Conversion from byte array to string when compiling revealing string in compiled code in C

1

I'm using the function below to do the conversion from byte array to string , but when parsing the compiled code I notice that string is shown clearly ( using a hex editor ) , which I do not want.

char arr_code[] = {79, 99, 117, 108, 116, 97, 100, 111, 32, 110, 111, 32, 99, 195, 179, 100, 105, 103, 111, 32, 99, 111, 109, 112, 105, 108, 97, 100, 111};
char *byte_arr = (char*)malloc(sizeof(char));
memcpy(byte_arr, arr_code, sizeof arr_code);
char *str_code = byte_arr;

In the case of string of byte array is Ocultado no código compilado and is exposed in compiled code even though it is not clearly defined in script C, why does this occur?

How can I get the code to be compiled without the result of byte array being exposed?

    
asked by anonymous 16.09.2016 / 07:54

2 answers

2

It is clearly defined in C code. A string is an array , so it is set right there. It not only does not protect anything, it is wrong (unless another patch fixes the missing string ). The copy is not doing anything useful other than trying to copy the supposed string to another location in memory (it may cause a problem because it does not have a terminator) and you still have a # since only byte has been allocated in memory, the rest will be allocated in unreserved memory and will blend objects into messy mess.

These codes generate exactly the same binary code:

char array[] = { 65, 66, 67, 0 };
char string[] = "ABC";

See showing how they match ideone .

"Solutions"

You can spread the bytes by code and give the false sense that it hid something. Besides being complicated, doing so is innocuous. Maybe you'll find out what's in there.

The basic rule is that you can not put anything that needs to be protected inside the executable. Compiling does not protect anything. If the executable is in someone's hand nothing can be done to protect the information.

You can even create the encrypted string , which would be the best way, though possibly questionable. Of course I would need to look at the context.

SO has a cryptographic answer . Obviously it has simpler techniques. You can use a basic XOR technique . It already gives a confused one, but it does not really protect.

Not even encryption since at some point the decryption should be used to use the information. Remember that information from a customer is never trusted . It does not matter if it's web or otherwise.

    
16.09.2016 / 08:17
1
void sendPassword(void)
{
   char arr_code[x]; // x: constante a determinar  
   arr_code[0] = 79;
   arr_code[1] = 99;
   // etc

   // usa arr_code

   memset(arr_code, 0, x);
}

In this way your "secret code" will not be so visible in a brief visual inspection. Your code is mounted byte byte at the beginning of the function, then you use the code for whatever is needed, and before exiting the function you clear the code.

    
16.09.2016 / 16:13