
How can I obfuscate a string into a C++ binary?

If I have C++ code containing strings, which can be passwords or anything, what's the best way to obfuscate them to make reverse engineering very difficult? I've found some tools online, but none of them are open source.

asked Nov 26 '11 20:11

user1056635


1 Answer

Let's say your application uses a web service "www.example.com" and authenticates with the password, "letmein". Compile the program and examine it with strings, objdump, or whatever:

$ make
$ objdump -j .rodata -s program
a.out:     file format elf64-x86-64

Contents of section .rodata:
 4005f8 01000200 7777772e 6578616d 706c652e  ....www.example.
 400608 636f6d00 6c65746d 65696e00           com.letmein.  

$ strings program
/lib64/ld-linux-x86-64.so.2
__gmon_start__
...
www.example.com
letmein

This is pretty easy. If you obfuscate it, you still need to put the plain text somewhere in memory before you can use it, so instead the attacker does one of the following:

  • Intercepts network packets (easy, takes 5 minutes with basic knowledge of Wireshark)
  • Uses a debugger (easy, takes 10 minutes with basic knowledge of GDB)
  • Reverse engineers your source code (hard, takes hours or days)

Note that the obfuscation tools make it harder only for attackers that are already doing it the hard way. What's the sense in that? All you've done is make it take 15 minutes instead of say, 5 minutes for an attacker to get the password from your executable. Since that's pretty much the best you can do, don't work too hard on it. Just XOR the password with some easy pattern and hope that the attackers are very lazy or stupid.

C-3PO: Master Luke, sir. Pardon me for asking, but what should R2 and I do if we're discovered here?
Luke: Lock the door.
Han Solo: And hope they don't have blasters.
C-3PO: That isn't very reassuring.

(You will probably end up spending more time on this than your attacker will.)

On the other hand: If you are trying to prevent non-root users from accessing the password on a trusted system, you can do that with permissions & setuid binaries.

Footnote: The purpose of obfuscators in general is to hide program code, not data. For example, if your application uses an algorithm that is a trade secret, that is when you would want to use an obfuscator.

answered Oct 15 '22 01:10

Dietrich Epp
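
The XOR approach the answer suggests, together with its limit, as an added C++ example that is not part of the original answer: the key pattern and the names `XorString` and `printable_runs` are hypothetical, and "letmein" is the answer's sample password. The stored bytes no longer show up in a `strings`-style scan, but the decoded copy in memory does.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Constructed key pattern (assumption); "letmein" below is the answer's sample password.
constexpr unsigned char kKey[] = {0x5A, 0xC3, 0x17, 0x88};

// Holds a string literal XORed with kKey. The constexpr constructor lets the
// compiler do the encoding, so only the encoded bytes need to be stored.
template <std::size_t N>
struct XorString {
    unsigned char data[N] = {};
    constexpr explicit XorString(const char (&s)[N]) {
        for (std::size_t i = 0; i < N; ++i)
            data[i] = static_cast<unsigned char>(s[i] ^ kKey[i % sizeof(kKey)]);
    }
    // Decoding rebuilds the plaintext in process memory (terminator dropped).
    std::string decode() const {
        std::string out;
        for (std::size_t i = 0; i + 1 < N; ++i)
            out += static_cast<char>(data[i] ^ kKey[i % sizeof(kKey)]);
        return out;
    }
};
constexpr XorString<sizeof("letmein")> kSecret("letmein");

// Mimics `strings`: runs of at least min_len printable ASCII bytes.
std::vector<std::string> printable_runs(const unsigned char* p, std::size_t n,
                                        std::size_t min_len = 4) {
    std::vector<std::string> runs;
    std::string cur;
    for (std::size_t i = 0; i <= n; ++i) {
        if (i < n && p[i] >= 0x20 && p[i] <= 0x7E) { cur += static_cast<char>(p[i]); continue; }
        if (cur.size() >= min_len) runs.push_back(cur);
        cur.clear();
    }
    return runs;
}
std::vector<std::string> runs_in_stored_bytes() {
    return printable_runs(kSecret.data, sizeof(kSecret.data));
}
std::vector<std::string> runs_after_decode() {  // what a debugger sees once the secret is used
    const std::string plain = kSecret.decode();
    return printable_runs(reinterpret_cast<const unsigned char*>(plain.data()), plain.size());
}
int main() {
    std::printf("stored: %zu printable runs, decoded: %zu\n",
                runs_in_stored_bytes().size(), runs_after_decode().size());
}
```

Running `strings` on the built binary, as the answer does, is the check that the literal itself was not also emitted by the compiler.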