I use gcc (on Ubuntu) to compile a C program that has a few string values that I don't want the end user to know, like strings used in authentication, a passcode file path / passcode, etc. But when I compile the program, the object file has these string values in readable (text) format. There are other machine-only readable characters, but these strings are also present in the file. Is this expected? Is there a way to tell the compiler not to print the values as plain text? I thought of having the strings encrypted within the program, but that looks like over-engineering.

  • Constant values like string literals are usually stored in the literal area of the executable code file. To use encrypted strings in the source code and put an encryption routine in the code may be the most straightforward way to solve your problem. – Fumu 7 Apr 10 '15 at 05:44
  • gcc cannot do it for you. Encrypting it within your program is not overkill - that is the way to do it. – kaylum Apr 10 '15 at 05:45
  • I'm going with encrypting the strings and maybe further restricting the access to the executable. Thanks for the helpful comments. – iexploremysql Apr 10 '15 at 17:24

2 Answers

...but these strings are also present in the file. Is this expected?

Yes, it is expected. String literals are saved in the executable, and you can see them all. For example, GNU strings prints the printable character sequences that are at least 4 characters long...

See How to hide strings in a exe or a dll?

Anto Jurković
  • Thank you. The link explains different approaches. Doing MD5 to hash will prevent anybody from knowing the actual passcode stored in the code. – iexploremysql Apr 10 '15 at 18:49

And even if you hide the strings in some way - even if you encrypt them - your executable has to reassemble or decrypt the strings to use them.

And you're giving your executable to people you don't want to know those authentication strings?

That's not going to work.

"Here's a book with all my banking data in it. I've put a rubber band around it to keep everyone from reading it."

Would you give that book out?

Well, that's what you're doing when you hardcode authentication strings - even if you obfuscate or encrypt them. Because you also have to provide the tool to produce the actual strings so they can be used.

Andrew Henle
  • That is true, but doesn't that require some expertise in hacking system calls, etc.? Right now, just doing a vi on the executable file reveals the connection details. – iexploremysql Apr 10 '15 at 13:25
  • Expertise? Such as running strace to capture the entirety of IO streams? Or running "strings" against a core file captured with gcore? Or "snoop" to capture the contents of network traffic? If you do distribute such data in your executables and no one digs that data out, that means no one cares. Yet. Be successful to even the smallest degree, and someone will care. Do you really want to start out from a position where only failure keeps your data safe? – Andrew Henle Apr 10 '15 at 13:41
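
Added example, not part of either answer or of the original thread: a C sketch of the scan the first answer describes (printable runs of at least 4 characters), run over a constructed byte image before and after an XOR-encoded value is decoded for use, which is the second answer's point. The two strings, the one-byte XOR key and the function names are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MIN_RUN 4     /* minimum run length the first answer cites for GNU strings */
#define XOR_KEY 0x5A  /* constructed one-byte key, for illustration only */

static const char PLAIN[]  = "/opt/demo/passcode.txt";  /* constructed */
static const char HIDDEN[] = "demo-passcode-1234";      /* constructed */

/* 1 if needle sits inside a printable run of >= MIN_RUN bytes in buf. */
static int visible(const unsigned char *buf, size_t len, const char *needle)
{
    size_t nlen = strlen(needle), start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && isprint(buf[i]))
            continue;                       /* still inside a run */
        if (i - start >= MIN_RUN)
            for (size_t j = start; j + nlen <= i; j++)
                if (memcmp(buf + j, needle, nlen) == 0)
                    return 1;
        start = i + 1;                      /* run ended at i */
    }
    return 0;
}

/* Constructed image: non-text bytes, PLAIN as-is, HIDDEN XOR-encoded.
 * decoded != 0 undoes the XOR in place, as the program must before use. */
int secrets_found(int decoded)
{
    unsigned char img[128] = { 0x7f, 'E', 'L', 'F', 0x02, 0x01, 0x01, 0x00 };
    size_t off = 8, hid;
    memcpy(img + off, PLAIN, sizeof PLAIN);
    off += sizeof PLAIN;
    hid = off;                              /* where the encoded value starts */
    for (size_t i = 0; i < sizeof HIDDEN - 1; i++)
        img[off++] = (unsigned char)(HIDDEN[i] ^ XOR_KEY);
    img[off++] = 0;
    if (decoded)
        for (size_t i = 0; i < sizeof HIDDEN - 1; i++)
            img[hid + i] ^= XOR_KEY;
    return visible(img, off, PLAIN) + visible(img, off, HIDDEN);
}

int main(void)
{
    printf("file image:   %d of 2 secrets visible\n", secrets_found(0));
    printf("after decode: %d of 2 secrets visible\n", secrets_found(1));
    return 0;
}
```

The encoded value is missing from the scan of the file image, but it reappears as soon as the image holds the decoded bytes, which is the state a core file or memory capture of the running program would record.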