Anybody have a secure method of hiding sensitive
text constants in program executables?
You must code your string. The simplest way is to use Base64 encoding.
QByteArray has 2 methods:
::toBase64(..) // use function to get the byte array to be inserted in source code.
::fromBase64(..) // use function to decode the string in your application code
Run this part of code during code editing and replace the result in the source code:
Qt Code:
QByteArray str( "secret" ); // the plain-text string shown in the debug output below
qDebug() << str.data() << "-->" << str.toBase64(); // the encoded variable in Base64
In your application:
Qt Code:
// declare and initialize your variable
QByteArray encoded( "c2VjcmV0" ); // the Base64 value printed by the step above
// use your variable
QByteArray decoded = QByteArray::fromBase64( encoded ); // this is your decoded string as QByteArray
qDebug() << encoded.data() << "-->" << decoded.data();
the debug output is:
secret --> "c2VjcmV0"
c2VjcmV0 --> secret
Of course, any clever hacker would recognize a Base64 string in the data section of code and run a decoder on it... if you really want it to be secure, encrypt it.
<=== The Great Pumpkin says ===>
Please use CODE tags when posting source code so it is more readable. Click "Go Advanced" and then the "#" icon to insert the tags. Paste your code between them.
Agreed. The constant must be processed by the same method beforehand.
I was hoping someone had come up with a script or precompile step to automate the obfuscation.
Thanks for responding!
You might be able to automate this by putting your strings into a file that is compiled into a resource (qrc) file. Your precompile step would be to take the plain-text string file, encrypt it into a second file, and that second file is compiled into the resource file. You can treat a file in resources pretty much like any other file, so you could load that file at run-time into a QMap or similar that looks up encrypted strings by keyword. The only place the plain-text strings live is on your development system; the resource file is compiled into your program binary and contains only the encrypted version.
You could look at using an INI-formatted QSettings bound to a file in the resources as a convenient way to do the lookup by key. Your encryption step converts one QSettings file into another containing the encrypted values.
Last edited by d_stranz; 28th July 2016 at 16:32.
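The precompile step described in the post above, as an added example (not code from this thread or from Qt): it encrypts every value of an INI-format strings file and includes the matching keyword lookup so the round trip can be checked. The HMAC-SHA256 counter-mode stream is a standard-library stand-in for a vetted AEAD such as AES-GCM, and the function names, sample strings and key are constructed. Because the application has to carry the key to decrypt, this raises the effort needed to read the strings out of the binary; it does not make them unrecoverable.

```python
import base64, configparser, hashlib, hmac, io, os

def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib-only stand-in for a vetted AEAD cipher.
    blocks = (_mac(key, nonce + i.to_bytes(4, "big")) for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def encrypt_value(key: bytes, text: str) -> str:
    enc, mac = _mac(key, b"enc"), _mac(key, b"mac")  # separate subkeys
    nonce = os.urandom(16)  # fresh per value, so equal strings encrypt differently
    ct = _xor_stream(enc, nonce, text.encode("utf-8"))
    return base64.b64encode(nonce + ct + _mac(mac, nonce + ct)).decode("ascii")

def decrypt_value(key: bytes, blob: str) -> str:
    enc, mac = _mac(key, b"enc"), _mac(key, b"mac")
    raw = base64.b64decode(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    # Reject a wrong key or a modified value before decrypting anything.
    if not hmac.compare_digest(tag, _mac(mac, nonce + ct)):
        raise ValueError("authentication failed")
    return _xor_stream(enc, nonce, ct).decode("utf-8")

def _parse(ini_text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names case-sensitive
    cp.read_string(ini_text)
    return cp

def encrypt_ini(key: bytes, plain_ini: str) -> str:
    """Precompile step: same sections and keys, every value encrypted."""
    cp = _parse(plain_ini)
    for section in cp.sections():
        for name, value in cp.items(section):
            cp.set(section, name, encrypt_value(key, value))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()

def load_strings(key: bytes, encrypted_ini: str) -> dict:
    """Run-time counterpart: 'Section/key' -> decrypted string."""
    cp = _parse(encrypted_ini)
    return {f"{s}/{k}": decrypt_value(key, v) for s in cp.sections() for k, v in cp.items(s)}

# Constructed sample input and key; a real build reads the strings from a file.
SAMPLE_INI = "[General]\napiToken = secret\ndbPassword = p@ss%word=1\n"
SAMPLE_KEY = b"constructed-demo-key"
```

In the application the `load_strings` side would be reimplemented in C++ against the resource file; the Python version here serves as the reference for testing the build step.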