Friday, April 9, 2010

Unwrapping Oracle PL/SQL with unwrap.py

The Oracle wrap utility can be used to obfuscate PL/SQL code, to ensure it can't be easily read. Pete Finnigan described (pdf) the wrapping process for Oracle 9g, but for 10g and 11g it still remains a bit of a mystery. I decided to release my Python unwrapping utility (supports 10g and 11g).

The unwrapping steps for 10g are nicely described in the Oracle Hacker's Handbook, but the actual substitution table needed to decode the package is omitted. Nobody (as far as I know) has published it. A lot of people seem to know how to do it, though: there is even an online unwrapper available (and I'm sure everyone seriously involved in Oracle security knows how to do it). A Russian-made closed-source tool is also available, but it tends to upset virus scanners.

So to save everyone a couple of hours of figuring it out, here it is: unwrap.py

It's easy to use (I've used the wrapped procedure from this article as an example):

$ ./unwrap.py wrapped.txt

=== Oracle 10g/11g PL/SQL unwrapper - by Niels Teusink - blog.teusink.net ===

PROCEDURE WRAP_IT (SEED_IN NUMBER)
IS
  V_RAND INTEGER;
BEGIN
  DBMS_RANDOM.INITIALIZE (SEED_IN);
  FOR I IN 1..5 LOOP
   V_RAND := MOD(ABS(DBMS_RANDOM.RANDOM),45);
   DBMS_OUTPUT.PUT_LINE(I||': '||V_RAND);
  END LOOP;
END;
$


Update: one excellent resource I forgot to mention is this blog post by Anton Scheffer from Amis. I did not use his code to create my script, but he describes how to get the substitution table as well. I also noticed Oracle security expert Pete Finnigan has mentioned my script on his blog (his older blog post Unwrapping PL/SQL is also a good source of information).