Is the only point of string encryption is to hide a hardcoded string from being scanned and found in memory/binaryfile? I dont see how string encryption works 100% of the time seems if any string that needs to be used will be stored in memory. For example, i can encrypt a string...then when i wanna use it i will decrypt it using my decrypt function....but in order for me to use it it must be stored in memory...therefore if the program happens to scan the stack segment/heap the moment i try to use me unencrypted string this it will be revealed correct?

more simply....

Does string encryption only work for hideing hardcoded strings? if u want to use ANY string no matter what it must be stored somewhere in memory before you can use it. Therefore Before doing any type of string processing it must be stored in memory and if this string happens to be decrypted at the time of a defense scanner does a string scan it will surely find the string correct

You do not necessarily have to decrypt a string to use it; it depends what you are using it for.

If your string is some kind of password, for example, then you don't need to decrypt it. You can simply encrypt the password the user submits and check that the two encrypted versions match. If a malicious user examines your code and gets a copy of the encrypted string, she still does not know what the decrypted string is so still does not know the password.

This allows you to store the encrypted passwords in the open, perhaps in a text file, and pass them around, making them much easier to use and change.

It's not without risk; see "Rainbow Tables". This can be alleviated by choosing sensible passwords.

And of course that other guy should have rights to read your memory block and access to the system in first place.

This article has been dead for over six months. Start a new discussion instead.