How secure are compiled executables?

Quick question for you folks: if secure information - let’s say something like a hashcode or a plaintext password - is in the raw code of your program, how secure is it once the program is compiled? Could the executable simply be decompiled somehow, revealing the sensitive materials? I don’t have a realistic situation where this is an issue as of now, but I’m still curious nonetheless.

Any suggestions on protecting said hypothetical sensitive text?

Decompiled - back to Xojo code - no
Back to assembler that someone can read - yes
But even without doing that there are commands a person can run that will dump “strings” or things that look like strings

So if you have such things in your code I’d start with

  1. don’t store them as one big chunk - break it into pieces
  2. hide them in plain sight - make it something that looks like the rest of the strings you might find in an app

I’m sure others will chime in with other tidbits

If your app contains sensitive information in the form of database tables, text files, images etc. that you drag into the IDE, then I highly suggest looking into some type of encryption method that your app will use on that data.

Remember, for OS X, ANY file you drag into the IDE as a “resource” can be extracted by anyone in about 10 seconds (Open as Package/Show Contents)… Windows compiled apps might be a tad bit more difficult but there are still easy ways to extract those resources.

I have one app that reads an encrypted text file into a string, decrypts the string and uses that… the data in the resource bundle stays encrypted. Is that 100% secure? Not at all, there are sniffers that can find the string that the app is using internally as well… it all boils down to how sensitive is your data, and how much work do you want to invest to “protect” it.
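An added example, not part of any post in this thread: a small audit you can run against your own build to see what a `strings`-style scan exposes, comparing a plaintext secret, a UTF-16 copy, the "break it into pieces" approach, and a toy XOR encoding. The secret, the key and the byte blobs are constructed stand-ins for a compiled executable.

```python
import re

# Constructed sample secret and byte blobs standing in for a compiled
# executable; nothing here comes from a real application.
SECRET = "s3cr3t-db-passw0rd"
PAD = bytes([0x00, 0x90, 0xC3, 0x01, 0xFF])   # non-printable filler
KEY = b"\x5a\xa7\x3c"                          # toy XOR key, stored in the blob


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Printable ASCII and UTF-16LE runs, as a `strings`-style tool reports."""
    narrow = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return ([r.decode("ascii") for r in narrow]
            + [r.decode("utf-16-le") for r in wide])


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_samples() -> dict[str, bytes]:
    raw = SECRET.encode()
    pieces = [raw[i:i + 3] for i in range(0, len(raw), 3)]
    return {
        "plain": PAD + b"Enter password:" + PAD + raw + PAD,
        "wide": PAD + SECRET.encode("utf-16-le") + PAD,
        "split": PAD + PAD.join(pieces) + PAD,           # broken into pieces
        "xor": PAD + xor_bytes(raw, KEY) + PAD + KEY + PAD,
    }


def leaks(blob: bytes, secret: str, min_len: int = 4) -> bool:
    """True if the secret is visible whole in one extracted string."""
    return any(secret in s for s in extract_strings(blob, min_len))


def audit() -> dict[str, bool]:
    return {name: leaks(blob, SECRET) for name, blob in build_samples().items()}


if __name__ == "__main__":
    for name, found in audit().items():
        print(f"{name:6} secret visible to a strings scan: {found}")
    # Splitting only hides the value from a whole-string match: a shorter
    # minimum length shows every fragment, in order.
    print(extract_strings(build_samples()["split"], min_len=3))
```

The XOR sample passes the scan, but the key ships in the same file, so the encoding only raises the effort needed; it does not make the value secret.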

Grab the key from an SSH session to somewhere in the world. Then you can monitor in real time if the key usage is valid.

You can use our library aguilapro to protect your app. There is a free version too. Anti-debugging, tamper checks, anti-dumper, CRC checks, and more stuff. Licensing and trial options are available. Visit www.aguilapro.com for more information.

I’ve downloaded the product, but Aguila ide for mac is missing.

luciano

It looks interesting, but I’d suggest getting a native English speaker to check over your text. You’ve got quite a few spelling mistakes on the website, which makes me feel like the product quality might be similarly compromised! (I’m not saying that the product isn’t anything other than great, just that that’s what the text makes me feel.)

@Jose: looks interesting. What is a tamper? According to dict.leo.org this is a machine and synonyms are masher, pounder or rammer.

I’ll also wait for the Mac version.

[quote=220413:@Dave S]Remember, for OS X, ANY file you drag into the IDE as a “resource” can be extracted by anyone in about 10 seconds (Open as Package/Show Contents)… Windows compiled apps might be a tad bit more difficult but there are still easy ways to extract those resources.
[/quote]

Actually, the most recent versions of Windows executables come with a Resources folder just like Mac.

It is too bad, especially since the graphic design of the whole site shows care.

I have messaged José with the same concern. Indeed going live without a solid spell checking is IMHO the best way to have visitors move away silently. Especially when an error is in the header! The kind of errors he has are easily picked up by any spell checker.

Then the language barrier is yet another thing. There are very awkward expressions throughout the main page that show an insufficient command of English. It would indeed greatly benefit from the eye of a native speaker.

Not that I would be perfect. I routinely correct mistakes on my own sites. Sometimes simply due to typing too fast. I am always grateful when someone points them to me.

There was at one point a thread I cannot locate at this moment about users helping users, especially about localization. Could be a good case study.

@Jose Navarro: Why don’t you add Spanish pages? We have quite a few Spanish speaking developers on this forum. I am sure they would enjoy shopping en Español.

Tamper is a verb.

‘To tamper with something’ means to make amendments to it, such as cutting wires in a security system, or changing the copyright notice in a software package.
The kind of thing which code signing is there to prevent.

For Windows desktop projects I sometimes use Boxed App. You get just one portable executable with everything in it which is quite hard to crack and easy to distribute.
I just tested the newest Boxed App beta with the new GUI. Looks promising.

[quote=220434:@luciano monti]I’ve downloaded the product, but Aguila ide for mac is missing.

luciano[/quote]

It will be available for MacOS in two or three days.

We appreciate your comments about the translation. We have updated our website to solve translation problems found.

[quote=220441:@Michel Bujardet]
@Jose Navarro: Why don’t you add Spanish pages? We have quite a few Spanish speaking developers on this forum. I am sure they would enjoy shopping en Español.[/quote]

Soon we will put a link in Spanish, but for us it was more important to start our journey with a website in English for obvious reasons. Thank you very much for all of the aid received.

[quote=220444:@Joost Rongen]For Windows desktop projects I sometimes use Boxed App. You get just one portable executable with everything in it which is quite hard to crack and easy to distribute.
I just tested the newest Boxed App beta with the new GUI. Looks promising.[/quote]

Boxedapp does not work with the latest versions of Xojo. Xojo is very strict with its internal loader and checks that everything is in place, and packers and modifiers always change something because they insert their loader and decrypter routines in headers. Any change in the Xojo header structure or library folder will not work. Today, no packer works with Xojo; we’ve tested every one (Enigma, Themida, Boxedapp, ASprotect, etc…) with no luck.
BTW: Boxedapp does not protect against hackers; it only packs and encrypts everything in memory. Using a simple dumper, the whole binary is obtained because it does not destroy the import table or OEP (original entry point).

The newest beta works fine with Xojo 2015R2.4. (I have it installed and working)

Yes, you are right, if you dump the memory to files, you are at the same level as having the plain EXE.
For data, you can have encrypted resource-files packed with the EXE.
It’s always a balance: effort / value of the result.

For me there are three kinds of users: those who know nothing of reversing, for which there is no need to take any action; other users, the fewest, who can work in a team and will be able, if your program has worldwide interest, to break any protection; and a third group of users, very large, who are able to use plugins and ready-to-go scripts and make average use of debuggers, and for whom there is always a script available for tools like appboxed. That’s where our library wants to put it on impossible.

Impossible to crack is impossible - someone skilled with a debugger will be able to figure it out even if the data is only in memory
Unlikely or difficult to crack is more possible

The thing is… of the 3 groups you describe… it is the group that would have the most interest and/or gain from your app that you need to protect it from… The other two groups most likely won’t even notice your app’s existence… And the more you tout how “uncrackable” it is, the more people you will find that will try to prove you wrong…

As Norman said… never use “application protection” and “impossible to crack” in the same discussion

I used to use plain text in my apps until I saw a YouTube video of this kid who showed how to hack apps with a simple debugger editor. For example, when he found the string “insert password” he modified the code, adding a jump instruction so as to skip that passage.

Now I always encrypt text.

There is also an important consideration: is it worth it for the hacker to crack? Is there any interest in reverse engineering? No offence, we may all be geniuses, but I am not so sure the whole world is after our source code.

It all comes down to the PITA factor vs what’s it worth to do.
How big a Pain in the Ass will it be for someone to steal etc.
Lots of times the PITA is so low it’s just easy to do & say “Hey look what I did”.
The IDE has gone through various stages where it was hacked, we made some changes, it was hacked and so on.

One thing I learned when I worked for the police department was the higher the risk of being caught or PITA the faster you dropped out the usually honest folks and got to true hard core folks.

Few would try knocking over Fort Knox.
More will try robbing a corner store.
And a lot more would take 5 out of a pot full of cash saying “Please don’t take the money” that’s unsupervised.

They used this fact for some very interesting ways to arrest a LOT of wanted people :)