March 10, 2016

When ugly code must be written IRL: i.e. putting password inside the code like a pr0

I got this idea a few days ago, because of a message on the ML
A friend of mine needed to embed a password in the source code of his software.

Everybody knows is a bad idea, but sometimes world imposes us bad design choices.

If you don't want to write your password ina configuration file, there are plenty of ways to encode a password in a source code, but some of them can involve randomness, which might make the reversing a little bit harder, but not impossibile.

The idea I got is to use a fixed point of a computation. Googling around I found this fancy example which involves only integer numbers. (If you algorithm is not stable: floating point + randomness => badness).

From Wikipedia:
  1.     Take any four-digit number, using at least two different digits. (Leading zeros are allowed.)
  2.     Arrange the digits in descending and then in ascending order to get two four-digit numbers, adding leading zeros if necessary.
  3.     Subtract the smaller number from the bigger number.
  4.     Go back to step 2.

So, your password will be ultimately the Krapekar constant :)
It is also a great idea for a CTF challange.