I'm developing a C++ application that includes extensive logging and I noticed that the strings in the log messages are visible in plain text when opening the binary from Windows process manager. This may reveal the logic behind the application, or at least function names that show what mathematical formulas are used.

I'm studying the alternatives about what to do in this situation and I thought about using a string class in the logger that at compile time will convert std::wstring parameters into hex arrays (if that is possible), however I'm interested in other kinds of solutions.

Is there any idiomatic way of getting through this? My knowledge of templates is not very extensive so I don't feel like I can take an informed decision going down that road...

Additionally, is not C++ compiled to machine code? How is it possible that those strings are visible in the .exe?

pabloxrl
  • Can't the user just look at the logs anyway? And if the secret stuff is not needed for the logs, why is it in the binary in the first place? – Baum mit Augen Jun 11 '15 at 12:42
  • Also, stuff that your application needs on the client system cannot really be hidden from said client. For the application to work, the secret to decrypt the strings would have to be on the client system at some point, which the user can then steal and abuse. All you can do is make it somewhat harder. – Baum mit Augen Jun 11 '15 at 12:45
  • Also duplicate here http://stackoverflow.com/questions/12456816/make-resources-inaccessible-for-user –  Jun 11 '15 at 13:00

2 Answers

Use encrypted strings in your application. Before using them in application logic (e.g. display them), they must be first decrypted.

A very simple/quick encryption (but not safe) is to declare your strings as a character array where the type of the array is int, not char.

int helloString[] = { 'H', 'e', 'l', 'l', 'o' };

You can build some simple tool to convert strings to arrays, using your own powerful encryption algorithms.

  • Won't a hex editor/debugger reveal these as well (I guess they are stored in some contiguous block in the binary anyway)? – stijn Jun 11 '15 at 13:17
  • @stijn Yes, of course they will be revealed easily in many ways, including a hex editor. That is why I said `but not safe` in my answer. It should use a more complex encryption method, and implement some tool for the purpose of encrypting strings to use in the main application. –  Jun 11 '15 at 13:20
  • And after that it can still be known while the application is running, by detaching the application to a debugger. –  Jun 11 '15 at 13:27
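
An added example (not code from the question or from either answer) illustrating the exchange above: a minimal `strings`-style scan finds ordinary `char` literals at a 1-byte stride, and finds the `int` array just as easily at a 4-byte stride. It assumes a 4-byte little-endian `int`, as on Windows x86/x64; `find_strings`, `sample_image` and the sample bytes are constructed for illustration.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// One "character" = a printable ASCII byte followed by stride-1 zero bytes
// (stride 1 = char, 2 = UTF-16 wchar_t on Windows, 4 = int / UTF-32).
static bool is_unit(const std::vector<unsigned char>& img, std::size_t p, std::size_t stride) {
    if (img[p] < 0x20 || img[p] > 0x7E) return false;
    for (std::size_t i = 1; i < stride; ++i)
        if (img[p + i] != 0) return false;
    return true;
}

// Collect runs of at least min_len characters at the given stride, at any offset.
std::vector<std::string> find_strings(const std::vector<unsigned char>& img,
                                      std::size_t stride, std::size_t min_len = 4) {
    std::vector<std::string> found;
    std::size_t pos = 0;
    while (pos + stride <= img.size()) {
        std::string run;
        std::size_t p = pos;
        while (p + stride <= img.size() && is_unit(img, p, stride)) {
            run.push_back(static_cast<char>(img[p]));
            p += stride;
        }
        if (run.size() >= min_len) { found.push_back(run); pos = p; }
        else ++pos;
    }
    return found;
}

// Constructed sample standing in for part of a binary image: a few opcode
// bytes, an ordinary char literal, and the int array from the answer above.
std::vector<unsigned char> sample_image() {
    const unsigned char code[] = {0x55, 0x8B, 0xEC, 0xC3};
    const char logMsg[] = "computeVariance";  // hypothetical log string
    const int helloString[] = {'H', 'e', 'l', 'l', 'o'};
    std::vector<unsigned char> img(sizeof code + sizeof logMsg + sizeof helloString);
    std::memcpy(img.data(), code, sizeof code);
    std::memcpy(img.data() + sizeof code, logMsg, sizeof logMsg);
    std::memcpy(img.data() + sizeof code + sizeof logMsg, helloString, sizeof helloString);
    return img;
}

int main() {
    const std::vector<unsigned char> img = sample_image();
    for (std::size_t stride : {1, 2, 4})
        for (const std::string& s : find_strings(img, stride))
            std::cout << "stride " << stride << ": " << s << '\n';
}
```

The narrow scan reports only the `char` literal; the 4-byte scan reports `Hello`, so widening the element type changes which scan finds the text, not whether it can be found.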

You could have an XML file with every text inside it.

This way, you only need to open the file during the initialization, put everything in memory and that's it. You'll call variables instead of strings from your code; nothing will be visible in your executable.

To prevent any alteration of the XML file, you can validate it using an MD5 hash.

On the other hand, you could use an encryption technique on your string. The problem with encryption is that you'll need to have your key somewhere to decrypt it.

Gary Olsson