Hi There, I want to distribute Delphi compiled software to 3rd parties that connect to our online MYSQL DB to check for registrations, payments, and generally access and update the database.
However, I don't want anyone to get hold of the MYSQL connection settings. These settings are currently within the TMyConnection
Database = 'XXXX'
Username = 'XXXX'
Password = 'XXXX'
Server = 'XXXX'
By using a simple and free code decompiler on the exe I was able to get hold of these settings in the code within about 2 minutes ! Scary stuff. Once someone's gotten this they could, in theory, drop the database !!
Has anyone any suggestions for hiding these settings in an encrypted file or the registry, or using a 3rd party code obfuscating package, or some other way ?
I'm sure there must be an obvious fix on this, but I've been Googling round in circles for 2 days !!
Thanks
J
Important: Big Security Issue
eduardosic
Re: Important: Big Security Issue
This is a known and old security issue. You don't put the information directly in TMyConnection; set these parameters at run time, reading the data from an encrypted file or the Windows registry. I use ini files with encrypted data.
In Delphi you can use
Password := Chr( 65 ) + Chr( 66 ) + Chr( 67 ); //ABC
to make a string...
I understand this, but if you are decrypting your MYSQL DB connection settings in your application, then all a hacker has to do is read your decompiled code on how to decrypt the settings and then they will have your connection details. That's not secure, is it?
Again thanks.
eduardosic
All decompiler programs (Dede, FormExtract and others) don't return a complete .pas file; they decompile the DFM, and the .pas is returned as assembly with code + memory garbage.
The option
MyConnection.Password := chr(65) + chr(70) + chr(75) + chr(XX);
is more secure than
MyConnection.Password := 'myPassword can be viewed';
Open the exe file in edit/notepad and you can locate any string.
Example:
part of the exe file
BorderIconsbiSystemMenu BorderStylebsSingleCaption" DRD SISTEMAS -- Agenda Versão 2.0 ClientHeightîClientWidthColor clBtnFaceFont.CharsetDEFAULT_CHARSET
Font.ColorclWindowTextFont.Heightõ Font.NameTahoma
Font.Style FormStylefsStayOnTop
KeyPreview OldCreateOrderPositionpoScreenCenterVisible
Image.Data R+ TBitmapF+ BMF+ 6 ( d
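A pre-release check for the exposure discussed in this thread, as an added example that is not part of any post above: it scans a build for connection properties stored in a form resource and for the password appearing verbatim in the file. The form-resource layout (length-prefixed name, type byte 6, length-prefixed value), the function names and the sample bytes are assumptions constructed for illustration.

```python
# Added example: pre-release check of a build for embedded connection settings.
SENSITIVE = (b"Database", b"Username", b"Password", b"Server")
VA_STRING = 6  # assumption: binary-DFM type byte for a string with 1-byte length


def pstr(data: bytes) -> bytes:
    """Length-prefixed string as stored in a form resource."""
    return bytes([len(data)]) + data


def find_form_settings(blob: bytes):
    """Return (offset, property, value) for each sensitive property stored
    as <len><name><VA_STRING><len><value> with a non-empty value."""
    hits = []
    for name in SENSITIVE:
        needle = pstr(name) + bytes([VA_STRING])
        pos = blob.find(needle)
        while pos != -1:
            val_at = pos + len(needle)
            size = blob[val_at] if val_at < len(blob) else 0
            value = blob[val_at + 1 : val_at + 1 + size]
            if size and len(value) == size:
                hits.append((pos, name.decode(), value.decode("latin-1")))
            pos = blob.find(needle, pos + 1)
    return sorted(hits)


def secret_visible(blob: bytes, secret: str) -> bool:
    """True if the secret sits in the file verbatim, as 8-bit or UTF-16LE text."""
    return secret.encode("latin-1") in blob or secret.encode("utf-16-le") in blob


# Constructed sample 1: settings typed into the component at design time.
DESIGN_TIME = (
    b"TPF0" + pstr(b"TMyConnection") + pstr(b"MyConnection1")
    + b"".join(pstr(k) + bytes([VA_STRING]) + pstr(v) for k, v in [
        (b"Database", b"shopdb"), (b"Username", b"app_user"),
        (b"Password", b"example-secret"), (b"Server", b"db.example.invalid")])
    + b"\x00\x00"
)
# Constructed sample 2: empty component, password assigned from a literal in code.
RUNTIME_LITERAL = b"\x00\x00" + b"\xff\xff\xff\xff\x0e\x00\x00\x00example-secret\x00"

if __name__ == "__main__":
    for label, blob in (("design-time", DESIGN_TIME), ("runtime literal", RUNTIME_LITERAL)):
        print(label, find_form_settings(blob), secret_visible(blob, "example-secret"))
```

Run against your own release build with your own password as the search value; a hit from either function means the setting ships in readable form.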