[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Microsoft Access 97 MDW files



Does anyone know if there is a document that describes the
algorithm used to scramble the password found in Microsoft Access
MDW files?  I've tried my luck with the archives here, and on
Google, and I don't believe that this is a topic that has been
discussed.

I'm particularily concerned with the Password column in the
MSysAccounts table.  At first glance I can see only 64 bits of
entropy:

Here is a snippet from two columns copied and pasted into
notepad, one per line, saved, and then converted to hex:

fffedd2bb1bf52e1e4926952ad67f3d5e1e60d000a006952ad67f3d5e1e66952a
d67f3d5e1e6

>From this I've guessed that "fffe" is a unicode header, which
gives me:

dd2bb1bf52e1e4926952ad67f3d5e1e60d000a006952ad67f3d5e1e66952ad67f
3d5e1e6

Since the rows are CR/LF delimited we get:

dd2bb1bf52e1e4926952ad67f3d5e1e6
0d000a00
6952ad67f3d5e1e66952ad67f3d5e1e6

This file is also stored little-endian, so we get:

2bddbfb1e15292e4526967add5f3e6e1
526967add5f3e6e1526967add5f3e6e1

The first is a row that contains a password, the second row
contains a password of "" (0 length string)

If we separate the rows where the data matches we get:

2bddbfb1e15292e4 526967add5f3e6e1
526967add5f3e6e1 526967add5f3e6e1

It seems that the LS = RS on the empty password line, and RS = RS
between the two lines.  I've tried putting in a single character
password, but it seems to modify many bits in the LS.  Based on
this information, it seems that a 64-bit hash function is used to
calculate the left side, and the right side is used to obfuscate
the result of the function via XOR (which yeilds a result of 0
when LS = RS).  I also presume that the value of obfuscating the
results of the hash function is so that the output is not
noticably predictable at a glance?

Does anyone have information that they can share to help the
progression of this train of thought, or documentation to point
me
in the right direction?

Thanks,
Derek