
const/readonly vs. programs like Cheat Engine

I have a program, and in that program there are some variables (username and "privilege-level") that are only changed when the user logs on. Is there a way to "secure" these variables from memory-editing etc. while the program runs, but the program is still able to change them if the user logs on with another username?

I thought it would work (haven't tested) to use either const or readonly, but is it still possible to change them when the user relogs?

Also, is it possible to hash/encrypt strings used in the program, so that the user isn't able to find them by searching the memory (i.e. using Cheat Engine)?

asked Nov 22 '25 09:11

Phoexo


2 Answers

If the software and user credentials are running on the user's machine, it is impossible to stop the user from changing values.

If credentials and access are stored on a remote server, you can use that server and have the user only store a hashed token that expires after an arbitrary period of time. Use that token as a lookup to retrieve the user's profile information from the server.

You'll still run into issues because anything that is done client-side can be manipulated/hacked. If you keep all of your logic on a central server, you can be more confident that things won't be cracked; however, your system's performance will suffer.

You need to weigh the pros and cons of a central server for security and performance and choose a balance that fits best for you.

answered Nov 23 '25 23:11

Dan Herbert
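
The server-side lookup described in the answer above, as an added example that is not part of the original answer. It assumes .NET 6 or later; `SessionStore`, `Session` and their members are hypothetical names, and the choice to keep only a SHA-256 hash of the token on the server while the client holds the opaque token is an assumption of this sketch.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Hypothetical types for illustration; the privilege level exists only on the server.
public sealed record Session(string Username, int PrivilegeLevel, DateTimeOffset ExpiresAt);

public sealed class SessionStore
{
    private readonly ConcurrentDictionary<string, Session> _byTokenHash = new();
    private readonly TimeSpan _lifetime;

    public SessionStore(TimeSpan lifetime) => _lifetime = lifetime;

    // Called by the server after it has verified the credentials itself.
    public string Issue(string username, int privilegeLevel)
    {
        string token = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        _byTokenHash[Hash(token)] =
            new Session(username, privilegeLevel, DateTimeOffset.UtcNow + _lifetime);
        return token; // the only value the client ever holds
    }

    // Every privileged request resolves the token here; the client never
    // sends a username or privilege level that the server would trust.
    public bool TryResolve(string token, out Session? session)
    {
        session = null;
        if (string.IsNullOrEmpty(token)) return false;
        string key = Hash(token);
        if (!_byTokenHash.TryGetValue(key, out var found)) return false;
        if (found.ExpiresAt <= DateTimeOffset.UtcNow) { _byTokenHash.TryRemove(key, out _); return false; }
        session = found;
        return true;
    }

    private static string Hash(string t) => Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(t)));
}

public static class Demo
{
    public static void Main()
    {
        var store = new SessionStore(TimeSpan.FromMinutes(15));
        string token = store.Issue("alice", 1); // constructed sample user
        Console.WriteLine(store.TryResolve(token, out var s) ? $"{s!.Username} level {s.PrivilegeLevel}" : "rejected");
        // A token altered in client memory matches no stored hash, so it resolves to nothing.
        Console.WriteLine(store.TryResolve(token + "00", out _) ? "accepted" : "rejected");
    }
}
```

Editing the client's copy of the username or privilege level changes nothing here, because the server reads both from its own record keyed by the token.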


You can't modify a const (ever) or readonly (after initialization) variable, so that will not work.

The best option would probably be to wrap the logic that creates/initializes/sets those variables into a clean method and/or property that is set during the logon process. This will isolate that code, so it's at least easy to follow.

As for encrypting strings - you can use SecureString for handling that purpose at runtime. At compile time, you can obfuscate your code (many obfuscators support string encryption).

answered Nov 24 '25 00:11

Reed Copsey