Security Oracle - Unwrapping PL/SQL code - bug share your point of view

Hi all

This is a very abnormal case to unwrap PL/SQL wrapped codes. Is this a bug in Oracle security, or... And how is it possible to unpack code that is wrapped by the #1 database system, which ensured that "the wrapped code is not possible to be unwrapped"?

Please send us your review

- - - - - - - - - - - - - - - - - - - - -
Kamran Agayev a. (OCP 9i / 10g)
Author of the forthcoming book--"Oracle Backup & Recovery: Expert secrets to use RMAN and Data Pump"
http://www.rampant-books.com/book_1002_rman_backup_recovery.htm

Hi guys,

Some interesting points in this thread. First, Oracle wrap, both pre-10g and post-10g (the two methods are very different), is not encryption; it's simple obfuscation (your opinion on the definition of 'simple' may vary). Oracle do not specify in their documentation that it is a secure solution; they say it's obfuscation. There are unwrappers out there for both types. A comment on the thread suggests that only the structure of the code is possible to get by using an unwrapper. This is not true, and the misconception is perhaps because some of the unwrappers out there were created for security researchers/consultants so that they could find bugs, and in these cases the recovery of the real source code was not necessary.

Is it a bug that the code can be revealed? In theory, probably 'no', because Oracle never said code recovery was impossible. Can they make the wrapping process harder? Probably. Is it worth it? Not sure; whatever is implemented would probably be broken. A better solution might be a customer-based solution, that is, Oracle provides the wrap mechanism and we as customers provide our own key? It is flawed though, as the database needs to decipher (un-hide) the code so it can be loaded. The pcode would always be available, and it should not take "too long" for someone to go straight from pcode back to PL/SQL.

see you soon

Pete

Tags: Database

Similar Questions

  • Bug from the point of view of culture in CC?

    As you can see that Photoshop is a weird behavior in the current version. Any ideas on that? Thank you!! Hannes

    Have you tried Edit > Perspective Warp?

    https://helpx.Adobe.com/Photoshop/using/perspective-warp.html

    Usually works better and has more control that the old crop of perspective.

    With prospect of harvest if you rotate the cube first before harvest of Perspective, then you will get better results.

  • Extensions: Convert T - SQL code

    Hello

    Do we not have an extension for SQL Developer that converts the Oracle in T - SQL code?

    Thank you

    Do we not have an extension for SQL Developer that converts the Oracle in T - SQL code?

    There is such an extension. It is called a "consultant."

    See you soon,

    Brian

  • How normalization code in oracle 10 in sql/pl-sql

    If any body help manage how the standaridazation code in oracle 10g in sql/pl-sql.

    post your coding standards

  • BUG: Wrong Getting sql code when generating types in jDeveloper 1.1.1.3.0

    I am getting fake SQL code when generating types in JDevelper 11.1.1.3.0.

    Process:

    1. create a new application: Test
    2. create a new project: Project1
    3. create the database offline: ECIS
    4. create a contact schema
    5. create a type:
    CREATE OR REPLACE TYPE HAS_REASON_OF_CETYPE AS OBJECT
    (
    has_reason_of varchar2 (36)
    )

    6. create a table type based on the previous type:
    CREATE OR REPLACE TYPE HAS_REASON_OF_CETYPE_LIST
    AS TABLE OF contact.has_reason_of_cetype;

    7. generate SQL script. Results:

    CREATE TYPE HAS_REASON_OF_CETYPE_LIST
    AS_REASON_OF_CETYPE_LIST <-this is the wrong code
    AS TABLE OF contact.has_reason_of_cetype;
    /

    CREATE TYPE HAS_REASON_OF_CETYPE
    AS_REASON_OF_CETYPE AS OBJECT <-fact here too
    (
    has_reason_of varchar2 (36)
    )
    /

    I have not seen this error with type names in our project, or this error in the previous version. Someone has seen this before and knows a way around it?

