我的工具VbaDiff直接从文件中读取VBA，因此您可以使用它从大多数办公文档中恢复受保护的VBA代码，而无需求助于十六进制编辑器。

保护是Excel中的一个简单的文本比较。 在你最喜欢的调试器中加载Excel (Ollydbg是我选择的工具)，找到进行比较的代码并将其修复为总是返回true，这应该可以让你访问宏。

Colin Pickard is mostly correct, but don't confuse the "password to open" protection for the entire file with the VBA password protection, which is completely different from the former and is the same for Office 2003 and 2007 (for Office 2007, rename the file to .zip and look for the vbaProject.bin inside the zip). And that technically the correct way to edit the file is to use a OLE compound document viewer like CFX to open up the correct stream. Of course, if you are just replacing bytes, the plain old binary editor may work.

顺便说一句，如果你想知道这些字段的确切格式，他们现在有文档:

http://msdn.microsoft.com/en-us/library/dd926151%28v=office.12%29.aspx

Tom -我最初犯了一个学生错误，因为我没有注意字节大小，而是从“CMG”设置复制粘贴到后续条目。这两个文件之间有两种不同的文本大小，但是，正如Stewbob警告的那样，我丢失了VBA项目。

使用HxD，有一个计数器跟踪您选择了多少文件。从CMG开始复制，直到计数器读取8F(十六进制为143)，同样地，当粘贴到锁定文件时-我最终在粘贴的末尾使用了两倍的“…”，这看起来有点奇怪，感觉几乎不自然，但它起作用了。

我不知道这是否重要，但在excel中重新打开文件之前，我确保关闭了十六进制编辑器和excel。然后我必须通过菜单打开VB编辑器，进入VBProject属性，并输入'new'密码来解锁代码。

我希望这能有所帮助。

您可以尝试这种不需要HEX编辑的直接VBA方法。它将适用于任何文件(*.xls， *.xls， *.xls)。xlsm, *。xlam……)。

测试和工作:

Excel 2007 Excel 2010 Excel 2013 - 32位版本 Excel 2016 - 32位版本

寻找64位版本?请看这个答案

它是如何工作的

我会尽我最大的努力解释它是如何工作的-请原谅我的英语。

The VBE will call a system function to create the password dialog box. If user enters the right password and click OK, this function returns 1. If user enters the wrong password or click Cancel, this function returns 0. After the dialog box is closed, the VBE checks the returned value of the system function if this value is 1, the VBE will "think" that the password is right, hence the locked VBA project will be opened. The code below swaps the memory of the original function used to display the password dialog with a user defined function that will always return 1 when being called.

使用代码

请先备份您的文件!

Open the file(s) that contain your locked VBA Projects Create a new xlsm file and store this code in Module1 code credited to Siwtom (nick name), a Vietnamese developer Option Explicit Private Const PAGE_EXECUTE_READWRITE = &H40 Private Declare Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" _ (Destination As Long, Source As Long, ByVal Length As Long) Private Declare Function VirtualProtect Lib "kernel32" (lpAddress As Long, _ ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long Private Declare Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleName As String) As Long Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, _ ByVal lpProcName As String) As Long Private Declare Function DialogBoxParam Lib "user32" Alias "DialogBoxParamA" (ByVal hInstance As Long, _ ByVal pTemplateName As Long, ByVal hWndParent As Long, _ ByVal lpDialogFunc As Long, ByVal dwInitParam As Long) As Integer Dim HookBytes(0 To 5) As Byte Dim OriginBytes(0 To 5) As Byte Dim pFunc As Long Dim Flag As Boolean Private Function GetPtr(ByVal Value As Long) As Long GetPtr = Value End Function Public Sub RecoverBytes() If Flag Then MoveMemory ByVal pFunc, ByVal VarPtr(OriginBytes(0)), 6 End Sub Public Function Hook() As Boolean Dim TmpBytes(0 To 5) As Byte Dim p As Long Dim OriginProtect As Long Hook = False pFunc = GetProcAddress(GetModuleHandleA("user32.dll"), "DialogBoxParamA") If VirtualProtect(ByVal pFunc, 6, PAGE_EXECUTE_READWRITE, OriginProtect) <> 0 Then MoveMemory ByVal VarPtr(TmpBytes(0)), ByVal pFunc, 6 If TmpBytes(0) <> &H68 Then MoveMemory ByVal VarPtr(OriginBytes(0)), ByVal pFunc, 6 p = GetPtr(AddressOf MyDialogBoxParam) HookBytes(0) = &H68 MoveMemory ByVal VarPtr(HookBytes(1)), ByVal VarPtr(p), 4 HookBytes(5) = &HC3 MoveMemory ByVal pFunc, ByVal VarPtr(HookBytes(0)), 6 Flag = True Hook = True End If End If End Function Private Function MyDialogBoxParam(ByVal hInstance As Long, _ ByVal pTemplateName As Long, ByVal hWndParent As Long, _ ByVal lpDialogFunc As Long, ByVal dwInitParam As Long) As Integer If pTemplateName = 4070 Then MyDialogBoxParam = 1 Else RecoverBytes MyDialogBoxParam = DialogBoxParam(hInstance, pTemplateName, _ hWndParent, lpDialogFunc, dwInitParam) Hook End If End Function Paste this code under the above code in Module1 and run it Sub unprotected() If Hook Then MsgBox "VBA Project is unprotected!", vbInformation, "*****" End If End Sub Come back to your VBA Projects and enjoy.

Access、Excel、Powerpoint或Word文档上的VBA项目密码(带有扩展名. accdb . xlsm . xltm . docm . dotm . potm . ppsm的2007、2010、2013或2016版本)可以轻松删除。

这只是将文件名扩展名更改为. zip，解压缩文件，并使用任何基本的十六进制编辑器(如XVI32)来“打破”现有密码的问题，这会“混淆”Office，因此它会在下次打开文件时提示输入新密码。

步骤总结:

rename the file so it has a .ZIP extension. open the ZIP and go to the XL folder. extract vbaProject.bin and open it with a Hex Editor "Search & Replace" to "replace all" changing DPB to DPX. Save changes, place the .bin file back into the zip, return it to it's normal extension and open the file like normal. ALT+F11 to enter the VB Editor and right-click in the Project Explorer to choose VBA Project Properties. On the Protection tab, Set a new password. Click OK, Close the file, Re-open it, hit ALT+F11. Enter the new password that you set.

此时，如果您愿意，您可以完全删除密码。

完整的说明和我制作的“way back when”视频在YouTube上。

令人震惊的是，这种解决方法已经存在多年了，而微软还没有解决这个问题。

这个故事的寓意是什么?

Microsoft Office VBA项目密码不依赖于任何敏感信息的安全。如果安全性很重要，请使用第三方加密软件。