AppGameKit Classic Chat / Bytecode, encryption and text$

Author
Message
Blendman
10
Years of Service
User Offline
Joined: 17th Feb 2014
Location: Arkeos
Posted: 29th Oct 2017 09:42
Hi

I'm looking for a way to encrypt some data (save file, media...).
A lot of techniques use a key (string or array) to encrypt the data.

But I have seen that, in the bytecode, we can see the key.

Example of code :


If you compile this code, in the bytecode you will see :


Yes, in the bytecode, we can see the 2 keys, which isn't very protected ^^.

What do you think about this technique: to use chr() instead of the string.

For example :
"My_super_key" = Chr(77)+Chr(121)+Chr(95)+Chr(115)+Chr(117)+Chr(112)+Chr(101)+Chr(114)+Chr(95)+Chr(107)+Chr(101)+Chr(121)

The new code :


And now, in the bytecode, we don't see anything (no key$).
It's a good idea to hide key$, sensitive text, but even Ip$ for server for example

How to get those chr()?

Like that :
// convert a text into a series of Chr() calls
tx$ = "A little text to test if you see it on the bytecode."

For i=1 To Len(tx$)
a = Asc(Mid(tx$,i,1))
result$ = result$ +"Chr("+Str(a)+")+"
Next

Log(result$) // here you can save it in a text file if you prefer.


What do you think about that ?

Cheers
AGK2 tier1 - http://www.dracaena-studio.com
BatVink
Moderator
21
Years of Service
User Offline
Joined: 4th Apr 2003
Location: Gods own County, UK
Posted: 29th Oct 2017 11:09 Edited at: 29th Oct 2017 11:12
I use a combination of methods, very similar to you. It isn't foolproof, but it stops the average person...

SHA1 - you can use this to create your key (you already do this).

Adding "salt" to your key - In your program, add additional data to the hash test, that is only available in the program (you already do this too, it is named key$).

Put the salt somewhere in the centre, not the beginning or end.

Use the hashkey to alter the logic. For example use the ascii value of the third character to set the position of the salt. Every file will then process the logic differently, and it makes it harder to find a pattern.

Splitting up the salt. In your program as you have seen, the data is readable. Create the salt value using different processes:
* CHR() as you have used
* ~~ Bitwise XOR operations (I think the forum is not showing the tilde symbol correctly) If you XOR something once, you get a different character. If you do the same bitwise calculation twice, you get the original character back.
* Building it up in different parts of your program

Adding misdirection - create variables named password, pass, key etc. I'm not sure if these variable names are visible or not.

Creating the key and deleting it quickly. This is to try and keep the full key in memory as little as possible.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Quidquid latine dictum sit, altum sonatur
TutCity is being rebuilt
Conjured Entertainment
AGK Developer
18
Years of Service
User Offline
Joined: 12th Sep 2005
Location: Nirvana
Posted: 1st Nov 2017 19:44 Edited at: 1st Nov 2017 20:10
I am glad I saw this thread right now, before I get too far into my current side project of hiding messages in images.

I now see a few flaws in what I have been doing in my own encryption and how to make it better.

Good points Blendman about people snooping in the bytecode. (I did not like what I discovered in my own!)

Great advice BatVink

I see that most strings in double quotes get passed so I need to do away with all of those, except the decoys.

Thanks guys! (here is an example image that has my encryption method for hidden messages)




Quote: "Adding "salt" to your key...

...Adding misdirection - create variables named password, pass, key etc. I'm not sure if these variable names are visible or not."


Yeah, add salt and pepper on your salad, and then toss it.

A nice tossed salad will go rather well with my spaghetti code!

Coding things my way since 1981 -- Currently using AppGameKit V2 Tier 1

puzzler2018
User Banned
Posted: 1st Nov 2017 19:59
Interesting - the bytecode reveals the strings.. Ouch!!

Something to think about going forward.

I have noticed on here that nz0 has created a WAD packer? maybe have a peruse

https://forum.thegamecreators.com/thread/220121

But if you prefer to build your own then that's fine too

D
Conjured Entertainment
AGK Developer
18
Years of Service
User Offline
Joined: 12th Sep 2005
Location: Nirvana
Posted: 2nd Nov 2017 00:42 Edited at: 2nd Nov 2017 00:45
I have gone back in and changed my code to reflect these suggestions.

It didn't take long to hide what I needed to, so I will take my time adding the decoys later.

Quote: "What do you think about this technique: to use chr() instead of the string ?"

Agreed.

chr() is the way to go.

Coding things my way since 1981 -- Currently using AppGameKit V2 Tier 1
Kevin Picone
21
Years of Service
Recently Online
Joined: 27th Aug 2002
Location: Australia
Posted: 2nd Nov 2017 03:43
Quote: "
What do you think about this technique: to use chr() instead of the string.

For example :
"My_super_key" = Chr(77)+Chr(121)+Chr(95)+Chr(115)+Chr(117)+Chr(112)+Chr(101)+Chr(114)+Chr(95)+Chr(107)+Chr(101)+Chr(121)
"


This only works in compilers that don't pre-evaluate expressions, so CHR() functions are being exported as byte code to run at runtime. If it was solved at compile time the expression would still be "My_super_key"

What you could do is write a function(s) that builds a deterministic string.


PlayBASIC To HTML5/WEB - Convert PlayBASIC To Machine Code
Blendman
10
Years of Service
User Offline
Joined: 17th Feb 2014
Location: Arkeos
Posted: 2nd Nov 2017 19:50
Hi
On Windows, when I use chr(), I don't see it in the bytecode. So it should be ok, right?
Your solution to write a function to build a string is interesting.
AGK2 tier1 - http://www.dracaena-studio.com
Kevin Picone
21
Years of Service
Recently Online
Joined: 27th Aug 2002
Location: Australia
Posted: 4th Nov 2017 15:11

Quote: "
On Windows, when I use chr(), I don't see it in the bytecode. So it should be ok, right?
"


That means there's currently no pre-evaluation of expressions, so YEP for now you're golden.

However if they update the compiler to support evaluation of CHR() functions say in the future, then that would reveal your key string. As any expression such as Key$ = Chr(1) + Chr(2) etc etc will be computed at compile time by the compiler, leaving your original string exposed.



PlayBASIC To HTML5/WEB - Convert PlayBASIC To Machine Code
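
Added example, not code from any poster in this thread: the compile-time evaluation point made in the two posts above, reproduced with Python's compiler standing in for the AGK compiler. `FoldChr` is a hypothetical pre-evaluation pass written for this illustration, and the key is the sample string from the thread.

```python
import ast

def string_constants(code):
    """Every string literal stored in a code object's constant pool."""
    found = set()
    for const in code.co_consts:
        if isinstance(const, str):
            found.add(const)
        elif hasattr(const, "co_consts"):  # nested function bodies
            found |= string_constants(const)
    return found

class FoldChr(ast.NodeTransformer):
    """Hypothetical compiler pass: folds chr(<int literal>) and "a" + "b"."""
    def visit_Call(self, node):
        self.generic_visit(node)
        arg = node.args[0] if len(node.args) == 1 else None
        if (isinstance(node.func, ast.Name) and node.func.id == "chr"
                and isinstance(arg, ast.Constant) and type(arg.value) is int):
            return ast.copy_location(ast.Constant(value=chr(arg.value)), node)
        return node

    def visit_BinOp(self, node):
        self.generic_visit(node)  # fold the operands first
        l, r = node.left, node.right
        if (isinstance(node.op, ast.Add)
                and isinstance(l, ast.Constant) and isinstance(l.value, str)
                and isinstance(r, ast.Constant) and isinstance(r.value, str)):
            return ast.copy_location(ast.Constant(value=l.value + r.value), node)
        return node

def compile_plain(src):
    """Compile with the stock compiler, which does not evaluate chr() calls."""
    return compile(src, "<sample>", "exec")

def compile_folding(src):
    """Compile after the pre-evaluation pass, as a future compiler might."""
    tree = ast.fix_missing_locations(FoldChr().visit(ast.parse(src)))
    return compile(tree, "<sample>", "exec")

def run(code):
    """Execute the compiled sample and return the key it builds at runtime."""
    ns = {}
    exec(code, ns)
    return ns["key"]

KEY = "My_super_key"                      # sample key from the thread
LITERAL_SRC = 'key = "My_super_key"'      # key as a quoted string
CHR_SRC = "key = " + "+".join(f"chr({ord(c)})" for c in KEY)  # key as chr() calls
```

All three builds produce the same key at runtime; only the stock-compiled chr() build keeps the contiguous string out of the constant pool, and the character codes are still present as integer operands.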
puzzler2018
User Banned
Posted: 5th Nov 2017 07:16 Edited at: 5th Nov 2017 07:17
It's not much but will this do the trick

Blendman
10
Years of Service
User Offline
Joined: 17th Feb 2014
Location: Arkeos
Posted: 6th Nov 2017 10:14 Edited at: 6th Nov 2017 10:16
So another way should be to use mid() or getstringtoken(), with the use of an alphabet like : c_alpha$ = "abcdefghijklmnopqrstuvwxz"

Another better way could be to encode the letters in an array, and use this array like I use chr() :



After that, I can use
Mykey$ = chr[45] + chr[67]

That could work no matter if the compiler changes.

I will try that.

Thanks for your information.
AGK2 tier1 - http://www.dracaena-studio.com
