methods to obfuscate strings from hexdumps
rcourtney
26th July 2016, 04:18
Anybody have a secure method of hiding sensitive
text constants in program executables?
alainstgt
26th July 2016, 15:22
You must code your string. The simplest way is to use Base64 encoding.
QByteArray has 2 methods:
::toBase64(..) // use function to get the byte array to be inserted in source code.
::fromBase64(..) // use function to decode the string in your application code
Run this part of code during code editing and replace the result in the source code:
QByteArray str("secret"); // the variable you want to hide
qDebug() << str.data() << "-->" << str.toBase64(); // the encoded variable in Base64
In your application:
// declare and initialize your variable
QByteArray encoded("c2VjcmV0"); // this is your encoded string
// use your variable
QByteArray decoded = QByteArray::fromBase64( encoded ); // this is your decoded string as QByteArray
QString decodedString = QString( QByteArray::fromBase64( encoded )); // alternatively as QString
qDebug() << encoded.data() << "-->" << decoded.data();
The debug output is:
secret --> "c2VjcmV0"
c2VjcmV0 --> secret
d_stranz
27th July 2016, 00:13
Of course, any clever hacker would recognize a Base64 string in the data section of code and run a decoder on it... if you really want it to be secure, encrypt it.
rcourtney
28th July 2016, 03:49
Agreed. The constant must be processed by the same method beforehand.
I was hoping someone had come up with a script or precompile step to automate the obfuscation.
Thanks for responding!
d_stranz
28th July 2016, 16:27
You might be able to automate this by putting your strings into a file that is compiled into a resource (qrc) file. Your precompile step would be to take the plain-text string file, encrypt it into a second file, and that second file is compiled into the resource file. You can treat a file in resources pretty much like any other file, so you could load that file at run-time into a QMap or similar that looks up encrypted strings by keyword. The only place the plain-text strings live is on your development system; the resource file is compiled into your program binary and contains only the encrypted version.
You could look at using an INI-formatted QSettings bound to a file in the resources as a convenient way to do the lookup by key. Your encryption step converts one QSettings file into another containing the encrypted values.
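The precompile step described in the last post, sketched as a build script (an added example, not code from any poster in this thread): it rewrites an INI-style string file so that only encrypted values reach the resource file, and shows the matching run-time lookup. The cipher is a stand-in built from standard-library HMAC-SHA256 (keystream plus integrity tag) so the script runs without third-party packages; a real build would use a vetted AEAD such as AES-GCM and the Qt application would need the matching decrypt routine. The key, the sample strings and all function names are assumptions, and because the application must carry the same key, this keeps strings out of a hexdump but not away from someone who analyses the binary.

```python
import base64, hashlib, hmac, os

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for the keystream and for the integrity tag.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode (stand-in cipher, an assumption of this example).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt_value(key: bytes, plaintext: str) -> str:
    nonce = os.urandom(16)  # fresh per value, so equal strings encrypt differently
    data = plaintext.encode("utf-8")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(data))
    body = nonce + bytes(a ^ b for a, b in zip(data, ks))
    tag = hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode("ascii")

def decrypt_value(key: bytes, token: str) -> str:
    raw = base64.b64decode(token)
    body, tag = raw[:-32], raw[-32:]
    expected = hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()
    if len(raw) < 48 or not hmac.compare_digest(tag, expected):
        raise ValueError("encrypted string was modified or key is wrong")
    ks = _keystream(_subkey(key, b"enc"), body[:16], len(body) - 16)
    return bytes(a ^ b for a, b in zip(body[16:], ks)).decode("utf-8")

def encrypt_ini(text: str, key: bytes) -> str:
    # Precompile step: keep section headers and key names, encrypt values only.
    out = []
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith((";", "#", "[")):
            out.append(f"{name.strip()}={encrypt_value(key, value.strip())}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"

def load_strings(text: str, key: bytes) -> dict:
    # Run-time side: the keyword -> string table (the QMap in the post).
    pairs = (l.partition("=") for l in text.splitlines() if "=" in l and not l.startswith("["))
    return {name: decrypt_value(key, value) for name, _, value in pairs}

# Constructed sample input and a placeholder key (both assumptions).
SAMPLE_INI = "[General]\napi_token=secret\ndb_password=correct horse\n"
BUILD_KEY = bytes(range(32))
```
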