EXCEL2013 vba工程密碼破解
阿新 • • 發佈:2019-02-01
EXCEL vba工程密碼破解
這種方法實際是避開VBA工程密碼驗證,即,騙vba編輯器,該密碼輸入成功,請求放行。
原理不多說了,先將方法公佈:
===================================================
1.新建一個工作簿,開啟,按ALT+F11,進入vba程式碼編輯器視窗:
2.新建一個模組,“插入”--“模組”把以下程式碼複製進模組並儲存
---------------------------------------------------------------------------------------
Option Explicit
Private Declare Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" _
(Destination As Long, Source As Long, ByVal Length As Long)
Private Declare Function VirtualProtect Lib "kernel32" (lpAddress As Long, _
ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
Private Declare Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, _
ByVal lpProcName As String) As Long
Private Declare Function DialogBoxParam Lib "user32" Alias "DialogBoxParamA" (ByVal hInstance As Long, _
ByVal pTemplateName As Long, ByVal hWndParent As Long, _
ByVal lpDialogFunc As Long, ByVal dwInitParam As Long) As Integer
Dim HookBytes(0 To 5) As Byte
Dim OriginBytes(0 To 5) As Byte
Dim pFunc As Long
Dim Flag As Boolean
Private Function GetPtr(ByVal Value As Long) As Long
'獲得函式的地址
GetPtr = Value
End Function
Public Sub RecoverBytes()
'若已經hook,則恢復原API開頭的6位元組,也就是恢復原來函式的功能
If Flag Then MoveMemory ByVal pFunc, ByVal VarPtr(OriginBytes(0)), 6
End Sub
Public Function Hook() As Boolean
Dim TmpBytes(0 To 5) As Byte
Dim p As Long
Dim OriginProtect As Long
Hook = False
'VBE6.dll呼叫DialogBoxParamA顯示VB6INTL.dll資源中的第4070號對話方塊(就是輸入密碼的視窗)
'若DialogBoxParamA返回值非0,則VBE會認為密碼正確,所以我們要hook DialogBoxParamA函式
pFunc = GetProcAddress(GetModuleHandleA("user32.dll"), "DialogBoxParamA")
'標準api hook過程之一: 修改記憶體屬性,使其可寫
If VirtualProtect(ByVal pFunc, 6, &H40, OriginProtect) <> 0 Then
'標準api hook過程之二: 判斷是否已經hook,看看API的第一個位元組是否為&H68,
'若是則說明已經Hook
MoveMemory ByVal VarPtr(TmpBytes(0)), ByVal pFunc, 6
If TmpBytes(0) <> &H68 Then
'標準api hook過程之三: 儲存原函式開頭位元組,這裡是6個位元組,以備後面恢復
MoveMemory ByVal VarPtr(OriginBytes(0)), ByVal pFunc, 6
'用AddressOf獲取MyDialogBoxParam的地址
'因為語法不允許寫成p = AddressOf MyDialogBoxParam,這裡我們寫一個函式
'GetPtr,作用僅僅是返回AddressOf MyDialogBoxParam的值,從而實現將
'MyDialogBoxParam的地址付給p的目的
p = GetPtr(AddressOf MyDialogBoxParam)
'標準api hook過程之四: 組裝API入口的新程式碼
'HookBytes 組成如下彙編
'push MyDialogBoxParam的地址
'ret
'作用是跳轉到MyDialogBoxParam函式
HookBytes(0) = &H68
MoveMemory ByVal VarPtr(HookBytes(1)), ByVal VarPtr(p), 4
HookBytes(5) = &HC3
'標準api hook過程之五: 用HookBytes的內容改寫API前6個位元組
MoveMemory ByVal pFunc, ByVal VarPtr(HookBytes(0)), 6
'設定hook成功標誌
Flag = True
Hook = True
End If
End If
End Function
Private Function MyDialogBoxParam(ByVal hInstance As Long, _
ByVal pTemplateName As Long, ByVal hWndParent As Long, _
ByVal lpDialogFunc As Long, ByVal dwInitParam As Long) As Integer
If pTemplateName = 4070 Then
'有程式呼叫DialogBoxParamA裝入4070號對話方塊,這裡我們直接返回1,讓
'VBE以為密碼正確了
MyDialogBoxParam = 1
Else
'有程式呼叫DialogBoxParamA,但裝入的不是4070號對話方塊,這裡我們呼叫
'RecoverBytes函式恢復原來函式的功能,在進行原來的函式
RecoverBytes
MyDialogBoxParam = DialogBoxParam(hInstance, pTemplateName, _
hWndParent, lpDialogFunc, dwInitParam)
'原來的函式執行完畢,再次hook
Hook
End If
End Function
-------------------------------------------------------------------
3.右擊sheet1工作表,“檢視程式碼”複製以下程式碼進去並儲存:
-------------------------------------------------------------------
sub 破解()
if hook then
msgbox "破解成功"
end if
end sub
sub 恢復()
RecoverBytes
msgbox "恢復成功"
end sub
------------------------------------
4.到此,一個vba破解程式完成了,回到該工作簿視窗,檔案-開啟 開啟需要破解vba工程密碼的工作簿.
5.執行"call 破解" 稍後你再雙擊剛才要解密的VBA工程窗體.是不是如入無人之境啊,工程保護密碼形同虛設啊?
6.破解完成後,請右鍵剛破解的VBA工程,在"檢視工程時需要密碼"的地方複選框取消選擇,OK.完成.
這種方法實際是避開VBA工程密碼驗證,即,騙vba編輯器,該密碼輸入成功,請求放行。
原理不多說了,先將方法公佈:
===================================================
1.新建一個工作簿,開啟,按ALT+F11,進入vba程式碼編輯器視窗:
2.新建一個模組,“插入”--“模組”把以下程式碼複製進模組並儲存
---------------------------------------------------------------------------------------
Option Explicit
Private Declare Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" _
(Destination As Long, Source As Long, ByVal Length As Long)
Private Declare Function VirtualProtect Lib "kernel32" (lpAddress As Long, _
ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
Private Declare Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, _
ByVal lpProcName As String) As Long
Private Declare Function DialogBoxParam Lib "user32" Alias "DialogBoxParamA" (ByVal hInstance As Long, _
ByVal pTemplateName As Long, ByVal hWndParent As Long, _
ByVal lpDialogFunc As Long, ByVal dwInitParam As Long) As Integer
Dim HookBytes(0 To 5) As Byte
Dim OriginBytes(0 To 5) As Byte
Dim pFunc As Long
Dim Flag As Boolean
Private Function GetPtr(ByVal Value As Long) As Long
'獲得函式的地址
GetPtr = Value
End Function
Public Sub RecoverBytes()
'若已經hook,則恢復原API開頭的6位元組,也就是恢復原來函式的功能
If Flag Then MoveMemory ByVal pFunc, ByVal VarPtr(OriginBytes(0)), 6
End Sub
Public Function Hook() As Boolean
Dim TmpBytes(0 To 5) As Byte
Dim p As Long
Dim OriginProtect As Long
Hook = False
'VBE6.dll呼叫DialogBoxParamA顯示VB6INTL.dll資源中的第4070號對話方塊(就是輸入密碼的視窗)
'若DialogBoxParamA返回值非0,則VBE會認為密碼正確,所以我們要hook DialogBoxParamA函式
pFunc = GetProcAddress(GetModuleHandleA("user32.dll"), "DialogBoxParamA")
'標準api hook過程之一: 修改記憶體屬性,使其可寫
If VirtualProtect(ByVal pFunc, 6, &H40, OriginProtect) <> 0 Then
'標準api hook過程之二: 判斷是否已經hook,看看API的第一個位元組是否為&H68,
'若是則說明已經Hook
MoveMemory ByVal VarPtr(TmpBytes(0)), ByVal pFunc, 6
If TmpBytes(0) <> &H68 Then
'標準api hook過程之三: 儲存原函式開頭位元組,這裡是6個位元組,以備後面恢復
MoveMemory ByVal VarPtr(OriginBytes(0)), ByVal pFunc, 6
'用AddressOf獲取MyDialogBoxParam的地址
'因為語法不允許寫成p = AddressOf MyDialogBoxParam,這裡我們寫一個函式
'GetPtr,作用僅僅是返回AddressOf MyDialogBoxParam的值,從而實現將
'MyDialogBoxParam的地址付給p的目的
p = GetPtr(AddressOf MyDialogBoxParam)
'標準api hook過程之四: 組裝API入口的新程式碼
'HookBytes 組成如下彙編
'push MyDialogBoxParam的地址
'ret
'作用是跳轉到MyDialogBoxParam函式
HookBytes(0) = &H68
MoveMemory ByVal VarPtr(HookBytes(1)), ByVal VarPtr(p), 4
HookBytes(5) = &HC3
'標準api hook過程之五: 用HookBytes的內容改寫API前6個位元組
MoveMemory ByVal pFunc, ByVal VarPtr(HookBytes(0)), 6
'設定hook成功標誌
Flag = True
Hook = True
End If
End If
End Function
Private Function MyDialogBoxParam(ByVal hInstance As Long, _
ByVal pTemplateName As Long, ByVal hWndParent As Long, _
ByVal lpDialogFunc As Long, ByVal dwInitParam As Long) As Integer
If pTemplateName = 4070 Then
'有程式呼叫DialogBoxParamA裝入4070號對話方塊,這裡我們直接返回1,讓
'VBE以為密碼正確了
MyDialogBoxParam = 1
Else
'有程式呼叫DialogBoxParamA,但裝入的不是4070號對話方塊,這裡我們呼叫
'RecoverBytes函式恢復原來函式的功能,在進行原來的函式
RecoverBytes
MyDialogBoxParam = DialogBoxParam(hInstance, pTemplateName, _
hWndParent, lpDialogFunc, dwInitParam)
'原來的函式執行完畢,再次hook
Hook
End If
End Function
-------------------------------------------------------------------
3.右擊sheet1工作表,“檢視程式碼”複製以下程式碼進去並儲存:
-------------------------------------------------------------------
sub 破解()
if hook then
msgbox "破解成功"
end if
end sub
sub 恢復()
RecoverBytes
msgbox "恢復成功"
end sub
------------------------------------
4.到此,一個vba破解程式完成了,回到該工作簿視窗,檔案-開啟 開啟需要破解vba工程密碼的工作簿.
5.執行"call 破解" 稍後你再雙擊剛才要解密的VBA工程窗體.是不是如入無人之境啊,工程保護密碼形同虛設啊?
6.破解完成後,請右鍵剛破解的VBA工程,在"檢視工程時需要密碼"的地方複選框取消選擇,OK.完成.
7.完成後別忘了執行"call 恢復",恢復密碼保護(恢復程式的密碼保護,已被破解的檔案不收影響. (請勿用於非法途徑)
已驗證,破解成功