    Published by: user13324293 on July 20, 2010 11:48

    It's a regression in PS2 (11.1.1.3.0), during which our DDL generation was rewritten. The problem, in a nutshell, is that while determining whether the generated DDL must prefix the name of the object with a different schema, some erroneous (simpler) string manipulation is done. So if the name (or schema.name) in the source contains the token that follows it (i.e. AS or IS), it has the problem. This problem is fixed in the 11.1.2.0.0 and 11.1.1.4.0 streams.

    There are two possible solutions.

    You can use IS instead of AS in the above case (as IS does not appear in the name) or simply change the case of AS so that it is not the same as in the name - that is to say use "beneath", 'As' or 'Sub '.

    I hope this helps.

    Pete - team JDeveloper DB

  • Security problem for the source code

    Hello guys '

    I have a question about the safety of coding. So, I know that anyone can create .jar .java or .class file.

    And my question:

    Is it possible to create the .cod file .java file? I think the best solution to save the source code uses secure obfuscator.

    Do you use the Java obfuscator? What obfuscator is the best?

    Please share your knowledge with me ' guy

    TNX'

    You would like to read the following Article:

    How to-obfuscate code in a BlackBerry application
    Article number: DB-00438

    http://www.BlackBerry.com/knowledgecenterpublic/livelink.exe/fetch/2000/348583/800901/How_To_-_Obfus...

    I know that a BlackBerry development company using Proguard.

  • Dynamic Action run PL/SQL Code runs is not after 4.2.5 upgrade

    APEX 4.2.4 to 4.2.5 11.2 database upgrade

    I have a button to click on DA who owns shares run of PL/SQL Code and update point who worked in version 4.2.4 which is no longer running after the 4.2.5 patch.

    The PL/SQL procedure has been tested autonomous and it runs correctly.

    I tested him DA is actually shot on the click event by adding an alert "DA xxxx pulled" action before the execution of work of PL/SQL action and action alert.

    There is also a similar on DA click which makes the action opposite to the DA problem and it works both are configured in the same way:

    Static DA, run Code PL/SQL - check waiting for result, and not repress with the same Submit and return items.

    Any ideas on a possible cause/solution much appreciated

    Fixed it, the question was the Page elements of return of goods on the action of PL/SQL Code:

    If the target element was empty the action failed, by adding a value in the database through a normal SQL insert then the insert DA completed successfully.

    Removing Page elements at the point of return of the action of PL/SQL and together action update the target element after the DA fires in all scenarios.

    But thanks for the lead

  • Wrap the PL/SQL code

    First of all, Hi everyone.

    I need to encrypt my PL/SQL code at run time. I thought of using wrap.exe, but it won't be a good option, since I may need to change something in the code and I will not be able to send the wrapped code to the final customer. So, I'll use DBMS_DDL.WRAP, but I have a doubt: I understand that my object will be encrypted in the database, but how can I prevent software that captures SQL (like SQL STATEMENTS TRACE) from getting the source when creating the object?


    Thank you very much.

    Agree with SomeoneElse, having a license legally correct contract protects your code.

    The package code is not a bad thing if that's what you are providing to the customer and that you have in place adequate source code controls, so you do not lose the source for yourself.  Although there are "unwrappers" out there, it may depend on the version of Oracle as to how well they work, and if they can achieve.  There are tools out there too which can obscure the PL/SQL code by doing things such as the conversion of all the variable names to things without meaning as a0001, a0002, a0003,... and deletes all comments etc before you wrap, so even if someone manages to undo what they are presented with the code that is more difficult to follow.

    Regarding the customer being able to see SQL running, you won't really be able to do anything about that if the customer has DBA-type access to the database; the only thing you can do to avoid this is to provide a managed service where your company has total control of, and provides full support for, the server, database and applications, and the client does not have access to anything but the front end of the application.  Of course, if the customer has access to the database and can see running SQL code, then that can actually be beneficial if they have problems, because they can do their own initial analysis to determine the cause and determine if they should send the question to yourselves.

  • frmcmp cannot compile the modules containing SQL code that connected to the database

    Hello

    I checked several hundred messages of the forum on the net without finding a solution.

