Thanks for your answer.
Francisco Mtz., June 08, 2006 - 4:15 pm UTC
Thanks a lot Tom for your quick answer.
So, it would be practically impossible to take a look at this code.
Kind regards,
Francisco Mtz.
June 08, 2006 - 7:57 pm UTC
correct.
A reader, June 18, 2008 - 8:22 pm UTC
There are utilities that can unwrap code. Use Google to find REWRAP.EXE or unwrap10.exe.
A reader, February 07, 2009 - 1:32 pm UTC
You can find it here
A reader, February 26, 2009 - 5:09 pm UTC
Is it really possible?
Mukesh Agrawal, March 30, 2010 - 4:11 am UTC
Dear Tom,
Though you have clearly stated that it's not possible to un-wrap, I just want to be doubly sure about it.
I've heard a lot about un-wrapping PL/SQL code, and in particular this article,
http://technology.amis.nl/blog/4753/unwrapping-10g-wrapped-plsql , is the most talked about in this regard. However, I wanted to test this, but unfortunately I have no familiarity with the Java language.
I have a few questions; I'd be glad if you could answer them:
1. Can wrapped PL/SQL code be un-wrapped? Has anyone actually done that? (Please take some time to browse the link above.)
The next question is valid only if it is remotely possible to un-wrap.
2. I agree with your comment:
"You cannot unwrap wrapped code, it would entirely defeat the purpose of wrapping!"
...will Oracle Corp be improving its wrap utility so that purpose is not defeated?
Another link on un-wrapping
http://www.petefinnigan.com/weblog/archives/00001298.htm
April 05, 2010 - 10:39 am UTC
Is there a documented format, is there a supported way to do this?
No, there is not.
Have others done it in various specific dot releases of the database? Yes, they have. Can you rely on this to work in order to recover your code? Absolutely not - since the format can and will (and has) change over time.
Is it a good Idea to Wrap?
Mukesh Agrawal, March 30, 2010 - 4:35 am UTC
From the question of original poster...
If I deliver code today and the client has a different vendor for DBA: the application is running dead slow, but it's not possible to investigate on the DB side properly because everything (code) is wrapped...
or take another scenario...
If I deliver wrapped code today to a client, and years later the client changes vendor (very possible)... the new vendor is asked for an enhancement and boom!!... he gets no clue what's going on in the grave...
So, is it really a good idea to wrap the code?
If yes, how do we overcome the above limitations (or similar ones)?
Or when should we actually wrap code?
If no, why does a wrap utility exist?
Thanks for your time, Tom.
--Mukesh
April 05, 2010 - 10:41 am UTC
I've never seen the point in wrapping code myself. That is my personal opinion.
People will claim "it makes my code more secure", but that is totally 'security by obscurity'. If knowing your algorithm would allow me to subvert your code - guess what, that means your code is subvertible in the first place.
Finally you can Un Wrap
Mukesh Agrawal, March 30, 2010 - 5:10 am UTC
...maybe I posted my questions a bit earlier (I would still appreciate if you answer those).
Just found a page where you can unwrap code...
http://hz.codecheck.ch/UnwrapIt/Unwrap.jsp
I successfully unwrapped the code from 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production.
create procedure my_proc wrapped
a000000
369
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
7
55 96
31bDYS7LBvfWrPYNgPeyVG+5c1Uwg5nnm7+fMr2ywFyFO1+WFpeuK6V0K7jAMv7SXrhSm7JK
/iiyveeysx0GMCyuJOqyMnLTAl3begIawwIlNJtR26ysd45E1bJE6enpMi726iQf9i72OabD
0gT0
So it's easy to unwrap.
My question is: why doesn't Oracle Corp improve its wrap utility then? Thanks.
Oracle Wrap with Key
sherif, October 18, 2010 - 10:11 am UTC
Dear All ,
Did anyone find a solution for wrapping with a key,
so it cannot be hacked?
Regards
sherif
October 25, 2010 - 9:03 am UTC
Then you have key management - how does PL/SQL itself unwrap the data, unless the key is stored somewhere? And if the key is stored - who has the key to the key?
Using the latest wrap would provide the highest degree of "protection". That is all.
I put "protection" in quotes because I've always been amused by 'wrapping' code.
Security Basics
APH, October 25, 2010 - 10:19 am UTC
I get the feeling that people who ask about unwrapping wrapped code or having public key encryption applied to code don't fully grasp the security concepts involved.
When you wrap a package, what is really happening? It is encryption of plain-text using some algorithm. It is NOT a one-way hash, as you expect that the user who receives the wrapped package will be able to execute the package as originally written. You are encrypting a message with the intent of having it decrypted.
In traditional encryption, you have Alice wanting to send a message (an email for example) to Bob without Carol being able to see the message. Strong encryptions with public/private keys work well here. Alice has Bob's public key, Bob keeps his private key, and Carol can't figure out what the message is without the private key (even with Bob's public key). Perfect.
This won't work for encrypting code that you want a user to be able to execute. In this case, Alice wrote the code, and Bob wants to run that code. Where is Carol? You are essentially making Bob and Carol the same person! You WANT Bob to be able to decrypt Alice's message (which is necessary to execute the code), but you do NOT WANT him to be able to decrypt the message (as there are trade secrets or whatever). These are mutually exclusive, and yet you expect both. Just like most DRM schemes, the attacker possesses, in some form, the key and/or algorithm to decrypt the message. They have to, and so they fail to provide ironclad protection.
The WRAP utility keeps the less motivated attackers at bay, but it isn't unbreakable (and I don't believe anyone ever said it was). It keeps the honest people honest as it provides a thin veil of protection from "curious" eyes.
Then they have defeated our purpose
Mike, October 23, 2011 - 6:51 pm UTC
http://www.codecrete.net/UnwrapIt You can enter a block of wrapped PL/SQL code at the site above (copy/paste), and it instantly spits back the unwrapped resulting content. Very decisive, very accessible, and very disconcerting to anyone who thinks that wrapping their code will prevent misuse.
Different Way to Wrapping
Mohan Raj Kumar, September 18, 2015 - 5:39 am UTC
Hi,
Please let us know if there is a special way to wrap the code. When we copy and paste the code into
http://www.codecrete.net/UnwrapIt/ it gives me the unwrapped code directly.
Is there any other way to encrypt the code?
September 18, 2015 - 9:33 am UTC
Are you wrapping standalone procedures and functions, or wrapping packages?
All of your wrapped code should *always* be in packages - which in general, makes them harder to unwrap.
Each version of Oracle makes the wrapping process "tighter" but it's never been claimed that we are wrapping as a means of locking down your code. From the docs:
"You can wrap the PL/SQL source text for any of these stored PL/SQL units, thereby preventing anyone from displaying that text with the static data dictionary views *_SOURCE:"
"Wrapping PL/SQL source text is not a secure way to hide passwords or table names."
using codecrete unwrapping site
bill, June 03, 2016 - 1:10 pm UTC
JServer or any other idea
Joe, April 28, 2019 - 1:58 am UTC
We're looking for an encryption to prevent the body text of one of our procedures from being cracked. Wrap came to mind; however, even in 12c it could be unwrapped by
http://www.codecrete.net/UnwrapIt . Maybe wrap is good, but not good enough for us.
Last week we turned to Oracle JServer, which allows Java to be stored and executed from within the database. Our Java coder translates the Oracle procedure to encrypted Java code and packs the code into a jar; then we load the jar into Oracle and execute the jar via the Oracle JVM.
Still looking for other ideas. It would be great if any other easy way could prevent our encryption procedure text from being stolen.
Looking forward to your reply!
this aged poorly
Elie, April 21, 2020 - 7:06 pm UTC
See codecrete.net/UnwrapIt - it is entirely unwrappable.
April 22, 2020 - 4:03 am UTC
Agreed. We've updated the question
The Salvis Unwrap add-in is a life saver
Jeff M, April 20, 2021 - 5:15 pm UTC
I can confirm that
https://www.salvis.com as an add-in for SQL Developer still works. What a life-saver too! We were struggling with a problem in Oracle's ASP.NET membership provider where the ASP Personalization details (stored in a blob field) were not being copied between users as they should (the SQL Server version worked, Oracle's didn't). After installing Salvis' add-in the wrapped proc became visible and we located and fixed a bug that we were unable to see while wrapped.
Unwrapping pre 10g
rste, November 11, 2021 - 1:03 pm UTC
I know I'm late to the unwrapping party.
Unwrapping 10g and later is well known.
Unwrapping 9i is known to be possible, but not publicly available. There is some info out there, even a shareware program, which you can no longer license.
So here is my 9i unwrapper:
https://github.com/rstenet/9i-unwrapper/tree/main/v1
It is far from perfect and complete, but with it I was able to recover a couple of thousand lines of code - functions and procedures.
November 12, 2021 - 4:52 am UTC
9i ... man... you got bigger issues than unwrapping if you're on 9i :-)
9i in 2021
rste, November 12, 2021 - 12:01 pm UTC
Since unwrapping of 10g is possible, a lot of people are trying to hide code with the 9i format.
The parameter permit_92_wrap_format first defaults to false in 21c. This will make further deployments harder. In future releases 9i format support could be removed, but right now a lot of such code is around.
Actually, the biggest issue was to find 9i to play with.
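For the defender's side of two points raised in this thread (the docs quote about the *_SOURCE views and the permit_92_wrap_format parameter), the queries below list which stored units are wrapped and show how the parameter is set. This is an added example, not code from the thread or from Oracle; it assumes DBA-level read access and that wrapped source appears in DBA_SOURCE as described in the comments.

```sql
-- Added example, not from the thread. Run as a user who can read
-- DBA_SOURCE, DBA_USERS and V$PARAMETER.

-- 1. Inventory stored units whose source is wrapped.
--    Assumption: for a wrapped unit, the LINE = 1 row of DBA_SOURCE holds
--    the header ("<type> <name> wrapped", then the version line), as in
--    the my_proc sample posted earlier in this thread.
SELECT s.owner,
       s.type,
       s.name,
       CASE
         WHEN REGEXP_LIKE(s.text, 'wrapped\s+a000000')
           THEN 'a000000 header (as in the my_proc sample)'
         ELSE 'different header, check for an older wrap format'
       END AS header_kind
FROM   dba_source s
WHERE  s.line = 1
       -- 'm' lets $ match at the end of the first text line inside TEXT
AND    REGEXP_LIKE(s.text, '\swrapped\s*$', 'm')
       -- skip Oracle-supplied schemas (ORACLE_MAINTAINED exists in 12c and later)
AND    s.owner NOT IN (SELECT u.username
                       FROM   dba_users u
                       WHERE  u.oracle_maintained = 'Y')
ORDER  BY s.owner, s.type, s.name;

-- 2. Check whether the instance still accepts the old wrap format
--    (the parameter named in the comment above).
SELECT name, value, isdefault
FROM   v$parameter
WHERE  name = 'permit_92_wrap_format';
```

Units returned by the first query cannot be read through the *_SOURCE views, so their clear-text source has to be kept somewhere else for review and for the vendor-change scenario raised earlier in the thread.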
hi tom
A reader, December 11, 2021 - 6:07 pm UTC
Thank you for your 9i unwrap code, but can you complete it?
Because the nodes for update, insert and delete are not implemented.