Subject: Re: [boost] [encrypted strings]
From: Phil Endecott (spam_from_boost_dev_at_[hidden])
Date: 2009-04-27 13:32:53


Sid Sacek wrote:
> Does boost have any compile-time classes for string encryption? Is it
> even possible?
>
> When a hacker dumps an executable, they can see all of the strings the
> program might use, and some of those strings may contain sensitive
> information. Does boost have any classes that can encode the strings at
> compile-time? Ideally, the third string in the code below would never
> compile the "secret" string into the final binary.

Hi Sid,

I suggest that, like CAPTCHAs, this is something where it's better if
everyone invents their own. If we all used the same string-obfuscation
method, the crackers would only need to crack it once.

The one time I did this I think it was something like this:

#define C(x) ((x) ^ 0x42)  /* XOR each character with 0x42 at compile time */
const char secret[] = {C('s'), C('e'), C('c'), C('r'), C('e'), C('t')};

Maybe variadic templates would let you write that as
obfus_string<'s','e','c','r','e','t'> - but watch out for that putting
a less-obfuscated version in the symbol table.

If you have more strings I would use some sort of external script to do
the munging for you.

(Not writing iPhone apps are you? Many apps now check if they are
legitimate copies with something like: if
(some_api_fn()=="signed_by_apple") - the cracker only needs to corrupt
that string in the app to defeat the check.)

Phil.
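
An added example, not part of Phil's message or of Boost: the XOR-macro approach described above together with the runtime decode step it implies, in C. The names blob1, obf_decode, obf_wipe and contains_plaintext are assumptions made for illustration; the array gets a neutral name because, as the message warns, a descriptive symbol name would leak what the obfuscation hides.

```c
#include <stdio.h>
#include <string.h>

#define OBF_KEY 0x42                      /* key value used in the post */
#define C(x) ((char)((x) ^ OBF_KEY))

/* Encoded at compile time; neutral name so the symbol table gives no hint. */
static const char blob1[] = {C('s'), C('e'), C('c'), C('r'), C('e'), C('t')};

/* Decode n bytes into out (capacity cap), NUL-terminated; -1 if out is too small. */
int obf_decode(const char *enc, size_t n, char *out, size_t cap)
{
    size_t i;
    if (out == NULL || cap < n + 1)
        return -1;
    for (i = 0; i < n; i++)
        out[i] = (char)(enc[i] ^ OBF_KEY);
    out[n] = '\0';
    return 0;
}

/* Clear the decoded copy after use; volatile keeps the stores from being elided. */
void obf_wipe(char *buf, size_t n)
{
    volatile char *p = buf;
    while (n--)
        *p++ = 0;
}

/* Returns 1 if plain occurs in the n encoded bytes (what a strings dump would show). */
int contains_plaintext(const char *enc, size_t n, const char *plain)
{
    size_t len = strlen(plain), i;
    for (i = 0; i + len <= n; i++)
        if (memcmp(enc + i, plain, len) == 0)
            return 1;
    return 0;
}

int main(void)
{
    char buf[16];
    if (obf_decode(blob1, sizeof blob1, buf, sizeof buf) != 0)
        return 1;
    printf("decoded: %s\n", buf);
    obf_wipe(buf, sizeof buf);
    return 0;
}
```

The decoded copy is in memory while it is in use and the key sits in the decode loop, so this hides the string from a static dump of the binary and nothing more.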


Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk