Walker News

Better Way To Hardcode Password In Program Source Code

Instead of simply using a string literal to hardcode the SMTP password in the mailsend source code, I use a character array to store the credential character by character.

The purpose of using such an “inconvenient” approach is not for fun; it is because a string literal can easily be exposed in the output of the strings command!
The GNU strings program finds and shows printable character sequences that are at least 4 characters long (the default) and are followed by an unprintable character.

There is also a strings utility for Windows, provided by Mark Russinovich (one of the founders of Winternals Software, now called Windows Sysinternals).

Here is an example of how the strings command analyzes a binary file (tstStr, the program compiled from the C source file tstStr.c):

[Screenshot: using the strings program to retrieve the printable characters embedded in a binary file.]

NOTE: Storing a sensitive value (e.g. a password) in a character array character by character (such as tpswd[]) can only inconvenience an average attacker. It CANNOT stop an advanced attacker from retrieving the value from a memory dump (core dump file)!
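As an added illustration (not code from the original post) of the strings rule described above and of the memory-dump caveat in the note, this C program re-implements the default strings scan (runs of at least 4 printable bytes ended by a non-printable byte) and runs it over a constructed buffer standing in for a process memory image; the tpswd[] contents and the buffer layout are made up for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MIN_LEN 4  /* GNU strings' default minimum run length */

/* Scan buf[0..len) the way strings does by default: report every run of at
 * least MIN_LEN printable bytes that ends at a non-printable byte (here the
 * end of the buffer also counts as a terminator). Runs are copied to out,
 * one per line; the return value is the number of runs reported. */
size_t find_strings(const unsigned char *buf, size_t len, char *out, size_t outsz) {
    size_t count = 0, start = 0, used = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && isprint(buf[i]))
            continue;                    /* still inside a printable run */
        size_t run = i - start;
        if (run >= MIN_LEN && used + run + 1 < outsz) {
            memcpy(out + used, buf + start, run);
            used += run;
            out[used++] = '\n';
            count++;
        }
        start = i + 1;                   /* the next run can begin after this byte */
    }
    out[used] = '\0';
    return count;
}

/* Constructed stand-in for a process memory image: non-printable filler, the
 * credential assembled character by character as the post describes, and a
 * two-byte run that is too short for strings to report. Once the array has
 * been built, its bytes sit contiguously in RAM, so a memory dump exposes it. */
size_t demo(char *out, size_t outsz) {
    const char tpswd[] = {'s', '3', 'c', 'r', 'e', 't', 'P', 'w', '\0'};  /* constructed sample */
    unsigned char image[64];
    memset(image, 0x01, sizeof image);
    memcpy(image + 8, tpswd, sizeof tpswd);
    memcpy(image + 32, "ab", 2);
    return find_strings(image, sizeof image, out, outsz);
}

int main(void) {
    char out[256];
    size_t n = demo(out, sizeof out);
    printf("%zu string(s) found:\n%s", n, out);  /* reports 1 run: s3cretPw */
    return 0;
}
```

The compiler also decides how the array initializer is stored: for longer arrays it is usually kept as a contiguous block in the binary's read-only data and copied at run time, so check the compiled executable with strings rather than assuming the trick worked.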


2018  •  Privacy Policy