+14  A: 

Welcome to the wider world of defensive programming.

There are a couple of options, but I believe all of them depend on some form of obfuscation; which, although not perfect, is at least something.

  1. Instead of a straight string value you can store the text in some other binary form (hex?).

  2. You can encrypt the strings that are stored in your app, then decrypt them at run time.

  3. You can split them across various points in your code, and reconstitute later.

Or some combination thereof.

Bear in mind, that some attacks go further than looking at the actual binary. Sometimes they will investigate the memory address space of the program while it's running. MS came up with something called a SecureString in .Net 2.0. The purpose being to keep the strings encrypted while the app is running.

A fourth idea is to not store the string in the app itself, but rather rely on a validation code to be submitted to a server you control. On the server you can verify if it's a legit "cheat code" or not.

Chris Lively
Nice options. Since the questioner is specifically concerned about hiding a Windows GUID string -- which is just a hexadecimal number -- that data could also be stored as a few ints.
Shmoopty
+4  A: 

In addition to those methods Chris mentions you could also use a hashing algorithm. If all you want to do is check if the correct ID was specified you don't actually need to store the whole ID in your program.

  • Create a hash (MD5, SHA, etc) of the string/password/id you want to compare against, maybe add a 'salt' value to it. Store this in your program
  • When the program is run, do the same algorithm on the input string/password/id and compare the two hashes to see if they match.

This way the actual text is never stored in your program and they cannot reverse engineer your program to find out what the original text was because hash algorithms are one-way only.

Andre Miller
be careful, collisions for some hashes (e.g. md5) can be found relatively easy these days..
Josef
I'm not sure that's a problem for this use.
Head Geek
+7  A: 

The simplest way is to encrypt them with something trivial like xor or rot-13, and then decrypt them on the fly when they're used. That will eliminate casual viewing of them, but it won't stop anyone with much experience at reversing.

Rob K
Nothing would really stop anyone with much experience at reversing, for that matter ;)
n3rd
Since they must have the decryption key in memory to run the program then AES isn't going to stop them either.
Martin Beckett
+1  A: 

If there's a specific string you don't want people to be able to see, then encrypt it and decrypt at runtime.

If you don't want people to see your GUID, then construct it from bytes, rather than constructed from a string:

const GUID SecretGuid = 
      { 0x4537774B, 0xCC80, 0x4eda, { 0x7A, 0x9E, 0xE7, 0x79, 0x91, 0xF5 } };
Ian Boyd
+2  A: 

Will all your secret codes be GUIDs or was that just an example?

Perhaps store your secret as a binary guid:

const GUID SecretGuid =
    { 0x4537774B, 0xCC80, 0x4eda, { 0x7A, 0x9E, 0xE7, 0x79, 0x91, 0xF5 } };

Then convert your supplied guid from string to binary format and compare the two binary guids.

Bing
The GUID was just an example. There are URLs for http requests that I would like to hide too.
Winz
Everyone who has the knowledge to look for strings in your excutable will be able to start a sniffer and watch for HTTP-Request from your app. In fact I would try the sniffer first before looking for strings.
Martin
+5  A: 

There are many ways to obscure data in an executable. Others here have posted good solutions -- some stronger than others. I won't add to that list.

Just be aware: it's all a cat-and-mouse game: it is impossible to guarantee that nobody will find out your "secret".

No matter how much encryption or other tricks you use; no matter how much effort or money you put into it. No matter how many "NASA/MIT/CIA/NSA" types are involved in hiding it.

It all comes down to simple physics:
If it were impossible for any user to pull out your secret from the executable and "unhide" it, then the computer would not be able to unhide it either, and your program wouldn't be able to use it. Any moderately skilled developer with enough incentive will find the way to unhide the secret.

The moment that you have handed your executable to a user, they have everything they need to find out the secret.

The best you can hope for is to make it so hard to uncover the secret that any benefits you can get from knowing the secret become not worth the hassle.

So, it's OK to try to obscure the data if it's merely "not-nice" for it to be public, or if the consequences of it becoming public would just be "inconvenient". But don't even think of hiding in your program "the password to your master client database", a private key, or some other critical secret. You just can't.

If you have truly critically secret information that your program will somehow need but should NEVER become public information (like a private key), then you will need to have your program talk to a remote server under your control, apply appropriate authentication and authorization controls (that is, make sure only the approved people or computers are able to make the request to the server), and have that server keep the secret and use it.

Euro Micelli
Well said. And true crackers are quite formidable, you won't be able to stop them with a small trick. They will notice the hotspot where you play with strings and patiently for the application to decrypt it to see the real thing.
toto
+1  A: 

The best you can do is to code your password or other string that you want to hide as char array. For example: std::string s1 = "Hello"; // This will show up in exe in hex editor char* s2 = "World"; // this will show up in exe in hex editor char s3[] = {'G', 'O', 'D'}; // this will not show up in exe in hex editor.

suprit chaudhary
A: 

Here is a tool that will preprocess your strings and obfuscate them as part of the build process.

paleozogt
A: 

There are URLs for http requests that I would like to hide too.

If your app is making the request, there is no point hiding this. Running an app like fiddler, http analyzer, or one of dozens of other free and readily available methods will show all the traffic your app is creating.

Chad