是否可以隐藏 C++ 中定义的密码?代码

发布于 2024-10-22 03:15:34 字数 149 浏览 6 评论 0原文

...这样浏览反汇编代码不会立即暴露密码(声明为静态变量)。举个例子,想象一个程序附加了一个 zip 文件,必须打开该文件才能获取资源,但不易被窥探者访问。

我知道不可能完全隐藏或保护该拉链,但我很好奇有什么方法可以至少阻止一个不经意的窥探者。

谢谢!

... so that browsing the disassembly won't immediately expose the password (declared as a static variable). As an example, imagine a program that has a zip file attached that it must open for assets but is not easily accessible to prying eyes.

I know that it is impossible to completely hide or protect that zip but I'm curious what means are available to at least hold off a casual snooper.

Thanks!

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(9

走走停停 2024-10-29 03:15:34

如果您的程序是 Windows 程序,则只需使用“此程序无法在 DOS 模式下运行”。作为密码。该字符串几乎存在于每个 Windows 可执行文件中。

我只是半开玩笑,因为它可能几乎和用程序中其他地方的密钥对密码进行异或一样安全,并且维护它的麻烦几乎为零。

If your program is a Windows program, just use "This program cannot be run in DOS mode." as the password. That string is in nearly every Windows executable.

I'm only half kidding, since it's probably nearly as secure as XOR-ing the password with a key that's elsewhere in the program and there will be pretty much zero headaches maintaining it.

再见回来 2024-10-29 03:15:34

不,但是你可以采取一些措施来让它变得更难。

将密码存储为一系列数字,对它们进行一些计算以生成实际密码,将部分密码存储在图标等资源中。

No but there are things you can do to make it harder.

Store the password as a series of numbers, do some calculations on them to generate the actual password, store parts of the password in resources such as icons etc.

み格子的夏天 2024-10-29 03:15:34

简而言之,不,任何破解者都会在打开 zip 文件的函数上设置一个断点,并从那里的 RAM 中获取密码。

In short, no, Any cracker would just set a breakpoint on the function that opens the zip file, and get the password from RAM there.

廻憶裏菂餘溫 2024-10-29 03:15:34

将密码的 XOR 加密版本存储为静态变量,而不是实际密码。当您需要使用它时,只需应用简单的异或解密即可检索实际密码。

http://en.wikipedia.org/wiki/XOR_cipher

Instead of the actual password store the XOR encrypted version of the password as static variable. When you need to use it you just apply simple XOR decryption to retrieve the actual password.

http://en.wikipedia.org/wiki/XOR_cipher

一影成城 2024-10-29 03:15:34

一种解决方案是将静态密码与另一个常量甚至另一个字符串进行异或。这会将您的密码分散到需要组合多个部分才能取回的密码。编译后的二进制文件上的字符串不显示 pw 字符串。

#include <stdio.h>

char pw[8] = {124, 109, 127, 127, 123, 99, 126, 104};

int main(int argc, char** argv) {
  for (int i = 0; i < 8; i++) {
    pw[i] = pw[i] ^ 12;
  }
  printf("%s\n", pw);  // => 'password'
}

有很多方法可以保护数据免受随意检查,而坚定的对手则完全是另一回事(只需询问从事 DRM 的人员即可。)

One solution would be to xor the static password with another constant or even another string. This would spread your password out between however many parts need to be combined to get it back. A strings on the compiled binary doesn't show the pw string.

#include <stdio.h>

char pw[8] = {124, 109, 127, 127, 123, 99, 126, 104};

int main(int argc, char** argv) {
  for (int i = 0; i < 8; i++) {
    pw[i] = pw[i] ^ 12;
  }
  printf("%s\n", pw);  // => 'password'
}

There are a number of ways to protect data from a casual inspection, a determined adversary is another matter altogether (just ask the folks doing DRM.)

断爱 2024-10-29 03:15:34

您可以将密码与从程序的某些数据派生的另一个密码进行异或,例如字段(在打包结构/类中)相对于结构/类开头的相对位置,或者可能使用一些“常量”数据(当前的世纪和千年在接下来的 89 年里是相当恒定的:-)),或者将某些字符从一个代码页转换为另一个代码页,或者可能将某些数字转换为浮点或双精度(甚至可能是一些简单的除法,例如2/3、3/5、5/7 in double 用作密码,请务必“强制”编译器不优化它们(可能从其他“可测量”的事物中得出数字,例如某些字符串的长度)) 。尤其是第一个可能是最容易隐藏的:“测量”字段的相对位置是很常见的。这些方法都无法在黑客攻击 5 分钟后存活下来……它们只能防止“使用十六进制编辑器进行随意窥探”。

You could xor the password with another password derived from some data of your program, for example the relative position of a field (in a packed struct/class) relative to the beginning of the struct/class, or perhaps use some "constant" data (the current century and millennium are quite constant, for the next 89 years :-) ), or the conversion of some characters from one codepage to another, or perhaps the conversion of some numbers to float or double (perhaps even some simple divisions like 2/3, 3/5, 5/7 in double used as a password. Be sure to "force" the compiler to not optimize them (probably deriving the number from other "measurable" things, like the length of some strings)). Especially the first one is probably the easiest to hide: it's quite common to "measure" the relative position of a field. None of these methods will survive 5 minutes of an hacker... They'll only protect against "casual snooping with an hex editor".

