Reverse Engineering a Data Model using the Oracle Data Dictionary Reverse Engineering a Data ModelUsing the Oracle Data DictionarybyThis article shows you how to use the Oracle Data Dictionary to obtain:. Table definitions. Constraints. Indexes. Views. Sequences. Triggers.
PL/SQL functions and proceduresThe ProblemLet's say you have to work with an Oracle database, using adata model that somebody else wrote. Maybe you're extending the data model or building anapplication that references it. There's only one problem: whomever createdthe original data model left without writing a line of documentation.What do you do? How to you reverse engineerthe data model to unearth the table definitions, constraints, indexes,views, sequences, triggers, and PL/SQL functions and procedures?This ends up being an easy task if you use the Oracle data dictionary.The Oracle Data DictionaryJust like you use Oracle tables to store your data, Oracle uses tables to storeits data. Sims 2 models male.
![]()
There was an interesting questuion on my forum a couple of days ago titled '; bear in mind the title means the opposite, i.e. Is it illegal not its illegal. These semantics do not alter the question though! The poster wants to host a free unwrapper, its an interesting question that is already answered at one level. Someone else has already done it.There is already a Swiss site that hosts a 10g unwrapper for free -I am myself unsure what the legal position would be in hosting an unwrapper as you would have no control over what people could unwrap. If you unwrap privately for clients as a paid service then as Gary suggests in his reply in the forum you can put in place contracts where the client has to show that he has legal ownership of the code he wants unwrapping but as the poster suggests he wants to host a free service.
A contracted service which is of course more controlled is then a source recovery service and companies do have a genuine need for this where they have lost the original source code. Just because someone else has done it already doesnt make it legal!I was at the UKOUG conference Monday and Tuesday and with clients yesterday and today so had littlke time to blog but one of the things I was going to talk about as it happens was unwrapping as I was cornered twice at the UKOUG conference by people asking me about unwrapping and the paper I wrote a few years ago for the that i presented at Black Hat in Las Vegas.
![]() Pl Sql Substr Instr
Of course more recently Anton made available some details on on his blog. David also talked about unwrapping in his Oracle Hackers Handbook - book, interestingly he had a view on the legality in that he refrained from publishing the lookup table used in the wrap process but this was actually about trade secrets and reverse engineering and not about using an unwrapper. I published a simple demo unwrapper that used the DIANA and PIDL packages to show how Oracle unwraps as part of the pstub code used for remote PL/SQL calls. This needs to work with wrapped and unwrapped code hence the need for it to work with DIANA.
This is how 9i wrap works, 10g is different but both still use DIANA under the hood of course. The code is called but it wont unwrap anything real as its simply demonstrating the use of DIANA and PIDL and those mechanisms only expose the signatures of packages and nothing else.I also have unwrappers for 10g and 9i and lower completely written in PL/SQL of course.
Here is a little demo of it running on some 9i PL/SQL code. First create a simple procedure to use for this test case.
HACKVent 2014 - Day 12 writeup 12 Dec 2014I’ve sign up for the made by the guys from, which is a advent-like hacking competition. Every day there is a new challenge posted at midnight which has a to solved at best in the same day, the challenge becoming increasingly more difficult every week completed. The aim in every puzzle is to find either a qr-encoded x-mas ball with lead to the validation code, or a secret human-readable string which gives you the former ball when feeding into a validator (the “Ball-O-Matic”).Here’s the write-up for the mid-point challenge at day 12, concerning reverse engineering SQL scripts.
Investigation Part:For the Day 12 Hackvent challenge, we were given the following instructions:There are some “clues”/red herrings in this page:. The “oracle” word in the title can mean either the Oracle company (Java, SQL and so on) or an oracle attack, the latter being highly unlikely to be a good lead. “Wrap it up”: it didn’t mean anything specific, but it looks suspiscious. The ciphertext “617B7E0A0870637F710.” is not a base32-64 string. It has 64 characters and is hex-encoding compliant, but the ascii equivalent representation isn’t readable. the ciphertext counts 64 characters, possibly indicating a sha-256 hash, but then I would be out of luck since it’s not known to be easily breakable. In ascii representation, the ciphertext counts 32 characters, possibly indicating a md5 hash, but again the representation includes non-printable chars.Now let’s take a look at the attached file: AwesomeCryptTools.pls.
![]()
Changing the line to: outputstring:= UTLI18N.RAWTOCHAR (decryptedraw);Result on sqlplus empty screen.With sqlclient:coranew:/home/oracle cat dec.sql sql / as sysdbaSQLcl: Release 12.2.0.1.0 RC on Mon May 27 11:Copyright (c) 1982, 2019, Oracle. All rights reserved.Connected to:Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 – 64bit ProductionProcedure DBLINKPASSWORDDECRYPT compiledPL/SQL procedure successfully completed.129Disconnected from Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 – 64bit Productioncoranew:/home/oracle The initial problem comes from UTLRAW I guess. I think you have to cast it.
Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |