How to read a password protected zip file

[dehseth]

yeah but the more compression I use, the longer loading time, right?

[Murloc992]

Dunno srsly, I use no compression I have even managed to load files for irrklang from my archives, I mean sound files

[hybrid]

No, the loading times will be smaller. The file is much smaller, and decompression is usually way faster than compression. Hence you won't see much difference between the decompression methods. Some may take more memory while decompressing, though (bzip2 is known for this).

[Bate]

Isn't that a little too obvious?

Also, I don't understand why the exact source code is visible since the test exe was compiled in release mode (VC++ 2008) with all debug options disabled.

[hybrid]

Yes, that's why the password member was made public, which allows arbitrary access with any obscurity measures you want. However, I've been one of those who always warned that encryption does not help much to protect your assets.

[Bate]

Indeed, so in this respect : Why does IrrLicht support encryption at all if it doesn't protect anything?

[Acki]

well, to store the password as a complete string isn't a good idea (obviously)...
when I use passwords then I build up the password along the source code and I don't use obvious names...

example (the password shall be "ABCDEFG"):

Code: Select all

stringc entityName("A"); // don't name the string "password" ;))
... some other code lines ...
entityName += "BC";
... some other code lines ...
entityName += "D";
... some other code lines ...
entityName += "E";
... some other code lines ...
entityName += "FG";
... some other code lines ...
// use the password now...
entityName = ""; // delete the password after use

I know this isn't realy save, too...
but it's more secure than storing the whole word at once...
this way you won't see the password with an hex editor, you'll have to trace the memory to get it and as it's just temporary created and deleted right after usage it's also not too easy to get the password...

[dehseth]

I think there's no way to protect any resource/game. Even PS3 hacked! Every game/application has a serial and/or crack

[hybrid]

The idea is to give all users complaining about lack of encryption support the ability to do what they think is nice. And the rest simply should think about it and do what they always did. Anyway, it's a nice feature that we will also extend to arbitrary encryption functions etc.
Acki: Debuggers can easily trace memory areas, so you just need to check changes to the address of the pw field. So your code will only prohibit some more script kiddies to access the zip file. Although exactly that's the idea I had in mind when making the pw member public. Another idea would be to define a salt value in IrrCompileConfig, and XOR the pw with that value. But I guess everyone needs to define his own level of security and obscurity.

[Lambda]

Isn't that a little too obvious?

Also, I don't understand why the exact source code is visible since the test exe was compiled in release mode (VC++ 2008) with all debug options disabled.

You see the line because you have the source code in your computer and ollydbg reads the PDB, if you give the exe without the PDB to other user it can't see the line, however the password will show in the dissasembly.

[omaremad]

Sorry to bump this thread, but Im also seeking peoples opinion on this.
It is possible to protect the assests 100% problem is almost always there is a way to reveal the keys due to some exploit than to go in and rob the comapny safe

Ackis trick is quite good, but may be optimised by the compiler at compile time and the result string is still stored in the excutable... another way would be to do his trick with the variables assigned volatile so the compiler doesnt mess with the optimisation and has to do it in realtime.

Still anyone can use a mem dumper or diasm and work out the sequence of comamnds to generate the code.

Anyone have any ideas how to foolproof this problem? Hashing would be the same as acki's solution except it would be one way... meaning even if you have the hash you cant make the password but... the zip file needs the password to be decoded...

[Lonesome Ducky]

If any of us here had a foolproof way of protecting assets, then we'd be rich by now. There's ways around everything. Even if you encrypt your meshes or textures in the most secure way possible, they could still be lifted from the graphics card. It's really only helpful to secure them in a small amount, so those with limited knowledge can't get them. But if someone knows what they're doing and they want it, they have plenty of ways of getting it.

[Radikalizm]

To protect my assets I use a home-made binary format which tries to obscure the data to anyone who does an attempt to parse the file on his/her own
I never use any form of password protection or hard encryption

To prevent people from modding my assets I use a simple magic number system and info about the file in the file header (which does not give away any info at all about the data it's storing), so the engine can do calculations about what it can expect about the data in the file
If this data does not match up with what the engine actually reads, the file will be ignored
I've let some people at it, and the conclusion was that it's pretty damn hard to get the engine to accept any external changes at all, let alone complex mods

This does not prevent people from hacking my asset files, modding them, or stealing information from them tho, it just makes it a lot harder so the little script kiddies stay away from it