Finding hidden strings like a pro

Every single program uses string to store file paths, labels, prompt text. But not everyone knows that plain text strings can be easily obtained with a debugger. Some programs even store passwords or any other important information in plain text strings. In this blog post I will go over the most popular ways of hiding/encrypting strings in programs.
Passwords should newer be stored as plain text (but we will do it anyways for demonstration purposes)! Better thing to do is to store a hash of the password and compare hashes.

First, let's demonstrate with an example what I mean by storing plain text strings:
Now, let's look at this program with the debugger. By searching for all referenced strings in the program we can easily discover what the password is, no need for advanced techniques:
Now, let's look at something more interesting. In this case we have an alphabet (char array), where we have defined our char set. When it comes to checking the string - we compose it on the fly (*cough* hard code), thus making it a little less obvious. 
Now, instead of looking for the entire string containing a password we just need to look at the first character of each string.
Of course, we can make it better by having multiple char array, each storing a word that start's with the character we need, so that instead of displaying gibberish it would display real words. We could also define alphabet as an integer array to hide it. Nothing is good enough yet, moving on.

Next up is hard coding encrypted strings and decrypting them as needed.

The solution is obvious here: we can set a breakpoint right after the decryption function call and then we can see the decrypted sting.
The main issue we encounter is that the person debugging our program when seeing a function call to the 'strcmp' will know that something is up. Our best bet would be to make it less obvious where string comparison/output/input in code is happening. Lucky for us, there is nothing that can't be reverse engineered, all these techniques will make it harder to get to the plain text, but not impossible. Considering everything above said, here is a very good attempt at hiding intent of our code:
If we look at the disassembled code, 'strcmp' is nowhere to be found.
After looking at the 'sub_416930' function we could still tell what the password is, but it's not in plain text.
Hiding other strings and functions can make it even harder for the person debugging the program to discover the password, but like I said earlies there is nothing that can't be reverse engineered. If you know other techniques used to hide string, feel free to send me a message or post a comment, I will be glad to check it out!

References and useful links:
https://github.com/danielbohannon/Invoke-DOSfuscation
https://stackoverflow.com/questions/20365005/c-xor-encryption#20472972
http://www.cplusplus.com/forum/articles/38516/
https://stackoverflow.com/questions/1356896/how-to-hide-a-string-in-binary-code#1360175
https://create.stephan-brumme.com/hide-strings-executable/

Comments

Post a Comment

Popular Posts

Process memory exploitation and protection in runtime

Image
To begin understanding why process memory patching is a serious issue we need to understand what it is and how it works. So, without further ado let's answer these questions. Memory patching is modification of process memory in runtime (in this post I am not going to talk about patching binary files). To help you better understand, let's imagine the following scenario: you created a game that has a high score system, user's score is stored in a variable in memory and at game over it is sent to the server. Now, imagine if someone changes the variable in memory right before it is sent. Sounds unfair to other honest players, doesn't it? To better demonstrate how it works I wrote a simple demo in c++ (which you can compile and test on your system). It this post I will be only talking about how it's done in user mode . Target program: Attacker program: First we compile and run a target program, it will display it's process identifier (PID) and a memory loca...
Read more

DLL injection - detection and prevention

Image
Dynamically Loaded Libraries (DLL) are used in almost any project, because of their unique properties: modularity, ease to support, updatability. Unfortunately, this can be easily exploited and all it takes is for the attacker to simply replace the original DLL file with the malicious one (especially if project is no longer being maintained and does not have hashing to verify that the valid DLL is being loaded). Moreover attacker can load their DLL into a remote process (usually done to stay hidden, since after DLL is injected you can run malicious code "from within" a target process). To make is easier to visualize, here is a small diagram: For example, we have a program that displays number of seconds passed since it started (not to over complicate things): An attacker can create a malicious DLL that logs pressed keys, but in this case it simply displays a message box: And attacker also has an injector that will load their DLL into the target process: The way an...
Read more

Function Hooking

Image
Function hooking is a technique attackers use to modify/block/monitor original function calls and their intended purpose. There are a few ways to perform such an attack: Virtual Method Table hooking, Event hooks (ex: keyboard, implemented by Windows), Interception (by overwriting first bytes of the function with a jump) and Import Address Table (IAT) hooking (can be global or internal). This list in not comprehensive, but these methods are the most popular. Let's start with the relatively easy method: interception. To make it visual and simple to follow, let's apply this method to a small program which sums two numbers together and multiplies the result by 2: Once we compiled the program, we want to find magicSum function in the debugger: Here we can see, that after original setup, mathematical calculation is being performed and then we return back to the where this function was called from. In order to intercept this function we will allocate a memory block in the prog...
Read more