AlliedModders


johnally 06-18-2011 11:14

String Decompilation.. help!
 
I did NOT want to bother you guys with this question, but I sent a PM to someone competent here 10 hours ago and have had no answer so far.

Basically, I wish to prevent my strings from being readable (hard to decrypt, etc.) if someone tries to decompile my plugin. The plugin will be for a small CS community and can be seen as a 'web auth system'. I did not want to rely on steamID only and added the steamID <---> webusername as a bonus :)..
e.g.
username : nickname : steamID : ip

The plugin cannot be released to the community there! How can I make my strings encrypted?

Rot13, xtea are not what I find better. Both can be reversed easily :(!

I'm ready to send my plugin to moderators here...

ConnorMcLeod 06-18-2011 12:37

Re: String Decompilation.. help!
 
You can use md5.

Type the word you want here : http://www.md5encryption.com/
Add the encrypted one in the plugin or in a .ini file w/e

Tested with string "ConnorMcLeod" and works.

Don't use an existing word for passwords, else it is easy to find them.

PHP Code:

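#include <amxmodx>

#define VERSION "0.0.1"
#define PLUGIN "Encrypt Test"

public plugin_init()
{
    register_plugin(PLUGIN, VERSION, "ConnorMcLeod")
    // console command "test_encrypt <word>" calls test_encrypt()
    register_clcmd("test_encrypt", "test_encrypt")
}

public test_encrypt( id )
{
    // MD5 of the expected word; only the hash is stored in the plugin
    static encrypted_word[] = "ea8a91a618b679e5a5ddbfd8610de0a5"

    // md5() writes 32 hex characters plus terminator into a 34-cell buffer
    new szArg[32], szMd5[34]

    read_argv(1, szArg, charsmax(szArg))

    // hash what the client typed and compare it with the stored hash
    md5(szArg, szMd5)
    if( equal(szMd5, encrypted_word) )
    {
        client_print(id, print_console, "Arg matches !!!")
    }
    return PLUGIN_HANDLED
}
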

johnally 06-18-2011 12:44

Re: String Decompilation.. help!
 
md5 + salt is great.. I use it to encrypt data on my socket connection or use it as some "CRC" check system for strings being transmitted (though I keep in mind TCP is very reliable, but some untrustworthy hosters might tap the packets). I also used md5 for amxx file self-check!

So you are proposing that I store the strings as usual but add an md5 check to it to see if it was modified?

Cheers,

rhelgeby 06-18-2011 16:19

Re: String Decompilation.. help!
 
As a general tip; anything confidential (passwords, IDs, or even host names) should not be hard coded into a plugin. That info should be stored in a separate config file (or a database).

If you don't want other servers using the plugin, that's a bit more tricky. You could do something similar to public key authorization, but I'm not good at the technical details there.

A solution like ConnorMcLeod described would also work, but once the secret password is revealed it's too late to do anything further.

Arkshine 06-18-2011 17:09

Re: String Decompilation.. help!
 
I don't see how it would help to have an encrypted string with just md5. The string can still be grabbed easily from decompilation and all you have to do is decrypt it with existing software or a web site.
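Arkshine's objection, as an added example that is not part of the original post: a Python sketch with constructed sample values showing that an unsalted MD5 of a guessable word falls to a plain lookup. The salted PBKDF2 verifier is a swapped-in alternative that nobody in the thread proposed, and `lookup_md5`, `make_verifier` and `check` are illustrative names.

```python
import hashlib
import hmac
import os

# Constructed sample: the constant a decompiler would show for a plugin that
# embeds the unsalted MD5 of a guessable word (not the hash from the thread).
EMBEDDED_MD5 = hashlib.md5(b"letmein").hexdigest()

# Constructed wordlist standing in for the public lookup sites mentioned above.
WORDLIST = ["password", "admin", "letmein", "cstrike"]


def lookup_md5(digest, candidates):
    """Return the candidate whose unsalted MD5 equals digest, or None."""
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


def make_verifier(secret, iterations=100_000):
    """Assumed alternative: random salt plus slow PBKDF2 instead of bare MD5."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    return salt, iterations, digest


def check(secret, verifier):
    """Recompute the salted hash and compare in constant time."""
    salt, iterations, expected = verifier
    got = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    return hmac.compare_digest(got, expected)


if __name__ == "__main__":
    print("recovered from embedded MD5:", lookup_md5(EMBEDDED_MD5, WORDLIST))
    verifier = make_verifier("letmein")
    print("salted check accepts the right word:", check("letmein", verifier))
    # The same word salted twice gives different digests, so a precomputed
    # table of MD5 values is of no use against the stored verifier.
    print("digests differ per salt:", make_verifier("letmein")[2] != verifier[2])
```

A salt only defeats precomputed tables; a guessable word can still be guessed offline by anyone holding the plugin, which is why the replies below move the check to a server.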

johnally 06-18-2011 18:06

Re: String Decompilation.. help!
 
Sorry, not in the same timezone.. was sleeping.

Well, hardcoded stuff can be retrieved, so I thought storing the data on a webserver and using HTTP GET under TCP over a socket would be good, BUT.. how do I encrypt the actual socket connection..

An external module?

fysiks 06-18-2011 19:33

Re: String Decompilation.. help!
 
Seems to me that you are being overly paranoid.

Exolent[jNr] 06-18-2011 20:27

Re: String Decompilation.. help!
 
I prefer base64 encoding using custom tables.

Then, if you want to hide the actual string from being seen in the decompilation process, then you can build it instead of declaring it.
Example:
PHP Code:

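// instead of declaring it (the literal shows up among the plugin's strings):
new const szString[] = "Exolent"

// build it:
new szString[8]      // cells start at 0, so szString[7] stays the terminator
szString[0] = 0x45;  // 'E'
szString[1] = 0x78;  // 'x'
szString[2] = 0x6f;  // 'o'
szString[3] = 0x6c;  // 'l'
szString[4] = 0x65;  // 'e'
szString[5] = 0x6e;  // 'n'
szString[6] = 0x74   // 't'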

Of course that wouldn't be hard to decompile if you knew how to decompile plugins.
That method is really only good for the people who don't know how to decompile and only look at the defined strings.
To trick the people who can decompile, you can get more fancy at building strings than the obvious way that I showed in the example.

Another method if you wanted to use sockets would be to access a PHP script on your website that would give a string result.
In that PHP script, you can check to see if the given IP address is allowed to access that string and if not then output a random different string.

There's a lot of things you can do to make it very complicated.
It just depends on what approach you want to take.

rhelgeby 06-18-2011 21:19

Re: String Decompilation.. help!
 
johnally: What strings are stored in the plugin? And why are they hard coded? I'm not sure if I understand what you want your plugin to do.

As suggested above, storing this data externally (a database somewhere) and retrieving the result using sockets might be a safer solution.

johnally 06-19-2011 05:24

Re: String Decompilation.. help!
 
fysiks, I guess you are right.. but the punks on 'my website' (moderator there) are very paranoid about decompiling the plugin and finding flaws (stress me out!)

Exolent[jNr], I shall use the socket IP check method. At least.. Send an md5 key from amx to php and check for auth :) .. I also saw your very old thread about file (test.txt) send and receive with socket_hz.. Really find it very interesting. Might give it a try ;) .. Cheers and thanks. If you want, you might consider the PM I sent you. But I guess you are quite busy.. If you want .. rep back.. thanks!

rhelgeby, I have worked a bit with assembler for 3 years now. And the strings I stored might reveal the true functioning behind some procedures/functions I used, e.g. seeing a string saying "Welcome %s to server" might hint that PROC A8CDD28A73351 deals with auth. But I'm glad the amxmodx compiler keeps the structure of the plugin intact "DEFINES - FUNC 1 - FUNC 2 - FUNC XXX". With some fake function calls, I might confuse some eyes.

Yes, I'm considering using sockets, but I'm paranoid that the hoster would sniff the TCP packets.. ahhhh x_x .. what's wrong with me?

Thanks to you guys, I'll combine socket and base64 custom tables! Not in the mood of doing an RSA module for HTTP encryption!

Ohh, last question! Can they recompile the plugin after decompiling, or will they have to guess and re-write the amx?

Plugin info: medium sized, 14xx lines (excl. PHP files and webadmin)! I can't post it here publicly but I will send it to any moderator requesting it (I rely on the ethic here) cheers
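The "send an md5 key from amx to php" idea and the packet-sniffing worry above, as an added example that is not part of the original posts: a Python model of both sides in which the plugin proves it holds a shared key without sending it, and each reply works only once. HMAC-SHA256 is swapped in for the bare md5 key, and `AuthServer`, `respond` and the `server_id` values are hypothetical names.

```python
import hashlib
import hmac
import secrets


def respond(key, server_id, nonce):
    """Plugin side: prove knowledge of the key without putting it on the wire."""
    msg = f"{server_id}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AuthServer:
    """Role of the web-side script: one shared key per allowed game server."""

    def __init__(self, keys):
        self.keys = keys      # {server_id: key bytes}, kept out of the plugin source
        self.pending = {}     # nonce -> server_id, removed on first use

    def challenge(self, server_id):
        """Hand out a fresh random nonce bound to the requesting server."""
        nonce = secrets.token_hex(16)
        self.pending[nonce] = server_id
        return nonce

    def verify(self, server_id, nonce, tag):
        # pop() makes each nonce single-use, so a sniffed reply cannot be replayed
        if self.pending.pop(nonce, None) != server_id:
            return False
        key = self.keys.get(server_id)
        if key is None:
            return False
        return hmac.compare_digest(respond(key, server_id, nonce), tag)


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # constructed sample key
    web = AuthServer({"gameserver-1": key})
    nonce = web.challenge("gameserver-1")
    tag = respond(key, "gameserver-1", nonce)
    print("first use accepted:", web.verify("gameserver-1", nonce, tag))
    print("replay accepted:", web.verify("gameserver-1", nonce, tag))
```

This authenticates the caller but does not hide the data sent back; keeping that from a sniffing host needs an encrypted transport, and the key itself still has to sit in a config file on the game server rather than in the plugin.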


All times are GMT -4.