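At this point the whole decryption process is complete. Run it in command-line mode:

EXEC [DECODE_DATABASE]
GO

The text file containing the decrypted stored procedures is then generated in the root directory of drive C. Before running, don't forget to enable xp_cmdshell, the same way DAC was enabled, or type the following commands in command-line mode:

sp_configure 'show advanced options', 1
reconfigure
go
sp_configure 'xp_cmdshell', 1
reconfigure
go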

DECLARE @real_decrypt_01 nvarchar(max)
   ,@real_decrypt_01a nvarchar(max)
   ,@real_decrypt_02 nvarchar(max)
   ,@real_decrypt_02a nvarchar(max)
   ,@real_decrypt_03 nvarchar(max)
   ,@real_decrypt_03a nvarchar(max)
   ,@real_decrypt_04 nvarchar(max)
   ,@real_decrypt_04a nvarchar(max)  
   ,@real_decrypt_05 nvarchar(max)
   ,@real_decrypt_05a nvarchar(max)  

CREATE TABLE [dbo].[SQL_DECODE]
(
    [ID] [int] IDENTITY(1,1) NOT NULL,
    [SQLTEXT] [nvarchar](max) NOT NULL,
    CONSTRAINT [ID] PRIMARY KEY CLUSTERED ( [ID] ASC )
) ON [PRIMARY]
GO

select @real_decrypt_01a = ''
   ,@real_decrypt_02a = ''
   ,@real_decrypt_03a = ''
   ,@real_decrypt_04a = ''
   ,@real_decrypt_05a = ''

Finally, here is the modified stored procedure:

--one byte at a time.
SET @intProcSpace=1

CREATE PROCEDURE [dbo].[DECODE_DATABASE]
AS
SET NOCOUNT ON
BEGIN
    DECLARE @PROC_NAME VARCHAR(256)
    SET @PROC_NAME = ''
    DECLARE @ROWS INT
    DECLARE @TEMP TABLE ( NAME VARCHAR(256) )
    -- Collect every stored procedure except the two decryption helpers
    INSERT INTO @TEMP
        SELECT NAME FROM sysobjects
        WHERE TYPE = 'P' AND NAME NOT IN ( 'DECODE_DATABASE', 'DECODE_PROC' )
    SET @ROWS = @@ROWCOUNT
    WHILE @ROWS > 0
    BEGIN
        SELECT @PROC_NAME = NAME
        FROM ( SELECT ROW_NUMBER() OVER (ORDER by NAME) AS ROW, NAME FROM @TEMP ) T
        WHERE ROW = @ROWS
        EXEC [DECODE_PROC] @PROC_NAME
        PRINT @PROC_NAME
        SET @ROWS = @ROWS - 1
    END
    -- Export the decrypted text to a file with bcp
    EXEC master..xp_cmdshell 'bcp "SELECT [SQLTEXT] FROM TEST.dbo.[SQL_DECODE]" queryout C:\decode.txt -c -T -S PC2011043012JUJ'
END
GO

INSERT INTO #output (real_decrypt)
SELECT @real_decrypt_01
UNION ALL
SELECT @real_decrypt_02
UNION ALL
SELECT @real_decrypt_03
UNION ALL
SELECT @real_decrypt_04
UNION ALL
SELECT @real_decrypt_05
-- select real_decrypt AS '#output chek' from #output -- Testing

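1. It does not drop and recreate the original stored procedure; it only prints the output to the console, which is very inconvenient to copy out.
2. Decryption fails for encrypted data of larger length.

With these problems in mind, let's modify this stored procedure. First some preparation. You need to know about something called DAC, which refers to the database's dedicated administrator connection, a special diagnostic connection provided for administrators. Once you know about it, you first have to enable it. Taking SQL 2006 as an example: right-click in Object Explorer, find Facets and click it, then find Surface Area Configuration, select RemoteDacEnabled and set it to True. Then log in over DAC by typing the following command in CMD mode (those who don't understand how it works can look into it themselves):

sqlcmd -A -S 192.168.1.101 -U sa -P 123456

At the command prompt, open the database to be processed:

USE TEST
GO

With preparation done, copy the stored procedure found by searching and create the decryption stored procedure. Then we prepare seven encrypted stored procedures, two of them quite long. Testing shows that the short stored procedures are decrypted quickly and printed, but the long ones fail to decrypt. Next, let's look at how it decrypts. First look at this statement:

select @maxColID = max(subobjid), @intEncrypted = imageval FROM sys.sysobjvalues
WHERE objid = object_id(@procedure)

It shows that the encrypted data is stored in the sys.sysobjvalues table, with its content in the imageval column. Once we have the encrypted data, it has to be decrypted. The script defines 4 main variables:

DECLARE @real_01 nvarchar(max)
DECLARE @fake_01 nvarchar(max)
DECLARE @fake_encrypt_01 nvarchar(max)
DECLARE @real_decrypt_01 nvarchar(max)

These are, respectively, the original encrypted data, the CREATE statement of the original encrypted stored procedure, the encrypted data of a fake stored procedure we construct ourselves, and the final decrypted stored procedure. The method is to XOR @real_01, @fake_encrypt_01 and @real_decrypt_01 position by position. Why it is handled this way, the principle is unclear!!!

WHILE @intProcSpace<=(datalength(@real_01)/2)
BEGIN
--xor real & fake & fake encrypted
SET @real_decrypt_01 = stuff(@real_decrypt_01, @intProcSpace, 1,
NCHAR(UNICODE(substring(@real_01, @intProcSpace, 1)) ^
(UNICODE(substring(@fake_01, @intProcSpace, 1)) ^
UNICODE(substring(@fake_encrypt_01, @intProcSpace, 1)))))
SET @intProcSpace=@intProcSpace+1
END

In fact, at this point the encrypted stored procedure has already been decrypted. Below it there is a large block of statements that I did not study closely, but it roughly uses sp_helptext to output the content. That method is rather cumbersome and does not achieve what we want, so we will output the result another way. That is basically all there is to it: apart from not understanding the principle, it basically meets the need. Next we solve the two problems raised at the start. First the length problem: why does decryption fail as soon as the length gets large? Look at the definition of @real_decrypt_01 and the statement that initializes it:

DECLARE @real_decrypt_01 nvarchar(max)
SET @real_decrypt_01 = replicate(N'A', (datalength(@real_01) /2 ))

At first glance nothing is wrong, but if we print LEN(@real_decrypt_01), the maximum length output is 4000. Perhaps the problem lies in the NVARCHAR length; in theory NVARCHAR(MAX) supports a size of 2 GB. I have not looked into why this happens, but someone has given a solution, which is an explicit conversion:

SET @real_decrypt_01 = replicate(CONVERT(NVARCHAR(MAX), N'A'), (datalength(@real_01) /2 ))

Several other places have the same cause. After correcting them and running again, the problem is solved, and the long stored procedures are decrypted successfully as well. Problem 2 is solved just like that. Now, how can the output be made convenient? I tried dropping and recreating, but that did not succeed, so let's use the simplest method: use xp_cmdshell to write the content to a text file. First create a physical table to store the decrypted data: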

WHILE @CurrentPos != 0
BEGIN
--Looking for end of line followed by carriage return
SELECT @CurrentPos = CHARINDEX(char(13)+char(10), @SyscomText,
@BasePos)

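Next, build a stored procedure that iterates over all the encrypted stored procedures, calls the decryption stored procedure to decrypt each one, and outputs the result: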

-- Load the variables into #output for handling by sp_helptext logic

CREATE PROCEDURE [dbo].[DECODE_PROC]
(
    @PROC_NAME SYSNAME = NULL
)
AS
SET NOCOUNT ON
DECLARE @PROC_NAME_LEN INT      -- length of the stored procedure name
DECLARE @MAX_COL_ID SMALLINT    -- maximum column ID
SELECT @MAX_COL_ID = MAX(subobjid) FROM sys.sysobjvalues WHERE objid = OBJECT_ID(@PROC_NAME) GROUP BY imageval
SELECT @PROC_NAME_LEN = DATALENGTH(@PROC_NAME) + 29
DECLARE @REAL_01 NVARCHAR(MAX)          -- real encrypted stored procedure data
DECLARE @FACK_01 NVARCHAR(MAX)          -- altered to a fake stored procedure; the length, principle unclear?
DECLARE @FACK_ENCRYPT_01 NVARCHAR(MAX)  -- fake encrypted stored procedure data
DECLARE @REAL_DECRYPT_01 NVARCHAR(MAX)  -- final decrypted data, initialized to A's for half the original encrypted length; principle unclear?
SET @REAL_01 = ( SELECT imageval FROM sys.sysobjvalues WHERE objid = object_id(@PROC_NAME) AND valclass = 1 AND subobjid = 1 )
DECLARE @REAL_DATA_LEN BIGINT
SET @REAL_DATA_LEN = DATALENGTH(@REAL_01)
--PRINT @REAL_DATA_LEN
DECLARE @FACK_LEN BIGINT
SET @FACK_LEN = @REAL_DATA_LEN * 10 -- Modification: the fake length is the real data length multiplied by 10
-- NVARCHAR must be explicitly converted to NVARCHAR(MAX) here, otherwise only 4K of length is produced
SET @FACK_01 = 'ALTER PROCEDURE ' + @PROC_NAME + ' WITH ENCRYPTION AS ' + REPLICATE(CONVERT(NVARCHAR(MAX), '-'), @FACK_LEN - @PROC_NAME_LEN)
--PRINT '@FACK_01 = ' + STR(LEN(@FACK_01))
EXECUTE (@FACK_01)
SET @FACK_ENCRYPT_01 = ( SELECT imageval FROM sys.sysobjvalues WHERE objid = object_id(@PROC_NAME) AND valclass = 1 AND subobjid = 1 )
SET @FACK_01 = 'CREATE PROCEDURE ' + @PROC_NAME + ' WITH ENCRYPTION AS ' + REPLICATE(CONVERT(VARCHAR(MAX), '-'), @FACK_LEN - @PROC_NAME_LEN)
SET @REAL_DECRYPT_01 = REPLICATE(CONVERT(NVARCHAR(MAX), N'A'), (DATALENGTH(@REAL_01) /2))
--PRINT 'LEN(@REAL_DECRYPT_01) = ' + STR(LEN(@REAL_DECRYPT_01))
-- XOR @REAL_01, @FACK_01 and @REAL_DECRYPT_01 position by position.
DECLARE @INT_PROC_SPACE BIGINT
SET @INT_PROC_SPACE = 1
WHILE @INT_PROC_SPACE <= (DATALENGTH(@REAL_01) /2 )
BEGIN
    SET @REAL_DECRYPT_01 = STUFF( @REAL_DECRYPT_01, @INT_PROC_SPACE, 1, NCHAR(UNICODE(SUBSTRING(@REAL_01, @INT_PROC_SPACE, 1)) ^ (UNICODE(SUBSTRING(@FACK_01, @INT_PROC_SPACE, 1)) ^ UNICODE(SUBSTRING(@FACK_ENCRYPT_01, @INT_PROC_SPACE, 1)))) )
    SET @INT_PROC_SPACE = @INT_PROC_SPACE + 1
END
-- Remove WITH ENCRYPTION
SET @REAL_DECRYPT_01 = REPLACE(@REAL_DECRYPT_01, 'WITH ENCRYPTION', '')
INSERT INTO [SQL_DECODE] VALUES (@REAL_DECRYPT_01)
--PRINT '@REAL_DECRYPT_01 = ' + @REAL_DECRYPT_01
--PRINT 'LEN(@REAL_DECRYPT_01) = ' + STR(LEN(@REAL_DECRYPT_01))
-- Drop the original stored procedure
SET @FACK_01 = 'DROP PROCEDURE ' + @PROC_NAME
EXEC(@FACK_01)
GO

--one byte at a time.
SET @intProcSpace=1

-- We'll begin the transaction and roll it back later
BEGIN TRAN
-- alter the original procedure, replacing with dashes
SET @fake_01='ALTER PROCEDURE '+ @procedure +' WITH ENCRYPTION AS '
    +REPLICATE('-', 40003 - @procNameLength)

OPEN ms_crs_syscom

-- Go through each @real_xx variable and decrypt it, as necessary
WHILE @intProcSpace<=(datalength(@real_01)/2)
BEGIN
--xor real & fake & fake encrypted
SET @real_decrypt_01 = stuff(@real_decrypt_01, @intProcSpace, 1,
NCHAR(UNICODE(substring(@real_01, @intProcSpace, 1)) ^
(UNICODE(substring(@fake_01, @intProcSpace, 1)) ^
UNICODE(substring(@fake_encrypt_01, @intProcSpace, 1)))))
SET @intProcSpace=@intProcSpace+1
END
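
Why the XOR loop above recovers the text, as an added Python example that is not part of the original script: if both versions of the procedure are XORed with the same per-object keystream (an assumption the loop relies on), then real_encrypted ^ fake ^ fake_encrypted cancels the keystream and leaves the real text. The `keystream` function, the keys and the sample procedure text are constructed stand-ins, not SQL Server's algorithm or data.

```python
import hashlib

def keystream(object_key: bytes, n: int) -> bytes:
    # Constructed stand-in (assumption), NOT SQL Server's real algorithm: any
    # generator that depends only on the object, not on the text, behaves alike.
    out = bytearray()
    block = 0
    while len(out) < n:
        out += hashlib.sha256(object_key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:n])

def obfuscate(text: str, object_key: bytes) -> bytes:
    data = text.encode("utf-16-le")          # NVARCHAR stores UTF-16LE
    return bytes(a ^ b for a, b in zip(data, keystream(object_key, len(data))))

def make_fake(proc: str, n_chars: int) -> str:
    # Known text of chosen length, like the page's dash-filled ALTER PROCEDURE
    head = f"ALTER PROCEDURE {proc} WITH ENCRYPTION AS "
    return head + "-" * max(0, n_chars - len(head))

def recover(real_enc: bytes, fake: str, fake_enc: bytes) -> str:
    # real_enc ^ fake ^ fake_enc: the keystream cancels, leaving the real text
    known = fake.encode("utf-16-le")
    n = min(len(real_enc), len(known), len(fake_enc))
    plain = bytes(real_enc[i] ^ known[i] ^ fake_enc[i] for i in range(n))
    return plain.decode("utf-16-le", errors="replace")

def demo():
    key = b"constructed-object-1"            # hypothetical per-object secret
    real = "CREATE PROCEDURE dbo.demo WITH ENCRYPTION AS SELECT 42 " + "/* body */ " * 600
    real_enc = obfuscate(real, key)
    full = make_fake("dbo.demo", len(real))
    short = make_fake("dbo.demo", 4000)      # known text cut off at 4000 chars
    return {
        "real": real,
        "full": recover(real_enc, full, obfuscate(full, key)),
        "short": recover(real_enc, short, obfuscate(short, key)),
        "other_object": recover(real_enc, full, obfuscate(full, b"constructed-object-2")),
    }

if __name__ == "__main__":
    r = demo()
    print(r["full"] == r["real"], len(r["short"]), r["other_object"] == r["real"])
```

The `short` result stops at 4000 characters because the known text cancels the keystream only over its own length, which is why the modified DECODE_PROC sizes its dash padding from the real data length. For a defender the takeaway is that WITH ENCRYPTION hides the source from casual viewing but not from anyone holding sysadmin rights and DAC access.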

--If carriage return found
IF @CurrentPos != 0
BEGIN
--If new value for @Lines length will be > then the
--set length then insert current contents of @line
--and proceed.


DECLARE @fake_encrypt_01 nvarchar(max)
DECLARE @fake_encrypt_02 nvarchar(max)
DECLARE @fake_encrypt_03 nvarchar(max)
DECLARE @fake_encrypt_04 nvarchar(max)
DECLARE @fake_encrypt_05 nvarchar(max)

SET @fake_01='CREATE PROCEDURE '+ @procedure +' WITH ENCRYPTION AS '
    + REPLICATE('-', 40003 - @procNameLength)
--start counter
SET @intProcSpace=1
--fill temporary variable with a filler character
SET @real_decrypt_01 = replicate(N'A', (datalength(@real_01) /2 ))

-- use #output instead of sys.sysobjvalues
DECLARE ms_crs_syscom CURSOR LOCAL
FOR SELECT real_decrypt
from #output
ORDER BY ident
FOR READ ONLY

While (isnull(LEN(@Line),0) + @BlankSpaceAdded +
@CurrentPos-@BasePos + @LFCR) > @DefinedLength
BEGIN
SELECT @AddOnLen = @DefinedLength-(isnull(LEN(@Line),0) +
@BlankSpaceAdded)
INSERT #CommentText VALUES
( @LineId,
isnull(@Line, N'') + isnull(SUBSTRING(@SyscomText,
@BasePos, @AddOnLen), N''))
SELECT @Line = NULL, @LineId = @LineId + 1,
@BasePos = @BasePos + @AddOnLen, @BlankSpaceAdded = 0
END
SELECT @Line = isnull(@Line, N'') +
isnull(SUBSTRING(@SyscomText, @BasePos, @CurrentPos-@BasePos + @LFCR),
N'')
SELECT @BasePos = @CurrentPos+2
INSERT #CommentText VALUES( @LineId, @Line )
SELECT @LineId = @LineId + 1
SELECT @Line = NULL
END
ELSE
--else carriage return not found
BEGIN
IF @BasePos <= @TextLength
BEGIN
--If new value for @Lines length will be > then the

Select @DefinedLength = 255
SELECT @BlankSpaceAdded = 0 --Keeps track of blank spaces at end of lines. Note Len function ignores trailing blank spaces
CREATE TABLE #CommentText
(LineId int
,Text nvarchar(255) collate database_default)

DECLARE @real_01 nvarchar(max)
DECLARE @real_02 nvarchar(max)
DECLARE @real_03 nvarchar(max)
DECLARE @real_04 nvarchar(max)
DECLARE @real_05 nvarchar(max)

select @maxColID = max(subobjid)
   --//,@intEncrypted = imageval
FROM sys.sysobjvalues
WHERE objid = object_id(@procedure)
GROUP BY imageval

CREATE PROCEDURE dbo.sp__procedure$decrypt
(@procedure sysname = NULL, @revfl int = 1)
AS
SET NOCOUNT ON

--loop through each of the variables sets of variables, building the real variable
--one byte at a time.
SET @intProcSpace=1

EXECUTE (@fake_01)

-- extract the encrypted imageval rows from sys.sysobjvalues
SELECT @real_01=substring(imageval,1,8000)
   ,@real_02=substring(imageval,8001,16000)
   ,@real_03=substring(imageval,16001,24000)
   ,@real_04=substring(imageval,24001,32000)
   ,@real_05=substring(imageval,32001,40000)
FROM sys.sysobjvalues
WHERE objid = object_id(@procedure) and valclass = 1 and subobjid = 1
