c++securityobfuscationreverse-engineeringdefensive-programming

How to hide strings in a exe or a dll?


I discovered that it is possible to extract the hard-coded strings from a binary.
For example the properties view of Process Explorer displays all the string with more than 3 characters.

Here is the code of a simple executable that I wrote to simply test it:

#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0501
#endif
#include <stdio.h>
#include <tchar.h>
#include <Windows.h>

int _tmain(int argc, _TCHAR* argv[])
{
    _TCHAR* hiddenString1 =_T("4537774B-CC80-4eda-B3E4-7A9EE77991F5");
    _TCHAR* hiddenString2 =_T("hidden_password_or_whatever");
    for (int i= 0; i<argc; i++) {
        if (0 == _tcscmp(argv[i],hiddenString1)) {
            _tprintf (_T("The guid argument is correct.\n")); }
        else if (0 == _tcscmp(argv[i],hiddenString2)) {
            _tprintf (_T("Do something here.\n")); }
    }

    _tprintf (_T("This is a visible string.\n"));
    //Keep Running
    Sleep(60000);
    return 0;
}

The strings can clearly be extracted from the corresponding executable:
alt text

I think that it is a little too easy to find the strings.

My questions are:

  1. How to simply hide hiddenString1 or hiddenString2 in the executable?
  2. Is there a more secure way to use "cheat code" than with some obscure hidden input?

Solution

  • Welcome to the wider world of defensive programming.

    There are a couple of options, but I believe all of them depend on some form of obfuscation; which, although not perfect, is at least something.

    1. Instead of a straight string value you can store the text in some other binary form (hex?).

    2. You can encrypt the strings that are stored in your app, then decrypt them at run time.

    3. You can split them across various points in your code, and reconstitute later.

    Or some combination thereof.

    Bear in mind, that some attacks go further than looking at the actual binary. Sometimes they will investigate the memory address space of the program while it's running. MS came up with something called a SecureString in .Net 2.0. The purpose being to keep the strings encrypted while the app is running.

    A fourth idea is to not store the string in the app itself, but rather rely on a validation code to be submitted to a server you control. On the server you can verify if it's a legit "cheat code" or not.