我想在C中演示格式字符串漏洞。我想避免字符串命令泄露ASCII字符串sin我的二进制文件。c中隐藏char字符串
继承人我简单的代码:
#include <stdio.h>
static char secret[] = "mysecretstring";
int main(int argc, char *argv[]) {
char buf[64];
strncpy(buf, argv[1], sizeof(buf));
printf(buf);
}
你可以做一些数学与它例如:
static unsigned char secret[] = {'m' + 10, 'y' + 10, 's' + 10, 'e' + 10, 'c' + 10, 'r' + 10, 'e' + 10, 't' + 10, 's' + 10, 't' + 10, 'r' + 10, 'i' + 10, 'n' + 10, 'g' + 10};
为你的秘密字符串可能在RO段:
char *decode(const unsigned char *str, int c)
{
int len = 0;
char *ml, *cl;
while(*str != abs(c))
len++;
ml = malloc(len + 1);
if(ml != NULL)
{
cl = ml;
while(*str != abs(c))
*cl++ = *str++ + c;
*cl = 0;
}
return ml;
}
当然编写脚本会更容易,它将为您编写字符串文字。编码机制可能更为复杂 - 在例子中,我只是为一些小事
用C#define VNAMEMAX 20
#define VVALUEMAX 200
typedef struct
{
char vname[VNAMEMAX];
char vvalue[VVALUEMAX];
}VDEF_T;
VDEF_T varialbles[] =
{
{.vname = "mystring",.vvalue = "Something very secret"},
{.vname = "secret_var",.vvalue = "Something even more secret" },
{0,},
};
int code(VDEF_T *v, char *fname, int c)
{
FILE *fp = fopen(fname, "wt");
int result = (fp == NULL) * -1;
if (!result)
{
fprintf(fp, "#ifndef _MYSECRET\n#define _MYSECRET\n\n\n");
while (!result && v->vname[0])
{
fprintf(fp, "static unsigned char %s[] = {\n\t\t", v->vname);
for (int i = 0; i <= strlen(v->vvalue); i++)
{
if (fprintf(fp, "0x%02x,", v->vvalue[i] + c) < 0)
{
result = -1;
break;
}
}
if (fprintf(fp, "};\n\n") < 0) result = -1;
v++;
}
if(fprintf(fp, "#endif") < 0) result = -1;
fclose(fp);
}
return result;
}
而结果.h文件
例编码功能;
#ifndef _MYSECRET
#define _MYSECRET
static unsigned char mystring[] = {
0x5d,0x79,0x77,0x6f,0x7e,0x72,0x73,0x78,0x71,0x2a,0x80,0x6f,0x7c,0x83,0x2a,0x7d,0x6f,0x6d,0x7c,0x6f,0x7e,0x0a,};
static unsigned char secret_var[] = {
0x5d,0x79,0x77,0x6f,0x7e,0x72,0x73,0x78,0x71,0x2a,0x6f,0x80,0x6f,0x78,0x2a,0x77,0x79,0x7c,0x6f,0x2a,0x7d,0x6f,0x6d,0x7c,0x6f,0x7e,0x0a,};
#endif
我能隐藏文件中的字符串吗?例如: static const char * secret =“secret.txt”; – pizzaiolo
是的,你会的。当然,所有的字符串都必须如示例中所示进行编码 –
究竟是什么问题?此外,这看起来不像C++代码,所以为什么C++标签? – pmaxim98
如果我编译此代码并对编译后的二进制文件运行字符串,它将显示mysecretstring。我正在寻找隐藏变量的技巧。 – pizzaiolo
@ pmaxim98如果添加了包含,那么这是完全合法的C++代码。就像它是完全合法的C代码一样,如果你添加相同的包含。 – Deduplicator