Re: hide my code
- From: rossum <rossum48@xxxxxxxxxxxx>
- Date: Mon, 30 Jun 2008 22:53:26 +0100
On Tue, 1 Jul 2008 03:56:47 +0800, "Elliot"
<elliot_barclay@xxxxxxxxxxxxx> wrote:
That's good.
Use obfuscator may be easier for me, a beginner.

"Ken Foskey" <foskey@xxxxxxxxxxxxxxxx> wrote in message
news:486809dc$1@xxxxxxxxxxxxxxxxxxxx
On Sun, 29 Jun 2008 22:40:57 +0800, Elliot wrote:
My codes contain several URLs which are supposed to be not disclosed. As
some programs such as Luxx Roxxxx's .NET Reflector can 'disclose' my
codes almost completely.
Any suggestion to 'hide' those URLs?

Use gnupg to encrypt the file and then decrypt at runtime and load into a
memory table.
Other comments apply, there are plenty of ways to find the info other
ways.
Ken

An obfuscator may well obfuscate your variable names, it may not
obfuscate your URLs. It is possible that you will have to obfuscate
the URLs yourself and just obfuscate the decoding function.

Any hardcoded string in the source code will be visible to anyone who
wants to look at it. The general way round the problem is not to put
the actual URL string into the source code, but to put a different
string (or array of char, array of byte etc.) which can be
programmatically transformed to give the correct URL.

How you want to do this will depend on how secure you want things to
be. Your main decision is if the transformation of the non-URL into
the URL is transparent to the user or if the user needs to enter some
secret password to allow the transformation to proceed. The method
you pick should be determined by who you are trying to protect
against: your Aunt Edna, someone with as many resources as yourself,
Nasty Megacorp Inc with a few hundred thousand dollars to spend or a
three letter government agency with millions.

The simplest option is something like Base64: you can either have a
text of "elephant" with the text in your source of "ZWxlcGhhbnQ=", or
the other way round. Various hash functions, or the unix crypt()
function could be substituted for Base64, depending on what is
available, though these will only work one way round, not both ways
like Base64. All of these methods are vulnerable to someone who can
disassemble the executable file. Aunt Edna only.

Base64 and hash functions do not take a key. The next level of
security involves using a keyed cypher. If you want this to be
transparent to the user then the key needs to be kept somewhere. If
the key is hard coded into the executable then the key is vulnerable
to disassembling the executable. If kept in a separate file, then
again it will be possible to discover the filename from the executable
and lead the attacker to the file containing the key. Delivering the
key over the internet is vulnerable to network sniffing. Probably
anything short of Nasty Megacorp Inc.

The securest way is for the user to enter the key when the password
transformation is required.

This is a pseudocode example of the middle option, in this case a
password encrypted with a key held on a separate file:

  string codedPassword <- "elephant";
  string keyFileName <- "keyfile.txt";

  function DecodePassword(string cyphertext) : returns string
    byte[] key <- ReadKeyFrom(keyFileName);
    string plaintext;
    int i <- 0;
    foreach char c in cyphertext do
      plaintext[i] <- c XOR key[i];
      i <- i + 1;
    end foreach
    return plaintext;
  end function

If the key file reads:
0x16, 0x1D, 0x10, 0x19, 0x1A, 0x13, 0x0B, 0x18
then the real password is not "elephant", but a different animal
altogether. This example uses a simple XOR encryption. I
deliberately made the coded password look like a real word as an added
level of misdirection. The real password does not appear anywhere in
the program file.
rossum
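
Added example (not part of rossum's post): a Python rendering of the DecodePassword pseudocode above, using the post's coded string and key-file bytes. The function names, the key-file parser and the build-time helper make_key_for_decoy are assumptions of this example; it also rejects a key shorter than the coded string, a case the pseudocode leaves open.

```python
import os
import tempfile

# Values taken from the post: the decoy string held in the program and
# the bytes listed for keyfile.txt.
CODED_PASSWORD = "elephant"
KEY_BYTES = bytes([0x16, 0x1D, 0x10, 0x19, 0x1A, 0x13, 0x0B, 0x18])


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key byte for byte; refuse a key shorter than the data."""
    if len(key) < len(data):
        raise ValueError("key is shorter than the coded string")
    return bytes(d ^ k for d, k in zip(data, key))


def parse_key_file(text: str) -> bytes:
    """Parse the '0x16, 0x1D, ...' layout shown in the post (assumed format)."""
    return bytes(int(tok, 16) for tok in text.replace(",", " ").split())


def decode_password(cyphertext: str, key_path: str) -> str:
    """The post's DecodePassword: read the key file, XOR it over the string."""
    with open(key_path, encoding="ascii") as fh:
        key = parse_key_file(fh.read())
    return xor_bytes(cyphertext.encode("ascii"), key).decode("ascii")


def make_key_for_decoy(real: str, decoy: str) -> bytes:
    """Build-time step (hypothetical helper): key = decoy XOR real,
    so that the decoy word in the program decodes to the real value."""
    if len(real) != len(decoy):
        raise ValueError("decoy and real value must be the same length")
    return xor_bytes(decoy.encode("ascii"), real.encode("ascii"))


def demo() -> str:
    """Write the post's key bytes to a temporary keyfile.txt and decode."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "keyfile.txt")
        with open(path, "w", encoding="ascii") as fh:
            fh.write(", ".join(f"0x{b:02X}" for b in KEY_BYTES))
        return decode_password(CODED_PASSWORD, path)


if __name__ == "__main__":
    print(demo())
```

Anyone who holds both the program's coded string and keyfile.txt can run the same decode, which is the limit the post gives for this middle option.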