SideBar    A Brief Background on Encoding and Encryption
DOWNLOAD THE CODE:
Download the Code 95728.zip

Action 1. Get the encoded text and object code length. In SQL Server 2000, execute the code that you see in Listing 1. For SQL Server 2005 (in DAC mode), you can run the code in Web Listing 1 (http:// www.sqlmag.com, InstantDoc ID 95728).

Action 2. Build a CREATE statement for a fake object with the same owner/ schema and name as the original item. The actual code of the fake object must have the WITH ENCRYPTION clause, and it must be at least as long as the original encrypted stored procedure, as the code in Listing 2 shows. You can meet this requirement by filling the text body with dashes (or any other valid T-SQL syntax). In addition, we keep the CREATE statement in a variable for later use.

Action 3. Prepare an ALTER statement with the same fake content as in the last action, as the code in Listing 3 shows. Then, execute this statement to obtain the encrypted hex value for the fake item. When the ALTER statement is run, the original object will be overwritten. To ensure that the database isn't changed, the ALTER PROC operation is run within a transaction and is quickly rolled back after the needed information is retrieved.

Action 4. Decode the desired text by applying an XOR operator on the encrypted version of the original object, the CREATE statement of the fake object, and the hex stream of the encrypted fake item, as the code in Listing 4 shows. And that's it. The variable @ContentOfDecryptedObject now holds the decrypted content of dbo.uspMyEncProc.

Encrypted Isn't Always Inaccessible
In the SQL Server 2000's Help files associated with the CREATE PROC statement, the documentation says, "ENCRYPTION indicates that SQL Server encrypts the syscomments table entry containing the text of the CREATE PROCEDURE statement." This description, which is somewhat misleading, has been updated and corrected in SQL Server 2005 Books Online (BOL) and on the MSDN forums to say, "[ENCRYPTION] indicates that SQL Server will convert the original text of the CREATE PROCEDURE statement to an obfuscated format… However, the text will be available to privileged users." As I've shown, this is indeed the case in practice. For those who really want to protect their code, I offer words of wisdom from long-time SQL Server MVP BP Margolin, who once said, "Your intellectual property is better protected with legal agreements."

End of Article

Prev. page     1 2 [3]     next page -->



You must log on before posting a comment.

If you don't have a username & password, please register now.

Reader Comments

The code does not work. It only returns Null when using the 2000 code on a 2000 machine.

pjcwik- July 25, 2007

Article Rating 1 out of 5

Disregard the above, I fat fingered.

pjcwik- July 25, 2007

Article Rating 5 out of 5

I found a bug in the 2005 version: The line that reads

PRINT(SUBSTRING(@ContentOfDecryptedObject, 1 + 2000*@i, 2000*(@i + 1)))

should read

PRINT(SUBSTRING(@ContentOfDecryptedObject, 1 + 2000*@i, 2000))

because the third parameter to the subsctring is length not position

mevenson- August 13, 2007

Article Rating 5 out of 5

The procedure works for procedure but with my instance (SQL2005 SP2) doesn't with views. Everytime i receive the error Syntax not correct near 'AS'

infante@gigasrl.it- August 11, 2008

Article Rating 5 out of 5