3

If we want to store critical information, like passwords and server addresses, inside the executable file generated by the Delphi compiler, how can we do that, without knowing the final executable size and binary structure, like at the end of the file for example?

Side note:

The text to be stored is already encrypted; and in some computers the windows don't give access to write in the registry, specially when the user is not administrator, and there are hacks to monitor registry changes and the smart user can find the new windows registry entry.

Comment

Why this question was down voted? This is achievable! Doesn't meter if not interesting for most people.

I think about the bios and other firmware upgradeable, like satelite tv signal decoders that update themselves. How is that possible?

NaN
  • 8,596
  • 20
  • 79
  • 153
  • The information which you want to store in the exe, must be modified or is read-only? – RRUZ Jul 03 '12 at 22:17
  • To be true, there are situations where I need only read-only information, but the most important is to be able to change that information at run-time, because read-only information I store inside the code, encrypted. – NaN Jul 03 '12 at 22:22
  • Similar question, [how to store settings in resource](http://stackoverflow.com/q/3267071/576719). – LU RD Jul 04 '12 at 04:43
  • As you can get from the other answers, this is not feasible. I suggest you read/write a separate file and use an encryption library with good cipher, like Turbopower LockBox 3 with Rijndael encryption. – Jan Doggen Jul 04 '12 at 12:35
  • How do **other** portable executables store their settings? Surely not by modifying the executable, right? – Rob Kennedy Jul 04 '12 at 14:17
  • 1
    This strikes me as the wrong question to ask. You should be asking for ways to store sensitive configuration data that will work reliably on both security lax and security hardened systems. Even a restricted user should have write access to their own user profile. This includes the HKCU hive as well as the folders under %APPDATA%. If a system is locked down more than this your looking at some kind of shared kiosk, in which case you need to work with the sys admin. – Kenneth Cochran Jul 05 '12 at 18:07
  • I think that maybe I am from old days when I remember seeing somewhere in DOS some executable files that stored information on themselves. But maybe it was just delirious... – NaN Jul 05 '12 at 18:51
  • 1
    There is no problem to read/write the HKCU registry (when the user is not administrator). There are hacks to monitor file i/o activity also (e.g. FileMonitor). – kobik Jul 10 '12 at 08:00

2 Answers2

4

You can use an .rc file to put your data into a custom resource inside the final .exe file. You can then access that resource at run-time, such as with a TResourceStream, and decrypt and use its content as needed. However, you cannot write new data into the resource while the .exe is running, as the file is locked by the OS. If you need to write new settings, and do not have write access to the Registry, you will have to use a separate file instead. Windows has special folders set aside that users have write access to within their user profiles.

Remy Lebeau
  • 555,201
  • 31
  • 458
  • 770
  • I thought about creating a second application to be executed from inside the main application, and then the main exits, allowing the second application to modify data at the end of the main executable file. But how to do that without corrupt the .exe and maintain a certain flexibility. – NaN Jul 03 '12 at 22:25
  • You would still use a custom resource for that. The second app can use the Win32 API `BeginUpdateResource()` and `UpdateResource()` functions to modify the resource data. – Remy Lebeau Jul 03 '12 at 23:04
  • 3
    @EASI - if you update the resource of a signed executable it will no longer be validly signed. And if your first executable resides in a folder under Program Files, your user will either have to run both applications elevated or turn off UAC (on Windows 6.x). – frogb Jul 04 '12 at 09:01
3

Create a string table resource is one way.

Create a text file. say secretstuff.rc (has to have .rc extension) with something like this in it.

STRINGTABLE
{
  1,"This is my encrypted password in say Base64"
}

Compile it to a .res file with BRCC32.

Include it in the relevant code with a compiler directive

{$R secretstuff.res}

After that you access with TResourceStream.

If you want to manage it a bit better might be wise to stuff them in a dll instead of an exe, then you can update things by delivering a new version of the dll.

There's an example with a it more detail, another purpose but same principle here

Tony Hopkinson
  • 20,172
  • 3
  • 31
  • 39
  • 3
    If you add the rc to the dpr, you don't have to compile it manually. Use `{$R 'secretstuff.res' '..\resources\secretstuff.rc'}`, or use the IDE. Quotes are used in case there c/would be spaces in the paths. – Marjan Venema Jul 04 '12 at 06:08
  • 2
    If the OP is using an ancient Delphi version like Delphi 2006, then the tip Marjan is sharing doesn't work (yet) for them. (It seems that they are using an old delphi version.) – Warren P Jul 05 '12 at 00:54
  • Marjan is talking about the {$R foo.res 'foo.rc'} syntax. That is NOT in D5, Kobik. – Warren P Aug 21 '14 at 15:03