I've been asked to update some Excel 2003 macros, but the VBA projects are password protected, and it seems there's a lack of documentation... no-one knows the passwords.
Is there a way of removing or cracking the password on a VBA project?
+2
A:
The protection is a simple text comparison in Excel. Load Excel in your favourite debugger (Ollydbg being my tool of choice), find the code that does the comparison and fix it to always return true, this should let you access the macros.
Treb
2009-06-22 10:54:40
No longer valid with new formats.
Anonymous Type
2010-09-27 22:37:57
+28
A:
Yes there is, as long as you are using a .xls format spreadsheet (the default for Excel up to 2003). For Excel 2007 onwards, the default is .xlsx, which is a fairly secure format, and this method will not work.
As Treb says, it's a simple comparison, so one method is simply to swap out the password entry in the file using a hex editor (see What is a good Windows hex editor?). Step by step example:
- Create a new simple excel file.
- In the VBA part, set a simple password (say - 1234).
- Save the file and exit. Then check the file size - see Stewbob's gotcha
- Open the file you just created with a hex editor.
Copy the lines starting with the following keys:
CMG=.... DPB=... GC=...FIRST BACKUP the excel file you don't know the VBA password for, then open it with your hex editor, and paste the above copied lines from the dummy file.
- save the excel file and exit.
- Now, open the excel file you need to see the VBA code in. The password for the VBA code will simply be 1234 (as in the example I'm showing here).
Colin Pickard
2009-06-22 10:58:24
In the blank excel file, or the locked one? Check the file size of the blank file. If its the locked file, make sure your backup is safe, then try changing just the other two lines. You sure it's encrypted file?
Colin Pickard
2009-09-02 13:43:49
In the blank file. The other two lines do not appear either. Does this also work in Excel 2007? I used HEdit.
Geoffrey Van Wyk
2009-09-02 13:51:36
I think there might be changes for Excel 2007, so this might not work. I don't have a copy of 2007 to try on this machine I'm afraid.
Colin Pickard
2009-09-02 14:16:59
I can't confirm this, but I suspect that this trick will not work on the newer format. You may be reduced to brute-forcing the password. There are various sketchy-looking tools on the web for this. Good luck!
Colin Pickard
2009-09-02 15:09:02
Excel 2007 password protection (and file format) is radically different than Excel 2003. I included some specifics about it in my answer below. In my opinion, the password protected option on an Excel 2007 file is the first time in Microsoft Office history that they have produced a reasonably secure file.
Stewbob
2010-09-10 17:42:53
+15
A:
Colin Pickard has an excellent answer, but there is one 'watch out' with this. There are instances (I haven't figured out the cause yet) where the total length of the "CMG=........GC=...." entry in the file is different from one excel file to the next. In some cases, this entry will be 137 bytes, and in others it will be 143 bytes. The 137 byte length is the odd one, and if this happens when you create your file with the '1234' password, just create another file, and it should jump to the 143 byte length.
If you try to paste the wrong number of bytes into the file, you will lose your VBA project when you try to open the file with Excel.
EDIT
This is not valid for Excel 2007 files. The standard .xlsx file format is actually a .zip file containing numerous sub-folders with the formatting, layout, content, etc, stored as xml data. For an unprotected Excel 2007 file, you can just change the .xlsx extension to .zip, then open the zip file and look through all the xml data. It's very straightforward.
However, when you password protect an Excel 2007 file, the entire .zip (.xlsx) file is actually encrypted using RSA encryption. It is no longer possible to change the extension to .zip and browse the file contents.
Stewbob
2009-06-24 14:36:12
Then you need to use standard zip hacking tools. Its no longer a "how do i back an excel file" problem.
Anonymous Type
2010-09-27 22:37:20
@Anonymous Type: I think a zip cracking tool won't help. As I understand Stewbob, it's not the file entries in the zip file that are encrypted, but the whole zip file itself, which should include the header and the central directory.
Treb
2010-09-28 06:58:21
A:
Stewbob, could you kindly explain the line
"f this happens when you create your file with the '1234' password, just create another file, and it should jump to the 143 byte length"
What do you mean by saying "just create another file"? I have the same problem which you mentioned - losing my VBA project instead of changing the password into new one.
tom
2010-02-23 13:29:04
+1
A:
Tom - I made a schoolboy error initially as I didn't watch the byte size and instead I copied and pasted from the "CMG" set up to the subsequent entry. This was two different text sizes between the two files, though, and I lost the VBA project just as Stewbob warned.
Using HxD, there is a counter tracking how much file you're selecting. Copy starting from CMG until the counter reads 8F (hex for 143) and likewise when pasting into the locked file - I ended up with twice the number of "..." at the end of the paste, which looked odd somehow and felt almost unnatural, but it worked.
I don't know if it is crucial, but I made sure I shut both the hex editor and excel down before reopening the file in Excel. I then had to go through the menus to open the VB Editor, into VBProject Properties and entered in the 'new' password to unlock the code.
I hope this helps.
Scoob
2010-04-12 15:35:20
+1
A:
ElcomSoft makes Advanced Office Password Breaker and Advanced Office Password Recovery products which may apply to this case, as long as the document was created in Office 2007 or prior.
Charles Duffy
2010-04-12 15:44:18
This is probably the best of the brute force tools commerically available.
Anonymous Type
2010-09-27 22:39:13
A:
Have you tried simply opening them in OpenOffice.org?
I had a similar problem some time ago and found that Excel and Calc didn't understand each other's encryption, and so allowed direct access to just about everything.
This was a while ago, so if that wasn't just a fluke on my part it also may have been patched.
greg
2010-04-12 15:50:42
A:
Thanks Scoob for the suggestion. I created .xls file in Excel 2010 and the "CMG...." block length was 8B (hex for 139), while the file for which password was changed had 95 (hex for 149).
I inserted "..." after 139th character and it worked in the target file.
I will assume that the different length of "CMG..." block is due to the size of the password.
vbenergy
2010-07-26 02:01:55
Please add this as a comment. This is not an answer to the original question.
shahkalpesh
2010-08-12 08:49:28
A:
This is a great trick - I've used it on some sample files, but I need help with the file I actually need to access. For some reason, it has a shorter block length (5F) than any of the sample files I am creating, so adding extra ...'s isn't an option. Does anyone know a solution to this? I'm busy downloading open office to see if that works...
coffee
2010-08-03 20:00:04
create a new question. you won't get an answer putting in an answer to the original question.
Anonymous Type
2010-09-27 22:40:03
A:
I've been successful using the "1234" method, however I am having the same problems when the password protected file has a shorter block length than the "1234" block length.. any new insight?
caffiene
2010-10-21 03:41:14