loading...
Cover image for How to encrypt strings & files in your source code?

How to encrypt strings & files in your source code?

pelock profile image PELock ・5 min read

I would like to introduce you to my Visual Studio Code extension - StringEncrypt. I've been working last week to make it work and I really enjoyed discovering Visual Studio Code ecosystem and its extensions API.

StringEncrypt Extension for Visual Studio Code

Encrypt and hide plain text strings & files contents within your source code in a secure & encrypted form with the help of a polymorphic engine, generating random-looking decryption code every time.

https://marketplace.visualstudio.com/items?itemName=PELock.stringencrypt

What it does?

It can turn your plain text strings or file contents into a random-looking encrypted mess. Take a look.

Before:

var superSecretPhrase = "Easy string encryption for developers!";

After StringEncrypt:

// encrypted with https://www.stringencrypt.com (v1.4.0) [JavaScript]
// superSecretPhrase = "Easy string encryption for developers!"
var superSecretPhrase = "\uBF59\uC4DE\uE963\uF128\uE48D\u0172\u0917\uF2DC" +
                        "\uFB41\u0A66\u0BCB\u1CF0\u1C95\u23BA\u2B5F\u3A44" +
                        "\u5929\u430E\u6953\u5378\u623D\u63A2\u74E7\u74AC" +
                        "\u8251\u8A37\u943C\u94C1\u9CE6\u830B\uACF0\uB3D5" +
                        "\uC23A\uCA5F\uCC44\uDA69\uBB0E\uEDD3";

for (var rOnpR = 0, FiuqR = 0; rOnpR < 38; rOnpR++)
{
        FiuqR = superSecretPhrase.charCodeAt(rOnpR);
        FiuqR -= rOnpR;
        FiuqR ^= 0xFFFF;
        FiuqR += 0x82A3;
        FiuqR = ((FiuqR << 5) | ( (FiuqR & 0xFFFF) >> 11)) & 0xFFFF;
        FiuqR += 0xE87C;
        FiuqR += rOnpR;
        FiuqR -= 0x7CB9;
        FiuqR = (((FiuqR & 0xFFFF) >> 7) | (FiuqR << 9)) & 0xFFFF;
        FiuqR ^= 0x4928;
        FiuqR += rOnpR;
        FiuqR --;
        FiuqR ^= 0xFC14;
        FiuqR -= 0x406C;
        FiuqR = (((FiuqR & 0xFFFF) >> 3) | (FiuqR << 13)) & 0xFFFF;
        superSecretPhrase = superSecretPhrase.substr(0, rOnpR) + String.fromCharCode(FiuqR & 0xFFFF) + superSecretPhrase.substr(rOnpR + 1);
}

How to use it in Visual Studio Code?

StringEncrypt is available as an extension to the context menu activated with a right-mouse click on the active editor window.

1. Insert Encrypted String

  1. Open the right-click menu in the active editor window
  2. Click on the Insert Encrypted String
  3. A dialog box will ask you to enter the string label e.g. encryptedStringLabel
  4. A second dialog box will ask you to enter the string to be encrypted e.g. "Hello, world!" (enter it without the quotes)

Insert Encrypted String Example

Note: In demo mode, label and an encrypted string length is only 6 characters max.

2. Encrypt Selected String

  1. Select any text in the active editor window (we recommend entering it on a new line)
  2. Open the right-click menu in the active editor window
  3. Click on the Encrypt Selected String
  4. A dialog box will ask you to enter the string label e.g. encryptedStringLabel

Encrypt Selected String Example

Note: This menu option is shown only if you select a string in your active editor window.

3. Insert Encrypted File

  1. Open the right-click menu in the active editor window
  2. Click on the Insert Encrypted File
  3. A dialog box will ask you to select a file for encryption (it can be a binary file or a text file)
  4. A second dialog box will ask you to enter the string label e.g. encryptedStringLabel

Insert Encrypted File Example

Note: This option is available only in the full version.

Say hello to polymorphic encryption!

Forget about simple xor encryption! StringEncrypt comes with a unique encryption engine.

It's a polymorphic encryption engine, similar to the encryption methods used by the software protection solutions and advanced computer viruses.

How it works?

Let me explain how the polymorphic encryption process works.

  1. A random set of encryption commands is selected (xor, addition, subtraction, bit rotations, bit shifts, logical negation etc.).
  2. A random set of helper encryption keys is generated.
  3. Every byte of the input string is encrypted with every encryption command in the random set.
  4. The decryption code in the selected programming language is generated with a reverse set of encryption commands.

More about polymorphic engines:

What does it mean?

The encrypted content is different every time you apply StringEncrypt encryption to it.

The algorithm is always unique, the encryption keys are always randomly selected and the decryption code is also unique for every time you use our encryption.

Features

  • Out of box support for UNICODE (WideChar type in C/C++ languages), UTF-8 (multibyte) & ANSI (single byte) strings encodings
  • Configurable minimum & maximum number of encryption commands
  • Different ways to store the encrypted string (as a global or local variable if the selected programming language supports it)
  • Wide array of supported programming languages
  • You can automate encryption process in your builds using our WebAPI interface

Supported programming languages

StringEncrypt engine supports code generation for the following programming languages:

Note: Visual Studio Code might not support some of the listed languages by default, you might install the extension first to support it (e.g. for Python), but you can always use our online interface to encrypt strings for it anyway.

Available editions

StringEncrypt can be used:

Extension settings

You can fine-tune encryption settings in the extension Settings page.

Free demo version limitations

The free demo version comes with some limitations.

