Announcement

**Roger Garstang** · 5 Jul 2008, 12:42 PM

Cool idea Wayne, that beats my old method. In PBDOS I used to hide with CHR$(...) which seems to hide things somewhat by converting to numbers, etc. Then I used various XOR "encryption" methods since they can be reversed easily.

This adds little overhead too. I've often seen other apps when looking at them with a HEX editor contain the complete alphabet, number sequences, days of the week, month names, etc. The compilers may do this to only store whatever the user puts in once, and could even be doing what you mentioned to speed up normal processes.

**John Gleason** · 7 Jul 2008, 01:35 PM

Here is a ready-made sub with chrs from 32 to 126:

Code:

SUB str()
   LOCAL a AS STRING
   a = " "&"!"&"#"&"$"&"%"&"&"&"'"&"("&")"&"*"&"+"&","&"-"&"."&"/"&"0"& _
       "1"&"2"&"3"&"4"&"5"&"6"&"7"&"8"&"9"&":"&";"&"<"&"="&">"&"?"&"@"& _
       "A"&"B"&"C"&"D"&"E"&"F"&"G"&"H"&"I"&"J"&"K"&"L"&"M"&"N"&"O"&"P"& _
       "Q"&"R"&"S"&"T"&"U"&"V"&"W"&"X"&"Y"&"Z"&"["&"\"&"]"&"^"&"_"&"`"& _
       "a"&"b"&"c"&"d"&"e"&"f"&"g"&"h"&"i"&"j"&"k"&"l"&"m"&"n"&"o"&"p"& _
       $DQ&"q"&"r"&"s"&"t"&"u"&"v"&"w"&"x"&"y"&"z"&"}"&"|"&"{"&"~"
END SUB
'this would allow for most other commonly used chrs, eg.
    x = "the password is: " & ","&"3"&"("&")"&"d"&"s"&"n"&$DQ

added: another thought: since it is somewhat difficult to type your strings you want to hide in the format above, copy the actual strings above and put in your own letters.
I'll test the theory now:

Code:

       "y"&"e"&"p"&" "&"t"&"h"&"i"&"s"&" "&"i"&"s"&" "&"n"&"o"&"t"&" "& _
       "t"&"o"&"o"&" "&"h"&"a"&"r"&"d"&" "&"t"&"o"&" "&"d"&"o"

and it'd be even easier if the INSERT key worked like it does in the PB editor.

**Aslan Babakhanov** · 8 Jul 2008, 07:17 AM

Very simple string encoding/decoding functions.

Encoded string properties are:
1. Lenght multiplied by 2
2. Char code range between 32 and 126. (like MIME/UUE)

PHP Code:


' Decode string

'

FUNCTION DE_SS (BYVAL e AS STRING) AS STRING

    LOCAL u, p AS BYTE PTR, i,l,j,k AS LONG

    l = LEN(e)

    j = l/2

    DIM rez(0 TO j) AS BYTE

    u = VARPTR(rez(0))

    p = STRPTR(e)

    k = 0

    FOR i = 0 TO j-1

        rez(i) = @p[k]

        ! inc k

        ! inc k

    NEXT i

    FUNCTION = PEEK$( u, j )

END FUNCTION



' Encode string

'

FUNCTION EN_SS (BYVAL e AS STRING ) AS STRING

    LOCAL i,j,l,k AS LONG, u,p AS BYTE PTR, n AS BYTE



    RANDOMIZE TIMER

    l = LEN(e)

    j = l * 2

    DIM rez(0 TO j) AS BYTE

    u = VARPTR(rez(0))

    p = STRPTR(e)

    k = 0

    FOR i = 0 TO L - 1

        n      = RND(33, 126)

        rez(k) = @p[i]

        ! inc k

        rez(k) = n

        ! inc k

    NEXT i

    FUNCTION = PEEK$( u, j )

END FUNCTION

Code:

Input String: The key is: ADMIN
Result:       S3ggd|>j)doxN[[email protected]$CgLHH%MG

**Wayne Diamond** · 8 Jul 2008, 07:34 AM

Aslan, nice, but that requires a second program to do the encrypting, which is what I was trying to avoid

And if using a second program to do the encryption I'd go with a stronger algorithm, although I guess it doesn't matter so much seeing as any string can be intercepted at the point it has been decrypted, regardless of the encryption algorithm used, which is why I build the strings at runtime - it's really no less secure than encrypted strings because of that fact that they can both be intercepted at the point where they've been decrypted/rebuilt.