    I have a Linux server with 11.1 WebLogics (11 GR 1 material) and FormsRuntime installed.

    I am logged in as root.

    I put all the environment variables based on the values in default.env.

    In addition, I updated TERM and ORACLE_TERM vt220. And TNS_ADMIN to the location of the sqlnet.ora and tnsnames.ora.

    I compiled a simple .pll containing only the following code:

    PROCEDURE test IS
      a INTEGER := 0;
    BEGIN
      a := 1;
    END;

    command:

    frmcmp_batch module = TESTLIBPLAIN.pll userid=myuser/mypassword@mydb module_type = LIBRARY output_file = TESTLIBPLAIN.plx compile_all = Yes = Yes = No. batch connection

    result: successful compilation. generated .plx.

    now, I'm trying to compile an another .pll containing just the following code:

    PROCEDURE test IS
      a INTEGER := 0;
    BEGIN
      SELECT 1 INTO a FROM dual;
    END;

    command:

    frmcmp_batch module = TESTLIBSQL.pll userid=myuser/mypassword@mydb module_type = LIBRARY output_file = TESTLIBSQL.plx compile_all = Yes = Yes = No. batch connection

    result: error:

    "

    11 forms (form of the compiler) Version 11.1.1.3.0 (Production)

    Copyright (c) 1982, 2010, Oracle and/or its affiliates.  All rights reserved.

    Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production

    With partitioning, OLAP and Data Mining options

    PL/SQL Version 11.1.0.7.0 (Production)

    Oracle V11.1.1.3.0 - Production procedure generator

    Oracle virtual graphics system Version 11.1.1.3.0 (Production)

    Oracle Multimedia Version 11.1.1.3.0 (Production)

    Oracle tools integration Version 11.1.1.2.0 (Production)

    Common tools Oracle area Version 11.1.1.3.0

    Oracle CORE Production 11.1.0.7.0

    Compile the library TESTLIB.

    Invalidate the body TEST procedure...

    Compilation of body TEST procedure...

    ERROR on line 5, column 1 0

    Ignored SQL statement

    Library TESTLIB closing...

    Errors on TEST:

    PL/SQL ERROR on line 5, column 1 0

    Ignored SQL statement

    Could not generate the library.

    FRM-30312: unable to compile the library.

    "

    the two libraries differ by having used SQl commands or not.

    I tried to compile some more complex .pll and .fmb containg the SQL code. I get similar error messages. The messages that I receive for each module are the same, I would get when compiling the module with FormBuilder 9i (Windows) without being connected to the database.

    So my first thought was, this frmcmp_batch is unable to connect to the database.

    BUT:

    From frmcmp_batch with an invalid user, password, or database name not existing (resp. not in tnsnames.ora), results in appropriate error messages (not found TNS, refusal to sign etc.).

    With myuser/mypassword@mydb I don' t get this kind of messages.

    sqlplus myuser/mypassword@mydb works.

    myuser can access all objects in the database mydb.

    mydb tnsping works.

    When I check v$ session on mydb while (!) frmcmp_batch is running, I see that it is in fact a db session, created from myuser: DB-User = myuser, terminal = myappsever, osuser = root, remote process = frmcmp_batch.  And State of the current session of the db is ACTIVE.

    As a result, frmcmp_batch fails with error messages that I expect that when there is no connection to the base, if it is connected!

    Any ideas what could be wrong with my setup?

    Help appreciated.

    Jean

    I found the solution. It seems frmcmp 11g can connect to, but does not compile against, the 9i database. Using an 11g database resolves the problem :-)

  • want to understand the stages of executing pl/sql code

    Hello all;

    I want to know the logic of programming for the pl/sql code, what I have written;

    because I was late yesterday to resolve the simple error.

