Android Question Hide password in code

tsteward

Many years ago I came across a post that gave this example to hide passwords in code. I know it is very simple to crack, but I kinda liked the idea way back then, although now I can't find the original post and I don't understand how it works.

Code is below. Hidden password is L0ckN!nja7691

B4X:
'Each constant is one byte of the password shifted left by the given amount
'(with extra junk bits packed around it); the shift right undoes it and the
'assignment to a Byte keeps only the low 8 bits.
Private Sub X() As String
    Dim b(13) As Byte
    b(0) = Bit.ShiftRight(27027,5)
    b(1) = Bit.ShiftRight(1595584,15)
    b(2) = Bit.ShiftRight(1634018,14)
    b(3) = Bit.ShiftRight(28026,5)
    b(4) = Bit.ShiftRight(8506,2)
    b(5) = Bit.ShiftRight(4334958,17)
    b(6) = Bit.ShiftRight(902532,13)
    b(7) = Bit.ShiftRight(54759,9)
    b(8) = Bit.ShiftRight(11307,5)
    b(9) = Bit.ShiftRight(28197,9)
    b(10) = Bit.ShiftRight(27058,3)
    b(11) = Bit.ShiftRight(956333050,24)
    b(12) = Bit.ShiftRight(1634339,15)
    Return BytesToString(b, 0, 13, "UTF8")
End Sub
 

peacemaker

Theoretically, a smart compiler can replace these operations over constants with the result string.
 

peacemaker

IMHO, any operation where a password is needed should be done via some server that returns some API key (hashed value) after receiving some initial string from manual user input, a unique input like an email or phone number.
 

tsteward

IMHO, any operation where a password is needed should be done via some server that returns some API key (hashed value) after receiving some initial string from manual user input, a unique input like an email or phone number.
Not what I was asking for, but I do get your point.
Do you have an example that I can see so I can understand better?
I have another password that is stored in an online SQL database, although this is not encrypted and the app downloads it on launch via a PHP script. I still feel this is poor practice but don't know how to make it better.
 

peacemaker

what I was asking
Indeed, what?

The first question is why this password is needed. If it's a static password not depending on each user, it's non-secure to store it in the code anyway.
 

tsteward

Where did I find this code? How does it work? What if I wanted to create a new password, how would I do it?

Sorry I often struggle to get my question across.
 

peacemaker

No idea what you need to ask.
Your code is just a static sub to obfuscate some password string.

To try to understand what you need, I already posted some questions above.
And again, your initial post is without a question mark at all.
 

Chris2

The original thread you're looking for is:
 

emexes

How do I delete this thread?

Rather than [Ctrl+X], try [Ctrl+C][Ctrl+V] 🍻 :

B4X:
Sub PasswordToSubX(Pwd As String) As List
    Dim B() As Byte = Pwd.GetBytes("UTF8")
 
    Dim L As List
    L.Initialize
 
    L.Add("Private Sub X() As String")
    L.Add("    Dim b(" & B.Length & ") As Byte")

    RndSeed(DateTime.Now)
 
    'loop over the UTF-8 bytes, not the characters: a non-ASCII
    'password has more bytes than characters
    For I = 0 To B.Length - 1
        Dim ShiftBy As Int = Rnd(2, 24)    'will only shift by up-to 23, to avoid using sign bit
        L.Add("    b(" & I & ") = Bit.ShiftRight(" & Bit.ShiftLeft(Bit.And(B(I), 0xFF), ShiftBy) & ", " & ShiftBy & ")")
    Next
 
    L.Add("    Return BytesToString(b, 0, " & B.Length & ", ""UTF8"")")
    L.Add("End Sub")

    Return L
End Sub

and test with:

B4X:
Sub AppStart (Args() As String)
    Dim SubX As List = PasswordToSubX("L0ckN!nja7691")

    For Each L As String In SubX
        Log(L)
    Next
 
    Log(X)    'here's one I prepared earlier...
End Sub

'here's one I prepared earlier...
Private Sub X() As String
    Dim b(13) As Byte
    b(0) = Bit.ShiftRight(622592, 13)
    b(1) = Bit.ShiftRight(393216, 13)
    b(2) = Bit.ShiftRight(50688, 9)
    b(3) = Bit.ShiftRight(3424, 5)
    b(4) = Bit.ShiftRight(81788928, 20)
    b(5) = Bit.ShiftRight(16896, 9)
    b(6) = Bit.ShiftRight(3520, 5)
    b(7) = Bit.ShiftRight(3473408, 15)
    b(8) = Bit.ShiftRight(397312, 12)
    b(9) = Bit.ShiftRight(1760, 5)
    b(10) = Bit.ShiftRight(3456, 6)
    b(11) = Bit.ShiftRight(119537664, 21)
    b(12) = Bit.ShiftRight(200704, 12)
    Return BytesToString(b, 0, 13, "UTF8")
End Sub

Log output:
Waiting for debugger to connect...
Program started.
Private Sub X() As String
    Dim b(13) As Byte
    b(0) = Bit.ShiftRight(159383552, 21)
    b(1) = Bit.ShiftRight(393216, 13)
    b(2) = Bit.ShiftRight(12672, 7)
    b(3) = Bit.ShiftRight(56098816, 19)
    b(4) = Bit.ShiftRight(159744, 11)
    b(5) = Bit.ShiftRight(264, 3)
    b(6) = Bit.ShiftRight(220, 1)
    b(7) = Bit.ShiftRight(868352, 13)
    b(8) = Bit.ShiftRight(194, 1)
    b(9) = Bit.ShiftRight(3520, 6)
    b(10) = Bit.ShiftRight(55296, 10)
    b(11) = Bit.ShiftRight(116736, 11)
    b(12) = Bit.ShiftRight(102760448, 21)
    Return BytesToString(b, 0, 13, "UTF8")
End Sub
L0ckN!nja7691
Program terminated (StartMessageLoop was not called).
 

ac9ts

How it works:

It is hiding the ASCII value of the letter using some math.

For the first letter, "L"

b(0) = Bit.ShiftRight(27027,5) is basically dividing 27027 by 2 five times, which gives 844 or 0x34C. Since the result is being stored into a byte array, the value stored is 0x4C. 0x4C is the ASCII code for "L".

To change the password, start with the ASCII code. You can add some value to it, to "hide it" a bit. Then take that value and multiply by 2 X number of times. Use the result and the X number of shifts to get back to where you were.
 

emexes

0x34C. Since the result is being stored into a byte

Good point. My example above doesn't add the spurious random bits before and after the shifted byte.

But it is easy enough to add.

Improved:

B4X:
Sub PasswordToSubX(Pwd As String) As List  
    Dim B() As Byte = Pwd.GetBytes("UTF8")
   
    Dim L As List
    L.Initialize
   
    L.Add("Private Sub X() As String")
    L.Add("    Dim b(" & B.Length & ") As Byte")

    RndSeed(DateTime.Now)

    'loop over the UTF-8 bytes, not the characters
    For I = 0 To B.Length - 1
        Dim ShiftBy As Int = Rnd(2, 23 + 1)    'max shift 23, to avoid sign bit and negative numbers
        Dim ShiftedByte As Int = Bit.ShiftLeft(Bit.And(B(I), 0xFF), ShiftBy)
        Dim Mask As Int = Bit.Not(Bit.ShiftLeft(0xFF, ShiftBy))    'every bit outside the byte's window
        Dim Smoke As Int = Bit.And(Rnd(0, 200000), Mask)    'any number up to 2 billion is ok
       
        'the Byte assignment in Sub X drops whatever is left above bit 7, so the smoke disappears
        L.Add("    b(" & I & ") = Bit.ShiftRight(" & Bit.Or(Smoke, ShiftedByte) & ", " & ShiftBy & ")")
    Next
   
    L.Add("    Return BytesToString(b, 0, " & B.Length & ", ""UTF8"")")
    L.Add("End Sub")

    Return L
End Sub
Log output:
Waiting for debugger to connect...
Program started.
Private Sub X() As String
    Dim b(13) As Byte
    b(0) = Bit.ShiftRight(4999531, 16)
    b(1) = Bit.ShiftRight(25240249, 19)
    b(2) = Bit.ShiftRight(813273, 13)
    b(3) = Bit.ShiftRight(158558, 3)
    b(4) = Bit.ShiftRight(161742, 11)
    b(5) = Bit.ShiftRight(17179, 9)
    b(6) = Bit.ShiftRight(115360522, 20)
    b(7) = Bit.ShiftRight(1739763, 14)
    b(8) = Bit.ShiftRight(90615, 8)
    b(9) = Bit.ShiftRight(3627533, 16)
    b(10) = Bit.ShiftRight(178640, 15)
    b(11) = Bit.ShiftRight(478176268, 23)
    b(12) = Bit.ShiftRight(102901055, 21)
    Return BytesToString(b, 0, 13, "UTF8")
End Sub
L0ckN!nja7691
Program terminated (StartMessageLoop was not called).
 
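The two posts above (ac9ts explaining that each constant is just the byte shifted left, and emexes' generator that adds "smoke" bits around it) are easiest to judge from the attacker's side. The following is an added example, not code from the thread or from B4X: a Python script that recovers the password from any Sub X of this shape, including the thirteen constants from the first post, and a matching generator so the round trip can be checked. The regex, the function names and the generator's choice of shift range (2 to 23, mirroring emexes' code) are this example's own assumptions.

```python
import re
import secrets

# The thirteen statements from the thread's first post (Sub X), copied verbatim.
# The post says they decode to "L0ckN!nja7691".
ORIGINAL_SUB_X = """
    b(0) = Bit.ShiftRight(27027,5)
    b(1) = Bit.ShiftRight(1595584,15)
    b(2) = Bit.ShiftRight(1634018,14)
    b(3) = Bit.ShiftRight(28026,5)
    b(4) = Bit.ShiftRight(8506,2)
    b(5) = Bit.ShiftRight(4334958,17)
    b(6) = Bit.ShiftRight(902532,13)
    b(7) = Bit.ShiftRight(54759,9)
    b(8) = Bit.ShiftRight(11307,5)
    b(9) = Bit.ShiftRight(28197,9)
    b(10) = Bit.ShiftRight(27058,3)
    b(11) = Bit.ShiftRight(956333050,24)
    b(12) = Bit.ShiftRight(1634339,15)
"""

# Matches one obfuscated byte assignment, whatever spacing a decompiler emits.
SHIFT_RE = re.compile(r"b\((\d+)\)\s*=\s*Bit\.ShiftRight\(\s*(\d+)\s*,\s*(\d+)\s*\)")


def recover_password(b4x_source: str) -> str:
    """Recover the plaintext from the body of a Sub X.

    Storing an Int into a Byte keeps only the low 8 bits, so
    (value >> shift) & 0xFF is exactly what the app computes at run time;
    any smoke bits outside that 8-bit window are discarded the same way.
    """
    slots = {}
    for match in SHIFT_RE.finditer(b4x_source):
        index, value, shift = (int(g) for g in match.groups())
        slots[index] = (value >> shift) & 0xFF
    if sorted(slots) != list(range(len(slots))):
        raise ValueError("missing or duplicated b(i) assignments")
    return bytes(slots[i] for i in range(len(slots))).decode("utf-8")


def obfuscate(password: str) -> str:
    """Emit a Sub X in the same shape: a random shift per byte plus random
    smoke bits in every bit position outside that byte's window."""
    raw = password.encode("utf-8")           # work on bytes, not characters
    lines = ["Private Sub X() As String", f"    Dim b({len(raw)}) As Byte"]
    for i, byte in enumerate(raw):
        shift = 2 + secrets.randbelow(22)    # 2..23 keeps the constant below 2^31
        window = 0xFF << shift
        smoke = secrets.randbelow(1 << 31) & ~window & 0x7FFFFFFF
        lines.append(f"    b({i}) = Bit.ShiftRight({(byte << shift) | smoke}, {shift})")
    lines.append(f'    Return BytesToString(b, 0, {len(raw)}, "UTF8")')
    lines.append("End Sub")
    return "\n".join(lines)


if __name__ == "__main__":
    print(recover_password(ORIGINAL_SUB_X))   # L0ckN!nja7691
    sub_x = obfuscate("L0ckN!nja7691")
    print(sub_x)
    print(recover_password(sub_x))            # L0ckN!nja7691
```

The recovery needs nothing beyond the decompiled source and one regex, and the smoke bits change nothing because the Byte truncation that makes the app work also strips them for the attacker. That is the practical meaning of peacemaker's point earlier in the thread: an attacker does not even need the compiler to fold the constants, they can fold them with a one-liner. The technique only keeps the literal out of a `strings` pass over the JAR.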

Alex_197

IMHO, any operation where a password is needed should be done via some server that returns some API key (hashed value) after receiving some initial string from manual user input, a unique input like an email or phone number.
What about a man-in-the-middle attack? The attacker will get full access.
 

epiCode

What about a man-in-the-middle attack? The attacker will get full access.
Definitely!
I guess the objective is not to absolutely protect the password but just to make it a little difficult for rookie attackers.
 

tchart

As per my original post, the code was an implementation of something I found on GitHub.

The code just obfuscates text. This just helps avoid bad actors looking through your JAR file for strings.

Erel's obfuscated release will obfuscate the function names, but it doesn't obfuscate text. Hence the tool.

There are commercial tools out there that do similar things, but I just wanted something simple.

Plus I've noticed that some decompilers, e.g. JD-GUI, struggle to decompile the functions created by the tool when combined with Erel's obfuscated release build.
 