Tuesday, March 25, 2008

Decrypt the stored procedure, and etc

When you try to hide something from someone, people always find their own way to dig it out. You might think 128-bit encryption is undecryptable, especially symmetric encryption, but people can still learn your initialization vector (IV) by decompiling your code with Reflector if you did not obfuscate it (oops, or is even obfuscation not safe either?). Then all your effort on encryption and information hiding is wasted. The same goes for the MSSQL 2000 built-in encryption for stored procedures (SPs/sprocs), etc.

The syntax for MSSQL 2000 built-in encryption on CREATE PROCEDURE is:

CREATE PROC [ EDURE ] procedure_name [ ; number ]
    [ { @parameter data_type }
        [ VARYING ] [ = default ] [ OUTPUT ]
    ] [ ,...n ]
[ WITH
    { RECOMPILE | ENCRYPTION | RECOMPILE , ENCRYPTION } ]
[ FOR REPLICATION ]
AS sql_statement [ ...n ]

To decrypt it, a novice user can download the freeware (unless you want to pay for this software?) called "dSQLSRVD": just log in, find those SPs with checkboxes checked, highlight one and click "Save", and you get the content of the stored procedure you want. Easy, huh?



An average developer can go to this site (please note that this method seems to be limited by the size of nvarchar(4000), so you might need to roll back if your encrypted SP is long), or this site, and try to come up with your own version of the freeware, though a thorough search will also turn up a ready-made, working SQL script.

Final piece: Windows applications are so common that cracking them has become popular among developers. You had better depend on yourself.

p/s: In MSSQL 2005, a few new features were added:
1) EncryptByAsymKey
2) EncryptByCert
3) EncryptByKey
Maybe they are worth a try.
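
How EncryptByKey from the list above is used in SQL Server 2005, as an added example that is not part of the original post. It protects column data (not the source text of a procedure) with a symmetric key that is itself protected by a certificate; every object name, the password placeholder and the sample card value are constructed for illustration.

```sql
-- Added example: column-level encryption with the SQL Server 2005 key hierarchy.
-- All names (DemoCert, DemoKey, dbo.DemoCard) and values are constructed.

-- 1) Database master key: protects the private key of the certificate below.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<replace-with-strong-password>';

-- 2) Certificate that protects the symmetric key.
CREATE CERTIFICATE DemoCert WITH SUBJECT = 'Demo column encryption';

-- 3) Symmetric key that encrypts the data itself.
CREATE SYMMETRIC KEY DemoKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE DemoCert;

-- 4) Ciphertext is stored as varbinary.
CREATE TABLE dbo.DemoCard (
    CardId        int            NOT NULL PRIMARY KEY,
    CardNumberEnc varbinary(256) NULL
);

-- 5) The key must be open in the session before EncryptByKey or DecryptByKey.
OPEN SYMMETRIC KEY DemoKey DECRYPTION BY CERTIFICATE DemoCert;

-- The authenticator (a hash of the row's id) binds the ciphertext to its row,
-- so a value copied into another row no longer decrypts.
INSERT INTO dbo.DemoCard (CardId, CardNumberEnc)
VALUES (1, EncryptByKey(Key_GUID('DemoKey'),
                        N'0000-0000-0000-0000',   -- constructed sample value
                        1,
                        HashBytes('SHA1', CONVERT(varbinary, 1))));

-- 6) Decrypt with the same authenticator. DecryptByKey returns NULL when the
--    key is not open or the authenticator does not match.
SELECT CardId,
       CONVERT(nvarchar(25),
               DecryptByKey(CardNumberEnc, 1,
                            HashBytes('SHA1', CONVERT(varbinary, CardId)))) AS CardNumber
FROM dbo.DemoCard;

-- 7) Close the key as soon as the work is done.
CLOSE SYMMETRIC KEY DemoKey;
```

Who can read the plaintext is decided by permissions on the key and the certificate, so those grants are what to review, not only the table permissions.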

2 comments:

david santos said...

To prevent the same tragedy from happening again, and for the safety of our children, we are organizing a worldwide campaign to display the picture of NURIN JAZLIN JAZIMIN on blogs around the world on 25 April 2008. Let us not forget NURIN JAZLIN.

Optillect™ Team said...

As an alternative, we strongly recommend using our modern freeware named SQL Decryptor.