Hi all,
first thread in here.
I usually don't open my executables with any sort of editor, but for the sake of curiosity I've tried opening one. And what I've found is not that funny: I've found myself able to edit every kind of string. Of course you have not to malform the strings too much, but that's it.
How to avoid this? The first idea I've thought about was to split my strings up and merge them all at runtime, but this isn't of course convenient nor quick.
Do you have an idea on this?

You could obscure the strings by changing the value of their characters.

Is that the only way to go? It sounds pretty unconvenient. Could you post a snippet, please?

>> Is that the only way to go?
I have no idea. I've never had the need.

string[offset] -= 1;

It appears there's no easy solution for this, as I don't want any internet connection or such methods. Hashes become useless for the program itself, though they remain still the last tool for the end user to check the validity of the program.
Anyone can think of a workaround?

I've seen the so-called obfuscators (google "C++ obfuscator") but I can't speak to their validity or effectiveness. A few I saw changed strings to their hex equivalent, but that will only get you so far.

Is there a connection string you don't want your end users to see? I think the nature of the data will define how it can best be hidden.

Comments
Good answer.

>How to avoid this?
Let's start by asking why you want to do it. I can think of a few reasons to obfuscate the executable, and for the most part those reasons are either paranoid and ineffective, or easily avoided with proper design.

I've seen the so-called obfuscators (google "C++ obfuscator") but I can't speak to their validity or effectiveness. A few I saw changed strings to their hex equivalent, but that will only get you so far.

Is there a connection string you don't want your end users to see? I think the nature of the data will define how it can best be hidden.

Hi jonsca,
the hex conversion seems to be the easist way to prevent noobs from touching the actual strings, you are right.
I would like to hide strings containing the general usage of the program, hints, and other things.

>How to avoid this?
Let's start by asking why you want to do it. I can think of a few reasons to obfuscate the executable, and for the most part those reasons are either paranoid and ineffective, or easily avoided with proper design.

Hi Narue,
with all due respect, I think your reply is not helpful. The reason I want to hide my strings is something you should not consider. The reasons can be paranoid, ineffective, stupid, ridiculous or what else, that's *not* the point. :)

>The reason I want to hide my strings is something you should not consider.
Then I won't consider helping you. Bye.

>The reasons can be paranoid, ineffective, stupid, ridiculous or what else, that's *not* the point.
The reason can be anything, but there must be a reason. If it turns out that your reason is stupid and you don't realize it, I can help you understand and save you a lot of wasted time.

Hi Narue,

>The reason I want to hide my strings is something you should not consider.
Then I won't consider helping you. Bye.

Can't you troll other threads, please?

>The reasons can be paranoid, ineffective, stupid, ridiculous or what else, that's *not* the point.
The reason can be anything, but there must be a reason. If it turns out that your reason is stupid and you don't realize it, I can help you understand and save you a lot of wasted time.

I have already stated that I don't want others to edit my strings, as this is something anyone can do by just opening the executable with an editor.

To the OP,

How can responding to help in such a way (and it WAS help, it wasn't trolling) possibly get you closer to the answer, which presumably is what you are looking for?

There are twenty million ways of writing any program. HOW you write it depends on WHAT you are trying to accomplish and WHY.

As to the HOW, since you're unwilling to elaborate more on WHAT and WHY, a couple of generic answers:

  1. Don't store the real strings. Encrypt them, stick the encrypted strings in the raw code, then have a decryption function that decrypts them.
  2. Store the real strings, but store a bunch of fake ones that have no purpose so people get confused.
  3. Your method depends on who is trying to break this. The NSA or some 13 year old?

But back to the larger issue. You'll get way more help if you don't flame people like Narue, whether you think she deserved it or not. If you had simply answered her questions, you probably would have gotten a good response from her.

I don't want others to edit my strings. It appears there's no easy solution for this, as I don't want any internet connection or such methods

Here's one (stand alone, without network etc.) way to do it; this might help to get you started. It assumes that all you are seeking is 'security through obscurity' (steganography), rather than cryptography proper.

the hex conversion seems to be the easist way to prevent noobs from touching the actual strings

Yes. Other than by using cryptographic techniques, you cannot stop a determined expert hacker.

a. Create a header file with declarations of identifiers for string literals to be used in the program; for example mystrings.h

extern const char* const url ;
extern const char* const message ;
// ...

b. Create a text file containing the string literals. The example assumes that these literals start with the char sequence (" and end with ") . For brevity, it is assumed that these char sequences are not present anywhere else (in comments, in quoted strings, etc.). For example, mystrings.p

#include "mystrings.h"

const char* const url = ("http://www2.research.att.com/~bs/C++0xFAQ.html") ;

const char* const message = ("hello world!") ;

// ...