饮惑 2024-10-29 03:15:34

那么为什么要存储它呢?为什么不使用第一个基于异或算法加密的第二个打包应用程序呢?这样就根本不需要存储密码了!

当然,这种方法有点困难,但我想说,您不仅可以从使用这种方法中受益匪浅,而且还可以学习使其发挥作用所需的必要知识。

Well why store it at all? Why not have a second packed application that your first encrypts based off of an xor algorithm? That way there is no need to store the password at all!

Of course this method is a little more difficult, But I would say you greatly benefit from not only using this method, but learning the necessary things required to make it work.

離人涙 2024-10-29 03:15:34

向用户显示带有另一个代码(斜体)的图片,并插入一个文本框,用户可以在其中输入图片中写入的代码。将 ZIP 文件的密码与图中的代码进行异或。结果可以通过硬编码来实现。该程序必须将硬编码代码与用户的输入进行异或以获得 ZIP 文件的代码。
或者,您可以使用另一个单向代码来验证输入的代码。

Show a picture with another code in italics to the user and insert a text box where the user can enter the code that is written in the picture. XOR the password of the ZIP file with the code in the picture. The result can be implemented hardcoded. The program has to XOR the hardcoded code with the input of the user to get the code of the ZIP file.
Optionally, you can verify the inputted code using another one-way-code.

盗梦空间 2024-10-29 03:15:34

使用 perl 脚本混淆密码。黑客仍然可以对您的机器代码进行逆向工程……但至少您的密码在十六进制编辑器中并不明显。

obfuscate_password("my_password434");

sub obfuscate_password($) {

  my $string = shift;
  my @c = split(//, $string);
  push(@c, "skip"); # Skip Null Terminator
                    # using memset to clear this byte
  # Add Decoy Characters
  for($i=0; $i < 100; $i++) {
    $ch = rand(255);
    next if ($ch == 0);
    push(@c, chr($ch));
  }                     
  my $count1 = @c;
  print "  int x1, x2, x3, x4, x5;\n";
  print "  char password[$count1];\n";
  print "  memset(password, 0, $count1);\n";
  my $count2 = 0;
  my %dict  = ();
  while(1) {
    my $x = int(rand($count1));
    $y = obfuscate_expr($count1, $x);
    next if (defined($dict{$x}));
    $dict{$x} = 1;
    last if ($count2+1 == $count1);
    if ($c[$x] ne "skip") {
      #print "  $y\n";
      print "  $y password[x4] = (char)" . ord($c[$x]) . ";\n";
    }
    $count2++;
  }
}

sub obfuscate_expr($) {
    my $count  = shift;
    my $target = shift;
    #return $target;

    while(1) {

       my $a = int(rand($count*2));
       my $b = int(rand($count*2));
       my $c = int(rand($count*2));
       next if (($a == 0) || ($b == 0) || ($c == 0));
       my $y = $a - $b;
       #print "$target: $y : $a - $b\n";
       if ($y == $target) {
          #return "$a - $b + $c";
          return "x1=$a; x2=$b; x3=$c; x4=x1-x2+x3; x5= +=x4;";
       }
    } 
}

obfuscate the password with a perl script. Hackers can still reverse engineer your machine code...but at least your password its not obvious from a hex editor.

obfuscate_password("my_password434");

sub obfuscate_password($) {

  my $string = shift;
  my @c = split(//, $string);
  push(@c, "skip"); # Skip Null Terminator
                    # using memset to clear this byte
  # Add Decoy Characters
  for($i=0; $i < 100; $i++) {
    $ch = rand(255);
    next if ($ch == 0);
    push(@c, chr($ch));
  }                     
  my $count1 = @c;
  print "  int x1, x2, x3, x4, x5;\n";
  print "  char password[$count1];\n";
  print "  memset(password, 0, $count1);\n";
  my $count2 = 0;
  my %dict  = ();
  while(1) {
    my $x = int(rand($count1));
    $y = obfuscate_expr($count1, $x);
    next if (defined($dict{$x}));
    $dict{$x} = 1;
    last if ($count2+1 == $count1);
    if ($c[$x] ne "skip") {
      #print "  $y\n";
      print "  $y password[x4] = (char)" . ord($c[$x]) . ";\n";
    }
    $count2++;
  }
}

sub obfuscate_expr($) {
    my $count  = shift;
    my $target = shift;
    #return $target;

    while(1) {

       my $a = int(rand($count*2));
       my $b = int(rand($count*2));
       my $c = int(rand($count*2));
       next if (($a == 0) || ($b == 0) || ($c == 0));
       my $y = $a - $b;
       #print "$target: $y : $a - $b\n";
       if ($y == $target) {
          #return "$a - $b + $c";
          return "x1=$a; x2=$b; x3=$c; x4=x1-x2+x3; x5= +=x4;";
       }
    } 
}
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文