Obfuscation / Stored Procedure wrapping

  • Hi All,

    We often need to send scripts and stored procedures to our clients (both 2000 and 2005) to make changes to their data, fix data issues etc. etc. etc. In this case we need to send a couple of statements that change some fairly critical data that ideally we don't want them viewing. In Oracle you can use a wrapped package to provide this kind of security, and Steve Jones wrote an article about C obfuscation found here:

    http://www.sqlservercentral.com/articles/Editorial/61757/

    Any ideas if this is possible for our T-SQL queries, functions, procedures etc?

    There's one simple delete statement:

    DELETE FROM table

    And one simple insert:

    INSERT INTO table (t_col1, t_col2) VALUES (1234, 12345.765)

    Cheers all!

    Jim.

    SQL SERVER Central Forum Etiquette

  • First there is the ENCRYPTION option for CREATE PROCEDURE.

    Secondly, you can take a page from the Injection hackers,

    try this:

    declare @_ as varbinary(max)

    set @_ =0x0D000A005000520049004E0054002000270054006800690073002000620069006E00610072007900200073007400720069006E0067002000770069006C006C002000650078006500630075007400650020002200530045004C0045004300540020002A002000460052004F004D0020005300590053002E004F0042004A00450043005400530022003A0027000D000A00530045004C0045004300540020002A002000460052004F004D0020005300590053002E004F0042004A0045004300540053000D000A00

    exec (@_)

    -- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
    Proactive Performance Solutions, Inc.
    "Performance is our middle name."

  • Thanks Barry!

    This won't so much apply to the stored procedures, rather to queries we send. So the second part of your answer was exactly what I'm after..

    How did you produce the string? And exactly what does it do before I run it?

    Jim.


  • It's safe, it just does a PRINT and Selects from SYS.OBJECTS.

    I'll post how to make in a minute...

    -- RBarryYoung

  • Here's an example of how to generate the hex string:

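    Declare @cmds Nvarchar(MAX)
    Declare @obfoo varbinary(MAX)

    -- The SQL text to hide; doubled single quotes are escapes inside the string literal
    Set @cmds = '
    PRINT ''This binary string will execute "SELECT * FROM SYS.OBJECTS":''
    SELECT * FROM SYS.OBJECTS
    '

    -- Casting Nvarchar to varbinary exposes the raw UTF-16LE bytes of the text
    Set @obfoo = CAST(@cmds as varbinary(MAX))

    Select @obfoo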

    Make sure your output is in grid mode, replace the text above with your own SQL commands. Execute it, then copy the binary hex string from the output grid cell and paste into the EXEC command in my previous post.

    -- RBarryYoung

    That works a treat! I just had all the guys in the office standing around watching how awesome that is! Until we cast the string back to an Nvarchar! haha.

    In any case that's solved my problem. Thank you very much, you're a gent and a scholar!!!

    Jim.


  • Jim (8/27/2008)


    That works a treat! I just had all the guys in the office standing around watching how awesome that is! Until we cast the string back to an Nvarchar! haha.

    That's great Jim. Anytime I can cause a commotion is a good day for me. 😛

    Thank you very much, you're a gent and a scholar!!!

    Well, you're probably half right, but you're certainly welcome anyway! 😀

    -- RBarryYoung
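
The encoding used in this thread is a plain cast, not encryption, so it reverses as easily as it is produced. As an added example (not code from any poster in the thread), this Python sketch scans a script for hex literals, decodes them as nvarchar (UTF-16LE) or varchar text, and reports the SQL they hide so a script can be reviewed before it is run; the function names, keyword list and sample script are assumptions constructed for illustration.

```python
import re

# Hex literal of at least 8 bytes, as written in a T-SQL script or a logged query.
HEX_LITERAL = re.compile(r"0x((?:[0-9A-Fa-f]{2}){8,})")
# EXEC / EXECUTE applied to a variable, i.e. dynamic SQL.
EXEC_VAR = re.compile(r"\bexec(?:ute)?\s*\(\s*@", re.IGNORECASE)
# Illustrative keyword list (an assumption, not exhaustive).
KEYWORDS = re.compile(r"\b(select|insert|update|delete|drop|exec|declare|print)\b", re.I)

def decode_literal(hex_digits):
    """Return (sql_type, text) if the bytes read as text, else None."""
    raw = bytes.fromhex(hex_digits)
    # An nvarchar cast yields UTF-16LE: for ASCII-range SQL every second byte is 0x00.
    if len(raw) % 2 == 0 and raw[1::2].count(0) * 10 >= (len(raw) // 2) * 9:
        label, codec = "nvarchar", "utf-16-le"
    else:
        label, codec = "varchar", "latin-1"
    try:
        text = raw.decode(codec)
    except UnicodeDecodeError:
        return None
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return (label, text) if printable * 100 >= 95 * len(text) else None

def find_hidden_sql(script):
    """List every hex literal in `script` that decodes to readable text."""
    dynamic_exec = bool(EXEC_VAR.search(script))
    findings = []
    for match in HEX_LITERAL.finditer(script):
        decoded = decode_literal(match.group(1))
        if decoded is None:
            continue  # binary data such as a hash or GUID, not hidden text
        label, text = decoded
        findings.append({
            "offset": match.start(),
            "encoding": label,
            "keywords": sorted({k.lower() for k in KEYWORDS.findall(text)}),
            "dynamic_exec": dynamic_exec,
            "sql": text.strip(),
        })
    return findings

# Constructed sample following the thread's pattern; the payload is encoded here.
PAYLOAD = "\r\nSELECT * FROM SYS.OBJECTS\r\n"
SAMPLE_SCRIPT = ("declare @_ as varbinary(max)\n"
                 "set @_ = 0x" + PAYLOAD.encode("utf-16-le").hex().upper() + "\n"
                 "exec (@_)\n")

if __name__ == "__main__":
    for finding in find_hidden_sql(SAMPLE_SCRIPT):
        print(finding)
```
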
