Board index » delphi » How to hide internal strings from prying eyes?

How to hide internal strings from prying eyes?

I created a small application that lauches an external program if the
user enters the correct password - I simply compare the user's entry
with an internal string value. I was unpleasantly surprised to open the
single .exe file composing the program with the MS-DOS text editor and
see all my stings lined up neatly together near the bottom of the file
(surrounded by lots of binary garbage of course).

Does anyone have a suggestion about how to easily get around this? I
guess I could break the "password" up into several smaller strings and
throw in a few fake ones, but that still seems to be only delaying the
inevitable. Any helpfull ideas or experience would be appreciated.

---
Dave

 

Re:How to hide internal strings from prying eyes?


Quote
>Does anyone have a suggestion about how to easily get around this?

Yes, store the encrypted form of the password in the program.  When
the user enters their password, you encrypt it and compare the two.

Here's a simple encryption function I got off the Delphi web site:

function Encrypt(const S: String; Key: Longint): String;

const
  C1 = 52845;
  C2 = 22719;

var  I: byte;

begin
  Result := S;
  for I := 1 to Length(S) do
    begin
      Result[I] := char(byte(S[I]) xor (Key shr 8));
      Key := (byte(Result[I]) + Key) * C1 + C2;
    end;
end;

I have a simple program that encrypts and decrypts if you want to see
it.  

Re:How to hide internal strings from prying eyes?


Encryption is the solution:  but if your encryption algorithm is reversible,
the encrypted form of your password will be reversible too!  So, anyone with
your EXE could (theoretically) find out the password.

The trick in a case like this is to use a "one-way" encryption algorithm.
This means that tyou only use an encryption function - no decryption
function is necessary.  The function should convert the password to some
string, but there should be NO WAY to convert the string back to the
password.  Win95 uses this technique to store each user's password in a PWL
file in the windows directory.

All you have to do then, is determine what the encrypted form of your
pssword is, and store this in your EXE.  When the user enters his password,
simply encrypt it and compare it to the stored string.

What is important to note here - is the variety of issues involved in
cryptology - in other words, "how safe is your password?".  If you're
developing a very security-sensisitve application, I'd read up a bit on the
basic principles of cryptology to ensure I employ "transposition" and
"permutation" in my encryption function.  (You should at least find out more
about these two principles)

Good luck.  If you have any further questions, email me or post!

Digit

Quote
Dave Watt wrote in message <35AE9C41.7...@unixg.ubc.ca>...
>I created a small application that lauches an external program if the
>user enters the correct password - I simply compare the user's entry
>with an internal string value. I was unpleasantly surprised to open the
>single .exe file composing the program with the MS-DOS text editor and
>see all my stings lined up neatly together near the bottom of the file
>(surrounded by lots of binary garbage of course).

>Does anyone have a suggestion about how to easily get around this? I
>guess I could break the "password" up into several smaller strings and
>throw in a few fake ones, but that still seems to be only delaying the
>inevitable. Any helpfull ideas or experience would be appreciated.

>---
>Dave

Re:How to hide internal strings from prying eyes?


On Fri, 17 Jul 1998 02:04:25 GMT, jwel...@mindspring.com wrote the
magic words:

Quote
>>Does anyone have a suggestion about how to easily get around this?
>Yes, store the encrypted form of the password in the program.  When
>the user enters their password, you encrypt it and compare the two.
>Here's a simple encryption function I got off the Delphi web site:

>function Encrypt(const S: String; Key: Longint): String;

<snip>

The idea is good. Only I wouldn't use a XOR algorithm. It can easily
be broken (unless it's a one time pad - i know, no fups please). I
would suggest a SHA component. This makes a hash of your password. And
a hash cannot be decrypted. Look at the delphi super page for a sha
component.

And even when you do it like this, a decent hacker can hack your
program without much effort. They decompile your exe and look for
certain comparison routines and patch them...

Anyway, good luck with protecting your app.

Phranc
--
=================
The optimist thinks this is the best of all possible worlds.
The pessimist fears it is true.
=================

http://huizen.dds.nl/~phranc/

Re:How to hide internal strings from prying eyes?


Also...

Placing the encrypted string(s) in a system/hidden external database
provides one extra layer of protection from prying eyes.  Plus, if
you encrypt the name of the database file within your program AND
explicitly load the database at runtime, you should be in good shape.

Good luck,
-Jim Rofkar.

Re:How to hide internal strings from prying eyes?


yep - compute a hash value for the password and store that.
when you read in the password, hash it and compare with the
stored hash value. if it matches, there's a good chance the
user typed the right password. it is virtually impossible to
reverse-engineer a hash value to make a string which gives
the right value, at least it is if you use a good hash function.

you might try crc-32, which is simpla and quite
secure. this url is a zip of a load of crc16/32 bits :
http://infomaster.net/external/efg/Mathematics/CRCDelphi.ZIP

if you want something a little stronger, try md5, this is a real
industrial-strength hash algorithm (specified in rfc 1321!), which
will give you more security:
http://advicom.net/~gnome/MD5Pas/MD5pas.zip

rfcs themselves, incidentally, can be got from:
http://andrew2.andrew.cmu.edu/rfc/rfc-front.html

In article <35AE9C41.7...@unixg.ubc.ca>

Quote
Dave Watt <dw...@unixg.ubc.ca> wrote:
> Does anyone have a suggestion about how to easily get around this? I

Tom Anderson
Cardinal and Master of the Rolls of the Church of Spumante
http://members.xoom.com/tom_anderson

Re:How to hide internal strings from prying eyes?


Quote
Phranc wrote:
> On Fri, 17 Jul 1998 02:04:25 GMT, jwel...@mindspring.com wrote the
> magic words:

> >>Does anyone have a suggestion about how to easily get around this?

> >Yes, store the encrypted form of the password in the program.  When
> >the user enters their password, you encrypt it and compare the two.

> >Here's a simple encryption function I got off the Delphi web site:

> >function Encrypt(const S: String; Key: Longint): String;
> <snip>

> The idea is good. Only I wouldn't use a XOR algorithm. It can easily
> be broken (unless it's a one time pad - i know, no fups please). I
> would suggest a SHA component. This makes a hash of your password. And
> a hash cannot be decrypted. Look at the delphi super page for a sha
> component.

> And even when you do it like this, a decent hacker can hack your
> program without much effort. They decompile your exe and look for
> certain comparison routines and patch them...

> Anyway, good luck with protecting your app.

> Phranc
> --
> =================
> The optimist thinks this is the best of all possible worlds.
> The pessimist fears it is true.
> =================

> http://huizen.dds.nl/~phranc/

  Well I guss you right..... but  if you put some comperation that do not
do a thing ... it calls a non useable procedure function .... etc... it
will be hurder...... but not imposible ... (well i read some Pertzon Crew
texts... and in the end you can breack any code you been given ...... the
problome is to find it..... and it can take few weeks even but in the end
you breack it :(

But any how ........ hope you will seecceed with it .....

Ido

Re:How to hide internal strings from prying eyes?


Quote
Ido Kanner wrote:

> Phranc wrote:

> > On Fri, 17 Jul 1998 02:04:25 GMT, jwel...@mindspring.com wrote the
> > magic words:

> > >>Does anyone have a suggestion about how to easily get around this?

> > >Yes, store the encrypted form of the password in the program.  When
> > >the user enters their password, you encrypt it and compare the two.

> > >Here's a simple encryption function I got off the Delphi web site:

> > >function Encrypt(const S: String; Key: Longint): String;
> > <snip>

> > The idea is good. Only I wouldn't use a XOR algorithm. It can easily
> > be broken (unless it's a one time pad - i know, no fups please). I
> > would suggest a SHA component. This makes a hash of your password. And
> > a hash cannot be decrypted. Look at the delphi super page for a sha
> > component.

> > And even when you do it like this, a decent hacker can hack your
> > program without much effort. They decompile your exe and look for
> > certain comparison routines and patch them...

