Building upon yesterday’s post regarding Unlocking an Access db’s VBA project, I wanted to see if the same was true with other Office programs so I performed the same test with Excel and the same hack worked. So if you need to unlock an Excel VBA Project, simply follow these steps.
Make a copy of the Excel workbook in question and only work with the copy. Never work with the original file just in case anything goes wrong.
The major difference with Excel vs Access is the fact that Excel is actually a zip file containing a multitude of folders and files, so you can just edit the file directly. As such, the first step is to unzip the workbook file with the zip software of your choosing (I like 7-zip) which will give you a listing similar to:
Go into the xl folder and locate the vbaProject.bin
Open the vbaProject.bin file in any HEX Editor of your choosing.
Find any and all occurrences of the term DPB= and change the B to another value (many tutorials suggest x, but it doesn’t seem to truly make any difference)
Once you have replaced all the occurrences, save the changes and exit out of the HEX editor.
Go back to the root folder of all the Excel files that you unzipped and now zip them all back up into a zip file. Basically, you are recreating the workbook file now that you are done editing it. Once you create the new zip file, don’t forget to give it back the appropriate extension (in my case xlsm) so Excel recognizes the file.
Open the newly saved/created workbook (like you would normally) and then go into the VBA editor. You will receive several error messages, simply dismiss them all (and yes, there can be quite a few!).
Open the VBA project properties which will now have no password specified.
Enter a new password and confirm it to resecure the VBA Project with a known password.
Save the VBA Project
Close the workbook.
That’s it! Everything should now be in order.
I’m also hoping that by shedding some light on this issue perhaps Microsoft will make the necessary changes to start protecting people’s information properly. This is completely unacceptable in 2018 IMHO.
HI Daniel
I found this bit of VBA code on the web.
I personally don’t understand how it works, but think it’s some kind of memory trick that lets you into protected VBA code without asking for a password.
I’ve got it saved in my personal.xlsm file with a button in the ribbon for it.
You may find it interesting, and may also find a way of using it for Access VBA as well.
—————————————————————————————————————————-
Option Explicit
Private Const PAGE_EXECUTE_READWRITE = &H40
Private Declare Sub MoveMemory Lib “kernel32” Alias “RtlMoveMemory” _
(Destination As Long, Source As Long, ByVal Length As Long)
Private Declare Function VirtualProtect Lib “kernel32” (lpAddress As Long, _
ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
Private Declare Function GetModuleHandleA Lib “kernel32” (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib “kernel32” (ByVal hModule As Long, _
ByVal lpProcName As String) As Long
Private Declare Function DialogBoxParam Lib “user32” Alias “DialogBoxParamA” (ByVal hInstance As Long, _
ByVal pTemplateName As Long, ByVal hWndParent As Long, _
ByVal lpDialogFunc As Long, ByVal dwInitParam As Long) As Integer
Dim HookBytes(0 To 5) As Byte
Dim OriginBytes(0 To 5) As Byte
Dim pFunc As Long
Dim Flag As Boolean
Private Function GetPtr(ByVal Value As Long) As Long
GetPtr = Value
End Function
Public Sub RecoverBytes()
If Flag Then MoveMemory ByVal pFunc, ByVal VarPtr(OriginBytes(0)), 6
End Sub
Public Function Hook() As Boolean
Dim TmpBytes(0 To 5) As Byte
Dim p As Long
Dim OriginProtect As Long
Hook = False
pFunc = GetProcAddress(GetModuleHandleA(“user32.dll”), “DialogBoxParamA”)
If VirtualProtect(ByVal pFunc, 6, PAGE_EXECUTE_READWRITE, OriginProtect) 0 Then
MoveMemory ByVal VarPtr(TmpBytes(0)), ByVal pFunc, 6
If TmpBytes(0) &H68 Then
MoveMemory ByVal VarPtr(OriginBytes(0)), ByVal pFunc, 6
p = GetPtr(AddressOf MyDialogBoxParam)
HookBytes(0) = &H68
MoveMemory ByVal VarPtr(HookBytes(1)), ByVal VarPtr(p), 4
HookBytes(5) = &HC3
MoveMemory ByVal pFunc, ByVal VarPtr(HookBytes(0)), 6
Flag = True
Hook = True
End If
End If
End Function
Private Function MyDialogBoxParam(ByVal hInstance As Long, _
ByVal pTemplateName As Long, ByVal hWndParent As Long, _
ByVal lpDialogFunc As Long, ByVal dwInitParam As Long) As Integer
If pTemplateName = 4070 Then
MyDialogBoxParam = 1
Else
RecoverBytes
MyDialogBoxParam = DialogBoxParam(hInstance, pTemplateName, _
hWndParent, lpDialogFunc, dwInitParam)
Hook
End If
End Function
Sub Main()
Hook
MsgBox “Unlocked”
End Sub
—————————————————————————————————————————-
But wouldn’t this code already need to exist in the VBA Project you need to unprotect?? So you’d have no way to implement it.
I’ll have to study it further, perhaps this can be somehow used with some sort of automation process.
Hi Daniel.
The code can sit in separate file, or in my case, in my personal.xlsm with a button in the ribbon, pointing to the ‘main’ routine.
Once you run the ‘main’ routine at the bottom of the script, any protected file you open will let you view the VB code as if there was no password.
First thank both of you for your sharing.
I needed to modify some projects done some years ago and delivered to other people who password protected code and did not recall which one used.
I’ve found some little errors in your listing
I copied code in a Module in my Personal.xlsb
It showed some lines with errors….
First I replaced double quotes “ ” for the usual ones ” ”
Second I changed lines:
If VirtualProtect(ByVal pFunc, 6, PAGE_EXECUTE_READWRITE, OriginProtect) 0 Then
and
If TmpBytes(0) &H68 Then
for
If VirtualProtect(ByVal pFunc, 6, PAGE_EXECUTE_READWRITE, OriginProtect)0 Then
If TmpBytes(0) &H68 Then
as it seemed logic/correct to me and now it didn’t show errors.
Then executed the code and it appears the msgbox with “Unlocked”
And it works perfectly same with projects yet loaded as with the ones i load from now on.
Thanks again.
code sanitisers removing the less than character (because it is an html element opening tag and could be part of a cross sight scripting attack) above – meant to be [not equal to] 0 and [not equal to &H68] <>
Thanks for sharing this, Daniel. I think it’s important to expose the security flaws in Office. Users rely on built-in security and don’t realize that nothing at this level is secure.
You say that this kind of security is futile. That’s the same conclusion I came to when I bought my first version of Passware and used it to get the usernames and passwords from an MDW, database passwords and VBA project passwords. This kind of security is like a deadbolt on your front door and pane glass windows.
Thank you Bill.
Such a post is a double-edge sword. By posting this information, yes, I am making the hack accessible, but at the same time, the real goal, is to educate developers (the main audience of my blog) so that they hopefully realize the critical flaw that exists so they don’t wrongfully think their work is safe.
What I really don’t get is why Microsoft chooses not to address this. With data breaches, data security… being soo important how can they leave this door wide open?! They had a perfect opportunity to fix many vulnerabilities when they came out with their new file formats with Office 2007 and nothing. I’m just hoping that if enough people actually become aware (which 99% of developers are not, I know I wasn’t) that perhaps people will start requiring a minimal amount of security rather than the current illusion!
Hi Daniel,
any chance to get it to work with .xlsb?
This technique works, ‘as is’, with .xlsb extensions. I just tested to be 100% sure.
This trick doesn’t seem to work anymore in Excel 2010 (V 14.0.6129.5000). Although I can enter the VBA-Editor, on opening the module I get the error message unexpected error (40230)
Not sure this works in Excel 365 64bit. On run I get a “Compile Error: Type Mismatch” for VarPtr(TmpBytes(0)) of MoveMemory in the Hook() function.
It did work at the time of publishing, but it is possible MS has made changes since.
I have the password and I want to unlock it with code instead of typing it in.
Is this possible
while i am trying to un-protect the excel i am getting an error message that Macros in this workbook are corrupted and have been deleted. please help me out of this situation. this excel is very important to me.
Seems like it doesn’t work anymore? Excel 2019 user here.
I haven’t tested, but it is possible that Microsoft finally took security seriously and locked things down properly.