were bombing town of "thewatchamacallittownwithalongname". Having encoded messages where it was known that one or more of them included that long piece of text was key to breaking the Enigma machine.

For some small value of "true". As somebody else has remarked, a lot was derived from the work of the Polish Cypher Bureau, but I believe that at various times during the war the RAF methodically knocked out a light ship with Bletchley expecting a recognisable warning to appear (I believe that the word in use was something like "leutonne").

MarkMLl
MT+86 & Turbo Pascal v1 on CCP/M-86, multitasking with LAN & graphics in 128Kb.
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories

winni

  • Hero Member
  • *****
  • Posts: 3197
Re: Securing a string against decompilation?
« Reply #14 on: February 22, 2020, 05:03:16 pm »
Leuchttonne (ger) = light buoy


 
