
String Decompilation.. help!


johnally
Member
Join Date: May 2011
Location: Mauritius
Old 06-18-2011 , 11:14   String Decompilation.. help!
Reply With Quote #1

I did NOT want to bother you guys with this question but I sent a PM to someone competent here since 10 hours and till now.. no answer.

Basically, I wish to prevent my strings being readable(hard to decrypt etc) if someone tries to decompile my plugin. Plugin will be for a small cs community and can be seen as a 'web auth system'. I did not want to rely on steamID only and added the steamID <---> webusername as a bonus ..
e.g
username : nickname : steamID : ip

The plugin cannot be released to the community there! how can I make my strings encrypted.

Rot13, xtea are not what I find better. Both can be reversed easily !

I'm ready to send my plugin to moderators here...
__________________
No allowed!


Last edited by johnally; 06-18-2011 at 11:19.
johnally is offline
ConnorMcLeod
Veteran Member
Join Date: Jul 2006
Location: France (95)
Old 06-18-2011 , 12:37   Re: String Decompilation.. help!
Reply With Quote #2

You can use md5.

Type the word you want here : http://www.md5encryption.com/
Add the encrypted one in the plugin or in a .ini file w/e

Tested with string "ConnorMcLeod" and works.

Don't use existing word for passwords else it is easy to find them.

PHP Code:
#include <amxmodx>

#define VERSION "0.0.1"
#define PLUGIN "Encrypt Test"

public plugin_init()
{
    register_plugin(PLUGIN, VERSION, "ConnorMcLeod")
    register_clcmd("test_encrypt", "test_encrypt")
}

public test_encrypt( id )
{
    // MD5 digest of the expected word, stored instead of the word itself
    static encrypted_word[] = "ea8a91a618b679e5a5ddbfd8610de0a5"

    new szArg[32], szMd5[34]

    // Hash the first command argument and compare it with the stored digest
    read_argv(1, szArg, charsmax(szArg))
    md5(szArg, szMd5)
    if( equal(szMd5, encrypted_word) )
    {
        client_print(id, print_console, "Arg matches !!!")
    }
    return PLUGIN_HANDLED
}

__________________
- tired and retired -

- my plugins -
ConnorMcLeod is offline
johnally
Member
Join Date: May 2011
Location: Mauritius
Old 06-18-2011 , 12:44   Re: String Decompilation.. help!
Reply With Quote #3

md5 + salt is great.. I use it to encrypt data on my socket connection or use it as some "CRC" check system for strings being transmitted (though I keep in mind TCP is very reliable but some untrustworthy hosters might tap the packets). I also used md5 for amxx file self-check!

so you are proposing that I store the strings as usual but add an md5 check to it to see if it was modified?

Cheers,
__________________
No allowed!

johnally is offline
rhelgeby
Veteran Member
Join Date: Oct 2008
Location: 0x4E6F72776179
Old 06-18-2011 , 16:19   Re: String Decompilation.. help!
Reply With Quote #4

As a general tip; anything confidential (passwords, IDs, or even host names) should not be hard coded into a plugin. That info should be stored in a separate config file (or a database).

If you don't want other servers using the plugin, that's a bit more tricky. You could do something similar to public key authorization, but I'm not good at the technical details there.

A solution like ConnorMcLeod described would also work, but once the secret password is revealed it's too late to do anything further.
__________________
Richard Helgeby

Zombie:Reloaded | PawnUnit | Object Library
(Please don't send private messages for support, they will be ignored. Use the forum.)
rhelgeby is offline
Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
Old 06-18-2011 , 17:09   Re: String Decompilation.. help!
Reply With Quote #5

I don't see how it would help to have an encrypted string just with md5. The string can still be grabbed easily from decompilation and all you have to do is decrypt it with existing software or a website.
__________________
Arkshine is offline
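
Added example, not part of any post in this thread: the bare MD5 digest from posts #2 and #5 next to a salted, iterated verifier, sketched in Python for whichever side stores the secret (a config file or the web server). The record format, the iteration count and the function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def md5_digest(password: str) -> str:
    """Bare MD5 as in post #2: same input, same digest, everywhere."""
    return hashlib.md5(password.encode()).hexdigest()


def make_record(password: str, salt=None) -> str:
    """Salted PBKDF2 record: scheme$iterations$salt$derived_key."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def check_record(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
    except ValueError:  # malformed record: wrong field count, bad hex or count
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    word = "hunter2"  # constructed sample password
    # Two installs with the same password share one MD5 digest, so a
    # precomputed table covers both; the salted records differ.
    print(md5_digest(word) == md5_digest(word))
    print(make_record(word) == make_record(word))
    print(check_record(word, make_record(word)))
```
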
johnally
Member
Join Date: May 2011
Location: Mauritius
Old 06-18-2011 , 18:06   Re: String Decompilation.. help!
Reply With Quote #6

sorry not in same timezone.. was sleeping.

Well, hardcoded stuff can be retrieved, so I thought storing the data on a webserver and using HTTP GET under TCP over a socket would be good BUT.. how do I encrypt the actual socket connection..

An external module?..
__________________
No allowed!

johnally is offline
fysiks
Veteran Member
Join Date: Sep 2007
Location: Flatland, USA
Old 06-18-2011 , 19:33   Re: String Decompilation.. help!
Reply With Quote #7

Seems to me that you are being overly paranoid.
__________________
fysiks is online now
Exolent[jNr]
Veteran Member
Join Date: Feb 2007
Location: Tennessee
Old 06-18-2011 , 20:27   Re: String Decompilation.. help!
Reply With Quote #8

I prefer base64 encoding using custom tables.

Then, if you want to hide the actual string from being seen in the decompilation process, then you can build it instead of declaring it.
Example:
PHP Code:
// declared as a literal:
new const szString[] = "Exolent"

// build it:
new szString[8]   // zero-initialized, so szString[7] stays 0 as the terminator
szString[0] = 0x45;
szString[1] = 0x78;
szString[2] = 0x6f;
szString[3] = 0x6c;
szString[4] = 0x65;
szString[5] = 0x6e;
szString[6] = 0x74;

Of course that wouldn't be hard to decompile if you knew how to decompile plugins.
That method is really only good for the people who don't know how to decompile and only look at the defined strings.
To trick the people who can decompile, you can get more fancy at building strings than the obvious way that I showed in the example.

Another method if you wanted to use sockets would be to access a PHP script on your website that would give a string result.
In that PHP script, you can check to see if the given IP address is allowed to access that string and if not then output a random different string.

There's a lot of things you can do to make it very complicated.
It just depends on what approach you want to take.
__________________
No private work or selling mods.
Quote:
Originally Posted by xPaw View Post
I love you exolent!
Exolent[jNr] is offline
rhelgeby
Veteran Member
Join Date: Oct 2008
Location: 0x4E6F72776179
Old 06-18-2011 , 21:19   Re: String Decompilation.. help!
Reply With Quote #9

johnally: What strings are stored in the plugin? And why are they hard coded? I'm not sure if I understand what you want your plugin to do.

As suggested above, storing this data externally (a database somewhere) and retrieving the result using sockets might be a safer solution.
__________________
Richard Helgeby

Zombie:Reloaded | PawnUnit | Object Library
(Please don't send private messages for support, they will be ignored. Use the forum.)
rhelgeby is offline
johnally
Member
Join Date: May 2011
Location: Mauritius
Old 06-19-2011 , 05:24   Re: String Decompilation.. help!
Reply With Quote #10

fysiks I guess you are right.. but the punks on 'my website'(moderator there) are very paranoid at decompiling the plugin and finding flaws(stress me out!)

Exolent[jNr] I shall use the socket IP check method. At least.. Send an md5 key from amx to php and check for auth .. I also saw your very old thread about file(test.txt) send and receive with socket_hz.. Really find it very interesting. Might give it a try ;) .. Cheers and thanks. If you want, you might consider the PM i sent you. But I guess, you are quite busy.. If you want .. rep back.. thanks!

rhelgeby I worked a bit with assembler since 3 years now. And the strings I stored might reveal true functioning behind some procedures/functions I used. e.g seeing a string saying "Welcome %s to server" might hint that PROC A8CDD28A73351 deals with auth. But I'm glad the amxmodx compiler keeps the structure of the plugin intact "DEFINES - FUNC 1 - FUNC 2 - FUNC XXX" With some fake functions call, I might confuse some eyes.

Yes I'm considering using socket, but I'm paranoid that the hoster would sniff the tcp packets.. ahhhh x_x .. what's wrong with me?

Thanks to you guys, I'll combine socket and base64 custom tables! Not in mood of doing a RSA module for http encryption!

Ohh last question! Can they recompile the plugin after decompiling or they will have to guess and re-write the amx?

Plugin info: medium sized 14xx lines(excl. PHP files and webadmin)! I can't post it here publicly but I will send to any moderator requesting it (I rely on the ethic here) cheers
__________________
No allowed!


Last edited by johnally; 06-19-2011 at 05:32.
johnally is offline
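
Added example, not part of any post in this thread: the socket check from posts #8 and #10 done as an HMAC challenge-response, so a captured request cannot be replayed and the key itself is never sent. Python stands in for the PHP side; the class, the message layout and the in-memory nonce store are assumptions, and the key is assumed to live in a config file rather than in the plugin.

```python
import hashlib
import hmac
import secrets
import time


def sign(key: bytes, nonce: str, steam_id: str) -> str:
    """Tag the game server sends back: HMAC-SHA256 over nonce and SteamID."""
    msg = f"{nonce}|{steam_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AuthServer:
    """Web-side check (hypothetical); nonces are single-use and short-lived."""

    def __init__(self, key: bytes, ttl: float = 30.0):
        self.key = key
        self.ttl = ttl
        self.pending = {}  # nonce -> expiry time

    def challenge(self, now=None) -> str:
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        self.pending[nonce] = now + self.ttl
        return nonce

    def verify(self, nonce, steam_id, tag, now=None) -> bool:
        now = time.time() if now is None else now
        expiry = self.pending.pop(nonce, None)  # pop: one attempt per nonce
        if expiry is None or now > expiry:
            return False
        return hmac.compare_digest(sign(self.key, nonce, steam_id), tag)


def demo() -> dict:
    key = secrets.token_bytes(32)   # constructed key for the demo
    steam_id = "STEAM_0:0:12345"    # constructed sample value
    srv = AuthServer(key)
    n1 = srv.challenge(now=1000.0)
    tag = sign(key, n1, steam_id)
    out = {"valid": srv.verify(n1, steam_id, tag, now=1001.0),
           "replayed": srv.verify(n1, steam_id, tag, now=1002.0)}
    n2 = srv.challenge(now=1000.0)  # tag computed for a different SteamID
    out["other_id"] = srv.verify(n2, "STEAM_0:0:99999", sign(key, n2, steam_id), now=1001.0)
    n3 = srv.challenge(now=1000.0)  # answered after the 30 s window
    out["expired"] = srv.verify(n3, steam_id, sign(key, n3, steam_id), now=1031.0)
    return out
```

HMAC authenticates the request but does not hide it; keeping the payload from a host that sniffs packets needs TLS on the connection.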