What is the most efficient way to make string literals not appear in compiled code?

Asked

Viewed 241 times

-5

What is the most efficient way to make literals of string do not appear in compiled code? I want to prevent reverse engineering. To do this, I tried the following code. However, I am concerned about the performance:

#include <stdio.h>

static const volatile char a = 'a', s = ' ';
int main(int argc, char *argv[]) {
    puts((const char[]){a-32, a+17, a+1, a+8, a+19, a+17, a, a+17, a+24, s, a+18, a+19, a+17, a+8, a+13, a+6, s, a+19, a+7, a, a+19, s, a+18, a+7, a+14, a+20, a+11, a+3, s, a+13, a+14, a+19, s, a+18, a+7, a+14, a+22, s, a+8, a+13, s, a+2, a+14, a+12, a+15, a+8, a+11, a+4, a+3, s, a+2, a+14, a+3, a+4, 0});
    return 0;
}

This should print a sequence, and this sequence is never found in the compiled executable. Is there another way to prevent reverse engineering by these means? I’m expecting some kind of code.

c performance security-guard
  • 5

    I have often commented this here on the site (I’ll see if I find the reference), but the basic rule is: practically always the concern with reverse engineering is inversely proportional to the quality of the product questioned, so it is "protected by nature itself". It pays to save energy for the development of the product itself. When this becomes a real problem, the very technological maturity of the person will have already filtered the essential problems, there you can look for some more specific technologies that would not even fit on the site. The essential thing is what has already been answered here.

  • 6

    You could "specialize" the question according to the selected concern. For example, "how do I protect the DB password in the executable?" - It does not protect, the error is by in the executable. Usually nothing justifies it. " How do I change my credits in the software?" - ai do not need to hide the string, just check if there has been a change in the code (can still be cracked, but already complicates). The question of how it is and what we call XY problem

  • 2

    Depending on the nature and use of this string, you could perhaps search for it on a server of your property, using login and password entered by the user. Because hardcodar the credentials would give in the same problem. If this is not a viable solution, maybe a string that represents such importance in its executable is not the ideal solution.

1 answer

7

Not putting on executable. The only way to prevent a string Do not be caught by any form of reverse engineering is it not existing. If you need the data at any time within the application, whether on the executable or not, you will not be safe.

You can do something to dim it slightly, but it doesn’t stop reverse engineering.

Forget the performance, this code is more than fast, it is impossible to make a code faster than that except taking arithmetic, because it is very simple, and gives protection zero content. Everything is commitment (tradeoff), did not want to be safe and fast at the same time, there is no miracle. Not that it matters in this case.

Do not try to give security, a naive person tried to do this against a knowledgeable person can be disloyal and more insecure than even trying, because he thinks he has given some security. And if you try to do it the simplest way, don’t put in information that can’t be picked up by one person, find another way to do it. Or accept that the information will be accessible. The only real security you can give there is not to put sensitive information on the executable. And what you’re doing is naive, it’s not safe.

I would be slightly safer if I made a much more complex algorithm, if I used a reliable encryption algorithm, but who knows how to get information will get it the same way because one can see the execution and especially the final decrypted result, clean, the way she needs to know to take out the security, she doesn’t even have to count. This is an innocuous job, don’t waste time on it. And by not doing this you won’t have the performance problem.

I will repeat, this is a job for you to feel safe, not to be safe. And feeling is different indeed.

Other than that’s what Bacco said, it’s XY problem.

  • If I compile C, the output file will normally contain the string if I use the command cat.

  • 4

    @Asadefa Certo, but what Maniero is saying is that even with this little trick of advances and retreats in asciis characters, someone with a little more experience in C and/or Assembly discovers his string in an instant. Conclusion: you think you are safe when you are not. If this was the password to access your server, you have already been hacked.

  • @Asadefa the language of the community is natively Portuguese, which means "well it is not"?

Browser other questions tagged c performance security-guard

You are not signed in. Login or sign up in order to post.