> > Anyway, good luck with protecting your app.

> > Phranc
> > --
> > =================
> > The optimist thinks this is the best of all possible worlds.
> > The pessimist fears it is true.
> > =================

> > http://huizen.dds.nl/~phranc/

>   Well I guss you right..... but  if you put some comperation that do not
> do a thing ... it calls a non useable procedure function .... etc... it
> will be hurder...... but not imposible ... (well i read some Pertzon Crew
> texts... and in the end you can breack any code you been given ...... the
> problome is to find it..... and it can take few weeks even but in the end
> you breack it :(

> But any how ........ hope you will seecceed with it .....

> Ido

Let's be realistic, folks -- an embedded password does not have to be
uncrackable, it just has to look like machine-code when the user browses
the EXE-file with the editor.  No doubt he is not going to do more than
that.

You can also write a short subroutine to assemble the password a
character at a time, rearranging bytes and so-forth a couple of times
until the string is prepared.  Just glance through the resulting EXE to
be sure that the traces of the string are sufficiently obscured.

Re:How to hide internal strings from prying eyes?


Quote
Sundial Services wrote:
> Let's be realistic, folks -- an embedded password does not have to be
> uncrackable, it just has to look like machine-code when the user browses
> the EXE-file with the editor.  No doubt he is not going to do more than
> that.

This is really the best solution to this problem, and it won't be more unsecure
than using a strong encryption for this kinda work, unless you're going to
invest a huge amount of time on this.

If you use a cryptographic strong message digest algorithm to create a checksum
or just hash up the password a little bit, the problem is still that in both
cases you probably have something like this:

if ValidatePass then ok;

In this case, the result machine code looks like this (pseudo-code):

call ValidatePass
was ok ?
if yes, do ok;
if no, do something else;

In this case, there isn't a problem for an experienced hacker to simply replace
the call to ValidatePass with code that will fool the "if yes do ok" part.

So the best thing to do is just scramble the password a bit, so that it isn't
readable by prying eyes. An experienced hacker will eventually find the weak
point anyhow.

--
Lasse V?gs?ther Karlsen
lasse.karl...@stavanger.online.no
http://home.sol.no/~lassevk/

Re:How to hide internal strings from prying eyes?


Hello,
some 'ligth solution'

PswdStr := 'abcdefg';   // string appears

PswdStr := 'a';
PswdStr := PswdStr + 'b';   // appears too !!
PswdStr := PswdStr + 'c';   // appears too !!

...

PswdStr := ''; // null string
PswdStr := PswdStr + #065;     // 'a'             // Comment to know what
you are doing !!
PswdStr := PswdStr + #066;     // 'b'             // Comment don't appears
in coding exe
PswdStr := PswdStr + #067;     // 'c'
PswdStr := PswdStr + #068;     // 'd'
PswdStr := PswdStr + #069;     // 'e'
PswdStr := PswdStr + #070;     // 'f'
PswdStr := PswdStr + #071;     // 'g'

take attention
 PswdStr := #065 + #066+ #067+ #068+ #069+ #070+ #071 ; // visible due to
optimization !!

very ligth method, but usefull for first level of protection, for
copyrigth,..for verifying an ligth embedded password
but NOT for an uncrackable and sensible Data

the only good (?) solution i know against crackers (and not all crakers), is
to combine hard protection key with data in, with crypting of data inside
the key ...and so with important use of different data inside
(for exemple value of Pi in geometric program inside key, initialized to
another false value in program !! before reading key...)

Quote
>Let's be realistic, folks -- an embedded password does not have to be
>uncrackable, it just has to look like machine-code when the user browses
>the EXE-file with the editor.  No doubt he is not going to do more than
>that.

>You can also write a short subroutine to assemble the password a
>character at a time, rearranging bytes and so-forth a couple of times
>until the string is prepared.  Just glance through the resulting EXE to
>be sure that the traces of the string are sufficiently obscured.

Other Threads