The wrap utility is not really hiding the source code (Oracle RDBMS server on Sun Solaris version 9i)
The wrap utility is not really hiding the source code [message #390052] Wed, 04 March 2009 14:41
Orna
I have the following password encryption procedure where I put the encryption key inside the function:

CREATE or REPLACE function sys.encrypt_pass
(v_password IN varchar2)
return varchar2
IS
key_string VARCHAR2(8) := 'scottsco';
encrypted_string VARCHAR2(2048);

BEGIN

dbms_obfuscation_toolkit.DESEncrypt(
input_string => v_password,
key_string => key_string,
encrypted_string => encrypted_string);

return encrypted_string ;

END;
/

I then wrapped the function using the wrap utility :

wrap iname=enc.sql

and got an enc.plb wrapped function.
But when I look in the wrapped version, I can still see pretty clearly the source code, and most important - I see the encryption key :

CREATE or REPLACE function sys.decrypt_pass wrapped
0
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
3
8
9200000
1
4
0
d
2 :e:
1FUNCTION:
1DECRYPT_PASS:
1V_PASSWORD:
1VARCHAR2:
1RETURN:
1KEY_STRING:
18:
1scottsco:
1DECRYPTED_STRING:
12048:
1DBMS_OBFUSCATION_TOOLKIT:
1DESDECRYPT:
1INPUT_STRING:
0

.......



You can see clearly :

1KEY_STRING:
18:
1scottsco:

in the wrapped version.
Is that how this is supposed to work?
I thought that by wrapping I would solve the key being visible from the database, but apparently it does not solve it.
Is my only option to store the key outside the database?

thanks
Orna
Re: The wrap utility is not really hiding the source code [message #390055 is a reply to message #390052] Wed, 04 March 2009 14:50
Mahesh Rajendran
Known issue. It will not wrap strings in 9i.
Try later versions.
oracle@vault1#wrap iname=f1.sql

PL/SQL Wrapper: Release 11.1.0.6.0- 64bit Production on Wed Mar 04 15:31:30 2009

Copyright (c) 1993, 2004, Oracle.  All rights reserved.

Processing f1.sql to f1.plb
oracle@vault1#cat f1.plb
CREATE or REPLACE function encrypt_pass wrapped 
a000000
1
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
8
131 113
zQ57/SQ+Z7C2HXSv5wzwHf5HnKowgwHQcpmsfHaV2rtktC5EvS3L9wRHeYNL3zEoauvnKaPx
h5K7E3CIQjoV/u3Ghk7Aai3JrGoF7RC8Ra+fsbxbP3nVGnfpWuGIByrxzuORdqahDfcDpnXh
bHnYJfEIBtX4Exap+I4jEPgEOb80NmlKAV7e8m/uV4O5rDaRoHB2yIrY2IXAjHyrvthvBsNl
7RvDLpQicDRlkuu3HI9Z/fkGVxf5FWw3TrUqxn8ucRrGvRST7ftLmVxm


Re: The wrap utility is not really hiding the source code [message #390057 is a reply to message #390055] Wed, 04 March 2009 14:55
Mahesh Rajendran
Quoting docs.
Quote:

Limitations of the Wrap Utility

String literals, number literals, and names of variables, tables, and columns remain in plain text within the wrapped file. Wrapping a procedure helps to hide the algorithm and prevent reverse-engineering, but it is not a way to hide passwords or table names that you want to be secret


http://download.oracle.com/docs/cd/B10501_01/appdev.920/a96624/c_wrap.htm#138

As the doc suggests, it is a very bad idea to wrap passwords (specifically in 9i).
Even if 9i wrap can do it successfully, there are some covert methods to get most of the wrapped code back to plaintext.


Re: The wrap utility is not really hiding the source code [message #390060 is a reply to message #390055] Wed, 04 March 2009 15:07
Orna
thank you !

Orna
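
As an added example (not code from the thread or from Oracle), this Python script audits a 9i-style wrapped file for the plain-text literals that the documentation quote in the thread describes. It assumes the symbol-table layout seen in the dump posted in the first message (`1<text>:` entries, identifiers in upper case); `SAMPLE_PLB`, `classify_entries` and `exposed_literals` are hypothetical names, and the sample input is constructed from that dump.

```python
import re

# Constructed sample in the 9i layout shown in the post (abridged, not a real file).
SAMPLE_PLB = """\
CREATE or REPLACE function sys.decrypt_pass wrapped
0
abcd
1DECRYPT_PASS:
1KEY_STRING:
18:
1scottsco:
1DECRYPTED_STRING:
12048:
1DBMS_OBFUSCATION_TOOLKIT:
0
"""

# Assumption drawn from the dump in the post: a symbol-table entry is "1<text>:".
ENTRY = re.compile(r"^1(.*):$")
# Identifiers and keywords appear in upper case in that dump.
IDENTIFIER = re.compile(r"^[A-Z][A-Z0-9_$#]*$")
NUMBER = re.compile(r"^\d+(\.\d+)?$")


def classify_entries(plb_text):
    """Sort symbol-table entries into identifiers, numbers and likely strings."""
    found = {"identifier": [], "number": [], "string": []}
    for line in plb_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        value = m.group(1)
        if NUMBER.match(value):
            found["number"].append(value)
        elif IDENTIFIER.match(value):
            found["identifier"].append(value)
        else:
            # Lower/mixed case or punctuation: text copied from a quoted literal.
            found["string"].append(value)
    return found


def exposed_literals(plb_text):
    """String literals readable in the wrapped unit; review each as a possible secret."""
    return classify_entries(plb_text)["string"]


if __name__ == "__main__":
    print(exposed_literals(SAMPLE_PLB))
```

A literal written entirely in upper case is classed as an identifier by this heuristic, so review the identifier list as well when a unit is known to hold secrets.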