**Aslan Babakhanov** · 8 Jul 2008, 07:46 AM

Agree.
I'm also researching for methods to avoiding second subs.
How about this piece of code? String bytes pushed onto stack...

Code:

FUNCTION PBMAIN () AS LONG

    LOCAL a AS STRING, d AS BYTE PTR

    a = SPACE$(7)
    d = STRPTR(a)

    ! push 65
    ! push 66
    ! push 67
    ! push 68
    ! push 69
    ! push 70
    ! push 71

    ! mov cx, 7
    ! mov ebx, d

    l:
    ! pop eax
    ! mov byte ptr [ebx], al
    ! inc bl
    ! loop l

    ? a

END FUNCTION

**John Gleason** · 8 Jul 2008, 07:20 PM

Aslan, unfortunately the characters appear in order. Here is a copy from the compiled executable: jAjBjCjDjEjFjGjHf

**Aslan Babakhanov** · 9 Jul 2008, 02:13 AM

The example above is just a "starter code".
Here are some ways to hide characters using this code:

1. You can replace 1 byte values with 2 bytes -- see code below.
2. Incremetally XOR each character and use them in PUSH, then read insode loop with XOR.
3. Put senseless commands between PUSH. i.e. mov eax,eax etc.
4. Create 32 and 64 bit long values and read them respectively.

Code:

    ! push &H410A
    ! push &H4200
    ! push &H4301
    ! push &H44EB
    ! push &H45BB
    ! push &H46CC
    ! push &H47EE

    ! mov ecx, 7
    ! mov ebx, d

    l:
    ! pop eax
    ! shr eax, 8
    ! mov byte ptr [ebx], al
    ! inc bl
    ! loop l

**John Gleason** · 9 Jul 2008, 03:40 PM

Interestingly Aslan, the compiler seems to be doing your above suggestions automatically in Wayne's
technique. Additionally, it likely uses a positional reference rather then the exact value, as !PUSH does.
The positional referencing means we can quickly add one extra pinch of obfuscation: shuffling
the SUB reference string (kind of a lookup table). Here are five below to pick from.

Code:

SUB obStr()
   LOCAL a AS STRING
   a = "m"&"/"&"~"&"P"&"*"&"X"&"-"&"{"&"l"&"g"&"%"&"i"&"N"&"R"&"C"&"5"&"j"& _
       "V"&"S"&"@"&"M"&"o"&"+"&"#"&"_"&"'"&"Z"&"="&"H"&"$"&"["&"6"&"}"& _
       "]"&"I"&"2"&"?"&"1"&"d"&")"&"O"&"D"&"B"&"p"&"T"&"b"&"v"&"x"&"4"& _
       ">"&"L"&"J"&"K"&"G"&"<"&"A"&"f"&"Y"&"h"&" "&"n"&"s"&"e"&"r"&"Q"& _
       "t"&"7"&"a"&"3"&"y"&"."&"w"&"8"&"W"&"!"&","&"U"&"&"&"c"&"F"&"|"& _
       "`"&"9"&"u"&"z"&":"&"^"&"0"&"("&"E"&"k"&"q"&"\"&$DQ&";"
END SUB

SUB obStr2()
   LOCAL a AS STRING
   a = "."&"i"&"T"&"#"&"W"&","&"}"&";"&"N"&"I"&"d"&"'"&"5"&"%"&"Z"&"F"&"{"& _
       "n"&"~"&"8"&"f"&"`"&"U"&"v"&"("&"y"&"2"&"C"&"M"&"|"&"Q"&"S"&"h"& _
       "!"&"$"&"?"&"H"&"["&"k"&"*"&"X"&"t"&"o"&"="&"R"&"j"&">"&"q"&"]"& _
       "b"&$DQ&"z"&"P"&"0"&"V"&"1"&"/"&"a"&"x"&"7"&"\"&"l"&"m"&"g"&"G"& _
       "J"&"9"&"&"&"D"&"L"&"A"&"K"&"_"&"+"&"w"&"^"&"p"&"3"&"r"&"e"&")"& _
       "Y"&" "&"@"&"4"&"6"&"O"&"s"&"E"&":"&"-"&"u"&"c"&"<"&"B"
END SUB

