Let's say your application uses the web service "www.example.com" and authenticates with the password "letmein". Compile the program and view it with strings, objdump or something else:
```
$ make
$ objdump -j .rodata -s program
a.out: file format elf64-x86-64
Contents of section .rodata:
 4005f8 01000200 7777772e 6578616d 706c652e  ....www.example.
 400608 636f6d00 6c65746d 65696e00           com.letmein.
$ strings program
/lib64/ld-linux-x86-64.so.2
__gmon_start__
...
www.example.com
letmein
```
This is pretty easy. If you obfuscate it, you still need to put the plaintext in memory before you can use it, so instead the attacker does one of the following:
- Intercepts network packets (easy, takes 5 minutes with basic knowledge of Wireshark)
- Uses a debugger (simple, takes 10 minutes with basic knowledge of GDB)
- Reverse engineers your source code (hard, takes hours or days)
Please note that obfuscation tools only make things more difficult for attackers who are already doing it the hard way. What is the point of that? All you have done is make it take 15 minutes instead of 5 minutes for an attacker to get the password from your executable file. Since this is pretty much the best you can do, don't work too hard on it. Just XOR the password with a simple pattern and hope that the attackers are very lazy or stupid.
C-3PO: Master Luke, sir. Forgive me for asking, but what should R2 and I do if they find us here?
Luke: Lock the door.
Han Solo: And I hope they have no blasters.
C-3PO: This is not very encouraging.
(You will probably spend more time on this than your attacker.)
On the other hand: if you are trying to prevent non-root users from accessing a password on a trusted system, you can do this with permissions and setuid binaries.
Footnote: The purpose of obfuscators in general is to hide program code, not data. For example, if your application uses an algorithm that is a trade secret, that is when you would want to use an obfuscator.
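Added example (not part of the original answer): a sketch of the "XOR with a simple pattern" approach, showing that the stored bytes no longer form a run that `strings` would print (its default minimum is 4 printable characters), while the decoded password still sits in memory as plain text while in use. The pattern, the stored bytes and all function names are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample data: "letmein" XORed with the repeating pattern below.
 * Pattern and byte layout are assumptions for this example only. */
static const unsigned char PATTERN[] = { 0x5a, 0xa5, 0x3c };
static const unsigned char STORED[]  = { 0x36, 0xc0, 0x48, 0x37, 0xc0, 0x55, 0x34 };

/* Length of the longest run of printable ASCII bytes in buf.
 * strings(1) only reports runs of at least 4 by default. */
size_t longest_printable_run(const unsigned char *buf, size_t n)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < n; i++) {
        cur = (buf[i] >= 0x20 && buf[i] <= 0x7e) ? cur + 1 : 0;
        if (cur > best)
            best = cur;
    }
    return best;
}

/* Decode n bytes into out and NUL-terminate; out must hold n + 1 bytes. */
void xor_decode(char *out, const unsigned char *in, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(in[i] ^ PATTERN[i % sizeof PATTERN]);
    out[n] = '\0';
}

/* Zero a buffer through a volatile pointer so the stores are not optimised away. */
void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--)
        *v++ = 0;
}

int main(void)
{
    char buf[sizeof STORED + 1];

    printf("at rest: longest printable run = %zu\n",
           longest_printable_run(STORED, sizeof STORED));
    xor_decode(buf, STORED, sizeof STORED);
    /* From here until wipe(), the plaintext is readable in a debugger. */
    printf("in use:  longest printable run = %zu\n",
           longest_printable_run((const unsigned char *)buf, sizeof STORED));
    wipe(buf, sizeof buf);
    return 0;
}
```

Wiping the buffer shortens the window in which the plaintext is in memory but does not remove it, which is the limitation the answer describes.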