Lab: Crack All versions access password

access| cracked about Access97 password, in many websites and magazines have been introduced. Here I repeat briefly.

The password for the database can be obtained from the 13 bytes at the 0x42 byte of the MDB file, respectively, with the 0x86,0xfb,0xec,0x37,0x5d,0x44,0x9c,0xfa,0xc6,0x5e,0x28,0xe6,0x13. But in Access 2000 and 2002, the key is no longer a fixed 13 byte. And the way the encryption has changed.

After Ccrun spent the afternoon studying, and finally Access2000 encryption way to figure out. Hey. I will post my ideas here. I hope to be useful to you, if you find that my understanding is wrong, please write to us. Mailbox: info@ccrun.com Copyright Although there is no matter, but if you want to reprint, please specify the source, and ensure the integrity of the document. Thank you.

I use the analysis tool is UltraEdit32 v10.00, programming tool is C + + Builder 6.0

After using UltraEdit32 analysis, Access2000 and Access2002 are found to be encrypted in the same way, so the following are only for Access2000 MDB files. There is the number I used is 16, so the front plus 0x, if you are using VB or other, to pay attention to the value OH.

First, you create a database file Db1.mdb with a blank password with accessxp, which contains a table with a field that doesn't have any data filled in. Save exit and then copy one for Db2.mdb, open 2.mdb exclusively, and add password 1324567890123 to save exit.

Use UltraEdit32 to open these two databases and compare them. The method I compare is also very simple. In UltraEdit32, quick and click on the tab of the open file (that is, switching back and forth between two files), hehe. Stupid way), found that the 0x42 byte changes from the beginning of the file header.

Db1.mdb

00000040H:BC 4E is the EC D7 9C FA FE CD E6 2B 25;

00000050h:8a 6C 7B CD E1 DF B1 4F F7 3C;

00000060H:B1 0C F2 5B AA 7C 2A 4F E9 7C 99 05 13;

Db2.mdb

00000040H:BC 4E 8F D7 DE notoginseng A8 FA CB CD 1E E6 1C 25;

00000050H:B2 4 b/FC E1 ED B1 7C F7 3C;

00000060H:B1 0C F2 5B AA 7C 2A 4F E9 7C 99 05 13;

To see clearly, I added different bytes to the color. See the doorway, Access97 later version, the password byte is no longer stored continuously, but a byte to save one. and has been encrypted. To decrypt the method, or use the old way "different or"!0xbe ^ 0x8f = 0x31, this is exactly the ASCII code "1" Oh. The next 0xEC ^ 0xDE = 0x32 is exactly the ASCII code "2", hehe. Until the last of a different 0x4f ^ 0x7c =0x33, the word will be obtained in accordance with the string, is the password plaintext "1234567890123", do not think that this is the end of the day. Because this time it was just the right touch. Oh. I was just beginning to think so simple, so with a small program CB, tried to solve a few MDB password is OK, but try to move the network forum MDB file found out the password is wrong, dizzy. So with another tool to take the MDB password looked, found that people can correctly remove the password, is Access2000 format, so feel the way of Microsoft encryption is still not finished research. Continue to work, with ULTRAEDIT32 Open Dynamic Network Forum database Dvbbs.mdb, and I in front of the dense database to do a comparison, found a lot of different places. Had to be a byte a byte of the try .... NNN later found that the byte at the 0x62 plays a key role, known as the encryption flag.

Db1.mdb//Blank password

00000040H:BC 4E is the EC D7 9C FA FE CD E6 2B 25;

00000050h:8a 6C 7B CD E1 DF B1 4F F7 3C;

00000060H:B1 0C F2 5B AA 7C 2A 4F E9 7C 99 05 13;

Db2.mdb//Password: 1234567890123

00000040H:BC 4E 8F D7 DE notoginseng A8 FA CB CD 1E E6 1C 25;

00000050H:B2 4 b/FC E1 ED B1 7C F7 3C;

00000060H:B1 0C F2 5B AA 7C 2A 4F E9 7C 99 05 13;

Dvbbs.mdb//password is: yemeng.net

00000040H:BC 4E DB 6A D5 F9 FA 8C CF 4F E6 19 27;

00000050h:e4 0F D1 E3 DF B1-EB 3E;

00000060H:B1 F0 5B B6 7C 2A 4 a E0 7C 99 05 13;

How to try, or different or. Take 0x42 at the beginning of the byte 0xDB and empty password file 0x42 byte xor, take 0x62 of the encryption flag and empty password file 0x62 byte or, and then the obtained two values are different or:

(0xdb^0xbe) ^ (0x10^0x0c) =0x79 hehe. This value is the "Y" of ASCII, and then the byte is removed (remember to take one byte at a while)

(0x89^0xec) ^ (0x10^0x0c) =0x79, originally this byte should be "E", how to become "y"? Try not to be different from the following two differences or values, only calculate 0x89^0xec=0x65 get "E", ha. That's right. Next

(0x14^0x65) ^ (0x10^0c) =0x6d get "M", next

(0xf9^9c) =0x65 get "E", note that this is only the two number of different or. Everyone in the back can try it on their own.

This sums up the rules.

Decryption, first remove the encrypted file from the beginning of the file header 0x62 byte, and the empty password database file 0x62 different or, get an encryption mark.

And then from the 0x42 to start every byte to take a byte, to obtain 13 encrypted password bytes, respectively, and the empty password database file 0x42 at every other byte of 13 bytes to be different or, get 13 cipher semi-finished. Why it is semi-finished, because also to 13 bytes of the password every other byte, and the encryption flag is different or, the final 13 bytes is the real password. Of course, if there are 0x0 bytes in the middle, the number of password digits is not 13 digits. Just show it straight out.

In addition I found that the encryption logo will vary with time or machine, so there is no omnipotent, but there is a reference to it. The following code is the number I get when I write this program, and I write this article is not a time, so the value is different, but the final decryption result is the same. We can refer to it.

Yes, there is another important thing is to judge the database version first, I used a simple method, take the 0x14 at the byte, if 0 is judged to be Access97, if 1 is considered Access2000 or 2002. There is no way of judging 2000 and 2002, if any knows, please advise.

Code:

The definition here is 13 bytes as Access2000 or different source code. The corresponding encryption symbol is 0X13,CCRUN hereby indicate

Of course you can use this group: be EC 9C FE 2B 8A 6C 7B CD DF 4F the corresponding encryption symbol for this group is 0x0c

Oh, the process is a bit messy, I hope you can read.

Char passsource2k[13]={0xa1,0xec,0x7a,0x9c,0xe1,0x28,0x34,0x8a,0x73,0x7b,0xd2,0xdf,0x50};

Access97 or source of the different

Char passsource97[13]={0x86,0xfb,0xec,0x37,0x5d,0x44,0x9c,0xfa,0xc6,0x5e,0x28,0xe6,0x13};

void __fastcall Tmainform::getmdbpass ()

{

Char passstrtemp[26],ver,encrypflag,t1;

int filehandle;

String Mdbpassword,mdbversion,mdbfilename;

Filehandle=fileopen (Mdbfilename,fmopenread);

if (filehandle<0)

{

ShowMessage ("File open Error!");

Return

}

Get the database version

FileSeek (filehandle,0x14,0);

Fileread (filehandle,&ver,1);

Get the encryption flag

FileSeek (filehandle,0x62,0);

Fileread (filehandle,&encrypflag,1);

Read encrypted password to buffer

FileSeek (filehandle,0x42,0);

Fileread (filehandle,&passstrtemp,26);

FileClose (FileHandle);

if (ver<1)

{

Mdbversion= "Access 97";

if (int (passstrtemp[0]^passsource97[0]) ==0)

mdbpassword= "Password is empty!";

Else

{

Mdbpassword= "";

for (int j=0;j<13;j++)

Mdbpassword=mdbpassword+char (Passstrtemp[j]^passsource97[j]);

}

}

Else

{

Mdbversion= "Access or 2002";

Mdbpassword= "";

for (int j=0;j<13;j++)

{

if (j%2==0)

T1=char (0x13^encrypflag^passstrtemp[j*2]^passsource2k[j]);

Each byte is different from the encryption flag or. The encryption flag here is 0x13

Else

T1=char (Passstrtemp[j*2]^passsource2k[j]);

MDBPASSWORD=MDBPASSWORD+T1;

}

}

if (mdbpassword[1]<0x20| | mdbpassword[1]>0x7e)

mdbpassword= "Password is empty!";

editmdbfilename->text=mdbfilename;

editmdbpassword->text=mdbpassword;

editmdbversion->text=mdbversion;

}