SUB obStr3()
   LOCAL a AS STRING
   a = ">"&"m"&"o"&"d"&"c"&"|"&"A"&"/"&"b"&"Y"&"I"&"6"&"."&"E"&"T"&"<"&"Z"& _
       "U"&"V"&"("&"!"&"S"&"i"&"9"&"$"&"C"&"g"&"~"&"%"&"L"&"["&":"&"n"& _
       "#"&"R"&"&"&"j"&","&"M"&"1"&"{"&" "&"l"&"="&"a"&"r"&"'"&"}"&"N"& _
       "O"&"D"&"H"&"]"&"5"&"F"&"4"&"_"&"K"&"Q"&"@"&"\"&"W"&"x"&"8"&"y"& _
       "t"&"u"&"e"&$DQ&"^"&";"&"*"&"B"&"2"&"G"&"0"&"v"&"3"&"-"&"?"&"7"& _
       "p"&"f"&"`"&"+"&"J"&"z"&")"&"s"&"P"&"k"&"X"&"w"&"h"&"q"
END SUB

SUB obStr4()
   LOCAL a AS STRING
   a = "9"&"i"&"!"&"{"&"n"&"j"&"W"&"\"&"q"&"("&"5"&"k"&"%"&"6"&"0"&"["&"'"& _
       "x"&"g"&"m"&"t"&","&"b"&"Z"&"d"&"R"&"3"&"h"&"_"&"w"&"/"&"1"&"y"& _
       "2"&"#"&"A"&"P"&"B"&"8"&"H"&"l"&"v"&"4"&"K"&"^"&"`"&"J"&"c"&"-"& _
       "T"&"]"&" "&"~"&"C"&"7"&"S"&"Q"&"N"&"G"&"@"&";"&"V"&"E"&"+"&"a"& _
       "?"&"r"&"o"&"<"&"Y"&$DQ&"e"&"I"&"F"&")"&":"&">"&"."&"="&"z"&"O"& _
       "X"&"&"&"|"&"L"&"p"&"}"&"s"&"U"&"u"&"f"&"*"&"M"&"$"&"D"
END SUB

SUB obStr5()
   LOCAL a AS STRING
   a = "/"&"?"&"*"&"G"&"F"&"X"&"v"&"R"&"f"&"A"&"1"&")"&"n"&"!"&"|"&"("&"O"& _
       "T"&"7"&"}"&"u"&"4"&"_"&"i"&"I"&"Y"&"$"&"Z"&"^"&"j"&"U"&"8"&"l"& _
       "t"&"x"&"s"&"<"&"Q"&";"&"S"&"d"&"M"&"K"&","&" "&"g"&"E"&"P"&"L"& _
       "H"&"5"&"p"&"k"&"#"&"{"&"`"&"%"&"a"&"w"&"c"&"="&"0"&"b"&"e"&"y"& _
       "@"&"z"&"r"&"2"&"q"&"."&"~"&"C"&"B"&"h"&":"&"V"&"N"&"3"&"["&"W"& _
       "-"&"m"&"&"&$DQ&"6"&"J"&"9"&"'"&"\"&"+"&"]"&"o"&"D"&">"
END SUB

**Wayne Diamond** · 10 Jul 2008, 12:15 AM

Another aspect with how the strings are stored in the exe and referenced by the code is that there is a 2 byte header before the string which specifies the length of the string.

When the code references a string it doesn't reference the first byte of that string, it references the first byte of that 2 byte header. The indirect result of that is that disassemblers that search for strings by reference fail to recognise it as a string.

For example, the following program ...
FUNCTION PBMAIN() AS LONG
STDOUT "String1"&"String2"
END FUNCTION

Here you can see how the code references the strings:

The first line points at 00402464 (the first byte of the 2 byte header in front of "String1"), and if you consider the data at that address as a DWORD you get 07 00 53 74, or just 07 00 if you look at it as an ASCIIZ string.

