Recent

Author Topic: Securing a string against decompilation?  (Read 1797 times)

TheLastCayen

  • Jr. Member
  • **
  • Posts: 74
Re: Securing a string against decompilation?
« Reply #30 on: February 24, 2020, 12:07:10 am »
Like mentioned before, I can be wrong so no offense ;) I just tough that was a fun way of doing it;)

440bx

  • Hero Member
  • *****
  • Posts: 1821
Re: Securing a string against decompilation?
« Reply #31 on: February 24, 2020, 12:26:16 am »
I can be wrong so no offense
None taken.

;) I just tough that was a fun way of doing it;)
For fun... go for it!
FPC v3.0.4 and Lazarus 1.8.2 on Windows 7 64bit.

RAW

  • Hero Member
  • *****
  • Posts: 827
Re: Securing a string against decompilation?
« Reply #32 on: February 24, 2020, 03:45:17 am »
Of course there is a 100% way to protect your software! Every beginner can handle this ...

WRITE BAD SOFTWARE !!! EDIT:  :D
« Last Edit: March 07, 2020, 02:48:22 am by RAW »
Windows 7 Pro (x64 Sp1) And Windows XP Pro (x86 Sp3) - LAZARUS 2.0.8 FPC 3.0.4 - TRUNK 2.1.0 FPC 3.3.1
// This is polarity (hell) and hell is reigned by lies, nothing but lies. Be careful what you believe ...
// There are 10 types of people in this world, those who understand mind control and ...

krexon

  • Jr. Member
  • **
  • Posts: 72
Re: Securing a string against decompilation?
« Reply #33 on: February 24, 2020, 09:57:24 pm »
You can split password characters into multiple variables

winni

  • Hero Member
  • *****
  • Posts: 1338
Re: Securing a string against decompilation?
« Reply #34 on: February 24, 2020, 10:45:10 pm »
Hi!

There are a lot of properties which are stored as ASCII in your binary.

Use a hex editor to have a look at them.

With Linux you just use: strings MyBinary

A list with things like this appear:

Code: Text  [Select][+][-]
  1. TImage
  2. Image1
  3. OnMouseDown
  4. Image1MouseDown
  5. OnMouseMove
  6. Image1MouseMove OnMouseUp
  7. Image1MouseUp
  8. TBitBtn
  9. BitBtn1
  10. Left
  11. Height
  12. Width
  13. Caption
  14. Color
  15. BitBtn1Click
  16. TabOrder
  17. TBGRASpriteAnimation
  18.  

Chose one of them as password. Fetch the offset byte count.
Then you can look at this byte if the password matches.

Problem 1: If you add code to your app the offset byte changes

Problem 2: Everyone who knows how to work with a depiler will recognize this. Perhaps a little bit later than other solutions.


Winni

ASBzone

  • Sr. Member
  • ****
  • Posts: 346
  • Automation leads to relaxation...
    • BrainWaveCC Utilities
Re: Securing a string against decompilation?
« Reply #35 on: February 25, 2020, 05:02:40 am »
You can split password characters into multiple variables

Take some time to look at the reverse engineering of malware which uses advanced obfuscation techniques, to get a sense of the many ways in which critical code or content can be obfuscated, and yet how well these tactics can be uncovered.

https://sensorstechforum.com/advanced-obfuscation-techniques-malware/

https://www.vadesecure.com/en/malware-analysis-understanding-code-obfuscation-techniques/

-ASB: https://www.BrainWaveCC.com

Lazarus v2.0.9 r63081 / FPC v3.2.0-beta-r45317 (via FpcUpDeluxe) -- Windows 64-bit install w/32-bit cross-compile
Primary System: Windows 10 Pro x64, Version 1909 (Build 18363.778)
Other Systems: Windows 10 Pro x64, Version 1909 or greater

Mr.Madguy

  • Sr. Member
  • ****
  • Posts: 486
Re: Securing a string against decompilation?
« Reply #36 on: February 25, 2020, 10:41:56 am »
It's standard situation. There is no ideal lock. Every lock can be opened. Better lock just takes more time, more experience and better instruments to open it. So it's always about one question. Is it worth hacker's time and effort? Just use some sort of cipher. It will protect your password from naive hacking, i.e. will require decompilation and/or debugging. This will take away 90% of possible hackers. There are tools to make decompilation and debugging much harder. Such tools usually add extra code to make code logic understanding much harder. May be also some anti-debugging measures. Funny thing, but even simple custom anti-decompilation/debugging measures can be more effective, than standard ones, cuz standard ones can already be cracked and your custom tools will require some time to research. In this case it would take too much effort for hacker to crack your password, so he'll most likely give up.
« Last Edit: February 25, 2020, 11:12:20 am by Mr.Madguy »
DynamicData 3.0 is released!
Since now development is frozen - only optimization passes will be made at some point.
Lack of multiple inheritance turns it into abomination.

Thaddy

  • Hero Member
  • *****
  • Posts: 10098
Re: Securing a string against decompilation?
« Reply #37 on: February 25, 2020, 01:23:43 pm »
Stick to https://forum.lazarus.freepascal.org/index.php/topic,48627.msg350317.html#msg350317 if you are a beginner, it is good enough.
Learn to NEVER EVER do that professionally, you will look silly.

Hackers do not know a magic want, they know mathematics.
« Last Edit: February 25, 2020, 01:26:16 pm by Thaddy »
I am more like donkey than shrek

 

TinyPortal © 2005-2018