SQL SERVER 2008 cracked encrypted stored procedure (fixed the problem that the stored procedure is too long decrypted to be blank)

The stored procedures created with the encryption option in SQLServer2005 are still the same as those in sqlserver2000, which are encrypted using XOR. Unlike 2000, encrypted ciphertexts have not been found in the syscomments system table in 2005. To check the ciphertext, you must use DAC (dedicated administrator connection) to connect to the database, query in the system table sys.sysobjvalues, the column imageval of this table stores the corresponding ciphertext. Specifically, you can use the following query: SELECT imageval FROM sys.sysobjvalues WHERE objid = object_id (@procedure) AND valclass = 1 AND subobjid = 1

  Notes on using DAC connection:
1. Only the members of the system administrator (sysadmin) role can use the DAC connection to access the SQL Server (Local) local connection

2. Only one DAC can exist in an execution instance.

3. The use of DAC usually allows the DBA to query and resolve SQL Server problems (when the instance cannot be properly connected),

4. It is like executing sp_who2, Kill SPID, DBCC SQLPERF, DBCC DROPCLEANBUFFERS ... etc., when using DAC connection, do not execute commands that consume a lot of resources, such as DBCC CHECKDB, DBCC SHRINKDATABASE .. etc.

5. Use DAC to log in to modify the system table or view the system table. In the previous SQL2000, you can modify the system table at will. When SQL2005 begins, you will be restricted

6. The sql server browse service must be enabled
Open DAC SQL

 1 USE master
 2 GO
 3 sp_configure ‘show advanced options’, 1
 4 GO
 5 sp_configure ‘remote admin connections’, 1
 6 GO
 7 RECONFIGURE WITH OVERRIDE
 8 GO
 9 
10
11 SELECT * FROM sys.configurations where name = ‘remote admin connections’
Can also be opened in the peripheral application configurator

 

Log in using DAC from the command line
sqlcmd plus / A option dedicated management connection
sqlcmd / S JOE / E / A
1> DBCC DROPCLEANBUFFERS
2> GO
================================================== ==============

Create PROCEDURE [dbo]. [Sp_windbidecrypt] (@procedure sysname = NULL, @revfl int = 1) AS / ************************** ********************************* Note: DAC connection must be used for decryption (Enterprise Manager connection method: file -> New-> Database engine query, use ADMIN: instance name) Connect sqlcmd Syntax: sqlcmd -A -d databasename -oc: \ a.txt The calling form is: Run cmd first to execute: sqlcmd -A -d gzzywst -oc: \ a.txt Note: -AA must be capitalized, -d is the database to enter -o is the file output path and file name. This method is more complicated when connecting to the local SQL2008 remote login. The server IP is required to log in the user and password. The second step: enter exec sp_windbidecrypt 'Ts_b_InsertBillDetailDraft', 0 and then enter go. After entering, the contact will jump, and the jump will not The error shows that the decryption was successful during the storage process and can be viewed in the output path.
Or create a new-database engine query in sql manament studio: admin: 192.168.1.0 and then execute the statement
-------------------------------------------------- -------------
If the second parameter uses 1, it will give some tips for the stored procedure.
--Version 4.0 fixes the problem that the stored procedure is too long to decrypt and is blank
This version can completely decrypt the stored procedure under sql2008
************************************************** ************ /
SET NOCOUNT ON
IF @revfl = 1
BEGIN
PRINT ‘Warning: This stored procedure will delete and rebuild the original stored procedure. ‘
PRINT ‘Be sure to have a backup of your database before running the stored procedure. ‘
PRINT ‘The stored procedure should normally run in a backup non-product environment of the production environment. ‘
PRINT ‘In order to run this stored procedure, change the value of parameter @refl to 0. ‘
RETURN 0
END
DECLARE @intProcSpace bigint, @t bigint, @maxColID smallint, @procNameLength int
select @maxColID = max (subobjid) FROM
sys.sysobjvalues WHERE objid = object_id (@procedure)
--select @maxColID as ‘Rows in sys.sysobjvalues’
select @procNameLength = datalength (@procedure) + 29
DECLARE @ real_01 nvarchar (max)
DECLARE @ fake_01 nvarchar (max)
DECLARE @ fake_encrypt_01 nvarchar (max)
DECLARE @ real_decrypt_01 nvarchar (max), @ real_decrypt_01a nvarchar (max)
declare @objtype varchar (2), @ ParentName nvarchar (max)
select @ real_decrypt_01a = ‘‘
-If the type of the extracted object is a stored procedure or a function, if it is a trigger, you must also get the name of its parent object
select @ objtype = type, @ parentname = object_name (parent_object_id)
from sys.objects where [object_id] = object_id (@procedure)
-Extract encrypted imageval records from sys.sysobjvalues
SET @ real_01 = (SELECT top 1 imageval FROM sys.sysobjvalues WHERE objid =
object_id (@procedure) and valclass = 1 order by subobjid)
  
--Create a temporary table
create table #output ([ident] [int] IDENTITY (1, 1) NOT NULL,
[real_decrypt] NVARCHAR (MAX))
--Start a transaction, roll back later
BEGIN TRAN
--Change the original stored procedure and replace with a dash
if @ objtype = ‘P’
  SET @ fake_01 = ‘ALTER PROCEDURE‘ + @procedure + ‘WITH ENCRYPTION AS select 1
  / ** // * ‘+ REPLICATE (cast (‘ * ‘as nvarchar (max)), datalength (@ real_01) / 2-@procNameLength) +‘ * / ‘
else if @ objtype = ‘FN’
  SET @ fake_01 = ‘ALTER FUNCTION‘ + @procedure + ‘() RETURNS INT WITH ENCRYPTION AS BEGIN RETURN 1
  / ** // * ‘+ REPLICATE (cast (‘ * ‘as nvarchar (max)), datalength (@ real_01) / 2-@procNameLength) +‘ * / END ’
else if @ objtype = ‘V’
  SET @ fake_01 = ‘ALTER view‘ + @procedure + ‘WITH ENCRYPTION AS select 1 as col
  / ** // * ‘+ REPLICATE (cast (‘ * ‘as nvarchar (max)), datalength (@ real_01) / 2-@procNameLength) +‘ * / ‘
else if @ objtype = ‘TR’
  SET @ fake_01 = ‘ALTER trigger‘ + @procedure + ‘ON‘ [email protected] + ‘WITH ENCRYPTION AFTER INSERT AS RAISERROR (‘ ‘N’ ‘, 16,10)
  / ** // * ‘+ REPLICATE (cast (‘ * ‘as nvarchar (max)), datalength (@ real_01) / 2-@procNameLength) +‘ * / ‘
EXECUTE (@ fake_01)
-Propose encrypted fake from sys.sysobjvalues
SET @ fake_encrypt_01 = (SELECT top 1 imageval FROM sys.sysobjvalues WHERE objid =
object_id (@procedure) and valclass = 1 order by subobjid)
if @ objtype = ‘P’
  SET @ fake_01 = ‘Create PROCEDURE‘ + @procedure + ‘WITH ENCRYPTION AS select 1
  / ** // * ‘+ REPLICATE (cast (‘ * ‘as nvarchar (max)), datalength (@ real_01) / 2-@procNameLength) +‘ * / ‘
else if @ objtype = ‘FN’
  SET @ fake_01 = ‘CREATE FUNCTION‘ + @procedure + ‘() RETURNS INT WITH ENCRYPTION AS BEGIN RETURN 1
  / ** // * ‘+ REPLICATE (cast (‘ * ‘as nvarchar (max)), datalength (@ real_01) / 2-@procNameLength) +‘ * / END ’
else if @ objtype = ‘V’
  SET @ fake_01 = ‘Create view‘ + @procedure + ‘WITH ENCRYPTION AS select 1 as col
  / ** // * ‘+ REPLICATE (cast (‘ * ‘as nvarchar (max)), datalength (@ real_01) / 2-@procNameLength) +‘ * / ‘
else if @ objtype = ‘TR’
  SET @ fake_01 = ‘Create trigger‘ + @procedure + ‘ON‘ [email protected] + ‘WITH ENCRYPTION AFTER INSERT AS RAISERROR (‘‘ N ’‘, 16,10)
  / ** // * ‘+ REPLICATE (cast (‘ * ‘as nvarchar (max)), datalength (@ real_01) / 2-@procNameLength) +‘ * / ‘
--Start counting
SET @ intProcSpace = 1
-Use characters to fill temporary variables
SET @ real_decrypt_01 = replicate (cast (‘A‘as nvarchar (max)), (datalength (@ real_01) / 2))
-Set each variable in a loop to create a real variable
-One byte at a time
SET @ intProcSpace = 1
-If necessary, traverse each @real_xx variable and decrypt
WHILE @intProcSpace <= (datalength (@ real_01) / 2)
BEGIN
--XOR processing of real and fake and encrypted fake
SET @ real_decrypt_01 = stuff (@ real_decrypt_01, @intProcSpace, 1,
NCHAR (UNICODE (substring (@ real_01, @intProcSpace, 1)) ^
(UNICODE (substring (@ fake_01, @intProcSpace, 1)) ^
UNICODE (substring (@ fake_encrypt_01, @intProcSpace, 1)))))
SET @ [email protected] +1
END
  
  
-Insert variables into table #output through sp_helptext logic
insert #output (real_decrypt) select @ real_decrypt_01
--select real_decrypt AS ‘#output chek’ from #output --Test
--------------------------------------
--Start extraction from sp_helptext
--------------------------------------
declare @dbname sysname
, @ BlankSpaceAdded int
, @ BasePos int
, @ CurrentPos int
, @ TextLength int
, @ LineId int
, @ AddOnLen int
, @LFCR int-Length of carriage return and line feed
, @ DefinedLength int
, @ SyscomText nvarchar (max)
, @ Line nvarchar (255)
Select @DefinedLength = 255
SELECT @BlankSpaceAdded = 0-Track the space at the end of the line. Note that the Len function ignores extra spaces
CREATE TABLE #CommentText
(LineId int
, Text nvarchar (255) collate database_default)
--Use #output instead of sys.sysobjvalues
DECLARE ms_crs_syscom CURSOR LOCAL
FOR SELECT real_decrypt from #output
ORDER BY ident
FOR READ ONLY
-Get text
SELECT @LFCR = 2
SELECT @LineId = 1
OPEN ms_crs_syscom
FETCH NEXT FROM ms_crs_syscom into @SyscomText
WHILE @@ fetch_status> = 0
BEGIN
SELECT @BasePos = 1
SELECT @CurrentPos = 1
SELECT @TextLength = LEN (@SyscomText)
WHILE @CurrentPos! = 0
BEGIN
--Find the end of the line by pressing Enter
SELECT @CurrentPos = CHARINDEX (char (13) + char (10), @SyscomText,
@BasePos)
--If you find Enter
IF @CurrentPos! = 0
BEGIN
--If the new value of the length of @Lines is greater than the set value, insert the current content of @Lines and continue
While (isnull (LEN (@Line), 0) + @BlankSpaceAdded +
@ [email protected] + @LFCR)> @DefinedLength
BEGIN
SELECT @AddOnLen = @ DefinedLength- (isnull (LEN (@Line), 0) +
@BlankSpaceAdded)
INSERT #CommentText VALUES
(@LineId,
isnull (@Line, N ‘‘) + isnull (SUBSTRING (@SyscomText,
@BasePos, @AddOnLen), N ‘‘))
SELECT @Line = NULL, @LineId = @LineId + 1,
@BasePos = @BasePos + @AddOnLen, @BlankSpaceAdded = 0
END
SELECT @Line = isnull (@Line, N ‘‘) +
isnull (SUBSTRING (@SyscomText, @BasePos, @ [email protected] + @LFCR), N ‘‘)
SELECT @BasePos = @ CurrentPos + 2
INSERT #CommentText VALUES (@LineId, @Line)
SELECT @LineId = @LineId + 1
SELECT @Line = NULL
END
ELSE
--If the carriage return is not found
BEGIN
IF @BasePos <= @TextLength
BEGIN
--If the new value of @Lines length is greater than the defined length
While (isnull (LEN (@Line), 0) + @BlankSpaceAdded +
@ [email protected] +1)> @DefinedLength
BEGIN
SELECT @AddOnLen = @DefinedLength-
(isnull (LEN (@Line), 0) + @BlankSpaceAdded)
INSERT #CommentText VALUES
(@LineId,
isnull (@Line, N ‘‘) + isnull (SUBSTRING (@SyscomText,
@BasePos, @AddOnLen), N ‘‘))
SELECT @Line = NULL, @LineId = @LineId + 1,
@BasePos = @BasePos + @AddOnLen, @BlankSpaceAdded = 0
END
SELECT @Line = isnull (@Line, N ‘‘) +
isnull (SUBSTRING (@SyscomText, @BasePos, @ [email protected] +1), N ‘‘)
if LEN (@Line) <@DefinedLength and charindex (‘‘,
@SyscomText, @ TextLength + 1)> 0
BEGIN
SELECT @Line = @Line + ‘‘, @BlankSpaceAdded = 1
END
END
END
END
FETCH NEXT FROM ms_crs_syscom into @SyscomText
END
IF @Line is NOT NULL
INSERT #CommentText VALUES (@LineId, @Line)
select Text from #CommentText order by LineId
CLOSE ms_crs_syscom
DEALLOCATE ms_crs_syscom
DROP TABLE #CommentText
--------------------------------------
--End extraction from sp_helptext
--------------------------------------
--Delete stored procedures created with dashes and rebuild the original stored procedure
ROLLBACK TRAN
DROP TABLE #output
go
SQL SERVER 2008 cracked encrypted storage process (fixed the problem that the storage process is too long to decrypt and it is blank)