
It's not paranoia if they're really out to get you


In this post I want to present my string-handling scheme, which many have called excessively paranoid. Strings are obfuscated at compile time, deobfuscated only when they are used, and zeroed on the stack once they are no longer needed.

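For the purposes of obfuscation, a simple substitution cipher is sufficient. Bear in mind that this only keeps the plaintext out of a static strings dump: the substitution table and the decoder ship inside the same binary, so the scheme provides no confidentiality against anyone who analyses the program or inspects its memory while a string is decoded.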

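// Substitution table shared by the encoder and the decoder.
// Each row is { plaintext character, encoded character }: EncodeString matches on
// column 0 and emits column 1, ObfString matches on column 1 and restores column 0.
//
// For decoding to be unambiguous the table has to be one-to-one: no character may
// appear twice in either column, and no encoded value may equal (c ^ 0x5) for a
// character c that is absent from column 0, because unmapped characters fall back
// to that XOR. With the rows shown, L')' is unmapped and L')' ^ 0x5 == L',', which
// the decoder would turn into L'1' -- so L')' needs a row of its own.
//
// The {L'\0', L'\0'} row keeps the terminator intact when the decoder is handed a
// length that includes it.
//
// This is obfuscation, not encryption: the table is a constant inside the program.
constexpr WCHAR SubstitutionMap[][2] =
{
    {L'\0', L'\0'}, {L',', L')'}, {L'1', L','}, {L'a', L'Z'}, // And so on ...
};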

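// Deliberately NOT constexpr. EncodeString calls it when a character would not
// survive an encode/decode round trip; reaching a non-constexpr call during
// constant evaluation is a compile error, so a lossy table is caught at build time.
inline void ObfuscationMapIsNotReversible() noexcept {}

// Encodes a wide string literal at compile time.
//
// Each character is replaced by its partner from SubstitutionMap (column 0 ->
// column 1); characters without a row are XORed with 0x5 instead. The terminator
// at index N - 1 is written as L'\0' without going through the table.
//
// String: wide string literal of N elements, terminator included.
// Returns: std::array of N elements holding the encoded text plus the terminator.
//
// The function also replays the decoder's lookup (column 1 -> column 0, else
// XOR 0x5) for every character it emits. If the result differs from the input,
// the table and the XOR fallback collide for that character and the string would
// be silently corrupted at run time, so compilation is failed instead.
template <std::size_t N>
consteval std::array<WCHAR, N> EncodeString(CONST WCHAR(&String)[N])
{
    std::array<WCHAR, N> EncodedString = {};

    for (SIZE_T Index = 0; Index < N - 1; ++Index)
    {
        CONST WCHAR Plain = String[Index];

        // Fallback for characters that have no row in the table.
        WCHAR Encoded = static_cast<WCHAR>(Plain ^ 0x5);

        for (CONST AUTO& Pair : SubstitutionMap)
        {
            if (Pair[0] == Plain)
            {
                Encoded = Pair[1];
                break;
            }
        }

        // Replay the decoder on the value just produced.
        WCHAR Decoded = static_cast<WCHAR>(Encoded ^ 0x5);

        for (CONST AUTO& Pair : SubstitutionMap)
        {
            if (Pair[1] == Encoded)
            {
                Decoded = Pair[0];
                break;
            }
        }

        if (Decoded != Plain)
        {
            ObfuscationMapIsNotReversible();
        }

        EncodedString[Index] = Encoded;
    }

    EncodedString[N - 1] = L'\0';
    return EncodedString;
}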

The following object is then initialised: its constructor deobfuscates the string in place and its destructor overwrites it with zeros, so the plaintext exists in memory only for the lifetime of the object.

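// Scoped plaintext view over an encoded wide string.
//
// The constructor decodes the caller's buffer in place and the destructor
// overwrites that same buffer with zeros. The object neither copies nor owns the
// storage; it only records the pointer and the element count.
//
// NOTE(review): the class is still copyable. A copy shares the pointer, so the
// first destructor to run wipes the text under the other object. Consider
// deleting the copy and move operations if no caller relies on them.
class ObfString
{
public:

    // Decodes Size elements starting at Source, in place.
    //
    // Source: encoded text. Although the parameter is pointer-to-const, the buffer
    //         is written to, so it must refer to writable storage (for example the
    //         non-const array returned by EncodeString), never to a literal or a
    //         const object.
    // Size:   number of WCHAR elements (not bytes) to decode and later wipe.
    //
    // A null Source is treated as an empty string.
    explicit ObfString(IN CONST LPCWCHAR Source, IN CONST USHORT Size) noexcept
        : Buffer{ const_cast<PWSTR>(Source) }, Length{ Size }
    {
        if (Buffer == nullptr)
        {
            Length = 0;
            return;
        }

        for (USHORT Index = 0; Index < Length; ++Index)
        {
            CONST WCHAR Encoded = Buffer[Index];

            // Characters without a table row were XORed by the encoder.
            WCHAR Decoded = static_cast<WCHAR>(Encoded ^ 0x5);

            for (CONST AUTO& Pair : SubstitutionMap)
            {
                if (Pair[1] == Encoded)
                {
                    Decoded = Pair[0];
                    break;
                }
            }

            Buffer[Index] = Decoded;
        }
    }

    // Pointer to the decoded text; valid only while this object is alive.
    [[nodiscard]] PWSTR buf() CONST
    {
        return Buffer;
    }

    // Number of WCHAR elements covered by the buffer.
    [[nodiscard]] USHORT len() CONST
    {
        return Length;
    }

    // Overwrites every element of the buffer with zero.
    //
    // Length counts WCHAR elements, so the wipe walks elements rather than bytes;
    // passing Length as a byte count would clear only the first half of the text.
    // The stores go through a volatile pointer so the optimiser cannot drop them
    // as dead writes.
    ~ObfString()
    {
        volatile WCHAR* Wipe = Buffer;

        for (USHORT Index = 0; Index < Length; ++Index)
        {
            Wipe[Index] = L'\0';
        }
    }

private:
    PWSTR Buffer{};
    USHORT Length{};
};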

Example usage:

// Expected output:
//   Original: LVhi&Y0AgY61;1
//   Deobfuscated: Luci4 was here
//   After going out of scope:
//
// The last line printing nothing only shows that the first element is zero,
// because %ws stops at the first terminator. To confirm the wipe, inspect every
// element of the array rather than relying on the printed result.

// Encoded at compile time; the array holds the obfuscated text and its terminator.
auto Encoded = EncodeString(L"Luci4 was here");
WCHAR* const Storage = Encoded.data();

printf("Original: %ws\n", Storage);

{
    // Decodes Storage in place for the duration of this scope.
    ObfString Decoded(Storage, Encoded.size());

    printf("Deobfuscated: %ws\n", Decoded.buf());
}   // ~ObfString runs here and zeroes the buffer

printf("After going out of scope: %ws\n", Storage);