Monday, 24 March 2014

Excel removing password from: VBA Project, Workbook, Sheet.

Updated to ver 1.2 (corrected issue with finding 'VBA Project.bin' file when Windows option "hide extensions for known file types" switched on.

Excel uses several others types of protection, the most common: WorkSheet and WorkBook protection, also not real one but more for foolproof. Regarding this topic there are much more info than about VBA Project unlocking, yet I decided to combine all those feature within one simple tool - 'Excel Unlocker.xlsm'.

  • Unlock VBA Project
  • Remove WorkBook Protection
  • Remove WorkSheets Protection
Unlock VBA Project. Uses the same algorithm described on previous post.

Remove WorkSheets Protection.
Macros just extracts all Sheets into tmp folder, then removes parameter "sheetProtection" from sheet xml files, and put them back into archive. (Remember, starting from version 2007 Excel stores its file in ZIP compressed archive with a directory structure of XML text documents, meaning that if you change extension from xlsx to zip you'll get a zip archive).

Remove WorkBook Protection. 
The program tries to find acceptable password, taking into account the fact that Excel uses algorithm which convert any password into 16-bit HASH and store it within the file (first bit always the same, so 2^15=32768 possible values, it's quite easy to try them all). Why that tactic? Certainly, there is an option to remove WorkBook protection parameter in workbook.xml file (inside zip archive), but 2007 version uses AES-128 encryption for files which have WorkBook protection option (meaning that even if you do not use your own password (leave it blank) when switch on WorkBook protection option Excel uses 'VelvetSweatshop' password for encrypting your file). So, you can't access inside excel file structure that easy, but checking 32768 values takes from few second to several minutes (on old PCs).

Yet in Excel 2013 Microsoft used another trick - changed tactic of calculation password HASH from 50 000 rounds of AES-128 to 100 000 rounds of AES-512, that significantly increased calculation time (from a 5-15 sec to 6 hours on AMD 4-cores 3,2 Ghz). Originally this tool was developed for 2007 Excel, and not took into account changes in 2013 version.

Please consider, that for some files method to unlock VBA Project may not work (because method build on 'known trick' rather than understanding technology behind).

Wednesday, 8 January 2014

VBA password remover


I would like to present a simple macro (in a form of .xlsm workbook) which allows to 'remove' password protection from VB Project in '.xlsm' files. It was tested on the workbooks created in Excel 2007/2010. Macro works by the algorithm described in my previous post, so in fact it changes any password in VBA Project to 'macro'.

File stored here:

Thursday, 6 December 2012

For Excel 2007/2010 (.xlsm) files do following steps:

1. Create a new .xlsm file.
2. In the VBA part, set a simple password (for instance 'macro').
3. Save the file and exit.
4. Change file extention to '.zip', open it by any archiver program.
5. Find the file: 'vbaProject.bin' (in 'xl' folder).
6. Extract it from archive.
7. Open the file you just extracted with a hex editor (for example HxD).
8. Find and copy the value from parameter DPB (value in quotation mark), example:
        DPB="282A84CBA1CBA1345FCCB154E20721DE77F7D2378D0EAC90427A22021A46E9CE6F17188A".  (This value generated for 'macro' password. You can use this DPB value to skip steps 1-8)

9. Do steps 4-7 for file with unknown password (file you want to unlock).
10. Change DBP value in this file on value that you have copied in step 8.
>>If copied value is shorter than in encrypted file you should populate missing characters with 0 (zero). If value is longer - that is not a problem (paste as it is).

11. Save the 'vbaProject.bin' file and exit from hex editor.
12. Replace existing 'vbaProject.bin' file with modified one.
13. Change extention from '.zip' back to '.xlsm'
14. Now, open the excel file you need to see the VBA code in. The password for the VBA code
will simply be macro (as in the example I'm showing here).

For those who still using old file format (2003 - .xls) method has less steps:

1. Open .xls file with hex editor (for example HxD).
2. Find parameter DPB, change value for this parameter by our own. If your value is shorter than value in encrypted file, you should populate missing characters with 0 (zero). If value is longer - that is not a problem (paste as it is).

DPB="282A84CBA1CBA1345FCCB154E20721DE77F7D2378D0EAC90427A22021A46E9CE6F17188A".  (This value generated for 'macro' password).
3. Save changes.