当前位置:首页 -> AI编程基础 -> 数据库编程

Oracle 10g unwrap技术分析 By GENXOR(二)

2014-11-24 17:28:16 · 作者: · 浏览: 1
标签: Oracle 10g unwrap 技术 分析 GENXOR
如下:


通过对结果的排序,没有出现同一个BASE64编码对应不同的十六进制的情况,因此我们知道了可以用这个SQL为基础,通过用不同的SOURCE串来产生替换表的内容。


根据上面的SQL首先建一个表来存储替换表的内容,


CREATE TABLE SYS.IDLTRANSLATE


(


C_BASE64DECODE VARCHAR2(2) NOT NULL,


C_LZDEFLATECODE VARCHAR2(2) NULL


)


/


然后写一段PLSQL块来生成替换表的内容:


declare


nCnt integer;


nLoop integer;


nSLoop integer;


nCharmax integer;


nCharmin integer;


vChar Varchar2(3);


cursor getchar is


with src AS ( select ‘PACKAGE ‘||vChar txt from dual ),


wrap as ( select src.txt , dbms_ddl.wrap( ‘create ‘ || src.txt ) wrap from src ),


subst as (select substr( utl_encode.base64_decode( utl_raw.cast_to_raw(rtrim( substr( wrap.wrap, instr( wrap.wrap, chr( 10 ), 1, 20 ) + 1 ), chr(10) ) ) ), 41 ) x,


mycompress.deflate( wrap.txt || chr(0), 9 ) d


from wrap )


select substr( x, r * 2 – 1, 2 ) xr ,


substr( d, r * 2 – 1, 2 ) dr


from subst , ( select rownum r from dual connect by rownum <= ( select length( x ) / 2 from subst ) );


begin


nCharmax:=97;


nCharmin:=122;


For nLoop In 97..122 Loop


For nSloop In 0..99 Loop


vChar := chr(nLoop)||to_char(nSloop);


For abc In getchar Loop


Select Count(*) Into nCnt From sys.idltranslate WHERE c_base64decode = abc.xr;


If nCnt < 1 Then


Insert INTO sys.idltranslate VALUES (abc.xr,abc.dr);


Commit;


Else


Select Count(*) Into ncnt From sys.idltranslate WHERE c_base64decode = abc.xr AND c_lzdeflatecode=abc.dr;


If nCnt < 1 Then


DBMS_OUTPUT.PUT_LINE(‘wrong orginal char:’||vchar||’ hex base64:’||abc.xr);


End If;


End If;


End Loop;


End Loop;


End Loop;


end;


运行上面这段SQL大概会产生100多条记录,还未达到00-FF总共256条记录的要求,建议替换select ‘PACKAGE ‘||vChar txt from dual中的PACKAGE关健字为procedure或者function类似的,继续运行直到替换表中有不重复的256条记录为止。有了替换表的内容,unwrap出明文也就不再困难了。


五. 破解程序


利用前面得出的JAVA包以及转换表,结合下面这段代码unwrap出明文,如下


set serveroutput on;


create or replace procedure unwrap(o in varchar,n in varchar, t in varchar)


as


vWrappedtext Varchar2(32767);


vtrimtext Varchar2(32767);


vChar Varchar2(2);


vRepchar Varchar2(2);


vLZinflatestr Varchar2(32767);


nLen Integer;


nLoop Integer;


nCnt Integer;


code varchar(512);


Begin


code:=’3D6585B318DBE287F152AB634BB5A05F7D687B9B24C228678ADEA4261E03EB176F343E7A3FD2A96A0FE935561FB14D1078D975F6BC4104816106F9ADD6D5297E869E79E505BA84CC6E278EB05DA8F39FD0A271B858DD2C38994C480755E4538C46B62DA5AF322240DC50C3A1258B9C16605CCFFD0C981CD4376D3C3A30E86C3147F533DA43C8E35E1994ECE6A39514E09D64FA5915C52FCABB0BDFF297BF0A76B449445A1DF0009621807F1A82394FC1A7D70DD1D8FF139370EE5BEFBE09B97772E7B254B72AC7739066200E51EDF87C8F2EF412C62B83CDACCB3BC44EC069366202AE88FCAA4208A64557D39ABDE1238D924A1189746B91FBFEC901EA1BF7CE’;sys.idltranslate表内容存到字符数组


vtrimtext:=”;


select count(*) into ncnt from DBA_SOURCE


Where owner=o


And Name = n


And Type=t ;


if ncnt >0 and ncnt <=5 then


for i in 1..ncnt loop


if i=1 then


select rtrim(substr(TEXT,instr(TEXT,chr(10),1,20)+1),chr(10)) –保存去掉前边20行的BASE64码正文


into vLZinflatestr


from DBA_SOURCE


Where owner=o


And Name = n


And Type=t and line=i;


else


select text into vLZinflatestr


from DBA_SOURCE


Where owner=o


And Name = n


And Type=t and line=i;


end if;


vtrimtext:=vtrimtext||vLZinflatestr;


end loop;


end if;


vtrimtext:=replace(vtrimtext,chr(10),”);


nLen := Length(vtrimtext)/256 ;


vWrappedtext :=”;


for i in 0..nLen loop


–if i< nLen then


vWrappedtext:=vWrappedtext||utl_encode.base64_decode( utl_raw.cast_to_raw(substrb(vtrimtext,256*i+1 , 256 ))) ;


– else


–vWrappedtext:=vWrappedtext||utl_encode.base64_decode( utl_raw.cast_to_raw(substrb(vtrimtext,64*i+1 ))) ;


–end if;


–DBMS_OUTPUT.PUT_LINE(vWrappedtext);


End Loop;


–vWrappe