
C++ pass encryption or hide


ghost's Avatar
0 0

Hello, I have been having some problems with passes in my C++ program. Simple pass verification can be done with this simple code:

```cpp
#include <iostream>
#include <string>

using namespace std;

int main()
{
    string passwd;
    cout << "Please enter password: ";
    getline(cin, passwd);
    // The password sits in the binary as a plain string literal.
    if ( passwd == "abcde" )
    {
        cout << "The pass is correct";
    }
    else
    {
        cout << "The pass isn't correct";
    }
}
```

I know this... sorry if this doesn't work, this is just an example I'm writing from my head now… but there is a little problem: if you try to disassemble it in OllyDbg, Win32Dasm or something like this, you get the pass abcde with no problems, and I want to decrypt it or hide it, so it can't be viewed in a disassembler. Is there any way to do this? Thanks ;) EDIT: smileys disabled


ghost's Avatar
0 0

Use a numerical password, they are harder to find.

Also, the jump can be easily bypassed in Olly, so this kind of simple password check isn't really much use.


ghost's Avatar
0 0

In my remote admin tool, I put an MD5 hash of the password in the source, rather than the actual password. Then I compare it to a hash of the password that they gave and see if they're the same. This is in Python, but I'm sure you could do something similar, perhaps with a much more secure one-way hash.


ghost's Avatar
0 0

break it up some

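```cpp
#include <string>

// Split the password into pieces so it is not stored as one literal.
bool checkPassword(const std::string &input)
{
    std::string var1 = "a";
    std::string var2 = "d";
    std::string var3 = "b";
    std::string var4 = "c";

    // Compare with ==; a single = would assign instead of compare.
    if (input == var1 + var3 + var4 + var2)
    {
        // stuff
        return true;
    }
    return false;
}
```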

ghost's Avatar
0 0

more complex, idk

```cpp
string encrypt(string password)
{
    string enc;
    for ( int i = 0; i < password.length(); i++ )
    {
        enc += int(password[i]) + rand()%400 - password[i+1];
    }
    return enc;
}
```

You should use something that can't be reversed for a good result, like one-way hashing or XOR'ing. You can also break it up into segments (like md5 does) and move things around, and even have a fixed length to throw them off even more. Lots of possibilities. :)

richohealey's Avatar
Python Ninja
0 0

You should use something that can't be reversed for a good result, like one-way hashing or XOR'ing

XORing??? XORing is plenty reversible.

But yeah, you should perform some operations on both the right answer and the user's input, preferably non-reversible ones, so they just have a string in there that they need to reverse engineer for a bit.


lukem_95's Avatar
Member
0 0

Loving the encryption, I might have to use that one, simple but effective :D


ghost's Avatar
0 0

sharpskater80: Your code won't work for all test cases because there are some flaws in your mathematical logic. They are easy enough to fix however. :)

e.g. Assuming the entered password value was "AacBd". Every iteration in the loop, except for the last one, has the potential of returning a negative value into your enc string as well as returning a value that exceeds a valid ASCII character.

65 + rand()%400 - 97… this would be the first iteration, but what would happen if the random number generated was 400? 400 mod 400 is 0, so the equation now just becomes 65 - 97 which is -32, this isn't a valid ASCII value.

Then of course there is always the potential to exceed any valid ASCII value because of this statement password[i] + rand()%400 - password[i+1].

In any of the iterations there is the possibility that rand() will generate a number mod 400 that will make it so the equation results in a value above 255.

In the last iteration of our test case the equation would amount to… 100 + rand()%400 - 0. This happens because password[i+1] will return the value of NULL which is 0, and if rand() generates a number like 399, well 399 mod 400 is 399 which leaves the equation at 100 + 399 now which of course will evaluate to 499 which isn't a valid character value.

-Nirucesis


ghost's Avatar
0 0

OK, thanks to all. Sorry I'm writing too late, but I was without a connection for a long time ;)


ghost's Avatar
0 0

And I have another question for this thread: I want to encrypt with XOR the pass "daniel" (for example) saved in the string pass. How can I do this? Thanks


ghost's Avatar
0 0

sharpskater80 wrote: string encrypt(string password) { string enc; for ( int i = 0; i < password.length(); i++ ) { enc += int(password[i]) + rand()%400 - password[i+1]; } return enc; }

I don't think that'd work as each time you encrypt it it'll give a different output, so it's not one way and there's no way of checking


ghost's Avatar
0 0

OK, and is there any way to use XOR with checking?? :)


ghost's Avatar
0 0

Yeah, but it would be incredibly easy to figure out from the disassembled file and incredibly easy to reverse


ghost's Avatar
0 0

Happysmileman wrote: [quote]sharpskater80 wrote: string encrypt(string password) { string enc; for ( int i = 0; i < password.length(); i++ ) { enc += int(password[i]) + rand()%400 - password[i+1]; } return enc; }

I don't think that'd work as each time you encrypt it it'll give a different output, so it's not one way and there's no way of checking[/quote]

Your statement is pointless as I already pointed out the flaws in it with a detailed explanation.

dancuc: XOR'ing is accomplished in the following manner.

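```cpp
#include <iostream>
#include <string>

// XOR every byte of oS in place with the repeating key oK.
void xorPassword(std::string &oS, const std::string &oK)
{
    if (oK.empty()) return; // avoid a modulo by zero on an empty key
    for (std::size_t i = 0; i < oS.length(); ++i) oS[i] ^= oK[i % oK.length()];
}

int main()
{
    std::string myPass = "daniel";
    std::string myKey = "key";

    xorPassword(myPass, myKey);

    // The result contains non-printable bytes, so the output looks garbled.
    std::cout << myPass << std::endl;

    std::cin.get();
    return 0;
}
```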

P.S. - Sorry in advance for the crappy support of the [code] tags.

-Nirucesis
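
The "XOR with checking" idea asked about above, written out as an added example (not code from any poster in this thread): the input is XOR-encoded and compared with a stored blob, and the last function shows why the replies call this easy to reverse. The names `STORED`, `KEY`, `checkPassword` and `recoverPassword` are made up for the illustration, and the blob is constructed from the thread's sample password "daniel" and key "key".

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Constructed sample data: "daniel" XORed with the repeating key "key".
// Byte 4 is 0x00 ('e' ^ 'e'), so the blob is stored with an explicit length;
// treating it as a C string would cut it off after four bytes.
static const char BLOB[] = {0x0f, 0x04, 0x17, 0x02, 0x00, 0x15};
static const std::string STORED(BLOB, sizeof BLOB);
static const std::string KEY = "key";

// XOR data with a repeating key. Applying it twice with the same key
// returns the original bytes, which is why this is encoding, not hashing.
std::string xorWith(const std::string &data, const std::string &key)
{
    std::string out = data;
    if (key.empty()) return out;               // avoid modulo by zero
    for (std::size_t i = 0; i < out.size(); ++i)
        out[i] ^= key[i % key.size()];
    return out;
}

// "XOR with checking": encode the input and compare with the stored blob.
bool checkPassword(const std::string &input)
{
    return xorWith(input, KEY) == STORED;
}

// Both STORED and KEY ship inside the binary, so anyone who has the file
// gets the password back with one more XOR.
std::string recoverPassword()
{
    return xorWith(STORED, KEY);
}

int main()
{
    std::cout << std::boolalpha
              << "daniel accepted: " << checkPassword("daniel") << '\n'
              << "danie1 accepted: " << checkPassword("danie1") << '\n'
              << "blob length as a C string: "
              << std::string(STORED.c_str()).size() << " of " << STORED.size() << '\n'
              << "recovered from blob + key: " << recoverPassword() << '\n';
    return 0;
}
```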


ghost's Avatar
0 0

ok thanx very much for help ;)