Do you encrypt your debugview output at sites?

Yes he means MyTable from CapeSoft. I even did a webinar on it. https://clarionlive.com/BrowseEpisodes/ww! 613

But youte asking the wrong question regarding debugview. The right question is “do you clean up your app between releases do it doesn’t output to debugview?”

Debugview is for debugging, and it’s hard to debug when there’s already lots of noise in debugview. So it’s really important to clean up your debugview messages when you’ve solved a problem. Keeping your debugview clean is good form, and will make your life easier.

That said, I judiciously leave in small amounts of debugview code, in areas where I know it’s useful on end user sites. Like if there’s an error on startup, or in the case of web servers some small amount of data on startup to help be sure everything is secure, and so on.

But do yourself a favour, and remove as much debug as you can as you go.

3 Likes

So do you encrypt that to keep the info away from prying eyes? Lets face it, most command line settings are simple enough for end users to run at their end and then data gets logged and sent back, even gpf reports are plain text when I last used them.

When I was looking around for what others did, IBM changed some commands so their debug output was encrypted around 2017 or 2018, and thats all I’ve really been able to find and yet I remember what some people do, they poke around with programs to see what they can learn from them, and I dont think its a good idea to make it easy for them with plain text debug output.

I had thought about doing a command line switch which is a sort of one time command line switch as I’ve seen that in use, but it still doesnt get around the problem of debugoutput is a good source of intelligence for working out how a program work if its in plain text.

The problem with encrypting your debug output is that it is no longer readable (to state the perfectly obvious).

I was thinking of making a version of UltimateDebugView that could decrypt and display the ud.Debug messages. But this would require me to ship the new UltimateDebugView to the client, defeating the whole point. Or am I missing something?

Until you get the data back onto your machine and decrypt it in order to see what the debug output is.

You only need the encryption in ultimate debug and a standalone app to decrypt on the dev machine.

I dont want you to think I’m having a stealth dig at you because of the timing of the post, its just I check out apps and you’d be surprised how bad some of them are, and considering the templates and classes, I think this is an easy win for Clarion users.

Have a look at this image of this debugview template I wrote Control debugview messages going to specific instance of debugview. Possible? - #6 by anon23294430

It lets you use debugview at live.sysinternals.com and its sending debugview output over the internet, probably unencrypted so everyone with infrastructure access can view whats going on, ie the spooks.

So I’m just as guilty of not encrypting debugview output. :worried:

That didn’t occur to me, but it did make me think about the stuff I put in my debug messages :grinning:

I was thinking of another way to keep the messages secret: add a password as a parameter, eg

LCLesson.exe /DEBUG=OpenSesame

where “OpenSesame” is the password to produce decrypted messages. So even if the hacker guesses the /DEBUG parameter from inspecting the code, he will not be able to understand the messages.

The other option would be to include a /LOG option to write the (encrypted) messages to a log file, and then retrieve them and decrypt them on my PC. That would require writing an app to do that.

No, it is downloading and executing the dbgview.exe file locally on the machine where the messages are being generated, according to the screenshot in the other thread.

That would make life more convenient, but if you have downloaded and used decompilers like ghidra, its less than a 5 min job tracking down the password for the command line. I used to use PCTool’s hex editor to go through apps and workout strings etc in the DOS days.

I was thinking something like PGP with a public key stored in the app and the public key being unique for each instance of the app. I dont know how many public keys PGP works with.
Potentially, this way if an app popped up on a warez site, and I’ve seen some clarion addons appear on warez sites like @BoxSoft, then you know the client who uploaded it, or has poor IT security, if it wasnt the developer themselves. :wink:

Another point is, when looking at infosec advice like this example Codesigning - Need alternative to Comodo - #9 by anon23294430
in general, there arent really any discussions or focus on how to make an app more secure for the software company or their end users.

This discussion/thread is one example of looking at making an app more secure for both.

For example, we are predominantly creating end user database apps, yet there is no regulatory compliance to ensure we have employed best practices in the design of said software.

Now if you were in the financial world, there is so much compliance paperwork its almost a joke. So Govt’s obviously demonstrate their ignorance or priorities.

Edit.

Is it really that easy to download code onto someone’s machine from the internet? :crazy_face:

It used to be that easy a few years ago. Now you have to jump through a few more hoops: https://live.sysinternals.com/Dbgview.exe instead of \\live.sysinternals.com\Dbgview.exe

Of course sysinternals dbgview is showing it’s age. It’s substandard when compared to debugViewPP aka debugView++

1 Like

Having experimented a bit further with debug messages I think the only practical way of encrypting debug messages is not to have them at all. Just comment them all out when you ship a production version.

if you write ud.debug('This is my debug message') then even if it appears in debug view as 54686973206973206D79206465627567206D657373616765 it still appears in the EXE as the string ‘This is my debug message’, so what’s the point? Anyone analysing the EXE is going to find the messages included in the code as being extremely useful, along with the names of procedures and functions, etc.

