How do I change the hard-coded database password of a Delphi program that I can't recompile? [closed]

M

2

5

I have a Delphi application that I cannot recompile.

In the process of moving the database to a new SQL Server version, I want to change the database password so it's no longer blank. The problem is that the application has the database credentials embedded in the .exe.

Is there any way that I can change the password?

Server name and database name are configurable.

Mount answered 9/7, 2015 at 9:32 Comment(7)

Does your newer SQL Server version not allow blank passwords? Otherwise, I don't understand the issue. – Decimal 9/7, 2015 at 12:58

i dont want to make my sa password blank as the new server is a big one... – Mount 9/7, 2015 at 13:6

@RobKennedy: Might be worth mentioning for readers who do not know, traditionally, the sa account on Sql Server has had unfettered access to the entire server, which is why a blank pwd is not such a good idea, and why one certainly wouldn't want to remove the sa pwd just to allow an app access to it. In recent versions, it's not so easy to leave it blank, fortunately. – Iconolatry 9/7, 2015 at 16:24

You've got bigger problems. How did you find yourself reliant on bespoke software that cannot be modified? – Professionalize 9/7, 2015 at 18:30

I fail to see how this is a programming (or Delphi) question. It's a question about altering an executable program for which you have no source, which by definition is not related to programming. (No code, no access to code - not a programming question.) The fact that the app in question was written in Delphi doesn't change it to a programming question, any more than having it written in C, C++, or any other language would. – Ammoniate 10/7, 2015 at 3:1

@KenWhite: I'm not sure I agree that it's not relating to Delphi programming. It helps to come up with a solution to know how Ado is programmed in Delphi, and in particular how it often involves a connection string stored in the .Exe. – Iconolatry 10/7, 2015 at 11:56

@MartynA: Certainly, as would a connection string stored in a resource in a C application, or a string constant in C++, etc. Being written in Delphi makes no difference; the Delphi tag means the Delphi programming language or IDE, the question concerns changing a binary and not program source. – Ammoniate 10/7, 2015 at 12:30

I

5

Below is a screenshot of part of a D7 .Exe of mine showing the relevant part of its Ado ConnectionString.

I used an antique file viewer (from the example apps accompanying an old TurboPower library) to take the screenshot. I just loaded the file into it, entered "persist" as the search string and skipped a couple of TPersistent instances to locate it.

Of course, you could use any old hex file-editor to do similar and change it, provided the .Exe isn't compressed or protected against tampering by checksums, etc.

You'll probably need to experiment a bit, & compare with another app which has a non-blank password so that you can come up with some new credentials that'll fit into the space available in the .Exe's disk image.

enter image description here

Iconolatry answered 9/7, 2015 at 9:50 Comment(9)

I will go with this answer as i need also to change some combo box strings also.... – Mount 9/7, 2015 at 11:2

I suggest you try the ResourceHacker utility in the other answer first. It's much easier to use than hacking it yourself. – Iconolatry 9/7, 2015 at 11:5

I did it with your way! I changed the conneciton string PLUS combobox values that i needed. – Mount 9/7, 2015 at 11:8

This will not work if the new data (string) is longer than the old. – Schurman 9/7, 2015 at 18:3

@Johan: Well, quite. That's why I said in my answer "so that you can come up with some new credentials that'll fit into the space available in the .Exe's disk image". – Iconolatry 9/7, 2015 at 18:13

Yes, except the OP mentioned that the old password is blank. In which case your idea will never work. – Schurman 10/7, 2015 at 10:19

@Johan: I think you may have overlooked the format in which the connection string is stored in the .Exe (I used one compiled with D7 for my test). A blank pwd is stored as two consecutive double-quote characters, whereas a non-blank one isn't surrounded by quotes. So, one can replace a blank pwd by a 2-character one. I have done this and it works fine. I'm not saying it's a great solution, but it does work. And, if one needed more space, one might overwrite the "Initial Catalogue" part of the connection string. – Iconolatry 10/7, 2015 at 11:40

@martyna, security as a 2 char passwd.... I rest my case. – Schurman 10/7, 2015 at 14:13

@Johan; You are not resting the same case as you asserted ('.. never work ...'). In any case, I just tested it and the AdoConnection ignores the "Persist Security Info" setting which is stored in the connection string immediately following the password, so it can be overwritten by a much longer password. – Iconolatry 10/7, 2015 at 14:44

S

16

If the connection string was saved in the TADOConnection component in design mode, Your best choice is to use Resource editor such as Resource Hacker.

The forms or data modules DFM are found in the RCData section. just change the connection string and use "Compile script". This will save your changes back to the EXE file without the worry of corrupting the EXE.

I assume your EXE is not packed (PE packer) or digitally signed.

enter image description here

Sumter answered 9/7, 2015 at 10:39 Comment(4)

Thanks. Just for the Op's info, I used this to change the password on my example app and it worked fine. – Iconolatry 9/7, 2015 at 11:4

For anyone with the same problem. This is the correct answer. Do not muck around with a hex-editor. – Schurman 9/7, 2015 at 18:2

This is the correct answer if the ONLY thing you need is to only change the connection – Mount 10/7, 2015 at 5:13

@Mount the majority of application data is accesible to the resource editor, because of the way delphi program are structured. For that data this is the correct answer as well. – Schurman 10/7, 2015 at 10:21