Excel VBA工程密码破解

Excel VBA工程密码破解


方法一:破解后可能造成文件打开时出现错误,需要恢复控制台,之后会丢失vba工程窗体和模块。
方法二:此方法对于有窗体的程序来说可以查看其窗体,但是查看代码时报未知错误.
这两种方法仅作参考。
excel vba工程密码是很脆弱的.破解方法网上比比皆是,现总结一下以备无患.
==========================================================
方法一:
新建宏,执行,选择需要破解的Excel文件,运行即可。
'1>一段极好的VBA保护密码破解程序测试WIN98+OFFICE97破解率100%
'2>用以下代码对VBA加密保护后用offkey 6.5-7.0及Advanced VBA pASSWORD Recovery专业版均无法破解出保护程式码的密码
'移除VBA编码保护
Sub MoveProtect()
Dim FileName As String
FileName = Application.GetOpenFilename("Excel文件(*.xls & *.xla),*.xls;*.xla", , "VBA破解")
If FileName = CStr(False) Then
Exit Sub
Else
VBAPassword FileName, False
End If
End Sub
'设置VBA编码保护
Sub SetProtect()
Dim FileName As String
FileName = Application.GetOpenFilename("Excel文件(*.xls & *.xla),*.xls;*.xla", , "VBA破解")
If FileName = CStr(False) Then
Exit Sub
Else
VBAPassword FileName, True
End If
End Sub
Private Function VBAPassword(FileName As String, Optional Protect As Boolean = False)
If Dir(FileName) = "" Then
Exit Function
Else
FileCopy FileName, FileName & ".bak"
End If
Dim GetData As String * 5
Open FileName For Binary As #1
Dim CMGs As Long
Dim DPBo As Long
For i = 1 To LOF(1)
Get #1, i, GetData
If GetData = "CMG=""" Then CMGs = i
If GetData = "[Host" Then DPBo = i - 2: Exit For
Next

If CMGs = 0 Then
MsgBox "请先对VBA编码设置一个保护密码...", 32, "提示"
Exit Function
End If

If Protect = False Then
Dim St As String * 2
Dim s20 As String * 1

'取得一个0D0A十六进制字串
Get #1, CMGs - 2, St

'取得一个20十六制字串
Get #1, DPBo + 16, s20

'替换加密部份机码
For i = CMGs To DPBo Step 2
Put #1, i, St
Next

'加入不配对符号
If (DPBo - CMGs) Mod 2 <> 0 Then
Put #1, DPBo + 1, s20
End If
MsgBox "文件解密成功......", 32, "提示"
Else
Dim MMs As String * 5
MMs = "DPB="""
Put #1, CMGs, MMs
MsgBox "对文件特殊加密成功......", 32, "提示"
End If
Close #1
End Function

========================================================
方法二:
使用UltreEdit之类的十六进制编辑程序打开.XLS文件,在文本模式下查找“[Host Extender Info]”(也可只查Host),切换到十六进制模式,将前面的“DBP="XXXXXXX...”的DBP关键字改成CBP,将“GC= "XXXXXXX...”的GC关键字改成CC,使Excel不能识别此二项!存盘即可!!!
用Excel打开此文件,忽略错误提

示,进入VBA编辑器,嘿嘿,密码没有了!做一次存盘操作即可修复错误提示。



vba工程密码破解(二)API完美版

用API来破解vba工程密码是我在excelhome中看到的帖子,这边给他整理成文字,发表在我的空间,希望有这方面需要的朋友可以收藏。还是老话,vba破解请勿用于非法途径,这是做人基本道德。

这种方法实际是避开VBA工程密码验证,即,骗vba编辑器,该密码输入成功,请求放行。

原理不多说了,我也是半壶酒。先将方法公布:

===================================================

1.新建一个工作簿,打开,按ctrl+F11进入vba代码编辑器窗口:

2.新建一个模块,把以下代码复制进模块

---------------------------------------------------------------------------------------

Option Explicit

Private Declare Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" _
(Destination As Long, Source As Long, ByVal Length As Long)

Private Declare Function VirtualProtect Lib "kernel32" (lpAddress As Long, _
ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long

Private Declare Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleName As String) As Long

Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, _
ByVal lpProcName As String) As Long

Private Declare Function DialogBoxParam Lib "user32" Alias "DialogBoxParamA" (ByVal hInstance As Long, _
ByVal pTemplateName As Long, ByVal hWndParent As Long, _
ByVal lpDialogFunc As Long, ByVal dwInitParam As Long) As Integer

Dim HookBytes(0 To 5) As Byte
Dim OriginBytes(0 To 5) As Byte
Dim pFunc As Long
Dim Flag As Boolean

Private Function GetPtr(ByVal Value As Long) As Long
'获得函数的地址
GetPtr = Value
End Function

Public Sub RecoverBytes()
'若已经hook,则恢复原API开头的6字节,也就是恢复原来函数的功能
If Flag Then MoveMemory ByVal pFunc, ByVal VarPtr(OriginBytes(0)), 6
End Sub

Public Function Hook() As Boolean
Dim TmpBytes(0 To 5) As Byte
Dim p As Long
Dim OriginProtect As Long

Hook = False

'VBE6.dll调用DialogBoxParamA显示VB6INTL.dll资源中的第4070号对话框(就是输入密码的窗口)
'若DialogBoxParamA返回值非0,则VBE会认为密码正确,所以我们要hook DialogBoxParamA函数
pFunc = GetProcAddress(GetModuleHandleA("user32.dll"), "DialogBoxParamA")

'标准api hook过程之一: 修改内存属性,使其可写
If VirtualProtect(ByVal pFunc, 6, &H40, OriginProtect) <> 0 Then
'标准api hook过程之二: 判断是否已经hook,看看API的第一个字节是否为&H68,
'若是则说明已经Hook
MoveMemory ByVal VarPtr(TmpBytes(0)), ByVal pFunc, 6
If TmpBytes(0) <> &H68 Then
'标准api hook过程

之三: 保存原函数开头字节,这里是6个字节,以备后面恢复
MoveMemory ByVal VarPtr(OriginBytes(0)), ByVal pFunc, 6
'用AddressOf获取MyDialogBoxParam的地址
'因为语法不允许写成p = AddressOf MyDialogBoxParam,这里我们写一个函数
'GetPtr,作用仅仅是返回AddressOf MyDialogBoxParam的值,从而实现将
'MyDialogBoxParam的地址付给p的目的
p = GetPtr(AddressOf MyDialogBoxParam)

'标准api hook过程之四: 组装API入口的新代码
'HookBytes 组成如下汇编
'push MyDialogBoxParam的地址
'ret
'作用是跳转到MyDialogBoxParam函数
HookBytes(0) = &H68
MoveMemory ByVal VarPtr(HookBytes(1)), ByVal VarPtr(p), 4
HookBytes(5) = &HC3

'标准api hook过程之五: 用HookBytes的内容改写API前6个字节
MoveMemory ByVal pFunc, ByVal VarPtr(HookBytes(0)), 6
'设置hook成功标志
Flag = True
Hook = True
End If
End If
End Function



Private Function MyDialogBoxParam(ByVal hInstance As Long, _
ByVal pTemplateName As Long, ByVal hWndParent As Long, _
ByVal lpDialogFunc As Long, ByVal dwInitParam As Long) As Integer
If pTemplateName = 4070 Then
'有程序调用DialogBoxParamA装入4070号对话框,这里我们直接返回1,让
'VBE以为密码正确了
MyDialogBoxParam = 1
Else
'有程序调用DialogBoxParamA,但装入的不是4070号对话框,这里我们调用
'RecoverBytes函数恢复原来函数的功能,在进行原来的函数
RecoverBytes
MyDialogBoxParam = DialogBoxParam(hInstance, pTemplateName, _
hWndParent, lpDialogFunc, dwInitParam)
'原来的函数执行完毕,再次hook
Hook
End If
End Function

-------------------------------------------------------------------

3.在sheet1的编辑框数加上代码:

sub 破解()

if hook then

msgbox "破解成功"

end if

end sub



sub 恢复()

RecoverBytes

msgbox "恢复成功"

end sub



4.到此,一个vba破解程序完成了,回到该工作簿窗口,文件-打开 打开需要破解vba工程密码的工作簿.

5.运行"call 破解" 稍后你再双击刚才要解密的VBA工程窗体.是不是如入无人之境啊,工程保护密码形同虚设啊?

6.破解完成后,请右键刚破解的VBA工程,在"查看工程时需要密码"的地方复选框取消选择,OK.完成.

7.完成后别忘了执行"call 恢复",恢复密码保护(恢复程序的密码保护,已被破解的文件不收影响).

相关文档
最新文档