c. Write a program to read such a file and generate a C++ file containing equivalent obfuscated strings. Again, for brevity, all error handling is elided and a toy obfuscation algorithm is used. obfuscate.cc

#include <iostream>
#include <fstream>
#include <string>
#include <sstream>

std::string obfuscate( const std::string& str )
{
    std::ostringstream stm(str) ;
    stm << std::hex ;
    for( std::string::size_type i = 0 ; i < str.size() ; ++i )
         stm << int(str[i]) + i*i*i << ' ' ;
    return stm.str() ;
}

int main( int argc, char** argv )
{
    std::ifstream fin( argv[1] ) ;
    std::ofstream fout( argv[2] ) ;
    std::string line ;
    while( std::getline( fin, line ) )
    {
        std::string::size_type a = line.find( "(\"" ) ;
        std::string::size_type b = line.rfind( "\")" ) ;
        if( ( a != std::string::npos ) && ( b != std::string::npos ) )
        {
            line = line.substr( 0, a+2 ) +
                   obfuscate( std::string( line.begin()+a+2, line.begin()+b ) ) +
                   line.substr(b) ;
        }
        fout << line << '\n' ;
    }
}

d. Compile and run the program to generate the C++ file containing obfuscated strings.
> g++ -Wall -std=c++98 -pedantic -Werror -oobfuscate obfuscate.cc
> ./obfuscate mystrings.p mystrings.cc
> cat mystrings.cc
#include "mystrings.h"

const char* const url = ("68 75 7c 8b 7a ac 107 1ce 277 350 41a 561 732 8fa b2b d94 1061 13a3 172b 1b33 1f6e 248e 2a0c 2ffb 362e 3d6c 4517 4d50 55ef 5fc3 69da 74d2 802f 8ca4 99b3 a7a6 b670 c655 d69e e7f8 fa51 10d67 121d0 13707 14d2d 16461 ") ;

const char* const message = ("68 66 74 87 af 9d 14f 1c6 272 345 44c 554 ") ;

// ...

e. In the program, write a function to unobfuscate a given string, include the header and use the function to unobfuscate the strings in the program binary. Compile and link the program with the generated C++ file containing obfuscated strings. For example, myprogram.cc

#include <iostream>
#include <string>
#include <sstream>
#include "mystrings.h"

std::string unobfuscate( const std::string& str )
{
    std::istringstream stm(str) ;
    stm >> std::hex ;
    std::string result ;
    int i = 0 ;
    int ch ;
    while( stm >> ch )
    {
        result += char( ch - i*i*i ) ;
        ++i ;
    }
    return result ;
}

int main()
{
    std::cout << "url: " << unobfuscate(url) << '\n'
              << "message: " << unobfuscate(message) << '\n' ;
}

> g++ -Wall -std=c++98 -pedantic -Werror -omyprogram myprogram.cc mystrings.cc
> ./myprogram
url: http://www2.research.att.com/~bs/C++0xFAQ.html
message: hello world!

f. To make it easy to do this repeatedly, write a make file to automate these steps.

Comments
Above and beyond the call of duty
Valued answer.

To the OP,

How can responding to help in such a way (and it WAS help, it wasn't trolling) possibly get you closer to the answer, which presumably is what you are looking for?

How can responding in such a way (Then I won't consider helping you. Bye.) possibly get me closer to the answer, which presumably is what I am looking for? I call it trolling, but you can call it help, I really don't care about your idea of "help".

There are twenty million ways of writing any program. HOW you write it depends on WHAT you are trying to accomplish and WHY.

Isn't it simple? I want to hide some of my strings, no matter I'm writing the next big OS or a fancy hello world program, as I'd like to prevent mostly noobs to edit them.

As to the HOW, since you're unwilling to elaborate more on WHAT and WHY, a couple of generic answers:

  1. Don't store the real strings. Encrypt them, stick the encrypted strings in the raw code, then have a decryption function that decrypts them.
  2. Store the real strings, but store a bunch of fake ones that have no purpose so people get confused.
  3. Your method depends on who is trying to break this. The NSA or some 13 year old?

This is what I call "help". Thank you for your input.

But back to the larger issue. You'll get way more help if you don't flame people like Narue, whether you think she deserved it or not. If you had simply answered her questions, you probably would have gotten a good response from her.

I don't think I have flamed anyone, VernonDozier. I don't answer questions I consider useless for the subject matter.

Here's one (stand alone, without network etc.) way to do it; this might help to get you started. It assumes that all you are seeking is 'security through obscurity' (steganography), rather than cryptography proper.


Yes. Other than by using cryptographic techniques, you cannot stop a determined expert hacker.

a. Create a header file with declarations of identifiers for string literals to be used in the program; for example mystrings.h

extern const char* const url ;
extern const char* const message ;
// ...

b. Create a text file containing the string literals. The example assumes that these literals start with the char sequence (" and end with ") . For brevity, it is assumed that these char sequences are not present anywhere else (in comments, in quoted strings, etc.). For example, mystrings.p

#include "mystrings.h"

const char* const url = ("http://www2.research.att.com/~bs/C++0xFAQ.html") ;

const char* const message = ("hello world!") ;

// ...

c. Write a program to read such a file and generate a C++ file containing equivalent obfuscated strings. Again, for brevity, all error handling is elided and a toy obfuscation algorithm is used. obfuscate.cc

#include <iostream>
#include <fstream>
#include <string>
#include <sstream>

std::string obfuscate( const std::string& str )
{
    std::ostringstream stm(str) ;
    stm << std::hex ;
    for( std::string::size_type i = 0 ; i < str.size() ; ++i )
         stm << int(str[i]) + i*i*i << ' ' ;
    return stm.str() ;
}

int main( int argc, char** argv )
{
    std::ifstream fin( argv[1] ) ;
    std::ofstream fout( argv[2] ) ;
    std::string line ;
    while( std::getline( fin, line ) )
    {
        std::string::size_type a = line.find( "(\"" ) ;
        std::string::size_type b = line.rfind( "\")" ) ;
        if( ( a != std::string::npos ) && ( b != std::string::npos ) )
        {
            line = line.substr( 0, a+2 ) +
                   obfuscate( std::string( line.begin()+a+2, line.begin()+b ) ) +
                   line.substr(b) ;
        }
        fout << line << '\n' ;
    }
}

d. Compile and run the program to generate the C++ file containing obfuscated strings.
> g++ -Wall -std=c++98 -pedantic -Werror -oobfuscate obfuscate.cc
> ./obfuscate mystrings.p mystrings.cc
> cat mystrings.cc
#include "mystrings.h"

const char* const url = ("68 75 7c 8b 7a ac 107 1ce 277 350 41a 561 732 8fa b2b d94 1061 13a3 172b 1b33 1f6e 248e 2a0c 2ffb 362e 3d6c 4517 4d50 55ef 5fc3 69da 74d2 802f 8ca4 99b3 a7a6 b670 c655 d69e e7f8 fa51 10d67 121d0 13707 14d2d 16461 ") ;

const char* const message = ("68 66 74 87 af 9d 14f 1c6 272 345 44c 554 ") ;

// ...

e. In the program, write a function to unobfuscate a given string, include the header and use the function to unobfuscate the strings in the program binary. Compile and link the program with the generated C++ file containing obfuscated strings. For example, myprogram.cc

#include <iostream>
#include <string>
#include <sstream>
#include "mystrings.h"

std::string unobfuscate( const std::string& str )
{
    std::istringstream stm(str) ;
    stm >> std::hex ;
    std::string result ;
    int i = 0 ;
    int ch ;
    while( stm >> ch )
    {
        result += char( ch - i*i*i ) ;
        ++i ;
    }
    return result ;
}

int main()
{
    std::cout << "url: " << unobfuscate(url) << '\n'
              << "message: " << unobfuscate(message) << '\n' ;
}

> g++ -Wall -std=c++98 -pedantic -Werror -omyprogram myprogram.cc mystrings.cc
> ./myprogram
url: http://www2.research.att.com/~bs/C++0xFAQ.html
message: hello world!

f. To make it easy to do this repeatedly, write a make file to automate these steps.

Hi vijayan121,
thank you very much. You've been very complete. Thanks for your time.

fstream or istream seem to me unsecure coz another can see where it used inside .exe
better use createfile..readfile.. any system("...") unsecure..
and obfuscate good for app "hello word" and against 13 y.o. kids better use MD5 custom or create ur own .. and last thing unhided string is not so bad.. coz the biggest problem is Revers Engineers.. (assembly language can learn even 13 y.o. after 3-5 month he can be pro.. coz assembly language is easy learn.. not like c /c++
so ur "heloo world" app can be reversed and u out of the game ... if u dont know how to hide string so u will not understand how to make app more secure from hackers.. r.a.

Really guys you don't need to hide your strings very often. Encryption is meant to hide data at rest, not something meant to run in a program on strings which are typically used for prompts. Ultimately if somebody is in a position to reverse your exe, then even if you do crypt the strings somebody with enough experience to do reversing will ultimately just step through your code until he finds the crypto functions, and the keys you used to crypt the strings. Any strings that should be crypted should be kept in a secure container like a database, or a cypered file. If you are intersted in crypting your exe, then you should probably look into finding something that obfuscates, or crypts the entire executable. Just understand that ultimately all executables are reversable with enough effort. The only things that are not reversable are operations which take place on a company server because they can be controlled.

Edited 1 Year Ago by overwraith

This question has already been answered. Start a new discussion instead.