
Phil Endecott wrote:
Sid Sacek wrote:
Does boost have any compile-time classes for string encryption? Is it even possible?
When a hacker dumps an executable, they can see all of the strings the program might use, and some of those strings may contain sensitive information. Does boost have any classes that can encode the strings at compile-time? Ideally, the third string in the code below would never compile the "secret" string into the final binary.
Hi Sid,
I suggest that, like CAPTCHAs, this is something where it's better if everyone invents their own. If we all used the same string-obfuscation method, the crackers would only need to crack it once.
The one time I did this I think it was something like this:
    /* XOR each character with a fixed key when the array is compiled */
    #define C(x) ((x)^0x42)
    const char secret[] = {C('s'), C('e'), C('c'), C('r'), C('e'), C('t')};
Maybe variadic templates would let you write that as obfus_string<'s','e','c','r','e','t'> - but watch out for that putting a less-obfuscated version in the symbol table.
If you have more strings I would use some sort of external script to do the munging for you.
(Not writing iPhone apps are you? Many apps now check if they are legitimate copies with something like: if (some_api_fn()=="signed_by_apple") - the cracker only needs to corrupt that string in the app to defeat the check.)
Phil.
No offense Phil, but the method of string encryption you chose will last no more than the 15 minutes it takes a hacker to write a script to automatically decrypt every string encrypted with the algorithm you chose and any other method based on DecryptString(encrypted_string_here).
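An added example, not part of any post in this thread: the fixed-key XOR idea discussed above written as a C++14 constexpr wrapper, so the literal is encoded by the compiler instead of character by character through a macro. The names ObfuscatedString, obfuscate, kKey, kSecret and stored_bytes_contain are hypothetical; only the string length is a template parameter, so the characters do not end up in a mangled symbol name.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>

// Assumed single-byte key, the same 0x42 used in the thread.
constexpr unsigned char kKey = 0x42;

// Holds the N bytes of a literal (terminating NUL included) XORed with kKey.
template <std::size_t N>
struct ObfuscatedString {
    char data[N];

    // Evaluated by the compiler when the object is declared constexpr,
    // so the object itself stores only encoded bytes.
    constexpr explicit ObfuscatedString(const char (&plain)[N]) : data{} {
        for (std::size_t i = 0; i < N; ++i)
            data[i] = static_cast<char>(plain[i] ^ kKey);
    }

    // Runtime decode into a temporary; the plaintext exists in memory
    // only for as long as the returned string lives.
    std::string decode() const {
        std::string out(N - 1, '\0');
        for (std::size_t i = 0; i + 1 < N; ++i)
            out[i] = static_cast<char>(data[i] ^ kKey);
        return out;
    }
};

template <std::size_t N>
constexpr ObfuscatedString<N> obfuscate(const char (&plain)[N]) {
    return ObfuscatedString<N>(plain);
}

// constexpr forces the XOR to happen during compilation.
constexpr auto kSecret = obfuscate("secret");

// Self-check: true if the stored bytes still contain `needle` in the clear.
bool stored_bytes_contain(const char* needle) {
    const std::size_t n = std::strlen(needle);
    for (std::size_t i = 0; i + n <= sizeof(kSecret.data); ++i)
        if (std::memcmp(kSecret.data + i, needle, n) == 0) return true;
    return false;
}

int main() {
    std::cout << kSecret.decode() << " clear=" << stored_bytes_contain("secret") << "\n";
}
```

Run `strings` on the built binary to confirm the compiler did not also emit the original literal. As the last reply points out, a fixed key only hides the text from a casual dump and does not protect it from anyone who reads the decode routine.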