Re: package body

From: Pete Finnigan <pete_at_petefinnigan.com>
Date: Thu, 20 Aug 2009 20:51:16 +0100
Message-ID: <4A8DA934.4050907_at_petefinnigan.com>



Hi Brian,

If it's wrapped then you can tell this easily by querying DBA_SOURCE for the PL/SQL in question, i.e.:

SQL> edit
Wrote file afiedt.buf

  1 select substr(text,1,80) from dba_source
  2 where name='TEST_PROC'
  3* and rownum=1
SQL> /

SUBSTR(TEXT,1,80)



procedure test_proc wrapped
0
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd

1 row selected.

SQL>

If the word wrapped is there then the code is not stored in the clear in the data dictionary. It can be unwrapped. 10g is easier to unwrap because the algorithm is weaker. The wrap mechanism is not encryption but obfuscation. In 10g it's a reversible algorithm. If you search my blog http://www.petefinnigan.com/weblog/entries/index.html you will see that there have been 10g unwrappers released written in Java.

For 9i and lower it's actually harder to unwrap as the wrapped code is actually the internal state of the PL/SQL compiler after the lexical analysis and static semantic analysis phases. It's possible to unwrap 9i code also (for the same procedure as above):

SQL> @unwrap_c

unwrap_c: Release 1.4.0.0.0 - Production on Mon Jun 01 14:07:13 2009
Copyright (c) 2008, 2009 PeteFinnigan.com Limited. All rights reserved.

NAME OF OBJECT TO CHECK                 [P1]: TEST_PROC
OWNER OF OBJECT TO CHECK               [SYS]: SYS
TYPE OF THE OBJECT               [PROCEDURE]: PROCEDURE
OUTPUT METHOD Screen/File                [S]: S
FILE NAME FOR OUTPUT              [priv.lst]:
OUTPUT DIRECTORY [DIRECTORY or file (/tmp)]:

create or replace procedure TEST_PROC( PV_NUM in NUMBER,  PV_VAR in VARCHAR2, PV_VAR3 in out INTEGER) is
 L_NUM NUMBER:=3;
 L_VAR NUMBER;
 J NUMBER:=1;
procedure NESTED( PV_LEN in out NUMBER) is
 X NUMBER;
begin
 X:= PV_LEN * 5;
end;
begin
case L_NUM
 when 1 then
 L_VAR:=3;

 DBMS_OUTPUT. PUT_LINE('This is a header');
 DBMS_OUTPUT. PUT_LINE('The number is ' ||  L_VAR);
 DBMS_OUTPUT. PUT_LINE('The case var is ' ||  L_NUM);
 when 2 then
 L_VAR:=4;
 DBMS_OUTPUT. PUT_LINE('This is a header');
 DBMS_OUTPUT. PUT_LINE('The number is ' ||  L_VAR);
 DBMS_OUTPUT. PUT_LINE('The case var is ' ||  L_NUM);
 when 3 then
 L_VAR:=6;
 DBMS_OUTPUT. PUT_LINE('This is a header');
 DBMS_OUTPUT. PUT_LINE('The number is ' ||  L_VAR);
 DBMS_OUTPUT. PUT_LINE('The case var is ' ||  L_NUM);
else
 DBMS_OUTPUT. PUT_LINE('wrong choice');
end case;
if ( ( J = 1) and ( J = 3)) then
 DBMS_OUTPUT. PUT_LINE('here is IF');
elsif ( ( J = 2) or ( J != 3)) then
 DBMS_OUTPUT. PUT_LINE('The elsif clause');
else
 DBMS_OUTPUT. PUT_LINE('else clause');
end if;
 J:=4;
 NESTED( J);
 DBMS_OUTPUT. PUT_LINE('nested=:' || J);
for J in reverse 1.. PV_NUM loop
if MOD( J,2) = 0 then
 DBMS_OUTPUT. PUT_LINE('for loop with reverse');
end if;
end loop;
end;
/

INFO: Elapsed time = [.1 Seconds]

PL/SQL procedure successfully completed.

For more information please visit http://www.petefinnigan.com

SQL>

This is unwrapped with an unwrapper written in PL/SQL and it does a 100% source code retrieval. DIANA was designed to be unwrapped as the tools of the day had little memory to play with and the idea was to store code as DIANA/IDL and then to retrieve the source from the IDL. I have written and presented about unwrapping PL/SQL - see http://www.petefinnigan.com/orasec.htm for a paper on unwrapping.

cheers

Pete

Zelli, Brian wrote:
> It says it is wrapped. So that means I can't see it at all?
>
> ciao,
> Brian
>
> Brian J. Zelli, Ed.M.
> Sr. Database Administrator
> Enterprise Application/Systems Integration
> Information Technology - Roswell Park Cancer Institute
> phone: (716) 845-4460 email: brian.zelli_at_roswellpark.org
>
>
>
> ________________________________
> From: Blanchard, William [mailto:wblanchard_at_societyinsurance.com]
> Sent: Thursday, August 20, 2009 2:20 PM
> To: Zelli, Brian; Oracle L
> Subject: RE: package body
>
> Is the package wrapped? If not, Select text from all_source where name = 'PROCEDURE NAME';
>
>
> WGB
>
> ________________________________
> From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Zelli, Brian
> Sent: Thursday, August 20, 2009 1:17 PM
> To: Oracle L
> Subject: package body
>
> I have a developer who asked me what was in the body of a package. I seem to remember being able to look at a package but can't for the life of me think of what it was. I tried dba_source but that spits out a bunch of numbers. What shows the code?
>
>
>
> ciao,
> Brian
>
>
> -
>
> This email and any information, files, or materials transmitted with it
> are confidential and are solely for the use of the intended recipient.
> If you have received this email in error, please delete it and notify
> the sender.
>
>
>
> This email message may contain legally privileged and/or confidential information. If you are not the intended recipient(s), or the employee or agent responsible for the delivery of this message to the intended recipient(s), you are hereby notified that any disclosure, copying, distribution, or use of this email message is prohibited. If you have received this message in error, please notify the sender immediately by e-mail and delete this email message from your computer. Thank you.

-- 

Pete Finnigan
Director
PeteFinnigan.com Limited

Specialists in database security.

If you need help to audit or secure an Oracle database, please ask for
details of our courses and consulting services

Phone: +44 (0)1904 791188
Fax  : +44 (0)1904 791188
Mob  : +44 (0)7742 114223
email: pete_at_petefinnigan.com
site : http://www.petefinnigan.com

Registered Office: 9 Beech Grove, Acomb, York, YO26 5LD, United Kingdom
Company No       : 4664901
VAT No.          : 940 6681 14

Please note that this email communication is intended only for the
addressee and may contain confidential or privileged information. The
contents of this email may be circulated internally within your
organisation only and may not be communicated to third parties without
the prior written permission of PeteFinnigan.com Limited.  This email is
not intended nor should it be taken to create any legal relations,
contractual or otherwise.

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Aug 20 2009 - 14:51:16 CDT
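
The single-object check in the message above extends to a whole database. The following queries are an added example, not part of the original message; they assume SELECT access to DBA_SOURCE, and the whole-word match on line 1 and the SYS/SYSTEM exclusion are choices made for this example.

```sql
-- Added example (not from the original post).
-- Assumption: SELECT privilege on DBA_SOURCE; substitute ALL_SOURCE without it.
-- Line 1 of each stored unit holds the header, e.g. "procedure test_proc wrapped".
-- Newlines and tabs are turned into spaces so the keyword is matched as a
-- whole word; a comment on line 1 containing " wrapped " would still match,
-- so treat the result as a heuristic.

-- 1. Per-schema summary: how much stored PL/SQL is wrapped vs. clear text.
select owner,
       type,
       sum(is_wrapped)     as wrapped_units,
       sum(1 - is_wrapped) as clear_units
from  (select owner, name, type,
              case
                when instr(lower(translate(text, chr(10) || chr(13) || chr(9), '   ')) || ' ',
                           ' wrapped ') > 0
                then 1 else 0
              end as is_wrapped
       from   dba_source
       where  line = 1)
group  by owner, type
order  by owner, type;

-- 2. Detail: wrapped units outside SYS and SYSTEM
--    (the exclusion list is an assumption of this example).
select owner, name, type
from   dba_source
where  line = 1
and    owner not in ('SYS', 'SYSTEM')
and    instr(lower(translate(text, chr(10) || chr(13) || chr(9), '   ')) || ' ',
             ' wrapped ') > 0
order  by owner, type, name;
```

Because wrapping is obfuscation rather than encryption, the units returned by the second query are the ones to review for anything that depends on the source staying hidden.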
