views:

415

answers:

3

I have a program, and in that program there are some variables (username and "privilege-level") that are only changed when the user logs on. Is there a way to "secure" these variables from memory-editing etc. while the program runs, but the program is still able to change them if the user logs on with another username?

I thought it would work (haven't tested) to use either const or readonly, but is it still possible to change them when the user relogs?

Also, is it possible to hash/encrypt strings used in the program, so that the user isn't able to find them by searching the memory (i.e. using Cheat Engine)?

A: 

There's no reliable way you could do that. By encrypting the stuff you can just make it harder but never impossible. Worst case, the user can attach a debugger and alter the memory directly.

Mehrdad Afshari
+2  A: 

You can't modify a const (ever) or readonly (after initialization) variable, so that will not work.

The best option would probably be to wrap the logic that creates/initializes/sets those variables into a clean method and/or property that is set during the logon process. This will isolate that code, so it's at least easy to follow.

As for encrypting strings - you can use SecureString for handling that purpose at runtime. At compile time, you can obfuscate your code (many obfuscators support string encryption).

Reed Copsey
+4  A: 

If the software and user credentials are running on the user's machine, it is impossible to stop the user from changing values.

If credentials and access are stored on a remote server, you can use that server and have the user only store a hashed token that expires after an arbitrary period of time. Use that token as a lookup to retrieve the user's profile information from the server.

You'll still run into issues because anything that is done client-side can be manipulated/hacked. If you keep all of your logic on a central server, you can be more confident that things won't be cracked, however your system's performance will suffer.

You need to weigh the pros and cons of a central server for security and performance and choose a balance that fits best for you.

Dan Herbert
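A minimal sketch of the server-side token model described in the answer above, as an added Python example that is not part of the original answer: the account table, the session TTL and the in-memory session store are constructed for the demo, and the clock is passed in explicitly so the expiry behaviour can be checked deterministically.

```python
import hashlib
import secrets

# Constructed demo "server": the only authoritative copy of each user's privilege level.
SERVER_ACCOUNTS = {"alice": {"privilege": "user"}, "root": {"privilege": "admin"}}
SESSION_TTL_SECONDS = 900  # arbitrary expiry period, as the answer suggests

# The server keeps only a hash of each issued token, so a leaked session table
# cannot be replayed; the raw token lives only on the client.
_sessions = {}  # sha256(token) -> {"username": str, "expires": float}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def server_login(username: str, now: float) -> str:
    """Issue an opaque random token; the privilege level itself never leaves the server."""
    if username not in SERVER_ACCOUNTS:
        raise PermissionError("unknown user")
    token = secrets.token_urlsafe(32)
    _sessions[_hash_token(token)] = {"username": username, "expires": now + SESSION_TTL_SECONDS}
    return token


def server_lookup(token: str, now: float):
    """Resolve a token to the server-side profile, or None if unknown or expired."""
    key = _hash_token(token)
    entry = _sessions.get(key)
    if entry is None:
        return None
    if now >= entry["expires"]:
        del _sessions[key]  # expired sessions are dropped on first use
        return None
    return SERVER_ACCOUNTS[entry["username"]]


def server_allow(token: str, action: str, now: float) -> bool:
    """Authorization is decided from the server-side profile, never from client state."""
    profile = server_lookup(token, now)
    if profile is None:
        return False
    return action != "admin_action" or profile["privilege"] == "admin"


class Client:
    """The client holds the token plus a display-only copy of the privilege level.
    Editing that copy in memory (e.g. with Cheat Engine) changes nothing the server trusts."""

    def __init__(self, username: str, now: float):
        self.token = server_login(username, now)
        self.privilege = server_lookup(self.token, now)["privilege"]  # cache for the UI only
```

In a real deployment `now` would come from `time.time()` on the server side and the token would travel over TLS; the point is that the client-side `privilege` field is informational and carries no authority.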