How to avoid readable strings in EXE file

Posted: Fri Nov 22, 2024 4:21 pm
by flashbob
Hi,
many strings and also SQL statements are stored as readable strings in an exe file. I want to avoid that.

Is there a workaround so that e.g. SQL statements are not recognizable as text?

Re: How to avoid readable strings in EXE file

Posted: Fri Nov 22, 2024 4:44 pm
by spikey
The Cipher library contains Base64Encoder and Base64Decoder which should hinder casual snoopers. Or there are some ideas in viewtopic.php?t=51055. But you'd need proper AES encryption if you're concerned about determined hackers. See AESEncoder.

Re: How to avoid readable strings in EXE file

Posted: Sat Nov 23, 2024 1:26 am
by BarryG
I use this technique -> viewtopic.php?p=584753#p584753

Works fantastic and I don't need to do anything - the compiler does it. You can't use the C compiler, though (only ASM).

Re: How to avoid readable strings in EXE file

Posted: Sat Nov 23, 2024 1:10 pm
by flashbob
Thanks for the answers, I'll test it out. But this helps ...

@BarryG
I think this solution is not working for Mac?

Re: How to avoid readable strings in EXE file

Posted: Sat Nov 23, 2024 1:13 pm
by BarryG
Oh right... yeah it's Windows-only. You didn't mention Mac in your first post, and your title says "EXE" file. Macs are "APP" files. ;)

Re: How to avoid readable strings in EXE file

Posted: Sat Nov 23, 2024 3:51 pm
by NicTheQuick
The real question is: Do you just want to obfuscate the strings so they are not easily readable or do you want perfect security? The latter is only possible by using an encryption key that does not exist in the executable but has to be entered every time you start the application or something similar.
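
Added example, not written by any poster in this thread: a Python sketch comparing the three levels discussed so far (plain string, Base64, and a key that is not in the file) against the printable-run view a hex editor gives. The sample query, the passphrase, the filler bytes and the PBKDF2-XOR stand-in for AES are assumptions made for the demo; a real program would use a proper cipher such as the AESEncoder mentioned above.

```python
import base64
import hashlib
import re

SQL = b"SELECT secret FROM accounts WHERE id = ?"   # constructed sample query
PASSPHRASE = b"entered-at-startup"                  # assumption: typed by the user, never stored

def derive_stream(passphrase, salt, n):
    # PBKDF2 output used as an XOR keystream: a stdlib stand-in for AES, demo only
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000, dklen=n)

def xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def build_image(mode):
    """Constructed stand-in for an EXE: filler bytes around the stored form of SQL."""
    salt = b"\x01" * 16
    if mode == "plain":
        stored = SQL
    elif mode == "base64":
        stored = base64.b64encode(SQL)
    else:  # "keyed": only ciphertext is stored, the key comes from the user
        stored = xor(SQL, derive_stream(PASSPHRASE, salt, len(SQL)))
    return b"\x00MZ\x90\x00" + b"\xff" * 32 + stored + b"\x00" * 32

def printable_runs(image, min_len=8):
    """What a hex editor or `strings` shows: runs of printable ASCII."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, image)

def recover(image):
    """What someone holding only the file gets: 'visible', 'decoded' or 'hidden'."""
    runs = printable_runs(image)
    if any(SQL in r for r in runs):
        return "visible"
    for r in runs:
        for m in re.findall(rb"[A-Za-z0-9+/]{8,}={0,2}", r):
            try:
                if SQL in base64.b64decode(m, validate=True):
                    return "decoded"
            except ValueError:   # not valid Base64, ignore this run
                pass
    return "hidden"
```

Base64 removes the query from the plain-text view but one decode pass brings it back; only the variant whose key is absent from the file stays unreadable to someone who has nothing but the file.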

Re: How to avoid readable strings in EXE file

Posted: Sat Nov 23, 2024 5:35 pm
by flashbob
NicTheQuick wrote: Sat Nov 23, 2024 3:51 pm
> The real question is: Do you just want to obfuscate the strings so they are not easily readable or do you want perfect security? The latter is only possible by using an encryption key that does not exist in the executable but has to be entered every time you start the application or something similar.

Good question!
For me it is only important that you cannot read SQL statements etc. directly from the application (Win, Mac) with a simple (hex) editor.

Re: How to avoid readable strings in EXE file

Posted: Sat Nov 23, 2024 5:36 pm
by flashbob
BarryG wrote: Sat Nov 23, 2024 1:13 pm
> Oh right... yeah it's Windows-only. You didn't mention Mac in your first post, and your title says "EXE" file. Macs are "APP" files. ;)

Sorry, my mistake ;-)

Re: How to avoid readable strings in EXE file

Posted: Sat Nov 23, 2024 8:41 pm
by flashbob
Hi, found another way to hide strings in an exe file:

1. You can use constants instead of strings when possible (Win, Mac)

2. You can use a packer for exe files like Molebox, Mpress, ... (Win)
I don't know if there is also a packer for Mac.

Regards

Re: How to avoid readable strings in EXE file

Posted: Sun Nov 24, 2024 2:11 pm
by blueb
Simply encrypt the whole SQLite database using 'DB Browser for SQLCipher'.
see: https://sqlitebrowser.org/

Here's a sample starter example from my Password manager...

Code:

;========================================================================
;
; Author:     blueb    
; Date:       December 24, 2023
;
; Explain:    Password Manager (using 'DB Browser for SQLCipher') 
;                (Only the sqlcipher.dll is actually required)
; Credits:
;             DB Browser for SQLCipher (freeware)
; =================================================================
;
; DB Browser for SQLCipher is a powerful and user-friendly tool for working with SQLCipher-encrypted SQLite databases.
; If you need to manage and query such databases, this tool is a reliable and secure choice.
;
;Explanation:  This program uses the 'sqlcipher.dll' And 'libcrypto-1_1-x64.dll' from the freeware 
;              program 'DB Browser for SQLCipher'. see: https://sqlitebrowser.org/
;              
;              For downloads visit: https://sqlitebrowser.org/dl/
;
;              You do not need the full program unless you want to make changes to the 'SALT' password I have used to create the DB (e.g. 'Great tasting Pizza')
;
;              PassKeeper is totally freeware, but I cannot be responsible for any problems you might encounter.
;              Feel free to make any changes you see fit.
; =================================================================

; ****************************************************************************************************************************************
; HINT:  Do NOT keep this source code anywhere near the EXE file.. anyone with the database SALT will find your passcodes!
; ****************************************************************************************************************************************

EnableExplicit

; Libraries required
UseSQLiteDatabase("sqlcipher.dll")   ; Use the encryption DLL from 'DB Browser for SQLCipher'

Declare CheckDatabaseUpdate(Database, Query$)
Declare.s Requester(Title$,Message$,DefaultString$)

;- Globals
Global DatabaseFile.s = GetCurrentDirectory()+"PassKeeper.db"
Global theImage.s
Global Quit

If OpenDatabase(0, DatabaseFile, "", "") 
   CheckDatabaseUpdate(0, "PRAGMA key = 'Great tasting Pizza'")  ; Database 'SALT' (Don't worry.. that's not the real salt haha)
   
   If DatabaseQuery(0, "SELECT * FROM Keeper WHERE Website LIKE '%AAAA Passcode%';") ;get the password string from row selected (AAAA Passcode 'Item Name' should be unique)
      While NextDatabaseRow(0)
         theImage = GetDatabaseString(0, 3) 
      Wend
      
      FinishDatabaseQuery(0)
   EndIf
   
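EndIf

; Helper declared above but not included in the posted excerpt:
; runs an update statement and reports the database error if it fails.
Procedure CheckDatabaseUpdate(Database, Query$)
   Protected Result = DatabaseUpdate(Database, Query$)
   If Result = 0
      Debug DatabaseError()
   EndIf
   ProcedureReturn Result
EndProcedure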

Re: How to avoid readable strings in EXE file

Posted: Sun Nov 24, 2024 2:52 pm
by NicTheQuick
@blueb:
He does not want to encrypt the database, he just does not want the queries he is throwing against the database to be seen.

@flashbob:
But I do not understand why you want to obfuscate the queries. Who should be interested in seeing that? People could just have a look into the database anyway.

Re: How to avoid readable strings in EXE file

Posted: Mon Nov 25, 2024 7:24 pm
by flashbob
@NicTheQuick

... that is basically right, but my tables are encrypted. At the moment there is only one (readable) column for the primary key and one additional column for encrypted information. So you cannot get any usable information or column names from the database.

The question was not only because of SQL statements, but also strings. Both cases can be solved using constants... as far as I can tell.

Re: How to avoid readable strings in EXE file

Posted: Mon Nov 25, 2024 8:13 pm
by NicTheQuick
How do you hide keys to encrypt and decrypt the data?

Re: How to avoid readable strings in EXE file

Posted: Tue Nov 26, 2024 2:11 pm
by flashbob
... keys, salt etc. are generated at runtime and depend on the login and other mechanisms.
If you forget the password, the data will be lost.

Re: How to avoid readable strings in EXE file

Posted: Tue Nov 26, 2024 2:16 pm
by NicTheQuick
That sounds really good!