Friday, February 27, 2015

How to encrypt strings in your applications

I have seen many examples and available solutions for string encryption, but they mostly force you to bloat your code with a lot of garbage. Usually it's something in the form of randomly generated lines of code that fill a buffer with the desired string, or something in the form of:
XorString("\xf0\xdb\x5c\xc3\x6e\xd3\x0d\xd6\x90\xde", 0x6b1c485a, 10)

While these truly are string encryption and they do their job, it's very hard to quickly modify such strings in your code. In either case you have to go back to the application or site that generates the code for you, and the result also makes the code very hard to read.

Writing a string encryption tool literally takes no more than 15-20 minutes, and you get to decide how it behaves, which type of encryption you want, etc.

I've quickly written some code to make an easy-to-understand example. I wanted it to be easy to read and change strings in the code, like this:


After compiling this code, you need to pass it to the string encryption tool:

I won't be explaining the code in detail; it's really nothing special and should be easy to understand. Please note that this is just a PoC. Normally you would use better encryption than a simple XOR, and you would make sure it doesn't leak memory: se_decrypt returns malloc'd memory which is never freed. Alternatively, you could avoid allocating new memory and overwrite the encrypted string in place with the decrypted one, but that involves using VirtualProtect.
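The memory-leak caveat above can be avoided by decrypting into a buffer the caller owns and wiping it after use. This is an added example, not the code from string_encrypt.zip: `se_decrypt_into`, `se_wipe`, `se_demo`, the repeating 32-bit XOR layout and the sample bytes and key are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper, not the post's se_decrypt: XOR `len` bytes with a
 * repeating 32-bit key (low byte first) into a caller-owned buffer.
 * Nothing is malloc'd, so there is nothing to leak.
 * Returns 0 on success, -1 if `out` cannot hold the text plus its NUL. */
int se_decrypt_into(const unsigned char *enc, size_t len, uint32_t key,
                    char *out, size_t out_size)
{
    if (out == NULL || enc == NULL || out_size < len + 1)
        return -1;
    for (size_t i = 0; i < len; i++)
        out[i] = (char)(enc[i] ^ (unsigned char)(key >> (8 * (i % 4))));
    out[len] = '\0';
    return 0;
}

/* Clear the plaintext once used. Writing through a volatile pointer keeps
 * the compiler from dropping the stores as dead. */
void se_wipe(char *buf, size_t size)
{
    volatile char *p = buf;
    while (size--)
        *p++ = 0;
}

/* Constructed sample: "hello" XORed with the constructed key 0x11223344. */
static const unsigned char SAMPLE_ENC[] = { 0x2C, 0x56, 0x4E, 0x7D, 0x2B };
#define SAMPLE_KEY 0x11223344u

/* Returns 0 if decrypt, bounds check and wipe all behave as intended. */
int se_demo(void)
{
    char buf[16], tiny[5];
    if (se_decrypt_into(SAMPLE_ENC, sizeof SAMPLE_ENC, SAMPLE_KEY, tiny, sizeof tiny) != -1)
        return 1;                       /* 5 bytes + NUL must not fit in 5 */
    if (se_decrypt_into(SAMPLE_ENC, sizeof SAMPLE_ENC, SAMPLE_KEY, buf, sizeof buf) != 0)
        return 2;
    if (strcmp(buf, "hello") != 0)
        return 3;
    se_wipe(buf, sizeof buf);
    return buf[0] == 0 ? 0 : 4;
}

int main(void) { return se_demo(); }
```

Because the plaintext lives in a stack buffer, it disappears with the caller's frame and no `free` or `VirtualProtect` call is needed.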

Download: string_encrypt.zip
