Question and Answer

Connor McDonald

Thanks for the question, Francisco.

Asked: June 08, 2006 - 1:47 pm UTC

Last updated: November 12, 2021 - 4:52 am UTC

Version: 10.1.0.4


You Asked

Hi Tom,

I am analyzing a database using OEM (Database Control) console with ADDM.

Some huge SQL statements are procedures used by the application running on this database.

Unfortunately some packages and procedures are encrypted (wrapped).

So I would like to know if it is possible to look at this code (unwrapping it) obviously?

Any information about that will be really appreciated.

And just one more question, is it possible to monitor 9i databases using 10g Grid Control?

I would like to take advantage of ADDM to monitor 9i databases.

Thanks in advance.

Kind regards,

Francisco Mtz.

and Tom said...

We don't provide a native mechanism for unwrapping PL/SQL, but there are tools on the internet. We don't support or guarantee the correctness or validity of such tools.

So there is no way to see the code out of the box, just the SQL.

You cannot use ADDM on 9i since most of ADDM is actually "in the database". So, while you can use 10g Grid control on 9i, you would still be using the 9i tuning pack against 9i for tuning.

Most all of the functionality (true functionality - not the GUI stuff you see, but the real work) is in the database.


Comments

Thanks for your answer.

Francisco Mtz., June 08, 2006 - 4:15 pm UTC

Thanks a lot Tom for your quick answer.

So, it would be practically impossible to take a look at this code.

Kind regards,

Francisco Mtz.

Tom Kyte
June 08, 2006 - 7:57 pm UTC

correct.

A reader, June 18, 2008 - 8:22 pm UTC

There are utilities that can unwrap code. Use google to find REWRAP.EXE or unwrap10.exe

A reader, February 07, 2009 - 1:32 pm UTC

The purpose of wrapping has now really been defeated...

http://technology.amis.nl/blog/4753/unwrapping-10g-wrapped-plsql

What is Oracle's opinion on this?

(one unhappy vendor selling wrapped code).

You can find it here

A reader, February 26, 2009 - 5:09 pm UTC

http://oracle-rewrap.narod.ru/

Tutorial:
set echo off heading off headsep off linesize 1000 feedback off pagesize 0 trimspool on
spool o1
select text from dba_source
where owner = 'SYS'
and name = 'DBMS_MONITOR'
and type = 'PACKAGE BODY'
order by line;
spool off;
host unwrap10.exe o1.lst o2.lst
host type o2.lst

At the end of this link (although it's in Russian) you can find an example:

http://www.sql.ru/forum/actualthread.aspx?bid=3&tid=107197&pg=7

Cheers

Is it really possible?

Mukesh Agrawal, March 30, 2010 - 4:11 am UTC

Dear Tom,

Though you have clearly stated that it's not possible to un-wrap, I just want to be doubly sure about it.

I've heard a lot about un-wrapping the pl/sql code. And, in particular this article http://technology.amis.nl/blog/4753/unwrapping-10g-wrapped-plsql is most talked about in this regard. However, I wanted to test this but unfortunately have no familiarity with Java language.

I've few questions, I'd be glad if you can answer-
1. Can wrapped pl/sql code be un-wrapped? Has anyone, actually, done that? (Please take out some time to browse the link above)

Next question is valid only if it is remotely possible to un-wrap.
2. I agree with your comment-
You cannot unwrap wrapped code, it would entirely defeat the purpose of wrapping!

..will Oracle Corp be improving its wrap utility so that purpose is not defeated?
Another link on un-wrapping
http://www.petefinnigan.com/weblog/archives/00001298.htm


Tom Kyte
April 05, 2010 - 10:39 am UTC

Is there a documented format, is there a supported way to do this?

no, there is not

have others done it in various specific dot releases of the database? Yes, they have. Can you rely on this to work in order to recover your code? Absolutely not - since the format can and will (and has) change over time.



Is it a good Idea to Wrap?

Mukesh Agrawal, March 30, 2010 - 4:35 am UTC

From the question of original poster...

If I deliver code today and client has a different vendor for DBA. Application is running dead slow but it's not possible to investigate on DB side properly because everything (code) is wrapped..

or take another scenario...

If I deliver wrapped code today to client, years later, client changes vendor (very possible)...new vendor is requested an enhancement and boom!!...he gets no clue what's going on in the grave...

So, is it really a good idea of wrapping the code?

If Yes, how to overcome above limitations (or similar ones)?
or When to actually wrap code?

If No, why does a wrap utility exist?

Thanks for your time, Tom.

--Mukesh
Tom Kyte
April 05, 2010 - 10:41 am UTC

I've never seen the point in wrapping code myself. That is my personal opinion.

People will claim "it makes my code more secure", but that is totally 'security by obscurity'. If knowing your algorithm would allow me to subvert your code - guess what, that means your code is subvertable in the first place.

Finally you can Un Wrap

Mukesh Agrawal, March 30, 2010 - 5:10 am UTC

...maybe I posted my questions a bit earlier (I would still appreciate if you answer those).

Just found a page where you can unwrap code...
http://hz.codecheck.ch/UnwrapIt/Unwrap.jsp

I successfully unwrapped the code from 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production.

create procedure my_proc wrapped                                         
a000000                                                                  
369                                                                      
abcd                                                                     
abcd                                                                     
abcd                                                                     
abcd                                                                     
abcd                                                                     
abcd                                                                     
abcd                                                                     
abcd                                                                     
abcd                                                                     
abcd                                                                     
abcd                                                                     
abcd                                                                     
abcd                                                                     
abcd                                                                     
abcd                                                                     
7                                                                        
55 96                                                                    
31bDYS7LBvfWrPYNgPeyVG+5c1Uwg5nnm7+fMr2ywFyFO1+WFpeuK6V0K7jAMv7SXrhSm7JK 
/iiyveeysx0GMCyuJOqyMnLTAl3begIawwIlNJtR26ysd45E1bJE6enpMi726iQf9i72OabD 
0gT0



So it's easy to unwrap. My question is: why doesn't Oracle Corp improve its wrap utility then?

Thanks.

Oracle Wrap with Key

sherif, October 18, 2010 - 10:11 am UTC

Dear All,

Did anyone find a solution for wrapping with a key?

So it cannot be hacked.

Regards
sherif
Tom Kyte
October 25, 2010 - 9:03 am UTC

then you have key management - how does plsql itself unwrap the data - unless the key is stored somewhere. And if the key is stored - who has the key to the key.

Using the latest wrap would provide the highest degree of "protection". That is all.

I put "protection" in quotes because I've always been amused by 'wrapping' code.

Security Basics

APH, October 25, 2010 - 10:19 am UTC

I get the feeling that people who ask about unwrapping wrapped code or having public key encryption applied to code don't fully grasp the security concepts involved.

When you wrap a package, what is really happening? It is encryption of plain-text using some algorithm. It is NOT a one-way hash, as you expect that the user who receives the wrapped package will be able to execute the package as originally written. You are encrypting a message with the intent of having it decrypted.

In traditional encryption, you have Alice wanting to send a message (an email for example) to Bob without Carol being able to see the message. Strong encryptions with public/private keys work well here. Alice has Bob's public key, Bob keeps his private key, and Carol can't figure out what the message is without the private key (even with Bob's public key). Perfect.

This won't work for encrypting code that you want a user to be able to execute. In this case, Alice wrote the code, and Bob wants to run that code. Where is Carol? You are essentially making Bob and Carol the same person! You WANT Bob to be able to decrypt Alice's message (which is necessary to execute the code), but you do NOT WANT him to be able to decrypt the message (as there are trade secrets or whatever). These are mutually exclusive, and yet you expect both. Just like most DRM schemes, the attacker possesses, in some form, the key and/or algorithm to decrypt the message. They have to, and so they fail to provide ironclad protection.

The WRAP utility keeps the less motivated attackers at bay, but it isn't unbreakable (and I don't believe anyone ever said it was). It keeps the honest people honest as it provides a thin veil of protection from "curious" eyes.

Then they have defeated our purpose

Mike, October 23, 2011 - 6:51 pm UTC

http://www.codecrete.net/UnwrapIt
You can enter a block of wrapped PL/SQL code at the site above (copy/paste), and it instantly spits back the unwrapped resulting content. Very decisive, very accessible, and very disconcerting to anyone who thinks that wrapping their code will prevent misuse.

Different Way to Wrapping

Mohan Raj Kumar, September 18, 2015 - 5:39 am UTC

Hi,


Please let us know if there is a special way to wrap the code. When we copy+paste the code in http://www.codecrete.net/UnwrapIt/ it is giving me the unwrapped code directly.

Is there any other way to encrypt the code?
Connor McDonald
September 18, 2015 - 9:33 am UTC

Are you wrapping standalone procedures and functions, or wrapping packages?

All of your wrapped code should *always* be in packages - which in general, makes them harder to unwrap.

Each version of Oracle makes the wrapping process "tighter" but it's never been claimed that we are wrapping as a means of locking down your code. From the docs:

"You can wrap the PL/SQL source text for any of these stored PL/SQL units, thereby preventing anyone from displaying that text with the static data dictionary views *_SOURCE:"

"Wrapping PL/SQL source text is not a secure way to hide passwords or table names."


using codecrete unwrapping site

bill, June 03, 2016 - 1:10 pm UTC

When you are using http://www.codecrete.net/UnwrapIt/
I would suggest that you store the wrapped object into a file on your workstation and then use the load file option on the site. When you copy and paste you are not assured of the integrity of what you paste. That being said, the easiest thing to do is to load the add-on

https://www.salvis.com/blog/2015/05/17/introducing-plsql-unwrapper-for-sql-developer/

into SQL Developer. It is a simple right-click option to unwrap the code.
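
An added example (not part of the thread and not code from any tool mentioned in it) for the paste-integrity point in the comment above: it checks that a wrapped unit survived copy and paste before anything else is done with it. It assumes the header layout seen in the sample posted earlier in this thread, where the second hex number on the line after the `abcd` block equals the length of the base64 body including the line breaks between its lines; `check_wrapped_text` is a hypothetical name.

```python
import base64
import re

# Constructed input: the wrapped unit posted earlier in this thread
# (trailing spaces removed).
SAMPLE = (
    "create procedure my_proc wrapped\na000000\n369\n" + "abcd\n" * 15 + "7\n55 96\n"
    "31bDYS7LBvfWrPYNgPeyVG+5c1Uwg5nnm7+fMr2ywFyFO1+WFpeuK6V0K7jAMv7SXrhSm7JK\n"
    "/iiyveeysx0GMCyuJOqyMnLTAl3begIawwIlNJtR26ysd45E1bJE6enpMi726iQf9i72OabD\n"
    "0gT0\n"
)


def check_wrapped_text(text):
    """Return (ok, reason) for wrapped text that was pasted or loaded from a file."""
    lines = [ln.strip() for ln in text.splitlines()]
    while lines and not lines[-1]:
        lines.pop()                      # ignore trailing blank lines
    if not lines or not re.search(r"\bwrapped$", lines[0], re.I):
        return False, "first line does not end in 'wrapped'"
    try:
        i = lines.index("abcd")          # start of the filler block
    except ValueError:
        return False, "no 'abcd' filler block"
    while i < len(lines) and lines[i] == "abcd":
        i += 1                           # i now points at the line after the block
    fields = lines[i + 1].split() if i + 1 < len(lines) else []
    if len(fields) != 2:
        return False, "length line missing"
    try:
        declared = int(fields[1], 16)    # assumption: body length in hex
    except ValueError:
        return False, "length line is not hexadecimal"
    body = lines[i + 2:]
    # Body characters plus one line break between consecutive body lines.
    actual = sum(len(b) for b in body) + max(len(body) - 1, 0)
    if actual != declared:
        return False, f"body is {actual} characters, header declares {declared}"
    try:
        base64.b64decode("".join(body), validate=True)
    except ValueError:                   # binascii.Error is a ValueError
        return False, "body is not valid base64"
    return True, "ok"


if __name__ == "__main__":
    print(check_wrapped_text(SAMPLE))
```

A length mismatch or invalid base64 means the text was altered on the way, so any result produced from it should not be trusted.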

JServer or any other idea

Joe, April 28, 2019 - 1:58 am UTC

We're looking for an encryption to prevent one of our procedure body texts from being cracked. Wrap came to us; however, even in 12c it could be unwrapped by http://www.codecrete.net/UnwrapIt . Maybe wrap is good but not good enough for us.
Last week we turned to Oracle JServer which allows Java to be stored and executed from within the database. Our Java coder translates the Oracle procedure to encrypted Java code, then packs the code into a jar; then we load the jar into Oracle and execute the jar via the Oracle JVM.

Still looking for other ideas. It would be great if any other easy ways could prevent our encryption procedure text from being stolen.
Looking forward to your reply!
Connor McDonald
April 30, 2019 - 3:07 am UTC

Wrapping is all we offer. No matter what tech you do, ultimately it *can* be disassembled (java etc included). It's just a matter of time and effort.

You could look at something like this:

http://www.pfclobfuscate.com/2014/04/pfclobfuscate-protect-your-plsql/

this aged poorly

Elie, April 21, 2020 - 7:06 pm UTC

See codecrete.net/UnwrapIt; it is entirely unwrappable.
Connor McDonald
April 22, 2020 - 4:03 am UTC

Agreed. We've updated the question

The Salvis Unwrap add-in is a life saver

Jeff M, April 20, 2021 - 5:15 pm UTC

I can confirm that https://www.salvis.com as an add-in for SQL Developer still works. What a life-saver too! We were struggling with a problem in Oracle's ASP.NET membership provider whereas the ASP Personalization details (stored in a blob field) were not being copied between users as they should (the SQL Server version worked, Oracle's didn't). After installing Salvis' add-in the wrapped proc became visible and we located and fixed a bug that we were unable to see while wrapped.

Unwrapping pre 10g

rste, November 11, 2021 - 1:03 pm UTC

I know I'm late to the unwrapping party.

Unwrapping 10g and later is well known.

Unwrapping 9i is known to be possible, but not publicly available. There is some info out there, even a shareware program, which you can no longer license.

So here is my 9i unwrapper: https://github.com/rstenet/9i-unwrapper/tree/main/v1

It is far from perfect and complete, but with it I was able to recover a couple of thousand lines of code - functions and procedures.
Connor McDonald
November 12, 2021 - 4:52 am UTC

9i ... man... you got bigger issues than unwrapping if you're on 9i :-)

9i in 2021

rste, November 12, 2021 - 12:01 pm UTC

Now that unwrapping of 10g is possible, a lot of people are trying to hide code with the 9i format.

The parameter permit_92_wrap_format first defaults to false in 21c. This will make further deployments harder. In the next releases 9i format support could be removed, but right now a lot of such code is around.

Actually, the biggest issue was to find 9i to play with.



hi tom

A reader, December 11, 2021 - 6:07 pm UTC

Thank you for your 9i unwrap code, but can you complete it,
because the nodes for update, insert and delete are not implemented?
