carlAlex
11/2/2016 - 10:59 AM

Bruteforce password VBA Excel

Bruteforce password VBA Excel

Sub test()
    ActiveWorkbook.Unprotect Password:="(insert password here)"
End Sub
Sub PasswordBreaker()
    'Breaks worksheet password protection.
    Dim i As Integer, j As Integer, k As Integer
    Dim l As Integer, m As Integer, n As Integer
    Dim i1 As Integer, i2 As Integer, i3 As Integer
    Dim i4 As Integer, i5 As Integer, i6 As Integer
    On Error Resume Next
    For i = 65 To 66:
        For j = 65 To 66:
            For k = 65 To 66
                For l = 65 To 66:
                    For m = 65 To 66:
                        For i1 = 65 To 66
                            For i2 = 65 To 66:
                                For i3 = 65 To 66:
                                    For i4 = 65 To 66
                                        For i5 = 65 To 66:
                                            For i6 = 65 To 66:
                                                For n = 32 To 126
                                                    'Debug.Print Chr(i) & Chr(j) & Chr(k) & _
                                                        Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & Chr(i3) & _
                                                        Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
                                                    ActiveSheet.Unprotect Chr(i) & Chr(j) & Chr(k) & _
                                                        Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & Chr(i3) & _
                                                        Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
                                                    If ActiveSheet.ProtectContents = False Then
                                                        MsgBox "One usable password is " & Chr(i) & Chr(j) & _
                                                        Chr(k) & Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & _
                                                        Chr(i3) & Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
                                                        Exit Sub
                                                        End If
    Next: Next: Next: Next: Next: Next
    Next: Next: Next: Next: Next: Next
End Sub

 

You can try this direct VBA approach which doesn't require HEX editing. It will work for any files (*.xls, *.xlsm, *.xlam ...). 

Tested and works on 


Excel 2007
 Excel 2010
 Excel 2013 - 32 bit version.
 Excel 2016 - 32 bit version.

Looking for 64 bit version? See http://stackoverflow.com/a/31005696/4342479 

how it works

I will try my best to explain how it works - please excuse my english.
1.Excel will call a system function to create the password dialog box.
2.If user enters the right password and click OK, this function returns 1. If user enters the wrong password or click Cancel, this function returns 0.
3.After the dialog box is closed, Excel checks the returned value of the system function 
4.if this value is 1, Excel will "think" that the password is right, hence the locked VBA project will be opened. 
5.The code below swaps the memory of the original function used to display the password dialog with a user defined function that will always return 1 when being called. 

using the code
1.Open the file(s) that contain your locked VBA Projects

2.Create a new xlsm file and store this code in Module1

Option Explicit

Private Const PAGE_EXECUTE_READWRITE = &H40

Private Declare Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" _
        (Destination As Long, Source As Long, ByVal Length As Long)

Private Declare Function VirtualProtect Lib "kernel32" (lpAddress As Long, _
        ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long

Private Declare Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleName As String) As Long

Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, _
        ByVal lpProcName As String) As Long

Private Declare Function DialogBoxParam Lib "user32" Alias "DialogBoxParamA" (ByVal hInstance As Long, _
        ByVal pTemplateName As Long, ByVal hWndParent As Long, _
        ByVal lpDialogFunc As Long, ByVal dwInitParam As Long) As Integer

Dim HookBytes(0 To 5) As Byte
Dim OriginBytes(0 To 5) As Byte
Dim pFunc As Long
Dim Flag As Boolean

Private Function GetPtr(ByVal Value As Long) As Long
    GetPtr = Value
End Function

Public Sub RecoverBytes()
    If Flag Then MoveMemory ByVal pFunc, ByVal VarPtr(OriginBytes(0)), 6
End Sub

Public Function Hook() As Boolean
    Dim TmpBytes(0 To 5) As Byte
    Dim p As Long
    Dim OriginProtect As Long

    Hook = False

    pFunc = GetProcAddress(GetModuleHandleA("user32.dll"), "DialogBoxParamA")


    If VirtualProtect(ByVal pFunc, 6, PAGE_EXECUTE_READWRITE, OriginProtect) <> 0 Then

        MoveMemory ByVal VarPtr(TmpBytes(0)), ByVal pFunc, 6
        If TmpBytes(0) <> &H68 Then

            MoveMemory ByVal VarPtr(OriginBytes(0)), ByVal pFunc, 6

            p = GetPtr(AddressOf MyDialogBoxParam)

            HookBytes(0) = &H68
            MoveMemory ByVal VarPtr(HookBytes(1)), ByVal VarPtr(p), 4
            HookBytes(5) = &HC3

            MoveMemory ByVal pFunc, ByVal VarPtr(HookBytes(0)), 6
            Flag = True
            Hook = True
        End If
    End If
End Function

Private Function MyDialogBoxParam(ByVal hInstance As Long, _
        ByVal pTemplateName As Long, ByVal hWndParent As Long, _
        ByVal lpDialogFunc As Long, ByVal dwInitParam As Long) As Integer
    If pTemplateName = 4070 Then
        MyDialogBoxParam = 1
    Else
        RecoverBytes
        MyDialogBoxParam = DialogBoxParam(hInstance, pTemplateName, _
                           hWndParent, lpDialogFunc, dwInitParam)
        Hook
    End If
End Function


3.Paste this code in Module2 and run it
Sub unprotected()
    If Hook Then
        MsgBox "VBA Project is unprotected!", vbInformation, "*****"
    End If
End Sub


4.Come back to your VBA Projects and enjoy.