
Cracking SQL Server stored procedures

WBOY | Original | 2016-06-07 15:41:06 | 1601 views


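This version has been used to crack stored procedures successfully on SQL Server 2008.

Procedure:

1. First copy the SQL below and run it in Query Analyzer; this creates the decryption stored procedure.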

create PROCEDURE [dbo].[sp_decrypt]
(@procedure sysname = NULL)
AS
SET NOCOUNT ON
BEGIN
DECLARE @intProcSpace bigint, @t bigint, @maxColID smallint, @intEncrypted tinyint, @procNameLength int

select @maxColID = max(subobjid), @intEncrypted = imageval
FROM sys.sysobjvalues WHERE objid = object_id(@procedure)
GROUP BY imageval

select @procNameLength = datalength(@procedure) + 29
DECLARE @real_01 nvarchar(max)
DECLARE @fake_01 nvarchar(max)
DECLARE @fake_encrypt_01 nvarchar(max)
DECLARE @real_decrypt_01 nvarchar(max), @real_decrypt_01a nvarchar(max)
declare @objtype varchar(2), @ParentName nvarchar(max)
select @real_decrypt_01a = ''

-- Get the object type (stored procedure, function, ...); for a trigger, also get the name of its parent object
select @objtype = type, @parentname = object_name(parent_object_id)
from sys.objects where [object_id] = object_id(@procedure)

-- Fetch the encrypted imageval record from sys.sysobjvalues
SET @real_01 = (SELECT top 1 imageval FROM sys.sysobjvalues
    WHERE objid = object_id(@procedure) and valclass = 1 order by subobjid)

-- Create a temporary table
create table #output ([ident] [int] IDENTITY (1, 1) NOT NULL,
    [real_decrypt] NVARCHAR(MAX))

-- Begin a transaction; it is rolled back later
BEGIN TRAN

-- Alter the original object, replacing its body with filler characters
if @objtype = 'P'
    SET @fake_01 = 'ALTER PROCEDURE ' + @procedure + ' WITH ENCRYPTION AS
' + REPLICATE('-', 40003 - @procNameLength)
else if @objtype = 'FN'
    SET @fake_01 = 'ALTER FUNCTION ' + @procedure + '() RETURNS INT WITH ENCRYPTION AS BEGIN RETURN 1
/*' + REPLICATE('*', datalength(@real_01) / 2 - @procNameLength) + '*/ END'
else if @objtype = 'V'
    SET @fake_01 = 'ALTER view ' + @procedure + ' WITH ENCRYPTION AS select 1 as col
/*' + REPLICATE('*', datalength(@real_01) / 2 - @procNameLength) + '*/'
else if @objtype = 'TR'
    SET @fake_01 = 'ALTER trigger ' + @procedure + ' ON ' + @parentname + ' WITH ENCRYPTION AFTER INSERT AS RAISERROR (''N'',16,10)
/*' + REPLICATE('*', datalength(@real_01) / 2 - @procNameLength) + '*/'
EXECUTE (@fake_01)

-- Fetch the encrypted form of the fake object from sys.sysobjvalues
SET @fake_encrypt_01 = (SELECT top 1 imageval FROM sys.sysobjvalues
    WHERE objid = object_id(@procedure) and valclass = 1 order by subobjid)

if @objtype = 'P'
    SET @fake_01 = 'Create PROCEDURE ' + @procedure + ' WITH ENCRYPTION AS
' + REPLICATE('-', 40003 - @procNameLength)
else if @objtype = 'FN'
    SET @fake_01 = 'CREATE FUNCTION ' + @procedure + '() RETURNS INT WITH ENCRYPTION AS BEGIN RETURN 1
/*' + REPLICATE('*', datalength(@real_01) / 2 - @procNameLength) + '*/ END'
else if @objtype = 'V'
    SET @fake_01 = 'Create view ' + @procedure + ' WITH ENCRYPTION AS select 1 as col
/*' + REPLICATE('*', datalength(@real_01) / 2 - @procNameLength) + '*/'
else if @objtype = 'TR'
    SET @fake_01 = 'Create trigger ' + @procedure + ' ON ' + @parentname + ' WITH ENCRYPTION AFTER INSERT AS RAISERROR (''N'',16,10)
/*' + REPLICATE('*', datalength(@real_01) / 2 - @procNameLength) + '*/'

-- Start the counter
SET @intProcSpace = 1
-- Fill the temporary variable with placeholder characters
SET @real_decrypt_01 = replicate(N'A', (datalength(@real_01) / 2))
-- Loop to set each position and build the real text,
-- one character at a time
SET @intProcSpace = 1
-- If necessary, walk through each @real_xx variable and decrypt it
WHILE @intProcSpace <= (datalength(@real_01) / 2)
BEGIN
    -- XOR the real ciphertext with the fake plaintext and the fake ciphertext
    SET @real_decrypt_01 = stuff(@real_decrypt_01, @intProcSpace, 1,
        NCHAR(UNICODE(substring(@real_01, @intProcSpace, 1)) ^
        (UNICODE(substring(@fake_01, @intProcSpace, 1)) ^
        UNICODE(substring(@fake_encrypt_01, @intProcSpace, 1)))))
    SET @intProcSpace = @intProcSpace + 1
END

-- Insert the result into #output so the sp_helptext logic can read it
insert #output (real_decrypt) select @real_decrypt_01
-- select real_decrypt AS '#output chek' from #output -- test

-- -------------------------------------
-- Start of logic taken from sp_helptext
-- -------------------------------------
declare @dbname sysname
,@BlankSpaceAdded int
,@BasePos int
,@CurrentPos int
,@TextLength int
,@LineId int
,@AddOnLen int
,@LFCR int -- length of a carriage return + line feed
,@DefinedLength int
,@SyscomText nvarchar(4000)
,@Line nvarchar(255)

Select @DefinedLength = 255
SELECT @BlankSpaceAdded = 0 -- tracks blanks at the end of a line; note that LEN ignores trailing blanks
CREATE TABLE #CommentText
(LineId int
,Text nvarchar(255) collate database_default)

-- Use #output instead of sys.sysobjvalues
DECLARE ms_crs_syscom CURSOR LOCAL
FOR SELECT real_decrypt from #output
ORDER BY ident
FOR READ ONLY

-- Get the text
SELECT @LFCR = 2
SELECT @LineId = 1
OPEN ms_crs_syscom
FETCH NEXT FROM ms_crs_syscom into @SyscomText
WHILE @@fetch_status >= 0
BEGIN
    SELECT @BasePos = 1
    SELECT @CurrentPos = 1
    SELECT @TextLength = LEN(@SyscomText)
    WHILE @CurrentPos != 0
    BEGIN
        -- Look for the end of the line by searching for a carriage return
        SELECT @CurrentPos = CHARINDEX(char(13) + char(10), @SyscomText, @BasePos)
        -- If a carriage return was found
        IF @CurrentPos != 0
        BEGIN
            -- If the new length of @Line exceeds the defined length, insert the current content of @Line and continue
            While (isnull(LEN(@Line), 0) + @BlankSpaceAdded +
                @CurrentPos - @BasePos + @LFCR) > @DefinedLength
            BEGIN
                SELECT @AddOnLen = @DefinedLength - (isnull(LEN(@Line), 0) + @BlankSpaceAdded)
                INSERT #CommentText VALUES
                ( @LineId,
                  isnull(@Line, N'') + isnull(SUBSTRING(@SyscomText, @BasePos, @AddOnLen), N''))
                SELECT @Line = NULL, @LineId = @LineId + 1,
                    @BasePos = @BasePos + @AddOnLen, @BlankSpaceAdded = 0
            END
            SELECT @Line = isnull(@Line, N'') +
                isnull(SUBSTRING(@SyscomText, @BasePos, @CurrentPos - @BasePos + @LFCR), N'')
            SELECT @BasePos = @CurrentPos + 2
            INSERT #CommentText VALUES( @LineId, @Line )
            SELECT @LineId = @LineId + 1
            SELECT @Line = NULL
        END
        ELSE
        -- If no carriage return was found
        BEGIN
            IF @BasePos <= @TextLength
            BEGIN
                -- If the new length of @Line exceeds the defined length
                While (isnull(LEN(@Line), 0) + @BlankSpaceAdded +
                    @TextLength - @BasePos + 1) > @DefinedLength
                BEGIN
                    SELECT @AddOnLen = @DefinedLength -
                        (isnull(LEN(@Line), 0) + @BlankSpaceAdded)
                    INSERT #CommentText VALUES
                    ( @LineId,
                      isnull(@Line, N'') + isnull(SUBSTRING(@SyscomText, @BasePos, @AddOnLen), N''))
                    SELECT @Line = NULL, @LineId = @LineId + 1,
                        @BasePos = @BasePos + @AddOnLen, @BlankSpaceAdded = 0
                END
                SELECT @Line = isnull(@Line, N'') +
                    isnull(SUBSTRING(@SyscomText, @BasePos, @TextLength - @BasePos + 1), N'')
                if LEN(@Line) < @DefinedLength and charindex(' ', @SyscomText, @TextLength + 1) > 0
                BEGIN
                    SELECT @Line = @Line + ' ', @BlankSpaceAdded = 1
                END
            END
        END
    END
    FETCH NEXT FROM ms_crs_syscom into @SyscomText
END

IF @Line is NOT NULL
    INSERT #CommentText VALUES( @LineId, @Line )
select Text from #CommentText order by LineId
CLOSE ms_crs_syscom
DEALLOCATE ms_crs_syscom
DROP TABLE #CommentText
-- -------------------------------------
-- End of logic taken from sp_helptext
-- -------------------------------------

-- Discard the filler object and restore the original one
ROLLBACK TRAN
DROP TABLE #output
END



2. Enable SQL Server's DAC (Dedicated Administrator Connection). To enable remote DAC:

Run in Query Analyzer:

EXEC sp_configure 'remote admin connections', 1;
RECONFIGURE;

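3. Then open a Database Engine Query. Note that this query is not the same as an ordinary query.

Next, in the database connection dialog that pops up,

enter "admin:database IP address or alias" in the "Server name" field; everything else is the same as for a normal connection.

4. You know what to do at this step: exec sp_decrypt 'name of the stored procedure to crack'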
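Why the XOR loop in sp_decrypt recovers the text, as an added Python example that is not part of the original article: it models the relation real ^ fake ^ fake_encrypted and shows that it only holds when the same keystream is reused for the same object. The keystream generator, OBJECT_KEY, SECRET and the per-write nonce are constructed stand-ins and assumptions; SQL Server's actual cipher is not modelled.

```python
import hashlib


def keystream(object_key: bytes, length: int, nonce: bytes = b"") -> bytes:
    """Constructed stand-in keystream (SHA-256 in counter mode).

    With an empty nonce the stream depends only on object_key, which models
    the property the procedure relies on: altering an object re-uses the
    keystream that protected its original text.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(object_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def obfuscate(text: str, object_key: bytes, nonce: bytes = b"") -> bytes:
    """XOR the UTF-16LE module text with the keystream (models imageval)."""
    data = text.encode("utf-16-le")
    return bytes(d ^ k for d, k in zip(data, keystream(object_key, len(data), nonce)))


def recover(real_enc: bytes, fake_plain: str, fake_enc: bytes) -> str:
    """real ^ fake ^ fake_encrypted, as in the procedure's WHILE loop.

    Only the span covered by all three inputs is recoverable, which is why
    the procedure pads its replacement body to at least the original length.
    """
    fake = fake_plain.encode("utf-16-le")
    n = min(len(real_enc), len(fake), len(fake_enc))
    n -= n % 2  # keep whole UTF-16 code units only
    plain = bytes(r ^ f ^ e for r, f, e in zip(real_enc[:n], fake[:n], fake_enc[:n]))
    return plain.decode("utf-16-le", errors="replace")


# Constructed sample data (assumptions, not values from the article).
OBJECT_KEY = b"constructed-object-id-42"
SECRET = "CREATE PROCEDURE dbo.p WITH ENCRYPTION AS SELECT 'licence check'"


def demo_keystream_reuse() -> str:
    """Same keystream for original and filler: the full text comes back."""
    filler = "-" * len(SECRET)
    return recover(obfuscate(SECRET, OBJECT_KEY), filler, obfuscate(filler, OBJECT_KEY))


def demo_short_padding() -> str:
    """Filler shorter than the original: only a prefix is recovered."""
    filler = "-" * 16
    return recover(obfuscate(SECRET, OBJECT_KEY), filler, obfuscate(filler, OBJECT_KEY))


def demo_fresh_nonce() -> str:
    """Hypothetical per-write nonce: the keystreams differ and recovery fails."""
    filler = "-" * len(SECRET)
    return recover(obfuscate(SECRET, OBJECT_KEY, b"\x01"), filler,
                   obfuscate(filler, OBJECT_KEY, b"\x02"))


if __name__ == "__main__":
    print(demo_keystream_reuse())
    print(demo_short_padding())
    print(repr(demo_fresh_nonce()))
```

The first case is why WITH ENCRYPTION should be treated as obfuscation rather than access control: anyone who can alter the object and read sys.sysobjvalues over the DAC holds a known plaintext under the same keystream.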
