All geek questions in one place

How can I confuse a string in a C ++ binary?

If I have C ++ code containing strings, could it be a password or something else, what is the best way to trick them into making reverse engineering very difficult? I found some tools online, but all of them are not open source.

+5
source share
3 answers

Let's say your application uses the web service "www.example.com" and is authenticated with the password "letmein". Compile the program and view it with strings , objdump or something else:

  $ make
 $ objdump -j .rodota -s program
 a.out: file format elf64-x86-64

 Contents of section .rodata:
  4005f8 01000200 7777772e 6578616d 706c652e .... www.example.
  400608 636f6d00 6c65746d 65696e00 com.letmein.  

 $ strings program
 /lib64/ld-linux-x86-64.so.2
 __gmon_start__
 ...
 www.example.com
 letmein

This is pretty easy. If you confuse it, you still need to put plain text in memory before you can use it, so instead, the attacker does one of the following:

  • Intercepts network packets (easy, takes 5 minutes with basic knowledge of Wireshark)
  • Uses a debugger (simple, takes 10 minutes with basic knowledge of GDB)
  • Reverse engineering your source code (hard, takes hours or days)

Please note that obfuscation tools only make it more difficult for attackers who already do this with difficulty. What is the point of this? All you have done is do 15 minutes instead of saying 5 minutes for an attacker to get the password from your executable file. Since this is pretty much the best you can do, don't work too hard on it. Just a XOR password with a light pattern and hope that the attackers are very lazy or stupid.

C-3PO: Master Luke, sir. Forgive me for asking, but what should we do with R2, and I if they find us here? Luke: Lock the door.
Han Solo: And I hope they have no blasters.
C-3PO: This is not very encouraging.

(You will probably spend more time on this than your attacker.)

On the other hand:. If you are trying to prevent non-root users from accessing a password on a trusted system, you can do this with setuid permissions and binaries.

Footnote: The purpose of obfuscators in general is to hide program code, not data. For example, if your application uses an algorithm that is a trade secret, that is, when you want to use an obfuscator.

+7
source

You should avoid putting passwords as constants inside the binary. It must be customizable (for example, using the configuration file passed in the argument).

If you really need to put some kind of password in a binary file, encrypt this password and put the encrypted form as a constant in your executable file. But this is not always safe (for example, it will not work against the NSA).

Do not trust any obfuscation methods, so do not use them.

On Linux and POSIX systems, it is common practice to use the default path to the configuration files (and how to install this configuration file using program arguments). Configuration files then use system permissions to hide sensitive passwords. Since the configuration file has a built-in default setting (usually in /etc or $HOME ), you can run the program without any arguments for the general case.

Please note that many programs are protected, even if their source code is freely available ( ssh is a good example).

Read about a reliable computing base

+6
source

How safe is it?

If you just want to hide the password (baby sister security), you can simply XOR with some random data. A certain attacker can reverse engineer the code and detect it, but they can do it, as if your decision was complicated

+3
source

Source: https://habr.com/ru/post/1383231/

More articles:


All Articles