private key visible as String in compiled file

Hi,
I have passwords for mapping network drives in my source code. I encrypt them with a public key with the function “Crypto.RSAEncrypt( msg, publicKey)”. I need my private key to decrypt them in my program, but it is visible as a string in my compiled file. How can I hide it?

Best regards

Obfuscate from Bkeeney Software: https://bkeeney.com/downloads/

Kem’s free obfuscate IDE script:

// Return a random integer between startIndex and endIndex (inclusive)
Function RndInRange (startIndex As Integer, endIndex As Integer) As Integer
dim d as Double = Rnd
dim range as Integer = endIndex - startIndex
return Round( range * d ) + startIndex
End Function

dim origString as String = SelText
if origString.Trim = "" then
print "Select some text first."
return
end if

// Collapse doubled quotes (Xojo's escape inside a string literal) and split into single characters
origString = origString.ReplaceAll("""""", """")
dim chars() as String = Split(origString, "")

dim startQuote as boolean = chars(0) = """"
dim endQuote as boolean = chars(chars.Ubound) = """"

if endQuote then
chars.Remove chars.Ubound
end if

if chars.Ubound <> -1 and startQuote then
chars.Remove 0
end if

if chars.Ubound = -1 then
print "Select some valid text first."
return
end if

dim stringToEncode as String = Join(chars, "")

dim index as Integer
dim codeArr() as String
dim indexArr() as String
dim addArr() as String
dim randomizerArr() as Integer
// Encode each character as its code point plus a random offset in 64001..100000,
// remembering the offset and the character's original position
for index = 0 to chars.Ubound
dim thisAdd as Integer = RndInRange(64001, 100000)
codeArr.Append Str( Asc(chars(index)) + thisAdd)
indexArr.Append Str(index)
addArr.Append Str(thisAdd)
randomizerArr.Append RndInRange(0, chars.Ubound * 100)
next index

// Shuffle all three arrays in lockstep so the emitted arrays do not store the characters in order
randomizerArr.SortWith(codeArr, indexArr, addArr)

// Construct the code
dim eol as String = EndOfLine
dim resultArr() as String

resultArr.Append "dim decodedString as String"
resultArr.Append eol
resultArr.Append eol

resultArr.Append "// Encoding for value: "
resultArr.Append stringToEncode
resultArr.Append eol

resultArr.Append "if true then"
resultArr.Append eol

resultArr.Append "dim codeArr() as integer = array("
resultArr.Append Join(codeArr, ", ")
resultArr.Append ")"
resultArr.Append eol

resultArr.Append "dim adderArr() as integer = array("
resultArr.Append Join(addArr, ", ")
resultArr.Append ")"
resultArr.Append eol

resultArr.Append "dim indexArr() as integer = array("
resultArr.Append Join(indexArr, ", ")
resultArr.Append ")"
resultArr.Append eol

resultArr.Append "indexArr.SortWith codeArr, adderArr"
resultArr.Append eol

resultArr.Append eol

resultArr.Append "dim decodedChars() as string"
resultArr.Append eol

resultArr.Append "for i as Integer = 0 to codeArr.Ubound"
resultArr.Append eol

resultArr.Append "decodedChars.append(chr(codeArr(i) - adderArr(i)))"
resultArr.Append eol

resultArr.Append "next"
resultArr.Append eol

resultArr.Append eol

resultArr.Append "decodedString = join(decodedChars, """")"
resultArr.Append eol

resultArr.Append "end if"
resultArr.Append eol

dim result as String = Join(resultArr, "")

// See if we need the initial declaration
if Text.InStr(resultArr(0)) <> 0 then
for index = 1 to 2
resultArr.Remove 0
next index
result = Join(resultArr, "")
end if

// Figure out where we should paste
dim curText as String = Text
dim curSelStart as Integer = SelStart
dim newSelStart as Integer
for index = curSelStart downto 1
dim curChar as String = curText.Mid(index, 1)
if curChar = Chr(13) or curChar = Chr(10) then
newSelStart = index
exit
end if
next index

SelText = "decodedString"
SelStart = newSelStart
SelLength = 0
SelText = result
SelText = eol
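To make the transform the IDE script emits easier to follow, here is the same encode/decode round trip re-implemented in Python. This is an added example, not Kem's script or code from the thread; the offset range 64001..100000 and the sort-by-random-key shuffle are taken from the script above, the function names and the sample secret are constructed for the example. Note what the decode side shows: the three integer arrays are all that is needed to recover the secret, so the script keeps the literal out of a plain string scan of the binary but does not protect it from anyone who reads the code.

```python
"""Added example: Python re-implementation of the per-character obfuscation
Kem's IDE script generates. Not code from the thread."""
import random

LOW, HIGH = 64001, 100000  # same offset range as RndInRange(64001, 100000) in the script


def obfuscate(secret: str, rng: random.Random):
    """Add a random offset to each code point and return the three arrays the
    generated Xojo code embeds (codeArr, adderArr, indexArr), in shuffled order."""
    codes, adders, indexes, randomizer = [], [], [], []
    for i, ch in enumerate(secret):
        add = rng.randint(LOW, HIGH)
        codes.append(ord(ch) + add)
        adders.append(add)
        indexes.append(i)
        # RndInRange(0, chars.Ubound * 100) in the script
        randomizer.append(rng.randint(0, max(len(secret) - 1, 0) * 100))
    # randomizerArr.SortWith(codeArr, indexArr, addArr): sort all three by the random key
    order = sorted(range(len(secret)), key=lambda k: randomizer[k])
    return ([codes[k] for k in order],
            [adders[k] for k in order],
            [indexes[k] for k in order])


def deobfuscate(codes, adders, indexes) -> str:
    """What the emitted `if true then ... end if` block does at run time:
    indexArr.SortWith codeArr, adderArr restores the original order,
    then every character is chr(code - adder)."""
    order = sorted(range(len(indexes)), key=lambda k: indexes[k])
    return "".join(chr(codes[k] - adders[k]) for k in order)


def emitted_source(codes, adders, indexes) -> str:
    """The three `array(...)` lines as the script would paste them into the method."""
    return "\n".join([
        "dim codeArr() as integer = array(%s)" % ", ".join(map(str, codes)),
        "dim adderArr() as integer = array(%s)" % ", ".join(map(str, adders)),
        "dim indexArr() as integer = array(%s)" % ", ".join(map(str, indexes)),
    ])


def round_trip(secret: str, seed: int = 7):
    """Obfuscate with a seeded RNG, decode again, and report whether the plain
    secret survives as a literal in the emitted source. Returns
    (decoded, literal_present, codes, adders, indexes)."""
    codes, adders, indexes = obfuscate(secret, random.Random(seed))
    decoded = deobfuscate(codes, adders, indexes)
    literal_present = secret in emitted_source(codes, adders, indexes)
    return decoded, literal_present, codes, adders, indexes


if __name__ == "__main__":
    # "hunter2" is a constructed sample secret, not a real credential
    decoded, literal_present, codes, adders, indexes = round_trip("hunter2")
    print(emitted_source(codes, adders, indexes))
    print("decoded:", decoded, "| plain literal in source:", literal_present)
```

Because the decode needs nothing beyond the arrays, treat the output as hiding the value from a casual look, not as encryption; the advice later in the thread about not shipping reusable secrets at all still applies.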

Thank you for your answers.
What’s the procedure?

  1. treat source code with obfuscate
  2. compile source code (with Kem’s free obfuscate IDE script integrated into Xojo)

Sorry, the whole principle is not quite clear to me yet.

Best regards
(from Germany, translated by Deepl :wink: )

The script will obfuscate the string so that it’s only visible in memory while your app is using it.
So make sure you assign the string to an object you can destroy right after using it. :wink:

Please excuse me while I’m answering this with a reply in German: :slight_smile:

I use the script like this:

  1. Create a (private) method
  2. This method returns a String
  3. In this method, only the string to be obfuscated is obfuscated with the script in the Xojo IDE
  4. Where I need the string, I create a local String variable
  5. I fetch the de-obfuscated string with the method above
  6. Directly after using the string, I destroy the object.

Try the following:

  1. Copy a string into an empty method.
  2. Select the string
  3. Run the IDE script
    Then you will quickly see how the script can be used.

Greetings, Sascha

Here is a web version that I use in preference as it produces much smaller Xojo code. It is based on Obfuscate from Bkeeney Software:
https://thezaz.com/code/obfuscate

Many thanks to all.
And many thanks, Sascha :wink:

[quote=399539:@Milko M.]Thank you for your answers.
What’s the procedure?

  1. treat source code with obfuscate
  2. compile source code (with kem’s free obfuscate ide script integrated into Xojo)

Sorry, the whole principle is not quite clear to me yet.

Best regards
(from Germany, translated by Deepl :wink: )[/quote]
For Kem’s script:
select the source text you want to obfuscate.
run Kem’s IDE script from the IDE menu.
The source is modified; compile as you wish.

[quote=399547:@Jean-Yves Pochez]for Kem’s script:
select the source text you want to obfuscate.
run kem’s ide script from ide menu
source is modified, compile as you wish.[/quote]

The resulting string is ASCII, if you want it to be UTF-8, then add this line after the script generates the new string:

MyString=MyString.ConvertEncoding(Encodings.UTF8)

Unfortunately, ConvertEncoding isn’t available in XojoScript.

You should never store real passwords in clear text or obfuscated text.
You should store only a hashed value (MD5 or something similar).
When the user attempts to log in:

  • Accept their entered password
  • create a hash for it
  • compare it to the stored hashed value

This is more secure, and allows nobody to know what the original password was.

Hi Dave,

[quote]
create a hash for it
compare it to the stored hashed value[/quote]

would you please explain the two steps for a beginner in more detail?

How do you create a hash?

User supplies password for very first time

  • User Enters their password (say it is “FQRZ93” for example)
  • your app uses some function (MD5 for example) stored_hash=MD5(password)
  • you store THIS value as the user's password … it will look like gibberish

User is logging on to your app

  • User Enters their password (say it is “FQRZ93” for example)
  • your app uses some function (MD5 for example) hash=MD5(password)
  • retrieve previously saved value (stored_hash)
  • does hash = stored_hash?

This way the password that the user entered in the first step is NEVER stored, and nobody can ever figure out what it was (is).
MD5 is just an example, as it is supplied with Xojo; there are similar methods that can also be used.

[quote=399613:@Dave S]User supplies password for very first time

  • User Enters their password (say it is “FQRZ93” for example)
  • your app uses some function (MD5 for example) stored_hash=MD5(password)
  • you store THIS value as the users password … it will look like gibberish

User is logging on to your app

  • User Enters their password (say it is “FQRZ93” for example)
  • your app uses some function (MD5 for example) hash=MD5(password)
  • retrieve previously saved value (stored_hash)
  • does hash = stored_hash?

This way the password that the user entered in the first step is NEVER stored, and nobody can ever figure out what it was (is)
MD5 is just an example, as it is supplied with Xojo, there are similar methods that can also be used.[/quote]
Please don’t use MD5. SHA-1 / SHA-256 if you don’t have anything better but something like Argon2 or bcrypt should really be used these days.
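The register/verify flow from Dave’s post, with the hash function swapped for a slow salted one as Kevin suggests, as a runnable example. This is added code, not Dave’s, Kevin’s or Xojo’s; it uses PBKDF2-HMAC-SHA256 from Python’s standard library because that needs no plugin, and the record layout (`pbkdf2_sha256$iterations$salt$hash`), the iteration count and the sample password are choices made for the example. It also answers the “how long is a hash” question for this layout: the stored record is a text string of fixed length.

```python
"""Added example: salted password hashing with a register step and a login step.
Not code from the thread."""
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000   # deliberately slow; tune to what your hardware tolerates per login
SALT_BYTES = 16        # fresh random salt per user, so equal passwords give different records
DIGEST_BYTES = 32


def make_stored_hash(password: str) -> str:
    """First-time password entry: derive a salted hash and return the text record to store.
    The clear-text password is never written anywhere."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 ITERATIONS, DIGEST_BYTES)
    return "%s$%d$%s$%s" % (ALGO, ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored_hash: str) -> bool:
    """Login: recompute with the salt and iteration count taken from the record,
    then compare in constant time. Any malformed record verifies as False."""
    try:
        algo, iters, salt_hex, digest_hex = stored_hash.split("$")
        if algo != ALGO:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, len(expected))
    # hmac.compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(candidate, expected)


def stored_hash_length() -> int:
    """Length of a record in this layout: algo + '$' + iterations + '$' + salt hex + '$' + digest hex."""
    return len(ALGO) + 1 + len(str(ITERATIONS)) + 1 + SALT_BYTES * 2 + 1 + DIGEST_BYTES * 2


if __name__ == "__main__":
    # "FQRZ93" is the constructed sample password from the post above
    record = make_stored_hash("FQRZ93")
    print(record)
    print("correct password:", verify_password("FQRZ93", record))
    print("wrong password:  ", verify_password("fqrz93", record))
```

Swapping in bcrypt or Argon2 (via the `bcrypt` or `argon2-cffi` packages, or a Xojo plugin) changes only the two derivation calls; the rest of the flow, a random per-user salt, a record that carries its own parameters, and a constant-time comparison, stays the same.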

and most likely more than enough for anything less than Classified data

How long is a hash? What type of variable and length would you use?

Thanks for the tip-off there, was actually thinking about this very topic over the last few days myself.

And Kevin - where does one get the code for those hashes?

Thanks.

length varies based on function used and data supplied, and datatype is string/text

Hmmm. Anyone nest-hash data? As in hash upon a hash?

[quote=399626:@Amy Barnes]And Kevin - where does one get the code for those hashes?

Thanks.[/quote]
MBS & Einhugur both have hashing plugins. I imagine you could find some C source code online and convert it.