Cracking the Access (*.mdb) password

Source: Internet
Author: User

Cracking the Access 97 password has already been covered on many websites and in magazines. I will recap it briefly here.

The database password can be obtained by XORing the 13 bytes starting at offset 0x42 of the MDB file with 0x86, 0xfb, 0xec, 0x37, 0x5d, 0x44, 0x9c, 0xfa, 0xc6, 0x5e, 0x28, 0xe6, 0x13 respectively. In Access 2000 and 2002, however, the key is no longer a fixed 13 bytes, and the encryption method has changed.

Ccrun spent an afternoon studying this and finally figured out how Access 2000 encrypts the password. Hey. I am posting my findings here. I hope they are useful to you; if you find that my understanding is wrong, please write to me. Mailbox: info@ccrun.com. There is no copyright to speak of, but if you want to reprint this, please credit the source and keep the document intact. Thank you.

The analysis tool I used is UltraEdit32 v10.00; the programming tool is C++ Builder 6.0.

Analysis with UltraEdit32 shows that Access 2000 and Access 2002 encrypt the password in the same way, so the following deals only with Access 2000 MDB files. The numbers I use are hexadecimal, hence the 0x prefix; if you are using VB or another language, pay attention to how the values are written.

First, create a database file Db1.mdb with a blank password in Access XP, containing one table with one field and no data. Save and exit, then make a copy named Db2.mdb, open Db2.mdb exclusively, set the password 1234567890123, then save and exit.

Open the two databases in UltraEdit32 and compare them. My comparison method is very simple: in UltraEdit32, quickly click back and forth between the tabs of the two open files (hehe, a stupid way). The bytes turn out to differ starting at offset 0x42 in the file header.

Db1.mdb

00000040H:BC 4E is the EC D7 9C FA FE CD E6 2B 25;

00000050h:8a 6C 7B CD E1 DF B1 4F F7 3C;

00000060H:B1 0C F2 5B AA 7C 2A 4F E9 7C 99 05 13;

Db2.mdb

00000040H:BC 4E 8F D7 DE notoginseng A8 FA CB CD 1E E6 1C 25;

00000050H:B2 4 b/FC E1 ED B1 7C F7 3C;

00000060H:B1 0C F2 5B AA 7C 2A 4F E9 7C 99 05 13;

To make this clear, I coloured the bytes that differ. See the trick? In versions after Access 97 the password bytes are no longer stored contiguously; one is stored every other byte, and they are encrypted. To decrypt, use the same old method: XOR! 0xBE ^ 0x8f = 0x31, which is exactly the ASCII code for "1". Next, 0xEC ^ 0xDE = 0x32 is exactly the ASCII code for "2", hehe. Continue to the last differing byte, 0x4f ^ 0x7c = 0x33; putting the resulting characters together gives the plaintext password "1234567890123".

Do not think that this is the end of it, though, because this time it only happened to work. At first I also thought it was this simple, so I wrote a small program in CB (C++ Builder) and tried it on the passwords of a few MDB files, which worked. But when I tried it on the MDB file of the Dvbbs (Dynamic Network) forum, the password it produced was wrong. I then looked at that MDB with another password tool, which recovered the password correctly and showed that the file is in Access 2000 format, so I realized I had not finished working out Microsoft's encryption. Continuing, I opened the forum database Dvbbs.mdb in UltraEdit32, compared it with the password-protected database I had made earlier, and found many differences. I had to try it byte by byte... Much later I found that the byte at 0x62 plays a key role; I call it the encryption flag.

Db1.mdb // blank password

00000040H:BC 4E is the EC D7 9C FA FE CD E6 2B 25;

00000050h:8a 6C 7B CD E1 DF B1 4F F7 3C;

00000060H:B1 0C F2 5B AA 7C 2A 4F E9 7C 99 05 13;

Db2.mdb // password: 1234567890123

00000040H:BC 4E 8F D7 DE notoginseng A8 FA CB CD 1E E6 1C 25;

00000050H:B2 4 b/FC E1 ED B1 7C F7 3C;

00000060H:B1 0C F2 5B AA 7C 2A 4F E9 7C 99 05 13;

Dvbbs.mdb // password: yemeng.net

00000040H:BC 4E DB 6A D5 F9 FA 8C CF 4F E6 19 27;

00000050h:e4 0F D1 E3 DF B1-EB 3E;

00000060H:B1 F0 5B B6 7C 2A 4 a E0 7C 99 05 13;

How to try it? XOR again. Take the byte 0xDB at offset 0x42 and XOR it with the byte at 0x42 of the blank-password file; take the encryption flag at 0x62 and XOR it with the byte at 0x62 of the blank-password file; then XOR the two results together:

(0xdb ^ 0xbe) ^ (0x10 ^ 0x0c) = 0x79, hehe. This value is the ASCII code for "y". Then take the next byte (remember to take every other byte):

(0x89 ^ 0xec) ^ (0x10 ^ 0x0c) = 0x79. This byte should be "e", so how did it become "y"? Try leaving out the second XOR value and compute only 0x89 ^ 0xec = 0x65, which gives "e". Ha, that's right. Next:

(0x14 ^ 0x65) ^ (0x10 ^ 0x0c) = 0x6d gives "m". Next:

(0xf9 ^ 0x9c) = 0x65 gives "e"; note that here only the two bytes are XORed. You can try the remaining bytes yourselves.
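The XOR steps described above, as an added Python example (not the author's C++ Builder program). The two headers are constructed: only the bytes at 0x42, 0x44, 0x46, 0x48 and 0x62 are the values quoted in the article; the filler bytes, the function names and the rule that an unused slot decodes to 0 are assumptions.

```python
PW_OFFSET = 0x42    # first password byte (from the article)
FLAG_OFFSET = 0x62  # byte the article calls the "encryption flag"
MAX_CHARS = 16      # assumption: stop before slot 16, which would sit on 0x62

# Byte values quoted in the article, keyed by file offset.
BLANK = {0x42: 0xBE, 0x44: 0xEC, 0x46: 0x65, 0x48: 0x9C, 0x62: 0x0C}
DVBBS = {0x42: 0xDB, 0x44: 0x89, 0x46: 0x14, 0x48: 0xF9, 0x62: 0x10}
DB2 = {0x42: 0x8F, 0x44: 0xDE}  # flag byte unchanged from the blank file


def constructed_headers(protected_values):
    """Build (blank, protected) 0x70-byte headers around the quoted bytes."""
    blank = bytearray((i * 7 + 3) & 0xFF for i in range(0x70))  # constructed filler
    for off, val in BLANK.items():
        blank[off] = val
    protected = bytearray(blank)
    for off, val in protected_values.items():
        protected[off] = val
    delta = protected[FLAG_OFFSET] ^ blank[FLAG_OFFSET]
    used = sum(1 for off in protected_values if off != FLAG_OFFSET)
    # Assumption: unused slots decode to 0, so unused even-numbered slots
    # carry the flag delta just like used ones.
    for i in range(used + used % 2, MAX_CHARS, 2):
        protected[PW_OFFSET + 2 * i] ^= delta
    return bytes(blank), bytes(protected)


def recover_password(blank, protected):
    """Apply the article's procedure to a blank and a protected header."""
    flag_delta = protected[FLAG_OFFSET] ^ blank[FLAG_OFFSET]
    chars = []
    for i in range(MAX_CHARS):
        off = PW_OFFSET + 2 * i      # one password byte every other byte
        c = protected[off] ^ blank[off]
        if i % 2 == 0:               # 1st, 3rd, 5th... characters also take the flag XOR
            c ^= flag_delta
        if c == 0:                   # slot decodes to nothing: end of password
            break
        chars.append(chr(c))
    return "".join(chars)


if __name__ == "__main__":
    for name, values in (("Db2", DB2), ("Dvbbs", DVBBS)):
        print(name, recover_password(*constructed_headers(values)))
```

Only the first bytes of each password are quoted in the article, so the decoded strings are the prefixes "12" and "yeme".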
