String Decompilation.. help!
I did NOT want to bother you guys with this question, but I sent a PM to someone competent here 10 hours ago and till now.. no answer.
Basically, I wish to prevent my strings being readable (hard to decrypt etc) if someone tries to decompile my plugin. The plugin will be for a small cs community and can be seen as a 'web auth system'. I did not want to rely on steamID only and added the steamID <---> webusername as a bonus :).. e.g. username : nickname : steamID : ip
The plugin cannot be released to the community there! How can I make my strings encrypted? Rot13 and xtea are not what I find better. Both can be reversed easily :(! I'm ready to send my plugin to moderators here...
Re: String Decompilation.. help!
You can use md5.
Type the word you want here: http://www.md5encryption.com/
Add the encrypted one in the plugin or in a .ini file, w/e. Tested with string "ConnorMcLeod" and works. Don't use an existing word for passwords, else it is easy to find them. PHP Code:
Re: String Decompilation.. help!
md5 + salt is great.. I use it to encrypt data on my socket connection or use it as some "CRC" check system for strings being transmitted (though I keep in mind TCP is very reliable, but some untrustworthy hosters might tap the packets). I also used md5 for amxx file self-check!
So you are proposing that I store the strings as usual but add an md5 check to it to see if it was modified? Cheers,
Re: String Decompilation.. help!
As a general tip; anything confidential (passwords, IDs, or even host names) should not be hard coded into a plugin. That info should be stored in a separate config file (or a database).
If you don't want other servers using the plugin, that's a bit more tricky. You could do something similar to public key authorization, but I'm not good at the technical details there. A solution like ConnorMcLeod described would also work, but once the secret password is revealed it's too late to do anything further.
Re: String Decompilation.. help!
I don't see how it would help to have an encrypted string just with md5. The string can still be grabbed easily from decompilation, and all you have to do is decrypt it with existing software or a web site.
Re: String Decompilation.. help!
Sorry, not in the same timezone.. was sleeping.
Well, hardcoded stuff can be retrieved, so I thought storing the data on a webserver and using HTTP GET under TCP over a socket would be good, BUT.. how do I encrypt the actual socket connection? An external module?..
Re: String Decompilation.. help!
Seems to me that you are being overly paranoid.
Re: String Decompilation.. help!
I prefer base64 encoding using custom tables.
Then, if you want to hide the actual string from being seen in the decompilation process, then you can build it instead of declaring it. Example: PHP Code:
That method is really only good for the people who don't know how to decompile and only look at the defined strings. To trick the people who can decompile, you can get more fancy at building strings than the obvious way that I showed in the example.
Another method, if you wanted to use sockets, would be to access a PHP script on your website that would give a string result. In that PHP script, you can check to see if the given IP address is allowed to access that string, and if not, then output a random different string.
There are a lot of things you can do to make it very complicated. It just depends on what approach you want to take.
Re: String Decompilation.. help!
johnally: What strings are stored in the plugin? And why are they hard coded? I'm not sure if I understand what you want your plugin to do.
As suggested above, storing this data externally (a database somewhere) and retrieving the result using sockets might be a safer solution.
Re: String Decompilation.. help!
fysiks: I guess you are right.. but the punks on 'my website' (moderator there) are very paranoid at decompiling the plugin and finding flaws (stress me out!)

Exolent[jNr]: I shall use the socket IP check method. At least.. send an md5 key from amx to php and check for auth :) .. I also saw your very old thread about file (test.txt) send and receive with socket_hz.. Really find it very interesting. Might give it a try ;) .. Cheers and thanks. If you want, you might consider the PM I sent you. But I guess you are quite busy.. If you want .. rep back.. thanks!

rhelgeby: I have worked a bit with assembler for 3 years now. And the strings I stored might reveal the true functioning behind some procedures/functions I used, e.g. seeing a string saying "Welcome %s to server" might hint that PROC A8CDD28A73351 deals with auth. But I'm glad the amxmodx compiler keeps the structure of the plugin intact: "DEFINES - FUNC 1 - FUNC 2 - FUNC XXX". With some fake function calls, I might confuse some eyes. Yes, I'm considering using a socket, but I'm paranoid that the hoster would sniff the TCP packets.. ahhhh x_x .. what's wrong with me?

Thanks to you guys, I'll combine socket and base64 custom tables! Not in the mood to do an RSA module for HTTP encryption!

Ohh, last question! Can they recompile the plugin after decompiling, or will they have to guess and re-write the amx?

Plugin info: medium sized, 14xx lines (excl. PHP files and webadmin)! I can't post it here publicly, but I will send it to any moderator requesting it (I rely on the ethic here).
cheers
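
Added example (not code from any poster in this thread): a Python model of both ends of the socket auth idea discussed above, using a keyed challenge-response instead of sending a fixed md5 key, so a sniffed reply cannot be re-sent. `AuthServer`, `sign`, `NONCE_TTL` and the sample values are hypothetical names; it assumes the key is loaded from a config file rather than compiled into the plugin.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL = 30  # seconds a challenge stays valid (assumed value)

class AuthServer:
    """Web-side model: per-game-server keys plus outstanding challenges."""

    def __init__(self, keys):
        self.keys = keys      # {server_id: key bytes}, from a database/config
        self.pending = {}     # {nonce: (server_id, issued_at)}

    def challenge(self, server_id, now=None):
        """Issue a fresh random nonce bound to one game server."""
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (server_id, time.time() if now is None else now)
        return nonce

    def verify(self, server_id, nonce, steam_id, tag, now=None):
        """Accept a tag once, only from the server the nonce was issued to."""
        issued = self.pending.pop(nonce, None)  # pop makes the nonce single-use
        key = self.keys.get(server_id)
        if issued is None or key is None or issued[0] != server_id:
            return False
        now = time.time() if now is None else now
        if now - issued[1] > NONCE_TTL:
            return False
        return hmac.compare_digest(sign(key, nonce, steam_id), tag)

def sign(key, nonce, steam_id):
    """Plugin-side step: HMAC-SHA256 over the nonce and the SteamID."""
    msg = f"{nonce}|{steam_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def demo():
    """Constructed sample: one honest login, one replay, one wrong key."""
    key = b"constructed-sample-key"  # would be read from a config file
    srv = AuthServer({"gs1": key})
    sid = "STEAM_0:1:12345"          # constructed SteamID
    n = srv.challenge("gs1")
    tag = sign(key, n, sid)
    ok = srv.verify("gs1", n, sid, tag)
    replay = srv.verify("gs1", n, sid, tag)  # same bytes sent a second time
    n2 = srv.challenge("gs1")
    forged = srv.verify("gs1", n2, sid, sign(b"guess", n2, sid))
    return ok, replay, forged
```

This authenticates the request but does not hide the data sent with it; keeping the payload private from the network path needs TLS on the connection. A key in a config file is still readable by anyone with file access to the game server.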