12.11 Hiding Strings

12.11.1 Problem

ASCII strings are a ready source of information about a compiled binary?so much so that the first response of many programmers to a foreign binary is to run the Unix utility strings on it to guess what it does. When viewing a file in a binary editor, ASCII strings are the only data structures that can be immediately recognized without prior knowledge of the file format or any familiarity with machine code.

12.11.2 Solution

Strings can be generated dynamically from a collection of substrings or random characters. Alternatively, strings can be encrypted in the binary and decrypted on the fly by the program as needed.

12.11.3 Discussion

The techniques for hiding strings presented in this recipe are intended to prevent their discovery from casual analysis, and should not be considered a secure way of hiding strings. In cases where a string must be hidden securely, you should treat the string as if it were a password, and use a strong encryption method.

The purpose of obfuscating data is to mislead the observer in such a way that he may not even realize that the obfuscation has taken place. Calling an encryption routine is a more secure way to hide data, but it defeats the purpose of obfuscation as it makes obvious the fact that the data is both encrypted and important.

An example of dynamically generating strings from a collection of substrings is presented below. In the example, the string "/etc/passwd" is created on the fly. A quick scan of the compiled version of the code will not reveal the string because the characters that compose it are stored out of order as separate strings. Routines like this one can be generated automatically by Perl or shell scripts as a separate C source code file, then linked in with rest of the program's object files.

#include <stdio.h>
#include <string.h>
   
char *get_filename(int n, char *buf, int buf_len) {
  int  x;
  char *p;
   
  buf[0] = 0;
  p = &((char *)&n)[0];
  for (x = 0;  x < 4;  x++, p++) {
    switch (*p) {
      case 1:   
        strncat(buf, "swd", buf_len - strlen(buf)); 
        break;
      case 2:   
        strncat( buf, "no", buf_len - strlen(buf));
        break;
      case 3:   
        strncat( buf, "/e", buf_len - strlen(buf));
        break;
      case 4:   
        strncat( buf, "as", buf_len - strlen(buf));
        break;
      case 5:   
        strncat( buf, "us", buf_len - strlen(buf));
        break;
      case 6:   
        strncat( buf, "tc/p", buf_len - strlen(buf));
        break;
      case 7:   
        strncat( buf, "mp", buf_len - strlen(buf));
        break;
      default:
        strncat( buf, "/", buf_len);
    }
  }
  buf[buf_len] = 0;
  return buf;
}
   
int main(int argc, char *argv[  ]) {
  char filename[32];
   
  /* 0x01040603 is 03 . 06 . 04 . 01 -- note that the number is passed as little
   * endian but read as big endian!
   */
  printf("get_filename(  ) returns \"%s\"\n",
         get_filename(0x01040603, filename, sizeof(filename)));
  return 0;
}

Strings can also be stored encrypted in the binary and in memory. You can achieve this by generating separate object files with the encrypted strings in them, by encrypting the strings in the binary after compilation, or by initializing the strings with encrypted characters. The following code demonstrates the last technique, using the A macro to subtract a constant value from each character in the string. Note that this is not a strong encryption method, but rather a quick and simple obfuscation of the value of each character.

#define A(c)            (c) - 0x19
#define UNHIDE_STR(str) do { char *p = str;  while (*p) *p++ += 0x19; } while (0)
#define HIDE_STR(str)   do { char *p = str;  while (*p) *p++ -= 0x19; } while (0)

Each character of the string must be initialized, which makes this method somewhat cumbersome, but it allows the obfuscation to take place at compile time:

#include <stdio.h>
   
int main(int argc, char *argv[  ]) {
  char str[  ] = {
    A('/'), A('e'), A('t'), A('c'), A('/'),
    A('p'), A('a'), A('s'), A('s'), A('w'), A('d'), 0
  };
   
  UNHIDE_STR(str);
  printf("%s\n", str);
  HIDE_STR(str);
   
  return 0;
}