UtterAccess.com
> A Challenge For Groverparkgeorge (& Anyone Else), Access 2010    
 
   
isladogs
post Jun 29 2018, 09:55 PM
Post#1


UtterAccess VIP
Posts: 1,357
Joined: 4-June 18
From: Somerset, UK


This example app is partly in response to comments made by George in this thread: Access 2016 Security
It is designed to show ways of making Access apps reasonably secure

This is an ACCDE file so all VBA code has been removed.
The file has been renamed as ACCDR. It will not run if the file type is changed.
Startup properties have been modified.
There is no access to the navigation pane, ribbon or the rest of the application window
The taskbar has also been removed. It is restored automatically when the application closes

It has not been split or password protected, both of which would add additional security in a real world application

It is also intended as a (hopefully) fun challenge for anyone interested in finding a solution
The app contains a number of hidden tables (they are more hidden than usual as you will 'see') in addition to the usual system tables

The challenge is to determine:
a) the names of these tables
b) the number of records in each table
c) the contents of the memo/long text field for the third record in the table with the largest number of records

The first part should be fairly easy. The other two parts may be a little harder

If you succeed, please send a PM to me (isladogs) at UA rather than post the answer in this thread
Please include the answers to a, b & c together with a brief explanation of how you solved the challenge.
It would also be interesting if you could say how long it took you

The attached zip file contains ACCDR files for 32-bit & 64-bit Access

NOTE:
Access databases, including this one, can NEVER be made 100% secure
A capable and determined hacker can break any Access database given sufficient time
However appropriate security can make it hard enough to deter a 'casual' hacker

I am expecting/hoping that someone will be able to crack this ... if they wish to do so








Attached File(s)
Attached File  ShowHideTables.zip ( 526.19K )Number of downloads: 87
 
 
GroverParkGeorge
post Jun 29 2018, 11:17 PM
Post#2


UA Admin
Posts: 35,009
Joined: 20-June 02
From: Newcastle, WA


It took me ~15 minutes to retrieve the tables, queries and records in the basic set of tables, including my set up time. It would have been shorter but I had an "overflow" issue to identify for you.

As you say, compiling the accdb into an accde removed the canonical code. That CAN be reverse engineered, but that's outside the scope of your task.

As I said, though, hiding the navigation pane should not be considered security. It's handy to do, but that's not the same thing as providing security. I got ALL of the data in the tables that you didn't deep hide in less than a quarter hour. Most people won't go beyond this level of "security", though.

I imagine it would take a while longer to locate and extract information from any tables you "deep hid" using code similar to that in this download on my site. I'll come back later to see if anyone else has "mapped" out those tables.
This post has been edited by GroverParkGeorge: Jun 29 2018, 11:19 PM
 
theDBguy
post Jun 29 2018, 11:25 PM
Post#3


Access Wiki and Forums Moderator
Posts: 75,312
Joined: 19-June 07
From: SunnySandyEggo


Good evening,

I was able to use my demo as a starter to get the info requested.

Cheers!
 
isladogs
post Jun 30 2018, 03:22 AM
Post#4


UtterAccess VIP
Posts: 1,357
Joined: 4-June 18
From: Somerset, UK


Hi both

I hope you weren't insulted by me setting the challenge - it was meant to be solvable with a bit of effort

@DBGuy
Correct answer (in your PM) - your method was not how I expected it to be done. Thanks for the Extended Properties DEMO link - will look at it later

@George
The clue in your reply suggests you did get the answers by reversing the method I used to hide the tables
I looked at your link & had never heard of dual tables ...though I was unwittingly creating tables with the same properties.
Your DEMO indicates there is no way to display the 'dual' tables
However, as you obviously realise, that's not true - it's trivially easy to do so (and I didn't use your code)
The screenshot shows your two dual tables & one I made to test the code

Attached File  NotVeryWellHiddenDualTables.PNG ( 41.52K )Number of downloads: 70


Also, as I'm sure you also realise, your method of creating the DUAL tables exposes the data in MSysObjects table anyway - doesn't that defeat the point?

Attached File  MSysObjects.PNG ( 17.88K )Number of downloads: 45


Anyone else want to take up the challenge - please do so - preferably without using the links already supplied

Fairly busy today on unrelated activities but if time I'll add a follow up example to include password protection & encryption
This post has been edited by isladogs: Jun 30 2018, 03:34 AM
 
isladogs
post Jun 30 2018, 12:59 PM
Post#5


UtterAccess VIP
Posts: 1,357
Joined: 4-June 18
From: Somerset, UK


Well done also to Phil C
However, as some of you will have realised by now, I inadvertently left a big loophole in the code which made some of the 'security' somewhat superfluous

I've been working on a more challenging example - it was so challenging, I locked myself out!
That was when I realised my [censored]-up (mistake!)
Please can anyone who knows what I'm talking about, not mention it in this thread! Thanks

New more challenging example to follow once I've fixed that issue
This post has been edited by isladogs: Jun 30 2018, 12:59 PM
 
isladogs
post Jul 3 2018, 11:35 AM
Post#6


UtterAccess VIP
Posts: 1,357
Joined: 4-June 18
From: Somerset, UK


Here is a NEW challenge for anyone interested
It is intended as a 'fun challenge' whilst demonstrating various methods of making apps reasonably secure
It is NOT intended to be a completely locked down database that cannot be cracked (if indeed such a thing exists)

I have provided various clues which are intended to help achieve a solution.
All the information has been provided ... if you look and think carefully


The challenge is to:
a) unlock the database, obtain the name and contents of the hidden table
b) open the main form and find out how to enable the 'Click Me' button
c) work out the meaning of the message displayed

The first part should be relatively simple.
The rest of this MAY be a little harder to accomplish.
The standard approach used by several people in the previous challenge may not be as useful this time

NOTE: You can only run this application FOUR TIMES. After that it will be disabled, so plan carefully

If you succeed, please follow the supplied instructions to provide feedback
Please do not post your solution in this thread or it will spoil the challenge for others

If you get totally stuck, you can send me a PM

NOTE:
A further reminder that Access databases, including this one, can NEVER be made 100% secure
A capable and determined hacker can break any Access database given sufficient time

Both 32-bit & 64-bit versions have been supplied

I hope you enjoy puzzling out a solution
This post has been edited by isladogs: Jul 3 2018, 11:44 AM
Attached File(s)
Attached File  HiddenMessageChallenge32.zip ( 625.02K )Number of downloads: 60
Attached File  HiddenMessageChallenge64.zip ( 809.07K )Number of downloads: 31
 
 
isladogs
post Jul 4 2018, 02:50 PM
Post#7


UtterAccess VIP
Posts: 1,357
Joined: 4-June 18
From: Somerset, UK


For info, I am aware of 4 people who solved the first challenge (out of 11 downloads) - GroverParkGeorge, DB Guy, raipon and Phil_cattivocarattere.
Raipon's solution was the neatest I've seen
As already stated, that challenge was easier than intended due to an error on my part

In a week or so, I will publish raipon's solution if he is happy for me to do so

11 people have also downloaded the second challenge so far but AFAIK nobody has yet solved it.
I hope at least one person will do so. It is definitely solvable though not necessarily using the same approach
This post has been edited by isladogs: Jul 4 2018, 02:51 PM
 
isladogs
post Jul 5 2018, 02:32 PM
Post#8


UtterAccess VIP
Posts: 1,357
Joined: 4-June 18
From: Somerset, UK


I've had a couple of PMs about the fact that the new challenge is password protected.
Can I stress that the intention is very much that a password cracker should NOT need to be used.

As I said in the original post, all the information needed to solve the challenge has been provided.
There is a clue somewhere in the post containing the new challenge which will (with a bit of thought) help you work out the password


Once you solve that, further clues are provided to solve subsequent steps.
Each will involve a mixture of Access knowledge and lateral thinking skills.

REMINDER:
You can only run this application FOUR TIMES. After that it will be disabled, so plan carefully

Failing to enter the app due to incorrect password entry doesn't count towards that total

Remember it is intended to be solvable but it is likely to take a little longer this time
I may drip feed hints if necessary but IMHO it's much more fun to work it out fully for yourself

Good luck
This post has been edited by isladogs: Jul 5 2018, 02:45 PM
 
isladogs
post Jul 6 2018, 02:11 AM
Post#9


UtterAccess VIP
Posts: 1,357
Joined: 4-June 18
From: Somerset, UK


HINT #1
Always read the small print

HINT #2
The first clue is in each of my posts in this thread including this one

HINT #3
A good way to remember a password is to make use of a phrase that can act as a memory aid

HINT #4
Think what it tells you about capitalisation

That should be more than enough to solve the first step
Please PM me when you've worked out this part
 
isladogs
post Jul 6 2018, 11:48 AM
Post#10


UtterAccess VIP
Posts: 1,357
Joined: 4-June 18
From: Somerset, UK


OK. A spoiler....

HINT #5
Bill Murray, Scarlett Johannsen, Tokyo, 2003

Is that clear now?
 
Phil_cattivocara...
post Jul 7 2018, 01:51 AM
Post#11



Posts: 225
Joined: 2-April 18



Since I "solved" the first challenge, now I want to explain why I do not deal with the new one: I am not interested in "guessing" the password from the post, reading between the lines, "analyzing author's mind". Technical ways to solve are ok but I leave psychology to professionals (and I mean human mind's professionals). Nothing personal, isladog, this is obvious.
PS: (Scarlett) Johansson, not Johanssen, or is this intentional too?
This post has been edited by Phil_cattivocarattere: Jul 7 2018, 01:53 AM
 
isladogs
post Jul 7 2018, 02:00 AM
Post#12


UtterAccess VIP
Posts: 1,357
Joined: 4-June 18
From: Somerset, UK


Hi Phil
That's fine but once in the database you still need to apply some fairly high level Access knowledge.
I needed to use a password to prevent solutions like the first challenge being used again.
So I decided to make that part require lateral thinking as you do when answering a cryptic crossword clue

Thanks for revealing part of the spoiler....

It was just a spelling error. Realised too late to edit it.
This post has been edited by isladogs: Jul 7 2018, 02:05 AM
 
Phil_cattivocara...
post Jul 7 2018, 02:15 AM
Post#13



Posts: 225
Joined: 2-April 18



QUOTE (isladog)
Thanks for revealing part of the spoiler....
I never wrote it was in the spoiler... that's what you have just done.
OT: I am very "susceptible" to Scarlett Johansson's presence and it should not be too difficult to guess why (ehm... it's not my fault). Protecting her is such a duty, for me. (please smile, everybody)
 
isladogs
post Jul 7 2018, 02:36 AM
Post#14


UtterAccess VIP
Posts: 1,357
Joined: 4-June 18
From: Somerset, UK


LOL

I reckon anyone reading this will have already clicked on the spoiler anyway...difficult to resist I find

Not too hard to 'analyse your mind' in this case Phil though there was a good reason for including her name.
Have a good weekend

P.S. For info, at least one regular forum contributor has got the password from deduction, used Access knowledge to view the deep hidden table and is now working on the click me part
This post has been edited by isladogs: Jul 7 2018, 02:46 AM
 
isladogs
post Jul 9 2018, 12:02 PM
Post#15


UtterAccess VIP
Posts: 1,357
Joined: 4-June 18
From: Somerset, UK


FYI I am aware of 2 forum members who have deduced the password and viewed the deep hidden table.
Both appear to be actively seeking a solution to the next step.

Interestingly both have missed something...though it won't block further progress.

There have been 18 downloads so far. I would appreciate getting a PM from anyone else who has tried or is trying this so I know how you are getting on ...or not....
As already stated, it is solvable and I have the complete solution ready for distribution at a later date

Of course if you hit the four attempts limit, you can always try deleting and reinstalling a fresh copy
It might help....or possibly not.

Good luck
 
JonSmith
post Jul 9 2018, 12:07 PM
Post#16


UtterAccess VIP
Posts: 4,043
Joined: 19-October 10



Oh, some of them are repeats of me btw. I clear up my desktop a tad too regularly so when I was trying to do the password and failed a few times I was deleting it then downloading again.
Still, I'm one of the two that got the password. I would have got it faster if Google was better or I just changed my search a bit a couple of days ago!

If you are messing with my registry though or planting files to keep track of attempts then that's devious!!
 
theDBguy
post Jul 9 2018, 12:11 PM
Post#17


Access Wiki and Forums Moderator
Posts: 75,312
Joined: 19-June 07
From: SunnySandyEggo


Re: "If you are messing with my registry though or planting files to keep track of attempts then that's devious!!"

And could potentially get someone in trouble at work... (like me)

Just my 2 cents...
 
isladogs
post Jul 9 2018, 01:20 PM
Post#18


UtterAccess VIP
Posts: 1,357
Joined: 4-June 18
From: Somerset, UK


@JonSmith
QUOTE
I would have got it faster if Google was better or I just changed my search a bit a couple of days ago!

LOL - without (hopefully) giving anything away, actually it's the first hit if you search correctly!

For info, I've since posted this challenge on another forum & someone worked out the password without any hints.

QUOTE
If you are messing with my registry though or planting files to keep track of attempts then that's devious!!

Now you're reading things into what I wrote. Not everything is intended as a clue

@DBGuy
QUOTE
And could potentially get someone in trouble at work... (like me)

Surely you wouldn't dream of spending your work time working on my challenge!

Now - are there any hints in this post?
 
isladogs
post Jul 12 2018, 11:52 AM
Post#19


UtterAccess VIP
Posts: 1,357
Joined: 4-June 18
From: Somerset, UK


For info the DB Guy has now completed the puzzle. Congratulations
I hope he won't mind me saying that a significant part of his approach (though not all) involved systematically removing every level of security step by step.

As I said originally:
A further reminder that Access databases, including this one, can NEVER be made 100% secure
A capable and determined hacker can break any Access database given sufficient time


The DB Guy has just proved that statement to be 100% true.

However it can also be solved (perhaps more easily) without needing to 'hack' the supplied database.
I have now forwarded my own solution to the DB Guy

I do hope others will continue to work on this and find their own solution(s)
It's since been published on two other forums and had around 70 downloads (though some like Jon may have downloaded it more than once)
This post has been edited by isladogs: Jul 12 2018, 11:55 AM
 
theDBguy
post Jul 12 2018, 12:08 PM
Post#20


Access Wiki and Forums Moderator
Posts: 75,312
Joined: 19-June 07
From: SunnySandyEggo


Thanks! I just want to say I had fun working on this challenge (and the last one). There were a couple of tough spots for me; if only I had known there's an easier way.

Good luck to everyone. I can't wait to see others' approach at solving this and hoping to learn from them.

Cheers!