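I have been asked to update some Excel 2003 macros, but the VBA projects are password protected, and there seems to be a lack of documentation... no one knows the passwords.

Is there a way of removing or cracking the password on a VBA project?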


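Current answer

EDIT: This is an updated version of the accepted answer that should work on more Office versions. It's a tough one, but let's get this answer out there!

My turn. This builds on kaybee99's excellent answer, which builds on Đức Thanh Nguyễn's fantastic answer, to allow this method to work with both 32/64-bit versions of Office.

An overview of what is changed: we avoid push/ret, which is limited to 32-bit addresses, and replace it with mov/jmp reg.

How it works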

1. Open the file(s) that contain your locked VBA Projects.
2. Create a new file with the same type as the above and store this code in Module1

    Option Explicit

    Private Const PAGE_EXECUTE_READWRITE = &H40

    Private Declare PtrSafe Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" _
        (Destination As LongPtr, Source As LongPtr, ByVal Length As LongPtr)

    Private Declare PtrSafe Function VirtualProtect Lib "kernel32" (lpAddress As LongPtr, _
        ByVal dwSize As LongPtr, ByVal flNewProtect As LongPtr, lpflOldProtect As LongPtr) As LongPtr

    Private Declare PtrSafe Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleName As String) As LongPtr

    Private Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As LongPtr, _
        ByVal lpProcName As String) As LongPtr

    Private Declare PtrSafe Function DialogBoxParam Lib "user32" Alias "DialogBoxParamA" (ByVal hInstance As LongPtr, _
        ByVal pTemplateName As LongPtr, ByVal hWndParent As LongPtr, _
        ByVal lpDialogFunc As LongPtr, ByVal dwInitParam As LongPtr) As Integer

    Dim HookBytes(0 To 11) As Byte
    Dim OriginBytes(0 To 11) As Byte
    Dim pFunc As LongPtr
    Dim Flag As Boolean

    Private Function GetPtr(ByVal Value As LongPtr) As LongPtr
        GetPtr = Value
    End Function

    ' Put the saved original bytes back at the start of DialogBoxParamA
    Public Sub RecoverBytes()
        If Flag Then MoveMemory ByVal pFunc, ByVal VarPtr(OriginBytes(0)), 12
    End Sub

    Public Function Hook() As Boolean
        Dim TmpBytes(0 To 11) As Byte
        Dim p As LongPtr, osi As Byte
        Dim OriginProtect As LongPtr

        Hook = False

        ' osi = 1 leaves room for the 48h prefix needed on 64-bit
        #If Win64 Then
            osi = 1
        #Else
            osi = 0
        #End If

        pFunc = GetProcAddress(GetModuleHandleA("user32.dll"), "DialogBoxParamA")

        If VirtualProtect(ByVal pFunc, 12, PAGE_EXECUTE_READWRITE, OriginProtect) <> 0 Then

            MoveMemory ByVal VarPtr(TmpBytes(0)), ByVal pFunc, osi + 1
            ' B8h at this position means the hook is already in place
            If TmpBytes(osi) <> &HB8 Then

                MoveMemory ByVal VarPtr(OriginBytes(0)), ByVal pFunc, 12

                p = GetPtr(AddressOf MyDialogBoxParam)

                ' 64-bit: 48 B8 <addr64> FF E0 (mov rax, addr / jmp rax)
                ' 32-bit: B8 <addr32> FF E0 (mov eax, addr / jmp eax)
                If osi Then HookBytes(0) = &H48
                HookBytes(osi) = &HB8
                osi = osi + 1
                MoveMemory ByVal VarPtr(HookBytes(osi)), ByVal VarPtr(p), 4 * osi
                HookBytes(osi + 4 * osi) = &HFF
                HookBytes(osi + 4 * osi + 1) = &HE0

                MoveMemory ByVal pFunc, ByVal VarPtr(HookBytes(0)), 12
                Flag = True
                Hook = True
            End If
        End If
    End Function

    Private Function MyDialogBoxParam(ByVal hInstance As LongPtr, _
        ByVal pTemplateName As LongPtr, ByVal hWndParent As LongPtr, _
        ByVal lpDialogFunc As LongPtr, ByVal dwInitParam As LongPtr) As Integer

        If pTemplateName = 4070 Then
            ' Template 4070: return 1 instead of showing the dialog
            MyDialogBoxParam = 1
        Else
            ' Any other dialog: restore the original bytes, call the real
            ' function, then install the hook again
            RecoverBytes
            MyDialogBoxParam = DialogBoxParam(hInstance, pTemplateName, _
                hWndParent, lpDialogFunc, dwInitParam)
            Hook
        End If
    End Function

3. Paste this code in Module2 and run it

    Sub unprotected()
        If Hook Then
            MsgBox "VBA Project is unprotected!", vbInformation, "*****"
        End If
    End Sub

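Other answers

Tom - I made a schoolboy error initially, as I didn't watch the byte size and instead copied and pasted from the "CMG" setting up to the subsequent entry. There were two different text sizes between the two files, though, and I lost the VBA project, just as Stewbob warned.

Using HxD, there is a counter tracking how much of the file you have selected. Copy starting from CMG until the counter reads 8F (hex for 143), and do likewise when pasting into the locked file - I ended up with twice the number of "..." at the end of the paste, which looked a bit odd and felt almost unnatural, but it worked.

I don't know if it matters, but I made sure I closed both the hex editor and Excel before reopening the file in Excel. I then had to go through the menus to open the VB Editor, go into VBProject Properties, and enter the 'new' password to unlock the code.

I hope this helps.

For a .xlsm or .dotm file type you need to do it in a slightly different way.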

1. Change the extension of the .xlsm file to .zip.
2. Open the .zip file (with WinZip or WinRar etc) and go to the xl folder.
3. Extract the vbaProject.bin file and open it in a Hex Editor (I use HxD, it's completely free and lightweight.)
4. Search for DPB and replace with DPx and save the file.
5. Replace the old vbaProject.bin file with this new one in the zipped file.
6. Change the file extension back to .xlsm.
7. Open workbook, skip through the warning messages.
8. Open up Visual Basic inside Excel.
9. Go to Tools > VBAProject Properties > Protection Tab.
10. Put in a new password and save the .xlsm file.
11. Close and re-open and your new password will work.

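You can try this direct VBA approach, which doesn't require HEX editing. It will work for any files (*.xls, *.xlsm, *.xlam ...).

Tested and works on:

- Excel 2007
- Excel 2010
- Excel 2013 - 32 bit version
- Excel 2016 - 32 bit version

Looking for the 64 bit version? See this answer

How it works

I will try my best to explain how it works - please excuse my English.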

1. The VBE will call a system function to create the password dialog box.
2. If the user enters the right password and clicks OK, this function returns 1. If the user enters the wrong password or clicks Cancel, this function returns 0.
3. After the dialog box is closed, the VBE checks the returned value of the system function.
4. If this value is 1, the VBE will "think" that the password is right, hence the locked VBA project will be opened.
5. The code below swaps the memory of the original function used to display the password dialog with a user defined function that will always return 1 when being called.

Using the code

Please back up your files first!

1. Open the file(s) that contain your locked VBA Projects
2. Create a new xlsm file and store this code in Module1

    code credited to Siwtom (nick name), a Vietnamese developer

    Option Explicit

    Private Const PAGE_EXECUTE_READWRITE = &H40

    Private Declare Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" _
        (Destination As Long, Source As Long, ByVal Length As Long)

    Private Declare Function VirtualProtect Lib "kernel32" (lpAddress As Long, _
        ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long

    Private Declare Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleName As String) As Long

    Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, _
        ByVal lpProcName As String) As Long

    Private Declare Function DialogBoxParam Lib "user32" Alias "DialogBoxParamA" (ByVal hInstance As Long, _
        ByVal pTemplateName As Long, ByVal hWndParent As Long, _
        ByVal lpDialogFunc As Long, ByVal dwInitParam As Long) As Integer

    Dim HookBytes(0 To 5) As Byte
    Dim OriginBytes(0 To 5) As Byte
    Dim pFunc As Long
    Dim Flag As Boolean

    Private Function GetPtr(ByVal Value As Long) As Long
        GetPtr = Value
    End Function

    ' Put the saved original bytes back at the start of DialogBoxParamA
    Public Sub RecoverBytes()
        If Flag Then MoveMemory ByVal pFunc, ByVal VarPtr(OriginBytes(0)), 6
    End Sub

    Public Function Hook() As Boolean
        Dim TmpBytes(0 To 5) As Byte
        Dim p As Long
        Dim OriginProtect As Long

        Hook = False

        pFunc = GetProcAddress(GetModuleHandleA("user32.dll"), "DialogBoxParamA")

        If VirtualProtect(ByVal pFunc, 6, PAGE_EXECUTE_READWRITE, OriginProtect) <> 0 Then

            MoveMemory ByVal VarPtr(TmpBytes(0)), ByVal pFunc, 6
            ' 68h as the first byte means the hook is already in place
            If TmpBytes(0) <> &H68 Then

                MoveMemory ByVal VarPtr(OriginBytes(0)), ByVal pFunc, 6

                p = GetPtr(AddressOf MyDialogBoxParam)

                ' 68 <addr32> C3 (push addr / ret)
                HookBytes(0) = &H68
                MoveMemory ByVal VarPtr(HookBytes(1)), ByVal VarPtr(p), 4
                HookBytes(5) = &HC3

                MoveMemory ByVal pFunc, ByVal VarPtr(HookBytes(0)), 6
                Flag = True
                Hook = True
            End If
        End If
    End Function

    Private Function MyDialogBoxParam(ByVal hInstance As Long, _
        ByVal pTemplateName As Long, ByVal hWndParent As Long, _
        ByVal lpDialogFunc As Long, ByVal dwInitParam As Long) As Integer

        If pTemplateName = 4070 Then
            ' Template 4070: return 1 instead of showing the dialog
            MyDialogBoxParam = 1
        Else
            ' Any other dialog: restore the original bytes, call the real
            ' function, then install the hook again
            RecoverBytes
            MyDialogBoxParam = DialogBoxParam(hInstance, pTemplateName, _
                hWndParent, lpDialogFunc, dwInitParam)
            Hook
        End If
    End Function

3. Paste this code under the above code in Module1 and run it

    Sub unprotected()
        If Hook Then
            MsgBox "VBA Project is unprotected!", vbInformation, "*****"
        End If
    End Sub

4. Come back to your VBA Projects and enjoy.
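A detection-side view of the trampolines described in the answers above (push/ret in the 32-bit code, mov/jmp reg in the 32/64-bit update), as an added Python example that is not part of any answer: it classifies the first bytes of a function and flags a jump that leaves the owning module. The function names, sample bytes, addresses and module range are constructed for illustration.

```python
import struct

def classify_prologue(code: bytes):
    """Match the first bytes of a function against the trampolines on this page.
    Returns (kind, target_address) or (None, None)."""
    # Original 32-bit answer: 68 imm32 C3 = push imm32 ; ret
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return "push/ret", struct.unpack_from("<I", code, 1)[0]
    # Updated answer, 64-bit: 48 B8 imm64 FF E0 = mov rax, imm64 ; jmp rax
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return "mov rax/jmp rax", struct.unpack_from("<Q", code, 2)[0]
    # Updated answer, 32-bit: B8 imm32 FF E0 = mov eax, imm32 ; jmp eax
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xff\xe0":
        return "mov eax/jmp eax", struct.unpack_from("<I", code, 1)[0]
    return None, None

def is_redirected(code: bytes, module_base: int, module_size: int) -> bool:
    """True when the prologue is a trampoline whose target leaves the owning module."""
    kind, target = classify_prologue(code)
    return kind is not None and not (module_base <= target < module_base + module_size)

# Constructed samples: 12 bytes as they might be read from the start of
# DialogBoxParamA. Addresses and the module range below are made up.
SAMPLES = {
    "clean32": bytes.fromhex("8bff558bec6a00ff7518ff75"),
    "push_ret": bytes.fromhex("6878563412c3") + b"\x90" * 6,
    "mov_jmp32": bytes.fromhex("b878563412ffe0") + b"\x90" * 5,
    "mov_jmp64": bytes.fromhex("48b8efcdab8967452301ffe0"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_prologue(raw), is_redirected(raw, 0x75000000, 0x100000))
```

In practice the bytes would come from a memory snapshot of the Office process and be compared with the same offset in the on-disk user32.dll, which also catches trampolines other than these three.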

Colin Pickard has an excellent answer, but there is one 'watch out' with this. There are instances (I haven't figured out the cause yet) where the total length of the "CMG=........GC=...." entry in the file is different from one excel file to the next. In some cases, this entry will be 137 bytes, and in others it will be 143 bytes. The 137 byte length is the odd one, and if this happens when you create your file with the '1234' password, just create another file, and it should jump to the 143 byte length.

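If you attempt to paste the wrong number of bytes into the file, you will lose your VBA project when you try to open the file with Excel.

EDIT

This is not valid for Excel 2007/2010 files. The standard .xlsx file format is actually a .zip file containing numerous sub-folders with the formatting, layout, content, etc, stored as xml data. For an unprotected Excel 2007 file, you can just change the .xlsx extension to .zip, then open the zip file and look through all the xml data. It's very straightforward.

However, when you password protect an Excel 2007 file, the entire .zip (.xlsx) file is actually encrypted using RSA encryption. It is no longer possible to change the extension to .zip and browse the file contents.

In truth, the code files for most macro-enabled Office documents are not encrypted, and the password only prevents opening the project with Office programs. This means that, as other answers suggested, you can usually use an Office alternative to access and edit the file.

However, if you just need access to the code, you can use a tool like oledump.py to extract the macro code. This is useful for malware analysis, as well as for getting most of the code out of the file so that you don't have to start from scratch if you forget the password.

In addition, many Excel files dynamically set the password when the file is opened. This means that if you can read the code, you can usually find the password in plaintext or de-obfuscate it.

oledump.py examples:

List all "streams" (embedded binary or code files) within an office document: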

python oledump.py -v yourExcelFile.xlsm

Output:

A: xl/vbaProject.bin
 A1:      2000 'PROJECT'
 A2:      1500 'PROJECTwm'
 A3: M    1224 'VBA/Module1'
 A4: M   18694 'VBA/Module2'
 A5: M   11877 'VBA/Module3'
...

Streams with an M next to them are macros, which is unencrypted VBA code

Extract a stream

python oledump.py -s A3 -v yourExcelFile.xlsm > Module1.vba

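This will output the code contained in the A3 stream to Module1.vba.

I usually combine this with a loop to extract all files to a folder. This quick PowerShell script will extract all streams in most files: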

New-Item -ItemType Directory "Output"

# just hardcode the highest stream outputted by oledump.py -v
$max = 5 
for ($i = 1; $i -le $max; $i++) {
    python oledump.py -s "A$i" -v yourExcelFile.xlsm > ".\Output\A$i"
}

Note that this will only extract human readable files.
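An added Python example, not from any of the answers, for auditing files: because the .xlsm/.dotm container is a zip and the PROJECT stream in vbaProject.bin is plain text, a script can report whether the CMG, DPB and GC records are still present or whether DPB has been renamed as in the hex-edit answer. It assumes the records sit as contiguous KEY="HEX" lines in the raw bytes; the sample workbook and its hex values are constructed.

```python
import io
import re
import zipfile

# KEY="HEX" lines of the plain-text PROJECT stream inside vbaProject.bin.
RECORD = re.compile(rb'(?:^|\n)([A-Za-z]{2,3})="([0-9A-Fa-f]+)"')
EXPECTED = ("CMG", "DPB", "GC")

def audit_workbook(data: bytes) -> dict:
    """Report which protection records a macro-enabled Office file carries."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = [n for n in z.namelist() if n.lower().endswith("vbaproject.bin")]
        if not parts:
            return {"has_vba": False, "missing": [], "unexpected": [], "altered": False}
        blob = z.read(parts[0])
    keys = [m.group(1).decode("ascii") for m in RECORD.finditer(blob)]
    missing = [k for k in EXPECTED if k not in keys]
    unexpected = [k for k in keys if k not in EXPECTED]
    # CMG and GC still present but DPB gone: the record was renamed or removed.
    altered = "DPB" in missing and "CMG" in keys and "GC" in keys
    return {"has_vba": True, "missing": missing, "unexpected": unexpected, "altered": altered}

def build_sample(dpb_key: str = "DPB") -> bytes:
    """Constructed stand-in for an .xlsm; the hex values are made up."""
    project = ('ID="{00000000-0000-0000-0000-000000000000}"\r\n'
               'Module=Module1\r\n'
               'CMG="A1B2C3D4"\r\n'
               f'{dpb_key}="0A0B0C0D0E0F"\r\n'
               'GC="E5F60718"\r\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", b"\x00" * 64 + project.encode("ascii"))
    return buf.getvalue()

if __name__ == "__main__":
    for label, key in (("intact", "DPB"), ("edited", "DPx")):
        print(label, audit_workbook(build_sample(key)))
```

An intact set of records says nothing about whether a password is set, since unprotected projects carry the same three keys; the check only shows that the DPB record has been changed.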