Converting a byte array to a string reveals the string in compiled C code

3

I am using the code below to convert a byte array to a string, but when analyzing the compiled code I notice that the string is clearly visible (using a hex editor), which I do not want.

char arr_code[] = {79, 99, 117, 108, 116, 97, 100, 111, 32, 110, 111, 32, 99, 195, 179, 100, 105, 103, 111, 32, 99, 111, 109, 112, 105, 108, 97, 100, 111};
char *byte_arr = (char*)malloc(sizeof(char));
memcpy(byte_arr, arr_code, sizeof arr_code);
char *str_code = byte_arr;

In this case the string in the byte array is "Ocultado no código compilado", and it is exposed in the compiled code even though it is not clearly defined in the C script. Why does this occur?

How can I get the code compiled without the contents of the byte array being exposed?

  • I think it is important to know why you need this; you might not even need to hide it in C.

  • The API URL is being exposed, which would give someone a foothold to try to get more information and finally try to obtain or defraud a legitimate communication with the server. The false sense of security already helps, since the code is too long. @Jorgeb.

  • 3

    char *byte_arr = (char*)malloc(sizeof(char)); will only allocate 1 byte

  • I’ve already made the necessary changes to avoid this, @pmg. Thanks for the heads-up.

2 answers

3


It is clearly defined in the C code. A string is an array of bytes, so it is defined right there. Not only does it protect nothing, it is wrong (unless another part of the code fixes the missing string terminator). The copy does nothing useful except try to copy the supposed string to another memory location (which may cause problems because there is no terminator). And you will still have a buffer overflow problem, since only 1 byte has been allocated in memory. The rest will land in unreserved memory and will mix up objects, making a terrible mess.

These two declarations generate exactly the same binary code:

char array[] = { 65, 66, 67, 0 };
char string[] = "ABC";

See how they match on ideone, and on repl.it. I also put it on GitHub for future reference.

"Solutions"

You can spread the bytes throughout the code and give the false impression that something is hidden. Besides being complicated, doing so is ineffective. Anyone who knows what they are doing will discover what is there.

The basic rule is that you cannot put anything that needs to be protected inside the executable. Compiling does not protect anything. If the executable is in someone’s hands, nothing can be done to protect the information.

You can even store the string encrypted, which would be the best way, albeit possibly questionable. Of course we would need to analyze the context.

There is an answer that uses only encryption. Obviously there are simpler techniques. It is possible to use a basic XOR technique. That already confuses things, but it doesn’t really protect.

Not even encryption does, since at some point decryption has to be used in order to use the information. Remember that information coming from a client is never reliable. It doesn’t matter if it’s web or otherwise.

  • I had been unaware of the missing terminator, so I removed the function that added it; I didn’t think it was necessary. Beginner stuff, right?

2

#include <string.h>

void sendPassword(void)
{
   char arr_code[x]; // x: constant to be determined
   arr_code[0] = 79;
   arr_code[1] = 99;
   // etc

   // use arr_code

   memset(arr_code, 0, x);
}

This way your "secret code" will not be so visible in a brief visual inspection. Your code is assembled byte by byte at the beginning of the function, then you use the code for whatever is needed, and before leaving the function you zero out the code.

  • It worked perfectly; although it is not a good method, it is effective.
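
The XOR idea from the first answer combined with the build-then-zero pattern from the second, as an added example (not code from either answer). The key 0x5A, the sample string api.example.test and all function names are constructed for illustration; it goes beyond the posts by also trying all 256 single-byte keys, which shows why this hides the string from a hex editor but does not protect it.

```c
#include <stddef.h>
#include <string.h>

#define KEY 0x5A                       /* constructed key; it ships in the binary too */
#define X(c) ((unsigned char)((c) ^ KEY))
/* Constructed sample secret "api.example.test", XORed at compile time. */
static const unsigned char enc[] = {
    X('a'), X('p'), X('i'), X('.'), X('e'), X('x'), X('a'), X('m'),
    X('p'), X('l'), X('e'), X('.'), X('t'), X('e'), X('s'), X('t') };

/* What a hex editor or `strings` search does: look for needle in raw bytes. */
static int contains(const unsigned char *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Decode into a caller buffer and terminate it; returns length, -1 if too small. */
static int decode(char *out, size_t cap) {
    if (cap < sizeof enc + 1) return -1;
    for (size_t i = 0; i < sizeof enc; i++) out[i] = (char)(enc[i] ^ KEY);
    out[sizeof enc] = '\0';
    return (int)sizeof enc;
}

/* Zero via volatile: a plain memset() right before return may be optimized away. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Try every single-byte key; returns the key that exposes needle, or -1. */
static int xor_scan(const unsigned char *buf, size_t n, const char *needle) {
    unsigned char tmp[64];
    if (n > sizeof tmp) return -1;
    for (int k = 0; k < 256; k++) {
        for (size_t i = 0; i < n; i++) tmp[i] = (unsigned char)(buf[i] ^ k);
        if (contains(tmp, n, needle)) return k;
    }
    return -1;
}

int main(void) {
    char url[32];
    if (decode(url, sizeof url) < 0) return 1;   /* ... use url here ... */
    wipe(url, sizeof url);
    return xor_scan(enc, sizeof enc, "example") == KEY ? 0 : 1;
}
```

The stored bytes no longer match a plaintext search, yet the key sits next to them and 256 trials recover it, so the value should be treated as public and the server should authenticate requests rather than trust the client.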
