[fpc-pascal] Resource strings, passwords etc.
Mark Morgan Lloyd
markMLl.fpc-pascal at telemetry.co.uk
Thu Jul 14 16:30:42 CEST 2016
Lukasz Sokol wrote:
> On 13/07/16 08:31, Mark Morgan Lloyd wrote:
>> Michael Van Canneyt wrote:
>>> On Tue, 12 Jul 2016, Mark Morgan Lloyd wrote:
>>>
>>>> Please excuse one of my regular silly questions. Elsewhere, a (former) Delphi programmer is uneasy having found that his binaries have had embedded SQL queries, passwords and so on visible "in clear" for the last 20 years or so.
>>>>
>>>> Can FPC be told to obfuscate ResourceStrings?
>>> No. The default value for resourcestrings is stored as-is in the binary.
>>>
>>> To solve this, I store the username/password encrypted in the binary as consts, and they are decrypted when needed.
>> Sometimes it's difficult to avoid having to do that sort of thing, or obfuscating them in an external file.
>>
>
> Could it help to try doing this after linking the program binary, to build the resources and scramble them
> using the program binary part checksum (or have it seed a PRNG and/or derive an encryption key / key pair from it) ?
>
> Not that I know how ;) and whether such a thing is viable at all - or desirable (since an executable would
> always have to be distributed with matching resources build). But how would that be for an idea ? ;)
Thinking this sort of thing through, and focussing on reasonable
obfuscation rather than rigorous encryption, one possibility would be to
put a passphrase in the executable stored with (say) nibbles reversed,
then to subtract each letter of this from obfuscated resourcestrings
when they were needed.
Subtracting a couple of test paragraphs (start of Genesis, start of the
American declaration of independence) gives a fairly even distribution
of bytes in the range -84 through +87 (this would need to be tested with
a much larger corpus). This would probably be good enough to deter
people who thought they might be able to find passwords using a simple
file viewer.
Can anybody comment on what effect using UTF-8 would have rather than
simple ASCII?
--
Mark Morgan Lloyd
markMLl .AT. telemetry.co .DOT. uk
[Opinions above are the author's, not those of his employers or colleagues]
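The scheme sketched above, worked through as an added Free Pascal example (not code from the list thread): the passphrase 'reversed nibbles' and the sample connection string are constructed, and the build-time and run-time steps are one byte-wise routine run in opposite directions.

```pascal
program ResourceObfuscation;
{$mode objfpc}{$H+}
{ Swap the two nibbles of a byte ($41 -> $14); doing it twice restores the byte }
function SwapNibbles(b: Byte): Byte;
begin
  Result := ((b shl 4) and $F0) or (b shr 4);
end;

{ The passphrase as it would sit in the binary: every byte nibble-reversed }
function HidePassphrase(const s: AnsiString): AnsiString;
var
  i: Integer;
begin
  SetLength(Result, Length(s));
  for i := 1 to Length(s) do
    Result[i] := Chr(SwapNibbles(Ord(s[i])));
end;

{ Add (build time) or subtract (run time) the recovered passphrase bytes
  modulo 256, cycling through the passphrase. Purely byte-wise: UTF-8 input
  is treated as bytes, and the obfuscated result is raw bytes, not text }
function Transform(const data, hidden: AnsiString; encode: Boolean): AnsiString;
var
  i: Integer;
  k: Byte;
begin
  SetLength(Result, Length(data));
  for i := 1 to Length(data) do
  begin
    k := SwapNibbles(Ord(hidden[(i - 1) mod Length(hidden) + 1]));
    if encode then
      Result[i] := Chr((Ord(data[i]) + k) and $FF)
    else
      Result[i] := Chr((Ord(data[i]) - k + 256) and $FF);
  end;
end;

const
  Secret = 'server=db1;user=app;password=Pa55word'; { constructed sample }
var
  Hidden, Stored, Recovered: AnsiString;
begin
  Hidden := HidePassphrase('reversed nibbles');  { assumed passphrase }
  Stored := Transform(Secret, Hidden, True);      { what the binary would hold }
  Recovered := Transform(Stored, Hidden, False);  { what the program uses at run time }
  WriteLn('round trip ok: ', Recovered = Secret);
  WriteLn('plaintext still visible in stored form: ', Pos(Secret, Stored) > 0);
end.
```

The two checks at the end show what the scheme buys: the stored bytes no longer contain the literal string, while the cyclic subtraction restores it exactly; as the post says, this is obfuscation against a file viewer, not encryption.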