
If you put something like

  if mySecretPassword == "Qwerty123" {
      ...
  }

then "Qwerty123" will be easily seen by the strings utility. Which is pretty obvious but I'm guessing some junior folks will be surprised.



You probably know this, but in C, if you wrote the comparison like this

  if (password[0] == 'Q'
   && password[1] == 'w'
   /* the rest of the letters... */
   && password[8] == '3'
   // C strings are 0 terminated
   && password[9] == '\0')
  {
      ...
  }

It will probably compile to something like this on x86-64, assuming "password" is a pointer held in RDI (although I didn't look at a compiler's output):

  cmp byte [rdi], 0x51 ; 'Q'
  jne false
  ;; the rest of the letters...
  cmp byte [rdi + 9], 0x0 ; '\0'
  jne false

The benefit is that the strings utility wouldn't see the string "Qwerty123" anywhere in the binary.

Unicode and bounds checking code probably complicate this generated assembly in other languages.

It would be nice if there were some way to write a macro or an inline function so that you could write a comparison like

  if inlineStringEqualP(mySecretPassword, "Qwerty123") {
      ...
  }

And then it would expand into something like the assembly I wrote above, so that way, the string literal "Qwerty123" isn't embedded in the final binary executable anywhere. I bet it's possible with C++ templates somehow, but it would be messy.


I think that was the very first crackme I ever solved =)
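The effect discussed in this thread, as an added example that is not part of any comment: a strings-style scan finds the literal when it is stored as data, misses it when it exists only as cmp immediates, and the same bytes can still be read back out of the instruction stream. The function names and both byte buffers are constructed for illustration; the encodings are the standard x86-64 forms of the cmp/jne instructions quoted above.

```c
#include <stdio.h>
#include <string.h>

/* strings(1)-style test: is needle inside a run of >= min_len printable
   ASCII bytes? (GNU strings reports runs of 4 or more by default.) */
static int strings_finds(const unsigned char *b, size_t n, const char *needle, size_t min_len) {
    size_t nl = strlen(needle), start = 0;
    for (size_t i = 0; i <= n; i++) {
        if (i < n && b[i] >= 0x20 && b[i] <= 0x7e) continue; /* run continues */
        if (i - start >= min_len)
            for (size_t j = start; j + nl <= i; j++)
                if (memcmp(b + j, needle, nl) == 0) return 1;
        start = i + 1;
    }
    return 0;
}

/* Constructed sample: encode the thread's cmp/jne chain for s and its NUL.
   80 3F ib / 80 7F d8 ib = cmp byte [rdi(+d8)], ib; 75 rb = jne to chain end. */
static size_t emit_cmp_chain(const char *s, unsigned char *out) {
    size_t len = strlen(s) + 1, total = 5 + 6 * (len - 1), o = 0;
    for (size_t i = 0; i < len; i++) {
        out[o++] = 0x80; out[o++] = i ? 0x7f : 0x3f;
        if (i) out[o++] = (unsigned char)i;       /* disp8 = character index */
        out[o++] = (unsigned char)s[i];           /* imm8 = expected character */
        out[o++] = 0x75;
        out[o] = (unsigned char)(total - o - 1); o++;
    }
    return o;
}

/* Read the compared bytes back out of such a chain, indexed by displacement. */
static size_t recover(const unsigned char *c, size_t n, char *out, size_t cap) {
    size_t o = 0, got = 0;
    while (o + 5 <= n && c[o] == 0x80 && (c[o + 1] == 0x3f || c[o + 1] == 0x7f)) {
        size_t disp = (c[o + 1] == 0x7f), d = disp ? c[o + 2] : 0;
        if (o + 5 + disp > n || d >= cap) break;
        out[d] = (char)c[o + 2 + disp];
        if (d + 1 > got) got = d + 1;
        o += 5 + disp; /* skip the cmp and the 2-byte jne */
    }
    return got;
}

int main(void) {
    static const unsigned char data[] = "\x01Qwerty123"; /* constructed data section */
    unsigned char code[128]; char rec[32] = {0};
    size_t n = emit_cmp_chain("Qwerty123", code);
    printf("strings finds literal: %d, cmp chain: %d\n", strings_finds(data, sizeof data, "Qwerty123", 4), strings_finds(code, n, "Qwerty123", 4));
    printf("recovered %zu bytes: %s\n", recover(code, n, rec, sizeof rec), rec);
    return 0;
}
```

The per-character form only removes the contiguous run that strings looks for; a credential compiled into a binary stays recoverable either way.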



