Break Access's password

Source: Internet
Author: User
Tags exit empty final header key string version access

The password for the database can be obtained from the 13 bytes at the 0x42 byte of the MDB file, respectively, with the 0x86,0xfb,0xec,0x37,0x5d,0x44,0x9c,0xfa,0xc6,0x5e,0x28,0xe6,0x13. But in Access 2000 and 2002, the key is no longer a fixed 13 byte. And the way the encryption has changed.

After Ccrun spent the afternoon studying, and finally Access2000 encryption way to figure out. Hey. I will post my ideas here. I hope to be useful to you, if you find that my understanding is wrong, please write to us. Mailbox: info@ccrun.com Copyright Although there is no matter, but if you want to reprint, please specify the source, and ensure the integrity of the document. Thank you.

The analysis tool I use is UltraEdit32 v10.00, the programming tool is C + + Builder 6.0.

After using UltraEdit32 analysis, Access2000 and Access2002 are found to be encrypted in the same way, so the following are only for Access2000 MDB files. There is the number I used is 16, so the front plus 0x, if you are using VB or other, to pay attention to the value OH.

First, you create a database file Db1.mdb with a blank password with accessxp, which contains a table with a field that doesn't have any data filled in. Save exit and then copy one for Db2.mdb, open 2.mdb exclusively, and add password 1324567890123 to save exit.

Use UltraEdit32 to open these two databases and compare them. The method I compare is also very simple. In UltraEdit32, quick and click on the tab of the open file (that is, switching back and forth between two files), hehe. Stupid way), found that the 0x42 byte changes from the beginning of the file header.

The following are the referenced contents:

Db1.mdb
00000040H:BC 4E is the EC D7 9C FA FE CD E6 2B 25;
00000050h:8a 6C 7B CD E1 DF B1 4F F7 3C;

00000060H:B1 0C F2 5B AA 7C 2A 4F E9 7C 99 05 13;
Db2.mdb
00000040H:BC 4E 8F D7 DE notoginseng A8 FA CB CD 1E E6 1C 25;
00000050H:B2 4 b/FC E1 ED B1 7C F7 3C;

00000060H:B1 0C F2 5B AA 7C 2A 4F E9 7C 99 05 13;

To see clearly, I added different bytes to the color. See the doorway, Access97 later version, the password byte is no longer stored continuously, but a byte to save one. and has been encrypted. To decrypt the method, or use the old way "different or"! 0xBE ^ 0x8f = 0x31, this is exactly the ASCII code "1" Oh. The next 0xEC ^ 0xDE = 0x32 is exactly the ASCII code "2", hehe. Until the last of a different 0x4f ^ 0x7c =0x33, the word will be obtained in accordance with the string, is the password plaintext "1234567890123", do not think that this is the end of the day. Because this time it was just the right touch. Oh. I was just beginning to think so simple, so with a small program CB, tried to solve a few MDB password is OK, but try to move the network forum MDB file found out the password is wrong, dizzy. So with another tool to take the MDB password looked, found that people can correctly remove the password, is Access2000 format, so feel the way of Microsoft encryption is still not finished research. Continue to work, with ULTRAEDIT32 Open Dynamic Network Forum database Dvbbs.mdb, and I in front of the dense database to do a comparison, found a lot of different places. Had to be a byte a byte of the try .... NNN later found that the byte at the 0x62 plays a key role, known as the encryption flag.

The following are the referenced contents:

Db1.mdb//Blank password
00000040H:BC 4E is the EC D7 9C FA FE CD E6 2B 25;
00000050h:8a 6C 7B CD E1 DF B1 4F F7 3C;

00000060H:B1 0C F2 5B AA 7C 2A 4F E9 7C 99 05 13;

Db2.mdb//Password: 1234567890123
00000040H:BC 4E 8F D7 DE notoginseng A8 FA CB CD 1E E6 1C 25;
00000050H:B2 4 b/FC E1 ED B1 7C F7 3C;

00000060H:B1 0C F2 5B AA 7C 2A 4F E9 7C 99 05 13;

Dvbbs.mdb//password is: yemeng.net

00000040H:BC 4E DB 6A D5 F9 FA 8C CF 4F E6 19 27;

00000050h:e4 0F D1 E3 DF B1-EB 3E;

00000060H:B1 F0 5B B6 7C 2A 4 a E0 7C 99 05 13;

How to try, or different or. Take 0x42 at the beginning of the byte 0xDB and empty password file 0x42 byte xor, take 0x62 of the encryption flag and empty password file 0x62 byte or, and then the obtained two values are different or:

(0xdb^0xbe) ^ (0x10^0x0c) =0x79 This value is ASCII "Y" and then takes off a byte (remember to take one byte at a second)

(0x89^0xec) ^ (0x10^0x0c) =0x79 originally this byte should be "E", how to become "Y"? Try not to be different from the following two differences or values, only calculate 0x89^0xec=0x65 get "E", ha. That's right. Next

(0x14^0x65) ^ (0x10^0c) =0x6d get "M", next

(0xf9^9c) =0x65 get "E", note that this is only the two number of different or. Everyone in the back can try it on their own.

This sums up the rules.

Decryption, first remove the encrypted file from the beginning of the file header 0x62 byte, and the empty password database file 0x62 different or, get an encryption mark.

And then from the 0x42 to start every byte to take a byte, to obtain 13 encrypted password bytes, respectively, and the empty password database file 0x42 at every other byte of 13 bytes to be different or, get 13 cipher semi-finished. Why it is semi-finished, because also to 13 bytes of the password every other byte, and the encryption flag is different or, the final 13 bytes is the real password. Of course, if there are 0x0 bytes in the middle, the number of password digits is not 13 digits. Just show it straight out.

In addition I found that the encryption logo will vary with time or machine, so there is no omnipotent, but there is a reference to it. The following code is the number I get when I write this program, and I write this article is not a time, so the value is different, but the final decryption result is the same. We can refer to it.

Yes, there is another important thing is to judge the database version first, I used a simple method, take the 0x14 at the byte, if 0 is judged to be Access97, if 1 is considered Access2000 or 2002. There is no way of judging 2000 and 2002, if any knows, please advise.

Code:

The definition here is 13 bytes as Access2000 or different source code. The corresponding encryption symbol is 0X13,CCRUN hereby indicate

Of course you can use this group: be EC 9C FE 2B 8A 6C 7B CD DF 4F the corresponding encryption symbol for this group is 0x0c

Oh, the procedure is a bit messy, I hope you can read it.

Char passsource2k[13]={0xa1,0xec,0x7a,0x9c,0xe1,0x28,0x34,0x8a,0x73,0x7b,0xd2,0xdf,0x50};

Access97 or source of the different

Char passsource97[13]={0x86,0xfb,0xec,0x37,0x5d,0x44,0x9c,0xfa,0xc6,0x5e,0x28,0xe6,0x13};

The following are the referenced contents:

void __fastcall Tmainform::getmdbpass ()
{
Char passstrtemp[26],ver,encrypflag,t1;
int filehandle;
String Mdbpassword,mdbversion,mdbfilename;

Filehandle=fileopen (Mdbfilename,fmopenread);
if (filehandle<0)
{
ShowMessage ("File open Error!)" ");
Return
}

Get the database version
FileSeek (filehandle,0x14,0);
Fileread (filehandle,&ver,1);

Get the encryption flag
FileSeek (filehandle,0x62,0);
Fileread (filehandle,&encrypflag,1);

Read encrypted password to buffer
FileSeek (filehandle,0x42,0);
Fileread (filehandle,&passstrtemp,26);
FileClose (FileHandle);

if (ver<1)
{
Mdbversion= "Access 97";
if (int (passstrtemp[0]^passsource97[0]) ==0)
mdbpassword= "Password is empty!";
Else
{
Mdbpassword= "";
for (int j=0;j<13;j++)
Mdbpassword=mdbpassword+char (Passstrtemp[j]^passsource97[j]);
}
}
Else
{
Mdbversion= "Access or 2002";
Mdbpassword= "";
for (int j=0;j<13;j++)
{
if (j%2==0)

T1=char (0x13^encrypflag^passstrtemp[j*2]^passsource2k[j]);

Each byte is different from the encryption flag or. The encryption flag here is 0x13

Else

T1=char (Passstrtemp[j*2]^passsource2k[j]);
MDBPASSWORD=MDBPASSWORD+T1;
}
}
if (mdbpassword[1]<0x20| | mdbpassword[1]>0x7e)
mdbpassword= "Password is empty!" ";
editmdbfilename->text=mdbfilename;
editmdbpassword->text=mdbpassword;
editmdbversion->text=mdbversion;
}



Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.