Re: wrapping packages

From: Pete Finnigan <>
Date: Sun, 21 Sep 2003 09:39:50 -0800
Message-ID: <>

Hi Peter, Tanel and Jared,

Peter: I meant a public unwrap process not the internal mechanisms in the PL/SQL interpreter / VM.

Tanel: I would be more worried about Oracle coming after you in the legal sense if you did reverse engineer the wrap process!!

Jared: Are you sure that's how it works? Do you have inside knowledge? - if it is this way, is it compiled P-Code or the intermediate DIANA representation? - if it were DIANA or p-code then Peter is wrong above as I would assume that instead of needing an un-wrapper that the VM / interpreter just loads p-code rather than calling the compiler first - if it is DIANA representation then that would mean loading somewhere in the middle of the normal process - or would it? - Is normal (non wrapped) PL/SQL that is loaded into the cache held as p-code or DIANA - (or both?).

I understood that the wrap process encoded or rather obfuscated the PL/SQL, not encrypted it - I am not sure storing it as P-Code or DIANA would be secure as it should then be possible to extract enough structural program info from the database with the DIANA packages? or from the tables where the DIANA - or p-code is held.

Anyway, Peter is right in some sense as I heard that some Russian guy is supposed to have reverse engineered the wrap process and un-encoded / decrypted all of the built-in packages and posted the code somewhere on the net - A guy from a security company in the States told me this some months ago but I haven't seen any discussion of it to confirm it.

kind regards



Pete Finnigan
Web site: - Oracle security audit specialists


Author: Pete Finnigan

