this post was submitted on 21 Jul 2023
10 points (100.0% liked)
C++
Think of password protected access to something, anything. Instead of checking
if(password == some_constant){...}
or
if(hash(password) == precomputed_hash){...}
you encrypt that something. The first variant has the disadvantage that some_constant is stored inside your binary, thus the password is visible to anybody. The second variant ... the same, the hash of the password is stored inside the binary and could be brute-forced or rainbow-tabled. Both variants have the disadvantage that there is a run-time check refusing access to some data, but those data are available in the binary anyway. Just open the program in a debugger or in a hex editor and NOP the if out. With my approach the data is unreadable without the correct password. The app could not be convinced / persuaded to provide the data in any way without the password.

Think of advanced features of WinRAR not being accessible without a valid licence key. Ehm, WinRAR distributes the same binary for both licensed and unlicensed users, unlocking the features with a license key or with a crack (equivalent of NOPing the if). What if instead WinRAR distributed a different binary for each licensed user, with advanced features encrypted by a per-user key. A crack or keygen would need to use some particular user's binary with their license. Easily trackable. Or the crack would need to be applied once and then distribute the un-encrypted features / code.
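
The design described in the comment above, as an added example that is not part of the original post: the protected data is shipped only as ciphertext under a key derived from the password, so skipping the check (modelled here by `verify=False`) yields garbage rather than the data. The function names, PBKDF2 parameters and the HMAC-based keystream (a standard-library stand-in for a real AEAD such as AES-GCM) are assumptions of this sketch.

```python
import hashlib, hmac, os

ITERATIONS = 200_000  # assumed PBKDF2 work factor, not taken from the post

def _keys(password: str, salt: bytes):
    # Derive 64 bytes: first half encrypts, second half authenticates.
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; stand-in for AES-CTR or ChaCha20.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(password: str, plaintext: bytes) -> bytes:
    """Build step: only this blob goes into the binary, never the plaintext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(password, salt)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def unseal(password: str, blob: bytes, verify: bool = True):
    """Run-time step. verify=False models a patched-out check."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _keys(password, salt)
    if verify:
        expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # wrong password or tampered blob
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))

if __name__ == "__main__":
    secret = b"advanced feature table"        # constructed sample data
    blob = seal("correct horse", secret)      # constructed sample password
    print(unseal("correct horse", blob))      # the data
    print(unseal("guess", blob))              # None
    print(unseal("guess", blob, verify=False))  # unrelated bytes
```

The tag still lets anyone holding the blob test password guesses offline, so the password's strength and the KDF cost set the real security level.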