
Securely store a string in a C++ program?

Started by August 24, 2024 10:39 PM
17 comments, last by a light breeze 2 months, 1 week ago

I am looking for a way to store a string in a C++ program, preferably in code, without making it visible in a hex editor that opens the executable. I can think of many different ways to do this, but if any simple standard way of doing this exists, that would be better. I don't know much about “secure strings” but these seem to be focused on zeroing memory after the string goes out of scope, which is not the primary issue I am trying to solve.

How can I prevent a string from being visible when a program is opened in a hex editor or similar tool?

10x Faster Performance for VR: www.ultraengine.com

ROT13 if you want fast and easy. LOL. RSA is another algorithm, but not so fast, and not so easy.


If your main goal is to simply hide from string dumpers, just add a preprocessor step to your project. Put all the readable strings into a JSON file or something. Have a script/program read that file and dump all of them to a C++ source file with the strings already encoded. Then you just need a decode function in your actual program.

Amateurs practice until they do it right. Professionals practice until they never do it wrong.

Use a pseudo-random number generator with a known start-value or apply a CRC function on the string, and XOR the characters with a part of that number.

Well, any form of encryption as mentioned causes a need for annoying conversations.


So instead this:

std::vector<std::string> props = {"health", "xp", "dlc_obtained"};

I would use this:

enum props {health, xp, dlc_obtained};

Ooh !

I thought you had text to display but didn't want it trivially readable (e.g. in a text adventure game).

For names of properties etc, I fully agree with JoeJ. A number beats any string literal any day.


If you just want to hide text, there's nothing wrong with using a simple XOR function:

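#include <string>

// XOR every byte with a fixed one-byte key; calling it twice restores the input.
std::string XORString(const std::string& in) {
    const char key = 23;
    std::string out = in;
    for (std::size_t i = 0; i < in.size(); i++) {
        out[i] = in[i] ^ key;
    }
    return out;
}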

The same function encrypts and decrypts. Key can be anything (one or more chars). You didn't mention the word “password”, so this is obviously not secure for that particular purpose. The key is only 1 character, it can easily be reversed by brute-force in less than a second. 🙂

This is a gaming forum. If we're talking about text in game resources and not passwords, then I choose obscurity over security.

If you obfuscate strings with weak encryption (e.g. ROT13) a hex editor or statistical analysis tool can see through it.

If you obfuscate strings with stronger but still insecure means (e.g. any current stream cypher with a key somewhere in your file) you are putting the encrypted blobs in your program in the limelight, guiding even relatively inexpert hackers in their attempts to extract strings.

If you obfuscate strings with annoying techniques (e.g. convoluted assemblage of disparately encoded fragments) the hacker's effort is at most proportional to your own.

So if you want to prevent casual spoilers and editing, minimum effort scrambling is a good choice; if something needs to be secure you cannot put keys in your program in any case. Anything in the middle is just a collateral game you are entertaining hackers with.

Omae Wa Mou Shindeiru

Show me code, please! :D

10x Faster Performance for VR: www.ultraengine.com

https://github.com/sjhalayka/RSA

This topic is closed to new replies.
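
An added example, not code from any poster in this thread: the build-step encoding and the XOR function suggested above, combined so that the compiler does the encoding through constexpr evaluation and only XOR-ed bytes are stored. The key bytes, the sample text and all names (Obfuscated, obfuscate, kGateText) are constructed for illustration, and as the replies note, the key sits in the binary, so this hides text from casual inspection only.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Constructed key for illustration. It ships inside the executable, so this
// only defeats string dumpers and hex-editor browsing, not a debugger.
constexpr unsigned char kKey[] = {0x5A, 0xC3, 0x17, 0x8E, 0x21};

template <std::size_t N>
struct Obfuscated {
    unsigned char data[N]{};

    // Runtime decode: XOR with the same rolling key, dropping the trailing NUL.
    std::string decode() const {
        std::string out(N - 1, '\0');
        for (std::size_t i = 0; i + 1 < N; ++i)
            out[i] = static_cast<char>(data[i] ^ kKey[i % sizeof(kKey)]);
        return out;
    }
};

// Encoding step. When the result initialises a constexpr object the loop runs
// in the compiler, which stands in for the separate build-time script.
template <std::size_t N>
constexpr Obfuscated<N> obfuscate(const char (&text)[N]) {
    Obfuscated<N> o{};
    for (std::size_t i = 0; i < N; ++i)
        o.data[i] = static_cast<unsigned char>(
            static_cast<unsigned char>(text[i]) ^ kKey[i % sizeof(kKey)]);
    return o;
}

constexpr auto kGateText = obfuscate("You open the rusty gate.");  // sample text
static_assert(kGateText.data[0] == ('Y' ^ 0x5A), "encoded at compile time");

std::string gate_text() { return kGateText.decode(); }

// True if the plaintext word still appears in the stored (encoded) bytes.
bool stored_bytes_contain(const std::string& word) {
    const std::string raw(reinterpret_cast<const char*>(kGateText.data),
                          sizeof(kGateText.data));
    return raw.find(word) != std::string::npos;
}

int main() {
    std::cout << gate_text() << '\n';
    std::cout << "plaintext in stored bytes: " << stored_bytes_contain("rusty") << '\n';
}
```

Run `strings` over the release build to confirm the compiler did not also emit the original literal; that depends on compiler and optimisation settings.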
