<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: LulLaS</title>
    <description>The latest articles on DEV Community by LulLaS (@rolanfreeman6png).</description>
    <link>https://dev.to/rolanfreeman6png</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4018557%2F88d64be5-89e4-41a4-ad56-0af90066a98a.png</url>
      <title>DEV Community: LulLaS</title>
      <link>https://dev.to/rolanfreeman6png</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/rolanfreeman6png"/>
    <language>en</language>
    <item>
      <title>How to hide strings in C++ binaries with consteval</title>
      <dc:creator>LulLaS</dc:creator>
      <pubDate>Tue, 07 Jul 2026 02:06:48 +0000</pubDate>
      <link>https://dev.to/rolanfreeman6png/how-to-hide-strings-in-c-binaries-with-consteval-1bkh</link>
      <guid>https://dev.to/rolanfreeman6png/how-to-hide-strings-in-c-binaries-with-consteval-1bkh</guid>
      <description>&lt;h1&gt;
  
  
  How to hide strings in C++ binaries with consteval — and why it beats xorstr
&lt;/h1&gt;

&lt;h2&gt;
  
  
  The problem
&lt;/h2&gt;

&lt;p&gt;Every C++ binary has strings. &lt;code&gt;strings.exe&lt;/code&gt; reads them. Competitors see your API keys. Reverse engineers find your logic. Anti-cheat detects your function names.&lt;/p&gt;

&lt;h2&gt;
  
  
  The old way — xorstr (constexpr XOR)
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;
cpp
auto key = xorstr_("my_api_key");

Problem: constexpr depends on the optimizer. MSVC doesn't fold it — plaintext leaks to .rodata. Also: dangling pointer in xorstr_() macro (returns char* from temporary).

StealthLib — consteval (compiler-independent)
auto key = S("my_api_key");
consteval forces compile-time evaluation on every compiler. Plaintext is consumed during translation — never emitted. Verified by binary_scan_test on MSVC + GCC + Clang.

Differential testing
Same strings, same compiler, same platform:

StealthLib: 7/7 PASS
xorstr:     3/7 FAIL (dangling pointer)
What else is inside
Hash-based API resolution (no API names in binary)
4-channel anti-debug (PEB + NtQuery + rdtsc + DR registers)
IAT/EAT integrity checks
VM detection (CPUID + DMI + disk)
FIPS-180-4 SHA-256
Per-build key rotation (16 variants)
RAII auto re-encrypt guards
Quality
6 SAST tools clean: PVS-Studio (0 findings), SonarCloud (A ratings), CodeQL, Coverity (0.17 density), Semgrep, Codacy.

4.5 billion fuzz executions, 0 crashes. 40 mutation tests, 100% killed. 94.6% coverage.

GitHub
https://github.com/rolanfreeman6-png/stealthlib
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

</description>
      <category>cpp</category>
      <category>security</category>
      <category>programming</category>
      <category>showdev</category>
    </item>
  </channel>
</rss>
