|
|
Boost : |
Subject: Re: [boost] [encrypted strings]
From: Raindog (raindog_at_[hidden])
Date: 2009-04-28 01:19:05
Phil Endecott wrote:
> Sid Sacek wrote:
>> Does boost have any compile-time classes for string encryption? Is it
>> even possible?
>>
>> When a hacker dumps an executable, they can see all of the strings the
>> program might use, and some of those strings may contain sensitive
>> information. Does boost have any classes that can encode the strings at
>> compile-time? Ideally, the third string in the code below would never
>> compile the "secret" string into the final binary.
>
> Hi Sid,
>
> I suggest that, like CAPTCHAs, this is something where it's better if
> everyone invents their own. If we all used the same
> string-obfuscation method, the crackers would only need to crack it once.
>
> The one time I did this I think it was something like this:
>
> #define C(x) x^0x42
> const char secret[] = {C('s'), C('e'), C('c'), C('r'), C('e'), C('t')};
>
> Maybe variadic templates would let you write that as
> obfus_string<'s','e','c','r','e','t'> - but watch out for that putting
> a less-obfuscated version in the symbol table.
>
> If you have more strings I would use some sort of external script to
> do the munging for you.
>
> (Not writing iPhone apps are you? Many apps now check if they are
> legitimate copies with something like: if
> (some_api_fn()=="signed_by_apple") - the cracker only needs to corrupt
> that string in the app to defeat the check.)
>
>
> Phil.
>
No offense Phil, but the method of string encrpytion you chose will last
no more than the 15 minutes it takes a hacker to write a script to
automatically decrypt every string encrypted with the algorithm you
chose and any other method based on DecryptString(encrypted_string_here).
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk