使用 VBA 指令碼解鎖 VBA 密碼

Glen Alfaro 2022年5月18日
使用 VBA 指令碼解鎖 VBA 密碼

編輯或修改 VBA 指令碼對於使其功能更好和最新是必不可少的。但是,你需要編輯的 VBA 有密碼並且你不知道該怎麼做的時候到了。

本文將演示如何使用 VBA 程式碼解鎖忘記或未知的 VBA 指令碼密碼。

VBA 密碼簡述邏輯

  1. 程式碼會呼叫一個系統函式來建立一個輸入密碼的對話方塊。
  2. 如果密碼正確,函式返回 1。如果沒有,將返回 0
  3. 密碼對話方塊關閉後,系統會期待返回值。
  4. 如果返回值為 1,系統將確認這是一個正確的密碼。因此 VBA 專案將被解鎖。

下面的程式碼將演示如何將 Password Checker 函式的記憶體交換為使用者定義的函式,該函式在呼叫時將返回 1

Option Explicit

Private Const PAGE_EXECUTE_READWRITE = &H40

Private Declare PtrSafe Function VirtualProtect Lib "kernel32" (lpAddress As LPtr, _
ByVal dwSize As LPtr, ByVal flNewProtect As LPtr, lpflOldProtect As LPtr) As LPtr

Private Declare PtrSafe Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleName As String) As LPtr

Private Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As LPtr, _
ByVal lpProcName As String) As LPtr

Private Declare PtrSafe Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As LPtr, Source As LPtr, ByVal Length As LPtr)

Private Declare PtrSafe Function DialogBoxParam Lib "user32" Alias "DialogBoxParamA" (ByVal hInstance As LPtr, _
ByVal pTemplateName As LPtr, ByVal hWndParent As LPtr,ByVal lpDialogFunc As LPtr, ByVal dwInitParam As LPtr) As Integer

Dim HBytes(0 To 5) As Byte
Dim OBytes(0 To 5) As Byte
Dim pFunc As LPtr
Dim Flag As Boolean

Private Function GetPtr(ByVal Value As LPtr) As LPtr
    GetPtr = Value
End Function

Public Sub RecoverBytes()
    If Flag Then MoveMemory ByVal pFunc, ByVal VarPtr(OriginBytes(0)), 6
End Sub

Public Function Hook() As Boolean
    Dim TmpBytes(0 To 5) As Byte
    Dim p As LPtr
    Dim OriginProtect As LPtr

    Hook = False

    pFunc = GetProcAddress(GetModuleHandleA("user32.dll"), "DialogBoxParamA")


    If VirtualProtect(ByVal pFunc, 6, PAGE_EXECUTE_READWRITE, OriginProtect) <> 0 Then

        MoveMemory ByVal VarPtr(TmpBytes(0)), ByVal pFunc, 6
        If TmpBytes(0) <> &H68 Then

            MoveMemory ByVal VarPtr(OriginBytes(0)), ByVal pFunc, 6

            p = GetPtr(AddressOf MyDialogBoxParam)

            HookBytes(0) = &H68
            MoveMemory ByVal VarPtr(HookBytes(1)), ByVal VarPtr(p), 4
            HookBytes(5) = &HC3

            MoveMemory ByVal pFunc, ByVal VarPtr(HookBytes(0)), 6
            Flag = True
            Hook = True
        End If
    End If
End Function

Private Function MyDialogBoxParam(ByVal hInstance As LPtr, _
ByVal pTemplateName As LPtr, ByVal hWndParent As LPtr, _
ByVal lpDialogFunc As LPtr, ByVal dwInitParam As LPtr) As Integer

    If pTemplateName = 4070 Then
        MyDialogBoxParam = 1
    Else
        RecoverBytes
        MyDialogBoxParam = DialogBoxParam(hInstance, pTemplateName, _
                   hWndParent, lpDialogFunc, dwInitParam)
        Hook
    End If
End Function

Sub UnprotectedVBACode()
    'Run this subroutine to unlock the VBA project.
    If Hook Then
        Debug.print ("VBA Project was cracked.")
    End If
End Sub

vba 解鎖密碼