Lukasz Sokol wrote:
On 13/07/16 08:31, Mark Morgan Lloyd wrote:
Michael Van Canneyt wrote:
On Tue, 12 Jul 2016, Mark Morgan Lloyd wrote:

Please excuse one of my regular silly questions. Elsewhere, a (former) Delphi programmer is uneasy having found that his binaries have had embedded SQL queries, passwords and so on visible "in clear" for the last 20 years or so.

Can FPC be told to obfuscate ResourceStrings?

No. The default value for resourcestrings is stored as-is in the binary.

To solve this, I store the username/password encrypted in the binary as consts, and they are decrypted when needed.

Sometimes it's difficult to avoid having to do that sort of thing, or obfuscating them in an external file.


Could it help to try doing this after linking the program binary, to build the resources and scramble them using the program binary part checksum (or have it seed a PRNG and/or derive an encryption key / key pair from it)?

Not that I know how ;) and whether such a thing is viable at all - or desirable (since an executable would always have to be distributed with matching resources build). But how would that be for an idea? ;)

Thinking this sort of thing through, and focussing on reasonable obfuscation rather than rigorous encryption, one possibility would be to put a passphrase in the executable stored with (say) nibbles reversed, then to subtract each letter of this from obfuscated resourcestrings when they were needed.

Subtracting a couple of test paragraphs (start of Genesis, start of the American declaration of independence) gives a fairly even distribution of bytes in the range -84 through +87 (this would need to be tested with a much larger corpus). This would probably be good enough to deter people who thought they might be able to find passwords using a simple file viewer.

Can anybody comment on what effect using UTF8 would have rather than simple ASCII?

--
Mark Morgan Lloyd
markMLl .AT. telemetry.co .DOT. uk

[Opinions above are the author's, not those of his employers or colleagues]
_______________________________________________
fpc-pascal maillist  -  fpc-pascal@lists.freepascal.org
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal
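
The scheme described in the last message, as an added Free Pascal example that is not code from the thread: the passphrase is embedded with its nibbles swapped and is added to, or subtracted from, the string byte by byte, modulo 256. Because it works on bytes, UTF-8 text round-trips the same way as ASCII, although the obfuscated bytes are no longer valid text; the key `Pascal`, the sample string and all identifiers are constructed for illustration.

```pascal
program ObfDemo;
{$mode objfpc}{$H+}
uses SysUtils;

type
  TByteArr = array of Byte;

const
  // Constructed sample key: the passphrase 'Pascal' with each byte's nibbles swapped.
  StoredKey: array[0..5] of Byte = ($05, $16, $37, $36, $16, $C6);

// Undo the nibble swap for the key byte that lines up with position I.
function KeyByte(I: Integer): Byte;
var B: Byte;
begin
  B := StoredKey[I mod Length(StoredKey)];
  Result := ((B shl 4) or (B shr 4)) and $FF;
end;

// Build-time step: add the passphrase to the string's bytes, modulo 256.
function Obfuscate(const S: AnsiString): TByteArr;
var I: Integer;
begin
  SetLength(Result, Length(S));
  for I := 0 to Length(S) - 1 do
    Result[I] := (Ord(S[I + 1]) + KeyByte(I)) and $FF;
end;

// Run-time step: subtract the passphrase again, modulo 256.
function Reveal(const B: TByteArr): AnsiString;
var I: Integer;
begin
  SetLength(Result, Length(B));
  for I := 0 to High(B) do
    Result[I + 1] := Chr((B[I] - KeyByte(I)) and $FF);
end;

var
  Plain: AnsiString;
  Obf: TByteArr;
  I: Integer;
begin
  // Constructed sample; #$C3#$AB is the two-byte UTF-8 encoding of e-diaeresis.
  Plain := 'pwd=Zo'#$C3#$AB'!';
  Obf := Obfuscate(Plain);   // in real use only these bytes would be embedded
  for I := 0 to High(Obf) do Write(IntToHex(Obf[I], 2), ' ');
  WriteLn;
  WriteLn('round trip ok: ', Reveal(Obf) = Plain);
end.
```

The binary carries both the stored key and the routine that reverses it, so this hides strings from a simple file viewer and nothing more, which is the goal the message sets.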