So you won't see any Powerbasic strings as a string reference in Ollydbg, Win32dasm, and probably most other disassemblers. Even IDA 5 doesn't quite manage the job.... it sees the first as "ing1\a", but it does find "String2" ok. However, there are no references in the code to that string - the only references are to the 2-byte length header in front of it, which it doesn't know is a length field. (It could afterall just be any WORD variable)

Attached Files

**Wayne Diamond** · 8 Jul 2014, 05:27 AM

while browsing I noticed today is now 6 years 3 days since i started this thread! lol

so i just wanted to bump this to let newer PB coders aware of this simple but handy trick in regards to how you can use the PB compiler to hide sensitive strings from appearing in your executable binary file / disassemblies, while also keeping things very simple at the source-code level

</shameless bump>

**Joe Byrne** · 8 Jul 2014, 12:08 PM

Even ...

Some of us 'not so new' PB coders forget things occasionally! I spent about an hour a few weeks ago coming up with a way to do this very thing!

BTW, nice to see you back again Wayne. It's starting to feel like old-timers day around here

**Mike Doty** · 10 Jul 2014, 11:00 AM

Why does this seem to work?

Code:

#DIM ALL
#INCLUDE "win32api.inc"
$OutPutFile = "TEST.TXT"
'
FUNCTION PBMAIN () AS LONG 'FindString.bas
  LOCAL s AS STRING
  KILL $OutputFile
  s = CHR$("W","a","y","n","e") 'Search for Wayne on disk
  FindString s
  FindString CHR$("M","i","k","e")
  ShellExecute (0, "OPEN", $OutPutFile, BYVAL 0, CURDIR$, %SW_SHOWNORMAL)
END FUNCTION
'
FUNCTION FindString(SearchFor AS STRING) AS STRING
'
  LOCAL x,hFile,TimesFound AS LONG
  LOCAL sFileInMemory AS STRING
  LOCAL ShortString AS STRING
'
  hFile = FREEFILE
  OPEN EXE.FULL$ FOR BINARY AS #hFile
  GET$ #hFile, LOF(#hFile),sFileInMemory
  CLOSE #hFile
'
  hFile = FREEFILE
  OPEN $OutPutFile FOR APPEND AS hFile
  FOR x = 1 TO LEN(SearchFor)
    ShortString = LEFT$(SearchFor,x)
    TimesFound = TALLY(sFileInMemory,ShortString)
    PRINT #hFile, ShortString; " found" + STR$(TimesFound)
    IF TimesFound = 0 THEN EXIT FOR 'longer string won't find
  NEXT
  PRINT #hFile, STRING$(30,"-")
  CLOSE #hFile
END FUNCTION

**Wayne Diamond** · 10 Jul 2014, 11:42 AM

Mike, actually your code does not work - it fails because of reasons already mentioned in this thread.

Namely, you failed to provide any character randomisation before searching for your chars, so whatever you search for is naturally going to be seen in "plaintext" in any hex editor, with all characters that you entered in your source code appearing IN THE SAME ORDER in the binary.

**Mike Doty** · 10 Jul 2014, 11:56 AM

Without encrypting or randomizing I can't find "Wayne" or "Mike" in the executable.
Can't even find a close match.

W found 101
Wa found 0
------------------------------
M found 20
Mi found 0
------------------------------

**Berkley Tate** · 10 Jul 2014, 12:01 PM

I agree with Wayne.
Mike here are all of the strings from you example.

....................................................P...€...`.......TEST.TXT...Ç[email protected]Ç....e.......M.......i.......k..ô....OPEN...ÿ.... found..................

Took 1 minute to find them.
Not secure. It does not take much deduction to determine that Wayne and Mike are being used for some purpose.

**Mike Doty** · 10 Jul 2014, 01:55 PM

Thank you, Wayne and Berkley!
I need better eyes and a better hex editor.
s = CHR$("W","a","y","n","e") also seems to work if SUB PLACE_AT_TOP_OF_PROGRAM is at top?

