[fpc-pascal] Resource strings, passwords etc.

Mark Morgan Lloyd markMLl.fpc-pascal at telemetry.co.uk
Wed Jul 13 10:39:30 CEST 2016


Lukasz Sokol wrote:
> On 13/07/16 08:31, Mark Morgan Lloyd wrote:
>> Michael Van Canneyt wrote:
>>> On Tue, 12 Jul 2016, Mark Morgan Lloyd wrote:
>>>
>>>> Please excuse one of my regular silly questions. Elsewhere, a (former) Delphi programmer is uneasy having found that his binaries have had embedded SQL queries, passwords and so on visible "in clear" for the last 20 years or so.
>>>>
>>>> Can FPC be told to obfuscate ResourceStrings?
>>> No. The default value for resourcestrings is stored as-is in the binary.
>>>
>>> To solve this, I store the username/password encrypted in the binary as consts, and they are decrypted when needed.
>> Sometimes it's difficult to avoid having to do that sort of thing, or obfuscating them in an external file.
>>
> 
> Could it help to try doing this after linking the program binary, to build the resources and scramble them
> using the program binary part checksum (or have it seed a PRNG and/or derive an encryption key / key pair from it) ?
> 
> Not that I know how ;) and whether such a thing is viable at all - or desirable (since an executable would
> always have to be distributed with matching resources build). But how would that be for an idea ? ;)

I wonder whether this could be handled by a step related to i18n.

The whole thing's a bit of a minefield, since there are hacking tools 
out there which can scan a binary looking for regions which are more 
random than expected on the basis that these might be things like crypto 
keys.

-- 
Mark Morgan Lloyd
markMLl .AT. telemetry.co .DOT. uk

[Opinions above are the author's, not those of his employers or colleagues]
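
The entropy scan mentioned in the closing paragraph can be turned on your own build output to see how an encrypted const stands out from ordinary strings. The following is an added example, not part of the original post or of FPC. The function names, the 64-byte window, the 5.5-bit threshold and the sample buffer are all assumptions constructed for illustration.

```python
import math

def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not chunk:
        return 0.0
    counts = {}
    for b in chunk:
        counts[b] = counts.get(b, 0) + 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def high_entropy_regions(data: bytes, window: int = 64, step: int = 16,
                         threshold: float = 5.5):
    """Merged (start, end) offsets of windows at or above the threshold.

    A 64-byte window can reach at most log2(64) = 6 bits, so 5.5 is an
    assumed cut-off that plain text and SQL stay well below.
    """
    regions = []
    for off in range(0, max(len(data) - window, 0) + 1, step):
        if shannon_entropy(data[off:off + window]) < threshold:
            continue
        if regions and off <= regions[-1][1]:
            regions[-1] = (regions[-1][0], off + window)  # extend previous hit
        else:
            regions.append((off, off + window))
    return regions

def build_sample_image():
    """Constructed stand-in for a binary: SQL text, a 64-byte blob, SQL text."""
    sql = b"SELECT name, pass FROM users WHERE id = :id; "
    text = (sql * 8)[:256]
    # Constructed stand-in for an encrypted const: 64 distinct byte values.
    blob = bytes((i * 37 + 11) % 256 for i in range(64))
    return text + blob + text, len(text), len(blob)

if __name__ == "__main__":
    image, blob_off, blob_len = build_sample_image()
    print("blob at", (blob_off, blob_off + blob_len))
    for start, end in high_entropy_regions(image):
        print("high-entropy region", (start, end),
              round(shannon_entropy(image[start:end]), 2))
```

Windows that straddle the blob and the surrounding text can also cross the threshold, so the reported region may be somewhat wider than the blob itself.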


