How to avoid readable strings in EXE file

[flashbob]

Hi,
many strings and also SQL-Statements are stored as a readable string in an exe file. I want to avoid that.

Is there a workaround so that e.g. SQL statements are not recognizable as text ?

[spikey]

The Cipher library contains Base64Encoder and Base64Decoder which should hinder casual snoopers. Or there are some ideas in viewtopic.php?t=51055. But you'd need proper AES encryption if you're concerned about determined hackers. See AESEncoder.

[BarryG]

I use this technique -> viewtopic.php?p=584753#p584753

Works fantastic and I don't need to do anything - the compiler does it. You can't use the C compiler, though (only ASM).

[flashbob]

Thanks for the answers, I'll test it out. But this helps ...

@BarryG
I think this solution is not working for MAC ?

[BarryG]

Oh right... yeah it's Windows-only. You didn't mention Mac in your first post, and your title says "EXE" file. Macs are "APP" files.

[NicTheQuick]

The real question is: Do you just want to obfuscate the strings so they are not easily readable or do you want perfect security? The latter is only possible by using an encryption key that does not exist in the executable but has to be entered every time you start the application or something similar.

[flashbob]

The real question is: Do you just want to obfuscate the strings so they are not easily readable or do you want perfect security? The latter is only possible by using an encryption key that does not exist in the executable but has to be entered every time you start the application or something similar.

Good question !
For me it is only important that you cannot read SQL-statements etc directly from the application (Win, Mac) with a simple (hex) editor.

[flashbob]

Oh right... yeah it's Windows-only. You didn't mention Mac in your first post, and your title says "EXE" file. Macs are "APP" files.

sorry, my mistake

[flashbob]

Hi, found another way to hide strings in exe file:

1. You can use constants instead of strings when possible (Win, Mac)

2. You can use packer for exe files like Molebox, Mpress, ... (Win)
I don't know if there is also a packer for Mac.

Regards

[blueb]

Simply encrypt the whole SQLite database using 'DB Browser for SQLCipher'.
see: https://sqlitebrowser.org/

Here's a sample starter example from my Password manager...

Code: Select all

;========================================================================
;
; Author:     blueb    
; Date:       December 24, 2023
;
; Explain:    Password Manager (using 'DB Browser for SQLCipher') 
;                (Only the sqlcipher.dll is actually required)
; Credits:
;             DB Browser for SQLCipher (freeware)
; =================================================================
;
; DB Browser for SQLCipher is a powerful and user-friendly tool for working with SQLCipher-encrypted SQLite databases.
; If you need to manage and query such databases, this tool is a reliable and secure choice.
;
;Explanation:  This program uses the 'sqlcipher.dll' And 'libcrypto-1_1-x64.dll' from the freeware 
;              program 'DB Browser for SQLCipher'. see: https://sqlitebrowser.org/
;              
;              For downloads visit: https://sqlitebrowser.org/dl/
;
;              You do not need the full program unless you want to make changes to the 'SALT' password I have used to create the DB (e.g. 'Great tasting Pizza')
;
;              PassKeeper is totally freeware, but I cannot be responsible for any problems you might encounter.
;              Feel free to make any changes you see fit.
; =================================================================

; ****************************************************************************************************************************************
; HINT:  Do NOT keep this source code any where near the EXE file.. anyone with the database SALT will find your passcodes!
; ****************************************************************************************************************************************

EnableExplicit

; Libraries required
UseSQLiteDatabase("sqlcipher.dll")   ; Use the encryption DLL from 'DB Browser for SQLCipher'

Declare CheckDatabaseUpdate(Database, Query$)
Declare.s Requester(Title$,Message$,DefaultString$)

;- Globals
Global DatabaseFile.s = GetCurrentDirectory()+"PassKeeper.db"
Global theImage.s
Global Quit

If OpenDatabase(0, DatabaseFile, "", "") 
   CheckDatabaseUpdate(0, "PRAGMA key = 'Great tasting Pizza'")  ; Database 'SALT' (Don't worry.. that's not the real salt haha)
   
   If DatabaseQuery(0, "SELECT * FROM Keeper WHERE Website LIKE '%AAAA Passcode%';") ;get the password string from row selected (AAAA Passcode 'Item Name' should be unique)
      While NextDatabaseRow(0)
         theImage = GetDatabaseString(0, 3) 
      Wend
      
      FinishDatabaseQuery(0)
   EndIf
   
EndIf

[NicTheQuick]

@blueb:
He does not want to encrypt the database, he just does not want the queries he is throwing against the database to be seen.

@flashbob:
But I do not understand why you want to obfuscate the queries. Who should be interested in seeing that? People could just have a look into the database anyway.

[flashbob]

@NicTheQuick

... that is basically right, but my tables are encrypted. At the moment there is only one (readable) column for primary key and one
additional column for encrypted informations. So you cannot get any usable informations or column names from database.

The question was not only because of SQL statements, but also strings. Both cases can be solved using constants...as far as
I can realize.

[NicTheQuick]

How do you hide keys to encrypt and decrypt the data?

[flashbob]

... keys, salt etc. are generated at runtime and depend on the login and other mechanisms.
If you forget the password, the data will be lost.

[NicTheQuick]

That sounds really good!