Thread Subject: p-coded files - a caveat on hiding vital information...

Subject: p-coded files - a caveat on hiding vital information...

From: us

Date: 1 Feb, 2010 20:36:20

Message: 1 of 2

in a recent thread
http://www.mathworks.com/matlabcentral/newsreader/view_thread/271662
luca cerone worried about the safety/encryption level of P-coded M-files...

here are some thoughts and an example...
while - outside of TMW - they cannot be
- read and interpreted using low-level io functions or a snooping software
- reverse engineered
(at least according to this poster's current knowledge),
a malicious user can still gain plenty of information from it - if (vital) information is NOT hard-coded...

an EXAMPLE

% 1) create a file FOOP.M with content
function varargout=foop(varargin)
     password='12'; %#ok: test / NEVER hide information this way!
     if nargin
          if isequal(varargin{1},'abc') % <- hard-coded
               varargout{1}='xyz'; % <- hard-coded
               varargout{2}='aaa'; % <- ...
          end
     end
end
% 2) close the editor!!!!!
% 3) P-code then remove the M-file
     pcode foop;
     delete foop.m;
% 4) create a file FOO.M with content
function foo
     foop;
end
% 5) at the command line
     dbstop in foop;
     foo;
% K>>
     dbstack
%{
> In PATH\foop.p>foop at 2
  In foo at 2
%}
% now type DBSTEP until you see
     dbstep
% ...
% End of function foop.
% now retrieve information about all vars used AND their content
     fh=@(x) x; % <- a dummy function handle, created inside foop's workspace
     w=functions(fh);
     w.workspace{2} % <- which contains information about vars
%{
    varargin: {}
    password: '12' % <- !
          fh: @(x)x
%}
% however, you cannot see the hard-coded CHAR strings 'abc',...

just a thought...
us

Subject: p-coded files - a caveat on hiding vital information...

From: Jan Simon

Date: 2 Feb, 2010 00:24:23

Message: 2 of 2

Dear us!

> if isequal(varargin{1},'abc') % <- hard-coded
> ...
> % however, you cannot see the hard-coded CHAR strings 'abc',...

Built-in functions are shadowed by functions in the current folder. (This was not the case in Matlab 6.5, BTW). So create the function isequal.m in the same folder:

% isequal.m --------------------------
function Eq = isequal(a, b)
% shadow: show both arguments, then defer to the real built-in
disp(a);
disp(b);
Eq = builtin('isequal', a, b);
return;
% ---------------------------------------

Do the same for STRCMP, @cell/STRCMP, @char/EQ, etc. and you can get some information about the hard-coded strings in P-files.
A command which cannot be shadowed is SWITCH. So prefer this to keep secrets:
  switch varargin{1}, case 'asd', ... end

Another thought: The debugger does not stop inside a line, but just at the beginning. This allows using variables which do not appear in the workspace if the P-function is inspected with the debugger:
  Var = 'password'; if isequal(Var, UserInput); disp('open'); end; clear('Var');
*in one line*

But: DBSTEP IN lets you jump into subfunctions even inside a line. Then you can inspect the variables again from there, e.g. with EVALIN('caller', 'whos').

My impression is that it is really hard to keep secrets in P-files.

Kind regards, Jan
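The two caveats in this thread (a workspace dump shows every variable, and a same-named file in the current folder intercepts comparison functions) both come from having the secret itself present in the P-file. As an added example that is not code from either post, here is a token check written with both in mind: only a SHA-256 digest of the token is stored, so a dbstop/functions(@(x)x) dump shows the digest rather than the secret; the comparison is done with SWITCH, which Jan states cannot be shadowed; and the helper functions it does rely on are checked with WHICH -ALL before use. Everything here is assumed: the function names, the use of the JVM's java.security.MessageDigest for hashing, and the constructed digest, which is SHA-256 of 'abc' (the same string the first post hard-codes).

```matlab
function ok = check_token(userInput)
% CHECK_TOKEN  True when USERINPUT equals the expected secret token.
% Added example, not code from the thread. Assumes MATLAB with Java
% available (java.security.MessageDigest) and, as stated in Jan Simon's
% reply, that SWITCH cannot be shadowed by a user function.

    % Refuse to run if a helper we rely on resolves first to a file
    % outside MATLAB's own tree, i.e. a user-supplied shadow.
    assert_not_shadowed({'typecast', 'dec2hex', 'uint8', 'lower', 'reshape'});

    % Only a digest of the token lives in this file. A workspace dump
    % (dbstop + functions(@(x)x) as in the first post) reveals this value,
    % not the token. Constructed value: SHA-256 of 'abc'.
    expectedDigest = 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad';

    ok = false;
    if ~ischar(userInput)
        return;
    end

    % Compare with SWITCH rather than ISEQUAL/STRCMP so a shadowed
    % comparison function never receives the values being compared.
    switch sha256hex(userInput)
        case expectedDigest
            ok = true;
    end
end

function h = sha256hex(s)
% SHA256HEX  SHA-256 of the char array S as a lowercase hex string (via JVM).
    md = java.security.MessageDigest.getInstance('SHA-256');
    md.update(uint8(s));                               % bytes of S
    d  = typecast(md.digest(), 'uint8');               % Java byte[] -> uint8
    h  = lower(reshape(dec2hex(double(d), 2)', 1, [])); % 32x2 chars -> 1x64
end

function assert_not_shadowed(names)
% ASSERT_NOT_SHADOWED  Error if any name in NAMES resolves first to something
% other than a built-in or a file under MATLABROOT (cf. the isequal.m trick).
    root = matlabroot;
    for k = 1:numel(names)
        w = which(names{k}, '-all');
        if isempty(w)
            error('check_token:missing', '%s not found on the path', names{k});
        end
        first = w{1};
        if ~strncmp(first, 'built-in', 8) && ~strncmp(first, root, numel(root))
            error('check_token:shadowed', '%s is shadowed by %s', names{k}, first);
        end
    end
end
```

With this in check_token.m, check_token('abc') returns true and check_token('abd') returns false; stepping through it in the debugger exposes userInput and expectedDigest but no plaintext token. Two limits are worth keeping in view: a digest of a short, low-entropy token can still be recovered by guessing offline, so this only helps when the token is long and random; and the shadowing check is itself an ordinary function that a determined user of the same session can work around, so Jan's closing conclusion about P-files still stands.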
