Databases
StackOverflow2013
Postsdbo
PO
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    primarykey
    data
    text
    <p>Let's say your application uses a web service "www.example.com" and authenticates with the password, "letmein". Compile the program and examine it with <code>strings</code>, <code>objdump</code>, or whatever:</p> <pre> $ make $ objdump -j .rodota -s program a.out: file format elf64-x86-64 Contents of section .rodata: 4005f8 01000200 7777772e 6578616d 706c652e ....www.example. 400608 636f6d00 6c65746d 65696e00 com.letmein. $ strings program /lib64/ld-linux-x86-64.so.2 __gmon_start__ ... www.example.com letmein </pre> <p>This is pretty easy. If you obfuscate it, you still need to put the plain text somewhere in memory before you can use it, so instead the attacker does one of the following:</p> <ul> <li>Intercepts network packets (easy, takes 5 minutes with basic knowledge Wireshark)</li> <li>Uses a debugger (easy, takes 10 minutes with basic knowledge of GDB)</li> <li>Reverse engineers your source code (hard, takes hours or days)</li> </ul> <p>Note that the obfuscation tools make it harder only for attackers that are already doing it the hard way. What's the sense in that? All you've done is make it take 15 minutes instead of say, 5 minutes for an attacker to get the password from your executable. Since that's pretty much the best you can do, don't work too hard on it. Just XOR the password with some easy pattern and hope that the attackers are very lazy or stupid.</p> <blockquote> <p><strong>C-3PO:</strong> Master Luke, sir. Pardon me for asking, but what should R2 and I do if we're discovered here?<br> <strong>Luke:</strong> Lock the door.<br> <strong>Han Solo:</strong> And hope they don't have blasters.<br> <strong>C-3PO:</strong> That isn't very reassuring. </p> </blockquote> <p>(You will probably end up spending more time on this than your attacker will.)</p> <p><strong>On the other hand:</strong> If you are trying to prevent non-root users from accessing the password on a trusted system, you can do that with permissions &amp; setuid binaries.</p> <p><strong>Footnote:</strong> The purpose of obfuscators in general is to hide program <em>code</em>, not data. For example, if your application uses an algorithm that is a trade secret, that is when you would want to use an obfuscator.</p>
    singulars
    1. This table or related slice is empty.
    1. POHow can I obfuscate a string into a C++ binary?
      singulars
      1. PTQuestion
    1. PTAnswer
    1. USDietrich Epp
    1. USDietrich Epp
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. POHow can I obfuscate a string into a C++ binary?
      singulars
      1. PTQuestion
    1. This table or related slice is empty.
    1. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    3. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTAcceptedByOriginator
    1. This table or related slice is empty.
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload