|
Cracking Access Databases
Beating M$ with his own tools
|
Most stupid protection
|
24 September 1999
| by
LaptoniC
|
|
|
Courtesy of Fravia's page of
reverse engineering
|
slightly edited
by fravia+
|
fra_00xx 980924 LaptoniC 1000 ST PC
|
A most stupid protection indeed. I think this essay could be useful for newbies and beginners that
want to understand the relationships between modules and this kind of targets.
For protectors: you SHOULD NEVER, NEVER, NEVER write inside a module something like:
If LicCheck = 0 Then
'are the licence details already stored somewhere on the computer?
Duh. The fact that you can use access' debug functions to crack - and even to produce a
keygenerator! - is something that shareware authors should take note of...
| |
|
There is a crack, a crack in everything
That's how the light gets in
| |
Rating
|
(x)Beginner
( )Intermediate ( )Advanced ( )Expert
| |
This essay shows
the stupidity of M$ and its protections.
Cracking Access Databases
Beating
M$ with his own tools
Written by
LaptoniC
"Have you ever found a program which resists any attack by WinIce and where no Decompiler
exists ? Even no other tool works ?" says Pepper in his essay..Yes i have found a program
which cant be attacked by softice.(at least for me).Our target is only one .mdb file.It
is executed by Access runtime.Usual breakpoints doesnt help you much.I couldn't found any
valuable information after one week.In this essay i will completely nake M$ protection schema
and code keygen for this program.Sorry for my bad English I think you speak Turkish bad too :)
Microsoft Access 97 (it is part of M$ Office)
GetAccess 98
Visual Basic if you want to code keygen
SummitPro 2000
First essay about Access databases is written by Pepper.I suggest you to read it first.It will
give you brief information about access databases and the procedure.
Program is really big 18 mb.It is nightmare for dialup users like me.Program is not
important at all.Main goal is understanding the protection of mdb files.
This program is database program for companies.It is usefull for big companies to track
meetings, events etc.Program needs serial to unlock its some features.Main protection is in
the sp2000.mdb.If this program is access database lets try to open with Access 97.If you have
read pepper's essay you know that calculation is done by modules.I have tried to open all
modules and looked what is going on.I have opened all modules but Gfstartup and Mieutilities.
When you try to open this modules, access says that "You dont have access to ....".Lets try to
open this modules.I have bpx on messagebeep like pepper but couldnt found the way.(If you find
it please letme know)Before reinventing the wheel, I decided to search well.After good search
I found GetAccess 98.Here is what GetAccess claims in its helpfile "GetAccess'98 unsets Access
database file password&User level Security.It also reveals the database password if available."
GetAccess is Vb i hope finding a serial is not a big deal.Open the database and choose
"Remove Security Permissions Also".Wait, wait, wait it is very long process.Lets try to open
Mieutilities module.Yeah it worked.Lets analyze what is in this module.
Public Function LicCheck()
On Error GoTo LCErrorBit
Dim dbs As Database, rst As Recordset
Set dbs = CurrentDb
Set rst = dbs.OpenRecordset("Software Details")
rst.MoveFirst
ProdCode = rst("ProductCode")
ExtLName = rst("LicenceeName")
LicName = Left(ExtLName, Len(ExtLName) - 1) & ProdCode ;prodcode is SP2000 in the table
LicNum = rst("LicenceNumber")
If IsNull(LicName) Or LicName = "" Or IsNull(LicNum) Or LicNum = 0 Then
LicCheck = 0
GoTo LCExitPoint
End If
L1Len = Len(LicName)
DC = 0
For J = 1 To L1Len
DC = DC + (Asc(Mid(LicName, J, 1)) * (L1Len + 1 - J + 3))
Next J
DC = DC * Int((L1Len + 14.3) / 2)
If Int(DC) + 71077345 = Int(UnGNum(LicNum)) Then LicCheck = 1 Else LicCheck = 0
LCExitPoint:
If LicCheck = 0 Then
'are the licence details already stored somewhere on the computer ;ehehe programmers comment
On Error GoTo CantReadF1
SystemDirectory = GetSysDir()
FileNumber = FreeFile
Open SystemDirectory & "\config.sli" For Input As #FileNumber
Input #FileNumber, WLicName, LicNum
Close #FileNumber
SetAttr SystemDirectory & "\config.sli", vbHidden + vbSystem
GoTo FoundStoredDetails
CantReadF1:
Resume NothingValidStored
FoundStoredDetails:
On Error GoTo LCErrorBit
If IsNull(LicName) Or LicName = "" Or IsNull(LicNum) Or LicNum = 0 Then
LicCheck = 0
GoTo NothingValidStored
End If
LicNum = CLng(LicNum)
LicName = Left(WLicName, Len(WLicName) - 1) & "SP2000"
L1Len = Len(LicName)
DC = 0
For J = 1 To L1Len
DC = DC + (Asc(Mid(LicName, J, 1)) * (L1Len + 1 - J + 3))
Next J
DC = DC * Int((L1Len + 14.3) / 2)
If Int(DC) + 71077345 = Int(UnGNum(LicNum)) Then LicCheck = 1 Else LicCheck = 0
If LicCheck = 0 Then GoTo NothingValidStored
If LicCheck = 1 Then
rst.Edit
rst("LicenceeName") = WLicName
rst("LicenceNumber") = LicNum
rst.Update
rst.Close
Exit Function
It opens Software Details table and take Product Code ,Licence Name and LicenceNumber.It
computes real serial number and compare it.What is this Ungnum function ?
Public Function GNum(SN)
On Error Resume Next
SNStr = CStr(SN)
N1Str = Left(SNStr, 2)
N2Str = Left(SNStr, 1)
N1 = CInt(N1Str) + 17
N2 = CInt(N2Str) + 6
N1 = N1 * N2
GNum = SN + N1
End Function
Public Function UnGNum(SN)
On Error Resume Next
SNStr = CStr(SN)
N1Str = Left(SNStr, 2)
N2Str = Left(SNStr, 1)
N1 = CInt(N1Str) + 17
N2 = CInt(N2Str) + 6
N1 = N1 * N2
UnGNum = SN - N1
End Function
This info is enough to code keygen.If you have ever used access 97 you know that it has debug
menu.You can surf in the code like in softice.Open software details table ad fill name and
license number.Run it step by step.When you are at If Int(DC) + 71077345 ... note int(dc)
open debug menu and type gnum(int(dc)+71077345).This is your serial.You may ask why i didnt
changed this License check=0 stuff.I have tried but it crashes the program maybe it is because
of startupgf module.Access use visual basic language.You can easily code keygen by just copy
and paste.However program looks config.sli file in system directory you can make key file also.
Key file format is like this "Name","Serial" ie. "LaptoniC","12345678"
Sorry for my bad english and writing skill ,I am totally newbie but trying to learn.I hope
this essay helped you.As you see, M$ protection is worst than no protection.I end my essay
with a little poet
Hey cousin Billy
Hey cousin Billy
Is there anything
That you can do for me
Thought of the day :M$ programs may one day backfire.
Greetings: Accz, Bisoux, Eternal Bliss, Fravia+, Jeff, lurk_err, Psychotrn, +Sandman, Tkc,
T@rnado, and everyone who did teach me (great) knowledge.
I wont even bother explaining you
that you should BUY this target program if you intend to use it for a
longer period than the allowed one. Should you want to STEAL this
software instead, you don't need to crack its protection scheme at all:
you'll find it on most Warez sites, complete and already regged,
farewell, don't come back.
You are deep inside fravia's page of reverse engineering,
choose your way out:
homepage
links
search_forms
+ORC
how to protect
academy database
reality cracking
how to search
java-script wars
tools
anonymity academy
cocktails
antismut CGI-scripts
mail_fravia+
Is reverse engineering legal?