Looking for the easiest way to hide char* from reverse engineer. Doesn't have to be strong encryption, but something simple. It has to happen in header, and here is my code:
#pragma once
const char * pw = "test";
#define PASS pw;
where PASS is used in the source.
I already tried reverse string and hex to text and vice versa but didn't succeed. Someone please post some easy solution for this.
Edit: This is just an example. The user will not input anything, I only have to hide a char pointer from debugger. What is the best way to do that?
The standard way would be to store only the hash of your string (computed offline and outside the code) in the code and to hash any user input with which you want to compare it during runtime and then compare the hashes instead of the plain passwords
You could store the XOR value of the password, and then XOR the user input to compare. Refer to this answer for the code.
Then the problem becomes someone can run a debugger or dis-assembler to reveal what your program is doing when it checks the password.
Related
I have been wondering quite a bit on String functions such as replace().
My objective is simple. I have a logger, that logs strings into a text file, that contains passwords which needs to be masked before writing it to the log file.
For example:
str = "-field_value=userId=1,-field_value=password=pass123,-field_value=location=London,-field_value=day=Tuesday,-field_value=emailPassword=pass123,-field_value=fbPassword=pass1234";
Which approach would be the best in this case? The string may or may not end with any password "field_value".
I need to mask all the occurring "Passwords" with their exact length, in this string to get the following output:
str = "-field_value=userId=1,-field_value=password=*******,-field_value=location=London,-field_value=day=Tuesday,-field_value=emailPassword=*******,-field_value=fbPassword=********";
Which would be a more suitable option to use? Normal string handling (using substrings/replaceAll/indexOf) or StringBuilder functions?
Also, how effective is using Regular Expressions in this case? I've never used Regex extensively, so I have little idea on using it for this scenario.
I assume this is C#, but this answer is valid for many other languages.
You must not have passwords in clear text. Just now you do. So that is a huge security concern and it doesn't matter if you put "*" instead of the password. It is there in memory and little skill is needed to extract passwords from memory (given attacker has access to the machine).
A standard approach is that you only store password hash and salt. Now the problem would be how do you convert a password into the hash and how do you securely dispose original password. For this purpose you should use SecureString which encrypts the password string in memory and securely removes it from memory when it is no longer needed.
To give a direct answer to your question: you do not use any approach to replace a password character with a star. Any approach in this case is insecure.
I used String.replaceAll(regex, replace) method, to search for password or emailPassword etc and did the masking. Not sure, if that's the most ideal method to do the masking in this case.
I am in high school and it is mandatory to use Turbo C++ compiler, I know it is a very old compiler but please understand my situation.
So I was writing a code on a employee database. The code snippet:
userdb user;
fstream fil;
while(fil.read((char*)&user,sizeof(userdb)))
{
cout<<user.name;
cout<<user.pass;
cout<<user.age;
cout<<user.address;
}
fil.close();
Now the problem is that if a user doesn't have his address inputted in the database, the compiler displays garbage.
How can I check if a value has nothing(garbage) so as to not print it on the screen?
(I have tried address[0]='\0' and strcmp("",address)==0 and this is not working)
Empty field does not mean anything in this context. Indeed, you are reading N bytes from a file, storing them into memory. You tell the computer to interpret this portion of memory as a string. There's nothing to be done to know whether the field is empty or not.
Your best bet, would be to look at this memory, and to try to guess whether is looks like an actual address or not.
Maybe first could you look at whether this address string, stored into a character array of a fixed size, has a termination character in it. If not, you could guess that it is invalid, and possibly add this termination character at the end of the character array.
I am making a RPG game in C++ and DirectX.
I store all the data for the game in .txt files and read/write it using `ifstream/ofstream. this has worked well for me so far when talking about creature stats and I have a hack together for creature names but this is becoming a problem.
I can store strings in the txt file and read them but I am having trouble using them. for single words I have a hack but now I am up to the story line where characters are talking to each other it is a real problem.
I asked on gamedevelopment.stackexchange how to put text on screen and was told to use D3Dtext but that only accepts C-style strings and I can only read C++ strings from the text file. This is such a big problem now that I am willing to go back and re-factor what need sit as no progress can be made until this is sorted.
So now I have a bunch of questions and I dont know which to ask first:
I want a way to draw the letters like graphics. I was told this is what D3Dtext does but I want to implement it my self if I can I just need info on how if someone knows?
If I am to use D3Dtext like so called experts advise I have to use C-style strings. so how can I convert C-style strings to C++ strings? I have a method now but that requires the new and delete operator for every string and I can see the being a big problem as it grows in complexity?
Is there a way to read C-style strings? Maybe a replacement for ifstream. I would like to keep the txt files as I really dont want to use xml but I could change the file format if it was a viable solution?
Premature optimisation I know but I plan to use the same function for every piece of text in the game so what would be a good way of doing this in terms of speed (why I dont want new/delete for every string)?
I am happy to provide any information that would be needed to help me, just ask.
std::string mystr = "Hello World.";
mystr.c_str(); // gets a null terminated const char* C-style string
Read your file as you are currently doing then if you need to access the c strings as above.
You can convert freely between C-style strings and C++'s std::string. Just use my_cpp_string.c_str() to get the C-string representation of a C++ string, and std::string my_cpp_string(my_c_string) to initialize a new std::string from a C-style string.
