
Author Topic: Securing a string against decompilation?  (Read 4443 times)

MarkMLl

  • Hero Member
  • *****
  • Posts: 6676
Re: Securing a string against decompilation?
« Reply #15 on: February 22, 2020, 05:08:18 pm »
Quote
Leuchttone (ger) = light buoy

Thanks for that, I was working from memory.

MarkMLl
MT+86 & Turbo Pascal v1 on CCP/M-86, multitasking with LAN & graphics in 128Kb.
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories

jamie

  • Hero Member
  • *****
  • Posts: 6091
Re: Securing a string against decompilation?
« Reply #16 on: February 22, 2020, 05:11:00 pm »
I have a method I use and I would rather not spit out here how I do it because to date I have not seen where it has gotten broken and I've gotten lots of reports of those attempting to crack at least two of my apps.

I can say this however, each EXE file goes out personalized per user and requires an external app to prep it.
The only true wisdom is knowing you know nothing

Thaddy

  • Hero Member
  • *****
  • Posts: 14210
  • Probably until I exterminate Putin.
Re: Securing a string against decompilation?
« Reply #17 on: February 22, 2020, 05:12:32 pm »
Just as futile as my example....
Specialize a type, not a var.

Otto

  • Full Member
  • ***
  • Posts: 226
Re: Securing a string against decompilation?
« Reply #18 on: February 22, 2020, 05:19:24 pm »

@  jamie

Hello.

I would be very interested to know your solution.

Otto.
Kind regards.

Thaddy

  • Hero Member
  • *****
  • Posts: 14210
  • Probably until I exterminate Putin.
Re: Securing a string against decompilation?
« Reply #19 on: February 22, 2020, 07:04:25 pm »
I think Jamie has a smile on his face, because his solution is not very different.... 8-)
You get bonus points if you can hack my (very insecure, the easiest to hack) solution as presented in the example.
Old school ROTFL stuff... https://bhilburn.org/roflcopter-ascii-text/
Maybe I knew you all: https://gifimage.net/wp-content/uploads/2018/04/rotfl-gif-10.gif
« Last Edit: February 22, 2020, 07:23:10 pm by Thaddy »
Specialize a type, not a var.

440bx

  • Hero Member
  • *****
  • Posts: 3946
Re: Securing a string against decompilation?
« Reply #20 on: February 22, 2020, 07:32:43 pm »
Quote
For some small value of "true". As somebody else has remarked, a lot was derived from the work of the Polish Cypher Bureau, but I believe that at various times during the war the RAF methodically knocked out a light ship with Bletchley expecting a recognisable warning to appear (I believe that the word in use was something like "leutonne").

MarkMLl

Just in case, I didn't mean to imply that particular incident resulted in breaking the Enigma machine, though saying it was "key" does make it sound like that, which wasn't my intention. The Allies did take "unusual" actions to cause messages to likely have some words (plaintext), which definitely helped, but it is the efforts of many dedicated and brilliant people that got the job done.
(FPC v3.0.4 and Lazarus 1.8.2) or (FPC v3.2.2 and Lazarus v3.2) on Windows 7 SP1 64bit.

laznewb

  • New Member
  • *
  • Posts: 20
Re: Securing a string against decompilation?
« Reply #21 on: February 22, 2020, 08:06:44 pm »
Thanks everyone for your input, it's been a really interesting and educating thread to read.

jamie

  • Hero Member
  • *****
  • Posts: 6091
Re: Securing a string against decompilation?
« Reply #22 on: February 22, 2020, 11:53:29 pm »
Quote
Just as futile as my example....

Results speak louder than mud slinging.
The only true wisdom is knowing you know nothing

winni

  • Hero Member
  • *****
  • Posts: 3197
Re: Securing a string against decompilation?
« Reply #23 on: February 23, 2020, 12:15:15 am »
Hi!

So as everybody sees: resistance is futile. The Borgs took over.

So use obfuscation. Change your password to

enter your password and press enter

Winni
« Last Edit: February 23, 2020, 12:17:25 am by winni »

laznewb

  • New Member
  • *
  • Posts: 20
Re: Securing a string against decompilation?
« Reply #24 on: February 23, 2020, 01:19:48 am »
Quote
Hi!

So as everybody sees: resistance is futile. The Borgs took over.

So use obfuscation. Change your password to

enter your password and press enter

Winni

I think that's actually a really neat trick! Just change the password to another unassuming string!

TheLastCayen

  • Jr. Member
  • **
  • Posts: 81
Re: Securing a string against decompilation?
« Reply #25 on: February 23, 2020, 06:25:29 am »
I can be wrong but a funny thing you can do, instead of typing the string, you can use the location of the character from another text, then you encrypt it. For example, if you wrote your license in your about form, using a memo, you can spell your password with letters from that memo... I don't think this is 100% hacker proof but at least it can't be opened with a text file and it would need some extra work to hack.

Something like

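Code: Pascal
  uses base64, SysUtils;  // base64: EncodeStringBase64; SysUtils: zero-based Chars[] string helper
  ...
  // Spell the password from characters of the licence text in the About form's memo
  with fabout.Memo1 do
    password := EncodeStringBase64(Lines[1].Chars[1] + Lines[3].Chars[0] + Lines[0].Chars[5]);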

But don't forget, your password will change if you change your license ;)

Otto

  • Full Member
  • ***
  • Posts: 226
Re: Securing a string against decompilation?
« Reply #26 on: February 23, 2020, 08:56:09 am »
@ TheLastCayen
_____________

Hello TheLastCayen.

Are you referring to Steganography?

Otto.
« Last Edit: February 23, 2020, 09:08:05 am by Otto »
Kind regards.

Roland57

  • Sr. Member
  • ****
  • Posts: 421
    • msegui.net
Re: Securing a string against decompilation?
« Reply #27 on: February 23, 2020, 09:42:55 am »
Hello!

Interesting links:

https://forum.lazarus.freepascal.org/index.php/topic,36438.msg242909.html#msg242909
https://forum.lazarus.freepascal.org/index.php/topic,36438.msg242920.html#msg242920
https://forum.lazarus.freepascal.org/index.php/topic,33013.msg213192.html#msg213192

And my own humble contribution.  :)

Quote
Encrypt and decrypt a string using two tables.

The first table associates each possible value of a byte to a unique other value. The second table associates the second value to the first one.

The tables are generated by the program tablebuilder.pas.
My projects are on Gitlab and on Codeberg.
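
A sketch of the two-table scheme described in the quote above, as an added example (not Roland57's code and not tablebuilder.pas): the table is built here by a seeded shuffle, which is an assumption, and all names and sample values are constructed. Each byte always maps to the same output byte, so this keeps a string out of a hex viewer but repeated letters still repeat.

```pascal
program TwoTableDemo;
{$mode objfpc}{$H+}

type
  TByteTable = array[Byte] of Byte;

var
  EncTable, DecTable: TByteTable;

// Fill EncTable with a permutation of 0..255 (Fisher-Yates shuffle driven by
// Random, which is not a cryptographic generator), then invert it into DecTable.
procedure BuildTables(Seed: LongInt);
var
  i, j: Integer;
  Tmp: Byte;
begin
  for i := 0 to 255 do
    EncTable[i] := i;
  RandSeed := Seed;
  for i := 255 downto 1 do
  begin
    j := Random(i + 1);
    Tmp := EncTable[i]; EncTable[i] := EncTable[j]; EncTable[j] := Tmp;
  end;
  for i := 0 to 255 do
    DecTable[EncTable[i]] := i;
end;

// Map every byte of S through table T; use EncTable to hide, DecTable to reveal.
function Translate(const S: AnsiString; const T: TByteTable): AnsiString;
var
  i: Integer;
begin
  SetLength(Result, Length(S));
  for i := 1 to Length(S) do
    Result[i] := Chr(T[Ord(S[i])]);
end;

var
  Secret, Hidden: AnsiString;
begin
  BuildTables(20200223);                 // constructed seed
  Secret := 'license-check-passphrase';  // constructed sample value
  Hidden := Translate(Secret, EncTable);
  WriteLn('round trip ok: ', Translate(Hidden, DecTable) = Secret);
  // Positions 4 and 7 are both 'e' in the sample, so they stay equal once hidden.
  WriteLn('repeated letters still repeat: ', Hidden[4] = Hidden[7]);
end.
```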

TheLastCayen

  • Jr. Member
  • **
  • Posts: 81
Re: Securing a string against decompilation?
« Reply #28 on: February 23, 2020, 10:30:51 pm »
Hi Otto,

Not really. This is just a way I thought of to avoid using a plain text string... Instead, you use characters from another string in a different order... kind of an anagram... This idea is to make it harder to read when you decompile in assembler... The more jumps you do, the less attractive it is for a hacker to go through it... You can also be more creative and use a bunch of trims with some "space" characters... just to add extra work... and you can use a different series of addresses when you decrypt the string just to avoid repetition in your code... As long as the characters match... it becomes almost like a locker combination...

Everything can be hacked... when I build protections, I try to make it more costly to hack than the value of what I try to protect...

440bx

  • Hero Member
  • *****
  • Posts: 3946
Re: Securing a string against decompilation?
« Reply #29 on: February 23, 2020, 11:27:21 pm »
Quote
Everything can be hacked... when I build protections, I try to make it more costly to hack than the value of what I try to protect...

I don't want to be negative but... what you described is child's play to break, an exercise for newbies, hacking 0.001, the kid will graduate to a chocolate ice cream.

You'll spend a lot more time encoding and decoding and, who knows what else, than someone who knows what he's doing is going to spend breaking it.

Big companies, Adobe and Autodesk among others have protection mechanisms that are really difficult to break and they are routinely broken.  As I stated in the previous sentence, you'll spend more time building the protection than the hacker is going to spend breaking it.  Save your time.

If you don't want them to be readable in a hex file viewer, just use a simple xor algorithm like Thaddy suggested.  The point isn't to "protect" the strings, only to make them unreadable with the most trivial of tools.

For the record, it isn't my intention to criticize.
(FPC v3.0.4 and Lazarus 1.8.2) or (FPC v3.2.2 and Lazarus v3.2) on Windows 7 SP1 64bit.
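
The simple XOR approach mentioned in the post above, as an added example (not Thaddy's code, which is not on this page): a build-time helper that emits the hidden bytes as a Pascal constant, and the same routine decoding them at run time. The key, names and sample string are constructed; the key ships in the binary next to the data, so this only keeps the string out of a hex viewer.

```pascal
program XorConstDemo;
{$mode objfpc}{$H+}
uses
  SysUtils;

const
  Key: array[0..3] of Byte = ($5A, $C3, $17, $9E);  // constructed key

// XOR every byte with the repeating key; the same call hides and reveals.
function XorBytes(const S: AnsiString): AnsiString;
var
  i: Integer;
begin
  SetLength(Result, Length(S));
  for i := 1 to Length(S) do
    Result[i] := Chr(Ord(S[i]) xor Key[(i - 1) mod Length(Key)]);
end;

// Build-time helper: format the hidden bytes as a constant declaration that
// can be pasted into the application instead of the plain string literal.
function AsPascalConst(const Name, Hidden: AnsiString): AnsiString;
var
  i: Integer;
begin
  Result := Format('const %s: array[0..%d] of Byte = (',
                   [Name, Length(Hidden) - 1]);
  for i := 1 to Length(Hidden) do
  begin
    if i > 1 then
      Result := Result + ', ';
    Result := Result + '$' + IntToHex(LongInt(Ord(Hidden[i])), 2);
  end;
  Result := Result + ');';
end;

var
  Hidden: AnsiString;
begin
  // The plain literal appears only in this build tool, never in the shipped app.
  Hidden := XorBytes('enter your password');  // constructed sample string
  WriteLn(AsPascalConst('HiddenPrompt', Hidden));
  WriteLn('decoded at run time: ', XorBytes(Hidden));
end.
```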

 