Feature Demo version Full version
String encryption
File encryption (text or binary file)
Max. label length (characters) 10 64
Max. string length (characters) 10 4096
Max. file length (bytes) 4 MB
Min. number of encryption commands 3 50
Max. number of encryption commands 3 50

Purchase activation code

To remove the limitations and support our project and its development, you need to buy an activation code at:

https://www.stringencrypt.com/buy/

You can enter the activation code in the extension settings page. Each activation code has an assigned number of usage credits. You can use the software in full version as many times as you have usage credits on your account balance.

How to get a free activation code?

You can get a free activation code (500 usage credits) if you can advertise StringEncrypt service with a link to the project site https://www.stringencrypt.com/ at:

  • Programming forums
  • Programming blogs
  • Technical articles
  • Twitter / Facebook / other social media site
  • ...or any other website related to programming and development

Send me all the details at my contact address and if it's legit - bam!, you got yourself a free code :)

Free activation code for dev.to readers

Since this is the first release I would like to share this free activation code with dev.to readers:

E23B-FACD-1040-3833

It has 1234 usage credits, use it before others do :)

Posted on by:

pelock profile

PELock

@pelock

Reverse engineering services (source code recovery, legacy software modification, recovering software algorithms). Software protection, monetization & licensing solutions for developers.

Discussion

markdown guide
 

Can you think of any examples of where someone would want to do this in the real world?

 

Most common usage is to hide messages you don't want people to find with a simple text editor or a hex-editor, but you can do more:

  • Quickly encrypt file contents of your own and NOT do it with simple xor encryption (you will have to write an encryptor yourself anyway)
  • Encrypt secret API endpoints (e.g. in Python code that will be compiled to exe format afterward
  • Obfuscate JS strings
  • Encrypt C/C++ strings used in some licensing code, I've seen this countless times ("Your license has expired.", "Serial number is invalid" etc.)
  • Encrypt shellcode strings in Python exploits

This engine is incorporated into a few source code obfuscators too to hide the strings and make it hard for automated tools to deobfuscate it.

 

Encrypting endpoints sounds like a bad idea to me. It's security through obfuscation, which is defeated by either sniffing the network traffic or running a debugger. If someone's prepared to look through your code to find an API endpoint, they're not going to be put off by that sort of thing, and hiding API endpoints sounds like a recipe for disaster - at the very least it implies that your API is insecure.

"obfuscare js strings" is a weird one. Malware does that, but I can't think of any legitimate reason a programmer would want to do it. Is this mainly a tool pitched at malware authors?

I have listed a good number of legitimate uses, why you didn't comment on those at all? You don't think there is a legitimate case for encrypting files or messages within your source codes? This tool is mainly dedicated to regular software developers who might need a simple encryption to hide stuff from prying eyes. If you think there is no point in doing that - you have the right to your own opinion.

 

Malware authors do this all the time. Quite frustrating

 

Everyone is using encryption, in one form or another. I have seen many, many legit applications with encryption for simple messages, just to hide it from prying eyes. Encryption is used everywhere. To hide configuration settings, to hide database contents, to hide proprietary project formats. Most deployed JavaScript source codes on the web are either obfuscated (with some sort of encryption for strings and variables) or minified.

Most deployed Javascript is minified, not obfuscated.
Encryption is used mostly to secure communication between two parties or to restrict who can play your media (like DRM). I can't think of any use case for it in things like hiding configuration settings or database contents. The fact is, if your client-side code has to decrypt something, then the decrypted version exists on the client's computer, rendering the encryption moot.

Well Ben you didn't understand the purpose of this extension, it's not meant to replace traditional encryption algorithms like AES but to provide quick help for regular developers to hide simple things from curious users who might want to sniff around your source codes.

Encryption is used everywhere Ben. I did native, web, mobile development and everyone is using some forms of encryption. Communication channels encryption, messages encryption, database encryption (in automotive software for example), executables encryption to prevent cracking of software, configuration files encryption to prevent someone from tampering with the settings (a lot of games is doing that, also for static configurations), secret endpoints encryption, database connection strings encryption in desktop apps, static project files encryption to prevent patching it or easily stealing its content. Plenty of encryption everywhere.

Every decryption code gets executed at some point, no matter if you use AES, external DLL libraries in native apps or my solution.

 

It looks cool, but by the time someone has access to your source code, no encryption could save your secrets. If you really need to encrypt your secrets, use a dedicated secret manager (and probably fetch them over an encrypted channel).

 

That's not the point of this extension. The point is to quickly hide simple strings you don't want people to see with a text or hex editor like licensing system messages, secret API endpoints. Sure you can do it with a debugger, but people use simple encryption all the time, with this extension you can do it much faster without writing your own encryption code and decryption code, even a simple xor encryption would require you to write a dedicated code. Now if you would like to do it for multiple programming languages you would have to write separate code generators or algorithms.

 

First of all, I would like you to know that I am completely respectful to you and your efforts. The idea of turning off the source code of the programs is entirely based on making money, and it is an idea that all of us must oppose fundamentally. Open source code does not mean free. Different types of licenses were developed for this. My goal is not to start a discussion here, but I think you have chosen the wrong place to promote your program. Encouraging the developers to turn off the source code obviously makes me crazy. Of course I am not a developer, there is no reason to take my words seriously. I am just one who is committed to the idea of open source.

 

This software has nothing to do with the idea of open source (where did you see that?) or "turning off" source code to anyone. It's just a simple string and files encryption extension.

 

How do you unencrypted the text/files?

 

It works like this Ian:

  1. You select the file you want to encrypt
  2. You choose the label for the encrypted file contents
  3. The extension encrypts the file content for you
  4. Encrypted file content is placed within your source code
  5. Decryption snippet code is added to this encrypted data
  6. And after you run it - you got your decrypted file at your hands
 

v1.0.1 has been released fixing missed dependencies.