    > > It's link https://forums.Oracle.com/thread/2565867

    OK now that I have written my code same lineup, but few changes:

    now it's working.  as I said above, I want to know the programming logic "flow of execution steps" of pl/sql code

     1  DECLARE
     2    a number := 10;
     3    b number := 20;
     4    c number;
     5    procedure findmin(x IN number, y IN number, z OUT number) IS
     6    BEGIN
     7      <<BLOCK1>>
     8      if x < y then
     9        z := x;
    10      else
    11        z := y;
    12      end if;
    13    END;
    14  BEGIN
    15    <<BLOCK2>>
    16    findmin(a, b, c);
    17    DBMS_OUTPUT.PUT_LINE(c);
    18* END;
    19  /

    10

    PL/SQL procedure successfully completed.

    > > Is this process flow?  > >

    1. the declaration part.

    2. on reading findmin at line no. 5, control then passes to line no. 16.

    3. after receiving input values, control passes back to 5

    4. then compiler executes the code accordingly.

    Question: how many compiler Oracle will execute code written?

    8f953842-815B-4D8C-833d-f2a3dd51e602 wrote:

    1. the declaration part.

    2. on reading findmin at line no. 5, control then passes to line no. 16.

    3. after receiving input values, control passes back to 5

    4. then compiler executes the code accordingly.

    Question: how many compiler Oracle will execute code written?

    1. any declaration section is processed in order to declare and allocate the space/memory etc.  Including declaring the procedure in scope in memory (the procedure is not executed)

    2. execution of the code block begins with the first statement after BEGIN

    3. the procedure is called in memory with the parameters passed to it.

    4. when the procedure completes execution returns to the statement in the main execution block, after the procedure call.

    Note:

    The compiler is not executing code, it compiles just in memory or stored in the database (depending on whether it is an anonymous block or the stored procedure / package etc..)

    The code isn't really jump 'line by line', because at the time when it is run, it is compiled down to a pcode (or native code if this is allowed), and which may contain several intermediate statements to run the underlying process.  The compiled code however keep track of line numbers of source code of error for the purposes of statement internally.

  • Examples of pl/sql code that can be used in training for new developers

    Hello

    I'm working on a training ride on the pl/sql to some developers who are totally new to PL/SQL. Although they are experienced in another language. I have power point on pl/sql presentations, but they especially the theory oriented with just a few examples. I'm looking for more help to have a few example pl/sql that can be given to interns as the code for example and also to practice. It should be a bit detailed and like to print the odd numbers or print "hellp world." Can anyone help to suggest if there is an example of code that is a bit detailed with a kind of complex problem which will give students a hands good example? I see a nice example at this link: http://tucano.tucanowebdesign.com/oracle/tutorial5.html - on an inventory system. It gives the feeling of being one on the issue of real-world work. So that if anyone knows of some other example say about 150 t0 300 lines or so of the code, I'll be grateful if it is shared.

    Thank you

    OrauserN

    That said, I feel again (my perception) that more code a person writing/comments the better he gets. So, I want students to examine several code examples. I guess I need to see some books to bring out some really long piece of PL/SQL - like case studies.

    . . .
    But these guys are too busy and so I try to find the net / books some really detailed examples.

    But you seem to be overlooking that PL/SQL is supposed to be used for: PL means "procedural language.

    So, PL/SQL must be used to 'procedure' treatment; This is typically several process steps. For example, when you want to run three applications as a "TRANSACTION". If all three completed successfully you COMMIT and if any of the three you don't ROLLBACK.

    You can do this by using SQL only. And a developer doesn't have to write the code until they have a technical requirements doc that explains what problem the code is supposed to solve and the constraints and requirements that the code must implement.

    So, my suggestion is the following:

    1. identify and teach the types of issues that PL/SQL is used to help solve. Multi-step transactions, I mentioned above is an example

    2. use the documentation and the code of your own organization in the form of samples. These 'guy' is perhaps too busy, but they should be able to provide to you all the documents for the code they wrote and that you use which would be good to use as examples. If they have no documents technical requirements so you just identify a MAJOR gap in the operations of your org that you must bring to the attention of management.

    3. you can provide value added a lot more if you use code from your own org as a basis for what you are doing. A very useful training exercise is to ask students to perform 'code review' of a code (a procedure or function) and write simple comments, one line that explain, in plain English, what makes each piece of code.