Code:

#DIM ALL
GLOBAL gOutPutFile AS STRING

SUB PLACE_AT_TOP_OF_PROGRAM
 'Wayne Diamond 7/5/2008
 'http://www.powerbasic.com/support/pbforums/showthread.php?t=37873 LOCAL a AS STRING
 'Helper SUB by John Gleason  7/7/2008
  LOCAL a AS STRING
  a = " "&"!"&"#"&"$"&"%"&"&"&"'"&"("&")"&"*"&"+"&","&"-"&"."&"/"&"0"& _
       "1"&"2"&"3"&"4"&"5"&"6"&"7"&"8"&"9"&":"&";"&"<"&"="&">"&"?"&"@"& _
       "A"&"B"&"C"&"D"&"E"&"F"&"G"&"H"&"I"&"J"&"K"&"L"&"M"&"N"&"O"&"P"& _
       "Q"&"R"&"S"&"T"&"U"&"V"&"W"&"X"&"Y"&"Z"&"["&"\"&"]"&"^"&"_"&"`"& _
       "a"&"b"&"c"&"d"&"e"&"f"&"g"&"h"&"i"&"j"&"k"&"l"&"m"&"n"&"o"&"p"& _
       $DQ&"q"&"r"&"s"&"t"&"u"&"v"&"w"&"x"&"y"&"z"&"}"&"|"&"{"&"~"
END SUB

#INCLUDE "win32api.inc"
FUNCTION PBMAIN () AS LONG 'FindStr.bas
  LOCAL s AS STRING, result AS LONG
  gOutputFile = CHR$("T","E","S","T",".","T","X","T")
  s = CHR$("W","a","y","n","e")
  FindString s
  FindString CHR$("M","i","k","e")
  result = ShellExecute (0, CHR$("O","P","E","N"), gOutPutFile+$NUL, BYVAL 0, CURDIR$, %SW_SHOWNORMAL)
  'result of ShellExecute (0-32 Failure)
END FUNCTION

FUNCTION FindString(s AS STRING) AS STRING
END FUNCTION

**Theo Gottwald** · 10 Jul 2014, 04:47 PM

There is already a very good sollution available ...
Text mangling Tool for Powerbasic

**Berkley Tate** · 10 Jul 2014, 04:53 PM

Mike I use HxD as my hex editor. It is available in several languages. Give it a try as I think you will like it.
The English version is available here http://mh-nexus.de/en/hxd/.
It is free but does have donation link available in the about window.

For what it is worth PowerBASIC apparently stores all literal strings in the same region of the compilations irrespective of which SUB or FUNCTION they are in.

**Wayne Diamond** · 10 Jul 2014, 07:33 PM

For what it is worth PowerBASIC apparently stores all literal strings in the same region of the compilations irrespective of which SUB or FUNCTION they are in.

Correct! but the reason for having the randomised alphabet string at the very top of the source code is because of the way the PB compiler reads the source code when building the binary - storing strings in the order it finds them, and it essentially reads top-to-bottom. This trick is about exploiting the way the compiler builds its executables and stores & references strings

So in other words, if you put a protected string before (higher up in the source code) the random alphabet string, the protected string will still appear readable/unprotected in the compiled exe. So, just by switching the position of two strings can dramatically change the resulting binary in regards to the strings!

Example... (as they appear in the compiled exe)

Code:

sProtected = "a"&"d"&"m"&"i"&"n"   '// string to protect = "admin"
sAlphabet = "n"&"m"&"d"&"i"&"a"    '// pretend this is the whole alphabet (each char in random order)

Protected string placed BEFORE random alphabet in the source code (still insecure):
a.x.....d.......m.......i..u....n

Protected string placed AFTER random alphabet in the source code (now obscured):
n.x.....m.......d.......i..u....a

PB'ers should also be aware that each unique string is only stored once in the executable, regardless of how many times it is used; it is referenced by address.
So for example, "A"&"B"&"B"&"B"&"C"&"B"&"B" would look something like "A...B...C..." in the compiled exe. This is also at the heart of this simple string-obscuring trick.

Announcement

Forum Guidelines

Easy hide strings from casual viewing

Easy hide strings from casual viewing

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment