June 14th, 2002, 09:47 AM
Problem with decompilers & passwords
I have made an app in Visual Basic that use cryptation to hide database passwords from the user. The encrypted password his hidden in a settings-file, and I use a well-known encryption algorithm. In the code that logs on to the database, I fetch the encrypted password from file and decrypt it using a key. The key is stored inside a string variable.
Now, if anyone can decompile the program they can access my database. That's BAD! What can be done with this problem? Are there decompilers that can decompile VB6? And how about anti-decompilers?
Does anyone know about decompilers that actually work? (Perhaps direct me with a link).
I've found there's easier to find anti-decompilers, so I'll look into that. But I would need a decompiler to see if my anti-decompiler actually works.
June 14th, 2002, 09:53 AM
You can use protective mechanisms on your compiled app. For example, some things encrypt or compress the app so that even if decompiled it will not make any sense. These kind of things decrypt or decompress on-the-fly as the app. runs, which still means that someone with a good debugger (e.g. SoftICE) can get the string if they know when and where to look whilst the program is running.
Debuggers are infinitely more useful than decompilers... Generally, decompilers leave you with a bunch of ASM code rather than the language the program was made in... Debuggers also give you ASM, but they do so whilst the program is active, so you can see what it's doing... try poking round your app with a debugger, and see if it throws up the key string at any point.
June 14th, 2002, 11:06 AM
Ok, that's a good advice. I'll check it out! Thanks!
June 17th, 2002, 06:22 AM
Hmmmm... That didn't work. Seems the SoftICE debugger can only handle C(++) code. The VB debugger comes up with the password alright, but I'm still not convinced. Think I gotta look for some kind of deconstructor or a hex-editor or something. Man, I hate this low level ****!
If anyone got hints, please let me know!
June 17th, 2002, 06:31 AM
I know that decompilers for VB do exist, though it's been a while since I've heard anything about them. I do know there are some which are specifically designed for VB.NET, but I'm assuming you're not using that? If you're using VB 6, you'll just have to search online to see if you can find anything. A quick Google, I found a lot of links for VB 3 and below, but not too much for 5 or 6. I did find this: http://www.tek-tips.com/gfaqs.cfm/le...d/222/sfid/939 which may be useful... Good luck.
June 17th, 2002, 07:57 AM
Finally I found the right tool for the job, a disassembler. I suppose that's what them guys use who crack games etc. The password's there, in clear-text, and so are all my sql-calls and other strings.
I guess it's time to sit back and find out how to patch this up!
June 17th, 2002, 06:06 PM
SoftICE can debug anything, not just C++!
June 17th, 2002, 06:17 PM
yea personally i use Hackman...it is awesome it has a dissassembler a hexeditor and many other things...u should probably do a google search for it....it is one of the most complete pieces of software for that type of stuff...good luck ...oh btw hackman also has a tool that encrypts things, in Skip Jack(official NSA encryption algorythm) DES and some others...u really should check it out
\"\"A weak mind is like a microscope, which magnifies trifling things but cannot receive great ones.\" — G.K. Chesterton, 19th-century English essayist and poet\"