Sensitive data in code ...

Sensitive data in code ...
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 Microsoft Applications Security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
Sensitive data in code ... jodo710 02-28-2006
Posted by on February 28, 2006, 2:08 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Hello Everyone,

I was wondering if there was any way to protect sensitive data in plane
text hard coded into the application?

If you open up a .exe file you will be able to see various pieces of
information layed out in plain text and I was wondering if you could
avoid this. This would allow any who decompile or reverse engineers
my application to view my hard coded password. Is there any way around
this?

Thank you for any ideas and help in advance.

Joey


Posted by Dan Baker on February 28, 2006, 5:51 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
> Hello Everyone,
>
> I was wondering if there was any way to protect sensitive data in plane
> text hard coded into the application?
>
> If you open up a .exe file you will be able to see various pieces of
> information layed out in plain text and I was wondering if you could
> avoid this. This would allow any who decompile or reverse engineers
> my application to view my hard coded password. Is there any way around
> this?
>
> Thank you for any ideas and help in advance.

One method is to write an "Obfuscate" routine, that decodes an encrypted
text string:

CString Obfuscate::decrypt(LPCTSTR pStr)
{
// decrypt the string and return it (make sure your encrypt function returns
a good ol' string, not binary data)
}

THEN, in your actual code:

CString msg;
msg.AppendFormat("Password=%s", Obfuscate::decrypt("hjuis87s"));
#ifdef _DEBUG
CString tmp = Obfuscate::enctypt("MySecretPassword");
trace("Password encrypts to: %s \r\n", tmp);
#endif


Hope this makes sense.
DanB



Posted by Scherbina Vladimir on March 1, 2006, 1:48 am
If you were  Registered and logged in, you could reply and use other advanced thread options
There is no absolute solution for this problem. If someone wants to find
needed data in executable (or in any file) he/she will achieve - that it's
just the matter of time.

There are several rules that might delay the time spent to find data in your
executable:

1. Store data in a coded way. When you need it - decode, use and then encode
again.
2. Crypt/Uncrypt procedures "on fly" that works with your data. Your data
also should be crypted.
3. Use 3rd party applications such as packers, protectors (Aspack,
Asprotect, Themida).

--
Vladimir

> Hello Everyone,
>
> I was wondering if there was any way to protect sensitive data in plane
> text hard coded into the application?
>
> If you open up a .exe file you will be able to see various pieces of
> information layed out in plain text and I was wondering if you could
> avoid this. This would allow any who decompile or reverse engineers
> my application to view my hard coded password. Is there any way around
> this?
>
> Thank you for any ideas and help in advance.
>
> Joey
>



Similar ThreadsPosted
Using ISP webspace to store Encrypted sensitive data. Comments ?? November 6, 2007, 6:16 pm
Re: what does the "Microsoft data access" "remote data services" add-in do? October 18, 2007, 3:17 am
what does the "Microsoft data access" "remote data services" add-in do? October 17, 2007, 5:40 am
cygwin security in sensitive production March 13, 2007, 6:00 am
Code signing a "Flash" .EXE file issue / Code sign any .EXE? March 6, 2008, 6:48 am
executable code versus non-executable code September 9, 2008, 8:57 pm
RE: Data decryption EFS June 17, 2005, 7:42 am
Re: Data Miner October 4, 2005, 12:19 pm
Data decryption EFS June 16, 2005, 4:39 am
Data Protection June 18, 2006, 9:44 am

The site map in XML format XML site map

Contact Us | Privacy Policy