    4 comments, students create to step #3 can actually be incorporated into your code then existing so that future developers can use these comments to understand what the code actually does.

    5 part of your 'education' should be on the way to 'test' correctly a piece of code PL/SQL to make sure it is doing what it is supposed to do. Again, if your students actually your own org code allows to create tests, these tests can then be added as a result of 'test' for this application and that adds value. A lot of times those developers 'busy' will not create the actual test cases and that your students can help remedy that. In addition, it does no good to know how to write PL/SQL code if you don't know how to test properly.

  • PL/SQL code help

    Morning all,

    I need assistance with regard to the PL/SQL code.

    Question: How many cases was activated from Direct treatment information/advice within 8 weeks?

    Sample data:

    MEMBER_IDCASE_IDSP_CODESP_NAMESP_SUBTYPE_CODESP_SUBTYPE_NAMEREFERRAL_DATESERVICE_DATE
    00000000120138581001Info & advice1001Information-25/09/2012
    00000000120138581005Direct treatment1022Seamless10/01/201210/01/2012

    I need to count the number of the place where CASE_ID SP_CODE = '1001 ' and then a SP_CODE = '1005' as the program installation, then the difference between SERVICE_DATE for ' 1001' and for '1005' REFERRAL_DATE is within 8 weeks? I hope this makes sense?

    Hello

    One way is to use an EXISTS sub-query, like this:

    SELECT  COUNT (case_id) AS cnt    -- or COUNT (DISTINCT case_id)
    FROM    table_x m
    WHERE   sp_code = 1005
    AND     EXISTS (
                SELECT 1
                FROM   table_x
                WHERE  sp_code = 1001
                AND    case_id = m.case_id
                AND    service_date >= m.service_date - (8 * 7)
                AND    service_date< >
            )
    ;

    I hope that answers your question.

    If not, post a small example of data (CREATE TABLE and INSERT statements) and the results desired from these data.  Point where the query above will not and explain how to get good results in these places.

    See the FAQ forum: https://forums.oracle.com/message/9362002#9362002

    The combination (case_id, sp_code) is unique?  What happens if a case_id has, say, 1001 multiple s all less than 8 weeks before the same 1005?

    Member_id (or one of the other columns not in the above query) plays no role in this problem?

  • The call to the Workflow background process explicit in the pl/sql code

    Hi all

    We have a requirement where we need to call the "Workflow background process" explicitly in the pl/sql code.
    Our wish is that we have an application that runs via a competing program, but before the end of this application we want to put that on the wait and run the 'Workflow background process"explicitly in the code itself (user must not go and run it manually).
    Can someone please advice me how to do this in a PL/SQL code that is called via a concurrent program.

    Kind regards
    Shruti

    PL post Details of the operating system, database and versions EBS.

    One solution is to use the FND_SUBMIT API

    The most common FND API in APPS customizations [ID 221549.1]
    Code example for call Customer Interface RACUST program using the Api FND_SUBMIT 11i and R12 [429278.1 ID]

    https://forums.Oracle.com/forums/search.jspa?threadID=&q=FND_SUBMIT&objid=C3&DateRange=all&userid=&NumResults=15

    HTH
    Srini

  • PL/SQL formatter bug (line breaks)?

    Hello

    Developer SQL 3.0.04

    I'm trying to format my PL/SQL code.
    I have a problem of code written as a formatting string (between ") and containing line breaks.