So if you don’t want your code analysed by someone else, you’ll have to write obfuscated code. Good luck with that.

I have been reviewing my app that uses Capesoft MyTable for encryption, and it requires 2 secrets. If you provide them as literals, e.g. ‘OpenSesame’ then they are stored as such in the EXE. Not particularly secure. You could store it as ‘4F70656E536573616D65’ which is the Hex version, and this will defeat the casual observer, but ‘ukROzIObFmzITL8xwxzI’ is probably better. (It’s the output of xHide(‘OpenSesame’), a function I use in Access VBA. But then don’t call the de-obfuscation function something like “UnHide” because it will give the game away to a determined hacker.)

Has @CarlBarnes or anyone else written a class to obfuscate/de-obfuscate text strings? I’m wary of reinventing the wheel.

My scrambler class re-arranges the existing text. I do have more robust solutions, but they’re not appropriate to make public. GitHub - jslarve/AmbleScrayLite: Scramble text by way of a password

I’m contemplating posting a version that also does substitution, though.

1 Like

You can play with the javascript version here, without having to clone it.

https://htmlpreview.github.io/?https://github.com/jslarve/AmbleScrayLite/blob/main/JavaScript_POC/index.html

Thanks, I’ll take a look. I love the name :smiley:

My minds doing overtime, whats inappropriate about them?

Edit. Anyone else finding the poll results dont seem to work?

Maybe a template that encrypts the debugview message when its released for production?

This is something I’ve been toying with my debugview template, its partly why I’ve asked on here what others think but it means calling dll’s from the template to encrypt the messages before its compiled and would mean having to use code templates which can admittedly break up sections of embed code, but its the only way I can see that would make it quick and easy to encrypt the debugview output.

As the source code for Debugview++ is on github, I think it would be possible to fork it and modify it to automatically decrypt the debugview output to make it as seamless as possible.
The main thing is the code templates would be storing the debugview output encrypted inside the exe, affording a level of protection from those using reverse compilers like the NSA Ghidra.

Is it possible for a template to modify handwritten code in insert points? If so, what template code would I need to comment out lines beginning with " ud.debug"

I’ll be interested to see if anyone has a way to do that.

At first I thought “why not just have a wrapper around ud.debug() that checks some switch?” but then I read earlier in the thread and saw you did not want the output strings to be in the exe.

if it is not possible at code generation time, perhaps you can write a simple “post generation” program to process the code before it is compiled and put it in the project. You would need to be careful if any of your debug statements were split over more than one line.

I seem to recall the #PROJECT system has pre and post build events but do not know much about that - hopefully someone else can help with that if you end up going down that route.

An alternative is to wrap all your ud.debug() statements in either COMPILE or OMIT statements with a compile time switch - but that might be a bit tedious. Mind you a code template could do that easily.

1 Like

No template currently on the market that I know of :wink:, but export to a TXA and then search and replace, then reimport the TXA. Job done.

I think I may have found a way to hide “secrets” in plain sight. These are generally the Achilles Heel of any encryption system.
Firstly, I defined some local variables in the Main routine of my generated app:

strSecret       string(16)
strAlpha        string(96)

Then I ran this code in the Open Window embed point:

!                    1         2         3         4         5         6          7         8          9
!           123456789012345678901234567890123456789012345678901234567890123456 78901234567890123456789 01
strAlpha = ' AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz1234567890[.<<(+!&]$*);^-/|,%_>?`:#@''="'
!                                                                            <                       '
strSecret = strAlpha[32] ! P
strSecret = clip(strSecret) & strAlpha[3] ! a
strSecret = clip(strSecret) & strAlpha[39] ! s
strSecret = clip(strSecret) & strAlpha[39] ! s
strSecret = clip(strSecret) & strAlpha[55] ! 2
strSecret = clip(strSecret) & strAlpha[47] ! w
strSecret = clip(strSecret) & strAlpha[31] ! o
strSecret = clip(strSecret) & strAlpha[37] ! r
strSecret = clip(strSecret) & strAlpha[9] ! d
glo:secret1 = clip(strSecret)
!ud.debug(strSecret) ! Don't blab it to the world

The result is “Pass2word” which you save to the (global) variable that needs to store the secret. This takes a bit more work than storing it as a literal string, but the extra effort is worth it IMHO.

CapeSoft MyTable has two secrets like this, and its default (for simplicity’s sake) is to store it in a literal string, but you can see the literal strings in the EXE. Hence the need to hide it in plain sight.

With this method, it is a lot more difficult to figure out the secret, and all you see in the EXE is the following:
Capture

It gives no indication of what the password might be. Hidden in plain sight. A disassembler might find it, but a simple inspection of the text strings in the EXE will not.

A further way to make casual inspection a bit more difficult is to use UPX to compress the EXE. When I tried it, the resulting EXE was about a tenth of the size of the normal EXE, and it ran perfectly.

I realise this is all “security through obscurity”, but it does raise the bar a bit more than normal.

PE Format - Win32 apps | Microsoft Learn

Portable Executable - Wikipedia

If you know what to expect, it would be possible to work out that technique and use STRPOS and MATCH to load a pe file and pull that sort of stuff out automatically. Lee White had recommended something similar on the ngs back in the C6 days which I used to use myself.

Boot sector of an infected floppy from 1986 Thats 36 years ago.

Image file with encrypted code stored in it using xor. This exe is locating the malware from inside itself, like resource files that can include icons (stenography risk), cursors and other files, XORing itself and then running the malware.

AV scanners have to look for signatures, which can include “encrypted” strings inside a file.

Plus there are also different implementations of functions like CRC32 as noted here

So hypothetically, if you have an implementation of CRC32 which is not known to others or little used, then would AV scanners pick up an anomalous string inside a PE file and go to the effort of reverse engineering the string in order to find out what it might contain and then look elsewhere in the exe to see if there are any built in functions to decrypt said anomalous string?

My setup builder installations were always generating false positives, I wasnt along which became a bit of nuisance and I couldnt use capesoft’s cryptonite to encrypt data which could be decrypted by other apps and websites because there were different implementations of encryption algo’s used.

But the above will give you an idea of the process involved in trying to find viruses and malware hidden inside PE files. With that in mind, and the automatic submission of PE files to the AV company, if the AV scanners cant automatically reverse engineer a PE file using some of the techniques shown above, they have to manually reverse engineer it using tools like the NSA’s ghidra and what ever else they have developed themselves internally. I’m reminded of the fact that Stuxnet took over a year to reverse engineer by F-Secure because of the “engineering” or obfuscation that had gone into it.

Now with clarion, we have the appgen which generates the code for us, and then it automatically compiles it. Now one of the reasons for me to write some templates to edit templates is to have a template which will obfuscate the generated code before it gets compiled. The C7+ ide has the new command line interface (CLI) called ClarionCL where it would be possible to use this to control the generation and compilation process even further.

TLDR the techniques used by Basit and Amjit (the floppy boot sector 1986 guys) and the Russian chap in the 2nd ted talk link could be used to help protect your exe. Whats good for the goose is good for the gander! :wink:

One of the advantages of Clarion over virtually every other programming IDE is the templates, you can use them to do stuff automatically, like encrypt strings before compilation when an app is compiled in release mode. I cant think of anything in Visual studio or even Windev (considering its closed nature) where that level of flexibility and convenience to generate code for different situations and requirements exist. Do you?

Edit. There is also TUFO which is worth looking at. So this changes in different versions of clarion as noted here How to determine the passed Data Type in a ? (any) parameter? - #7 by anon23294430
but I’ve since written some code which can enumerate the TUFO structure automatically which can be handy as well for obfuscation purposes.

Here is allegedly an example of obfuscation in code, a single number for a backdoor
Sam Bankman-Fried’s ‘Secret Backdoor’ Worth $65 Billion, Court Hears (archive.ph)

Mr Wang created this back door by inserting a single number into millions of lines of code for the exchange, creating a line of credit from FTX to Alameda, to which customers did not consent," he added. "And we know the size of that line of credit. It was $65 billion.

Appear weak when you are strong, and strong when you are weak . - Sun Tzu

Edit. And lets not forget all the social engineering that goes on in plain sight either.

1 Like

Hi Donn - It’s nice to obfuscate stuff in the EXE, but if it’s decoded in memory then oftentimes you can see that stuff when you do a dump through process explorer or open the process with an editor that supports it, such as 010 editor. Not saying this isn’t useful to do, but you can’t stay too confident that it would actually protect your secrets.

Chilkat has a “Secure String” library. Haven’t done anything with it, but it would seem to me that it would be difficult to always have that data secure, even with that, because presumably you’d actually want to use that data somewhere.

1 Like