2) Use the c_str() method to pass your C++ strings to D3Dtext
some_D3Dtext_function(some_text.c_str())
3 and 4 then become non-issues.
I've been working with this for about 2 days now. I'm stuck, with a rather simple annoyance, but I'm not capable of solving it.
My programs basicly recieves a TCP connection from a PHP script. And the message which is send is stored in char buffer[1024];.
Okay this buffer variable contains an unique key, which is being compared to a char key[1024] = "supersecretkey123";
The problem itself is that these two does not equal - no matter what I do.
I've been printing the buffer and key variable out just above eachother and by the look they are 100% identical. However my equalisation test still fails.
if(key == buffer) { // do some thing here etc }
So then I started searching the internet for some information on what could be wrong. I later realized that it might be some escape characters annoying me. But I'm not capable of printing them, removing them or even making sure they are there. So that's why I'm stuck - out of ideas on how to make these equal when the buffer variable matches the key variable.
Well the key does not chance, unless the declaration of the key is modified manually. The program itself is recieving the information and sending back information "correctly".
Thanks.
If you're using null terminated strings use proper api - strcmp and its variants.
Additionally size in declaration char key[1024] = "supersecretkey123"; is not needed - either compiler will reduced it or stack/heap memory will be wasted.
If you are using C++ use std::string instead of char []. You cannot compare two char [] in way you try to do this (they are pointers to memory), but it's possible with std::string.
If it's somehow mandatory to use char[] in your case, use strcmp.
Try with if(!strncmp(key,buffer,1024)). See this reference on strncmp.
I know how to compile C and C++ Source files using GCC and CC in the terminal, however i would like to know if its safe to include passwords in these files, once compiled.
For example.. i check user input for a certain password e.g 123, but it appears compiled C/C++ programs is possible to be decompiled.
Is there anyway to compile a C/C++ source file, while keeping the source completely hidden..
If not, could anyone provide a small example of encrypting the input, then checking against the password e.g: (SHA1, MD5)
No you can't securely include password in your source file. Strings in executable file are in plain text, anyone with a text editor can easily look at your password.
A not so secure, but would trample some people, is to store the encrypted string instead. So, basically:
enc = "03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4"
bool check() {
pass = getPassFromUser();
encpass = myHashingFunction(pass);
return pass == encpass;
}
this will deter some people, but isn't really much more secure, it is relatively trivial for assembly hacker to replace the 'enc' string in your executable with another sha256-encoded string with a known cleartext value.
Even if you use a separate authentication server, it is not difficult to setup a bogus authentication server and fool your program connect to this bogus authentication server.
Even if you use SHA1 to generate a hash it is not really all that safe if you do it in a normal way (write a function to check a password) any determined or knowledgable hacker given access to the executable will be able to get around it (replace your hash with a known hash or just replace the checkPassword() call with a call that returns true.
The question is who are you trying to protect against? Your little brother, a hacker, international spies, industrial espionage?
Using SHA1 with the hash just contained within in the code (or a config file) will only protect against you little brother? (read casual computer users that can't be bothered to try and hack your program instead of paying the share ware price). In this case using plain text password or a SHA1 hash makes little difference (maybe a couple of percent more people will not bother).
If you want to make your code safe against anything else then you will need to do a lot more. A book on security is a good starting point but the only real way to do this is to take a security class where protection techniques are taught. This is a very specialized field and rolling your own version is likely to be counter productive and give you no real protection (using a hash is only the first step).
It is not recommended to keep any sensitive static data inside code. You can use configuration files for that. There you can store whatever you like.
But if you really want to do that first remember that the code can be easily changed by investigating with a debugger and modifying it. Only programs that user doesn't have access to can be considered safer (web sites for example).
The majority of login passwords (of different sites) are not stored in clear in the database but encrypted with algorithms MD5, SHA1, Blowfish etc.
I'd suggest you use one of these algorithms from OpenSSL library.
What I would do is using some public-key cryptographic algorithm. This will probably take a little longer to be cracked because in my opinion there is nothing 100% sure when talking about software protection.
It's not safe if you store them as plain text, you can just dump the file or use a utility like strings to find text in the executable.
You will have to encode them in some manner.
Here is a code sample that might help you, using OpenSSL.
#include <openssl/evp.h>
bool SHA256Hash(const char* buf, size_t buflen, char* res, size_t reslen)
{
if (reslen >= 32)
{
EVP_MD_CTX mdctx;
EVP_MD_CTX_init(&mdctx);
EVP_DigestInit_ex(&mdctx, EVP_sha256(), NULL);
EVP_DigestUpdate(&mdctx, buf, buflen);
EVP_DigestFinal_ex(&mdctx, res, &len);
EVP_MD_CTX_cleanup(&mdctx);
return (len == 32);
}
return false;
}
I took this sample from the systools library and had to adapt it. So i'm not sure it compiles without modifications. However, it should help you.
Please note that, to determine if storing a hash value of some password in your binary is safe, we must know what you want it for.
If you expect it to forbid some functionalities of your program unless some special password is given, then it is useless: an attacker is likely to remove the whole password-check code instead of trying to guess or reverse the stored password.
Try finding out Hashing Functions and Ciphering Methods for securing your passwords and their storage.