antispy 101 - String Encryption

antispy 101: How to use the String Encryption?

In this example of the antispy 101 series, we show how the string Encryption works in antispy.


While we explain the basics of the string encryption feature in antispy on the C/C++ Encrypted String page, we would like to use this post to go through a small example of how to use the feature. There are many approaches to encrypt strings in a binary. We are trying to make a good compromise between use and efficiency. That’s why we implement a very flexible run time encrypted string class in ::libantispy::string. For encryption at compilation time, the class ::libantispy::const_string must be used. The simplest way to use it is the TEXT macro.

Usage

The TEXT macro was developed in close reference to the TEXT macro found in winnt.h. When adding antispy to your solution the TEXT macro will be overwritten after libantispy.h is included. As a result, adoption to existing Windows applications requires only minimal changes to the existing code base.

In the string classes, we defined conversions to many STL string classes. Conversions to string classes from other frameworks can be activated by CMake option. Should you need a conversion to a special string class then contact us.

The use of ::libbantispy::const_string is very easy for the developer.

We start with a simple platform independent example.

#include <iostream>

int main(int argc, char** argv) {
  std::cout << "Hello World" << std::endl;
  return 0;
}

A simple adjustment activates the use of the encrypted ::libantispy::const _ string.

#define TCHAR char
#include <libantispy/libantispy.h>

int main(int argc, char** argv) {
    std::cout << TEXT("Hello World") << std::endl;
    return 0;
}

Encryption is activated by including the header and using the TEXT macro.

The result

When compiling, the static string is no longer inserted into the binary as such. antispy encrypts the string during compilation using modern C ++ Standards. Encryption changes after each build. This allows valuable information to be hidden in static analysis. At run time, the plain text version of the string exists only on the stack and thus is very short lived, after the usage it will be overwritten by other data.

Comparison in disassembler: Before and after

Before, the string is clearly visible. It is referenced in the disassembly and stored in a constant read-only segment of the binary.

Antispy 101-Main Without String Encryption

After using antispy, the same code looks like this. Oh what happened here? It’s magic.

Antispy 101-Main with String Encryption

Example: Magic Values in the Code? No problem…

In a project, we read the header of a file. To protect ourselves from reverse engineering of the proprietary file format, we use antispy. The “Magic” is normally present in the source code-but is becomes untraceable during static analysis.

char buf[7]{ 0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
if (read_data(hMemoryStream, static_cast<LPVOID>(&buf[0]), 7, &actual))
{
   // Using the antispy TEXT macro to hide magic value here.
   // > strcmp is inlined.
   result = strcmp(buf, TEXT("secret")) == 0;
}

Were we able to arouse your interest?

If you are interested in antispy, get in touch with us or sign up for our newsletter now to stay informed about future updates.

You can also unsubscribe at any time.

We will send you updates on our articles on Tuesday and Thursday.

Leave a Reply

Your email address will not be published.