    Example (code by default without formatting):
    begin
        -- build the query
        l_query := l_query || 
          'select distinct
            col1 as "A",
            col2 as "B.",
            col3||''.''||col4||''.''||col5 as "C",
            col6 as "D",
            col7 as "E",
            col8 as "F"
          from
            table1 inner join table2 on tbl1_id = tbl2_id1
            left join table3 on tbl3_id = tbl2_id2
            '||l_from||'
          where
            '''||in_report_to_compute||''' = ''PIL''
            and col5 = ''P''
            '||point_ui.get_where_for_point_query(in_source, in_report_to_compute);
        return l_query;
    end;
    When I have the format:
    begin
        -- build the query
        l_query := l_query || 'select distinct
    
    col1 as "A",
    
    col2 as "B.",
    
    col3||''.''||col4||''.''||col5 as "C",
    
    col6 as "D",
    
    col7 as "E",
    
    col8 as "F"
    
    from
    
    table1 inner join table2 on tbl1_id = tbl2_id1
    
    left join table3 on tbl3_id = tbl2_id2
    
    '||l_from||'
    
    where
    
    '''||in_report_to_compute||''' = ''PIL''
    
    and col5 = ''P''
    
    '||point_ui.get_where_for_point_query(in_source, in_report_to_compute) ;
        return l_query;
    end;
    And once again the format:
    begin
        -- build the query
        l_query := l_query || 'select distinct
    
    
    
    col1 as "A",
    
    
    
    col2 as "B.",
    
    
    
    col3||''.''||col4||''.''||col5 as "C",
    
    
    
    col6 as "D",
    
    
    
    col7 as "E",
    
    
    
    col8 as "F"
    
    
    
    from
    
    
    
    table1 inner join table2 on tbl1_id = tbl2_id1
    
    
    
    left join table3 on tbl3_id = tbl2_id2
    
    
    
    '||l_from||'
    
    
    
    where
    
    
    
    '''||in_report_to_compute||''' = ''PIL''
    
    
    
    and col5 = ''P''
    
    
    
    '||point_ui.get_where_for_point_query(in_source, in_report_to_compute) ;
        return l_query;
    end;
    It seems to double the line breaks + 1 each time:
    1 line break
    3 line breaks
    7 line breaks
    15 line breaks
    31 line breaks
    etc.

    I unchecked everything in the formatter configuration, with the exception of the CASE line crossings.
    Commas with line number: 1
    Width Max Line: 999
    Threshold for SQL small: 999

    How can I avoid this?

    Thank you.

    Yann.

    Hi Yann39

    Workaround: use Chr (10) instead of multiline strings.
    See Re: Trainer code break my literal "Asunder"

    Reproduced and connected
    Bug 14114689 - TRAINER of CODE BREAKING MY LITERAL ASUNDER (to the AID of MULTI LINE LITTERAUX)

    -Turloch
    SQLDeveloper forum

  • If I can revise the SQL code generated by OBIEE

    Hi all

    I had a problemetic SQL generated automatically by OBIEE. I have to rewrite or at least add a tip to make it complete within a fixed period.

    But I'm not sure if OBIEE offers us this feature to change or customize the SQLs it generates?

    Please help to give some advice.

    Thank you very much.
    Leon

    Hi leon,

    OBIEE increases the performance of the aliases table, cz as he can't do oneself joined himself.
    Please visit this link this will solve your problem to improve performance
    http://www.iwarelogic.com/blog/performance-increasing-OBIEE-724
    (GOLD) http://www.rittmanmead.com/2008/11/thoughts-on-OBIEE-performance-optimization-Diagnostics/

    UPDATE POST
    @leon, you cannot change the SQL code generated by obiee, your obligation to use EXISTS instead of IN operator, then you can do this in the physical layer of RPD by accessing the properties of the table and select SQL problem and write your query with condition EXISTS on the relevant tables. So that in turn Bi server accepts and converts according to its methodology.

    UPDATE POST-2
    @leon, you can use rownum in your where clause, but check the query generated by OBIEE and the results obtained by rownum satisfied your requirment.

    Please follow label by awarding points to make it useful to others and even for us. Rules to be followed http://forums.oracle.com/forums/ann.jspa?annID=939

    hope responds to your question.mark points.

    See you soon,
    KK

    Published by: Jocelyn on January 24, 2011 22:25

    Published by: Jocelyne 24 January 2011 22:27

    Published by: Jocelyn on January 25, 2011 02:13

    Published by: Jocelyne 25 January 2011 05:26
