How to undo fix for breaking VBA password?

Question

I used the fix provided by Đức Thanh Nguyễn for the password problem on Is there a way to crack the password on an Excel VBA Project? . Unfortunately, this has left my machine in a state where the VBA for ALL new Excel files are no longer protected! This is his code:

In Module 1:

Option Explicit

Private Const PAGE_EXECUTE_READWRITE = &H40

Private Declare Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" _
    (Destination As Long, Source As Long, ByVal Length As Long)

Private Declare Function VirtualProtect Lib "kernel32" (lpAddress As Long, _
    ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long

Private Declare Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleName As String) As Long

Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, _
    ByVal lpProcName As String) As Long

Private Declare Function DialogBoxParam Lib "user32" Alias "DialogBoxParamA"     (ByVal hInstance As Long, _
    ByVal pTemplateName As Long, ByVal hWndParent As Long, _
    ByVal lpDialogFunc As Long, ByVal dwInitParam As Long) As Integer

Dim HookBytes(0 To 5) As Byte
Dim OriginBytes(0 To 5) As Byte
Dim pFunc As Long
Dim Flag As Boolean

Private Function GetPtr(ByVal Value As Long) As Long
    GetPtr = Value
End Function

Public Sub RecoverBytes()
    If Flag Then MoveMemory ByVal pFunc, ByVal VarPtr(OriginBytes(0)), 6
End Sub

Public Function Hook() As Boolean
Dim TmpBytes(0 To 5) As Byte
Dim p As Long
Dim OriginProtect As Long

Hook = False

pFunc = GetProcAddress(GetModuleHandleA("user32.dll"), "DialogBoxParamA")


If VirtualProtect(ByVal pFunc, 6, PAGE_EXECUTE_READWRITE, OriginProtect) <> 0 Then

    MoveMemory ByVal VarPtr(TmpBytes(0)), ByVal pFunc, 6
    If TmpBytes(0) <> &H68 Then

        MoveMemory ByVal VarPtr(OriginBytes(0)), ByVal pFunc, 6

        p = GetPtr(AddressOf MyDialogBoxParam)

        HookBytes(0) = &H68
        MoveMemory ByVal VarPtr(HookBytes(1)), ByVal VarPtr(p), 4
        HookBytes(5) = &HC3

        MoveMemory ByVal pFunc, ByVal VarPtr(HookBytes(0)), 6
        Flag = True
        Hook = True
    End If
End If
End Function

Private Function MyDialogBoxParam(ByVal hInstance As Long, _
    ByVal pTemplateName As Long, ByVal hWndParent As Long, _
    ByVal lpDialogFunc As Long, ByVal dwInitParam As Long) As Integer
If pTemplateName = 4070 Then
    MyDialogBoxParam = 1
Else
    RecoverBytes
    MyDialogBoxParam = DialogBoxParam(hInstance, pTemplateName, _
                       hWndParent, lpDialogFunc, dwInitParam)
    Hook
End If
End Function

In Module 2:

Sub unprotected()
    If Hook Then
        MsgBox "VBA Project is unprotected!", vbInformation, "*****"
    End If
End Sub

What I tried was to comment out the first clause of the If statement in the MyDialogBoxParam routine, making every pass go through the RecoverBytes step and the two that follow that. No luck. Can anyone help??? Thanks!

@Chuck - Just to confirm, you managed to solve the original problem from your question by rebooting, correct? — ashleedawg, Apr 11 '18 at 01:36
@ashleedawg no, it didn't. I shut down overnight and Windows updated, but it's still happening this morning. — Chuck Shultz, Apr 11 '18 at 12:37

score 1 · Accepted Answer · answered Apr 12 '18 at 16:47

It turns out my verification was flawed here. I was creating a brand new macro-enabled Excel file and testing if the passwords into the code held up. It turns out that if you put a password onto a macro-enabled Excel file that has absolutely no code added into it (maybe no changes to the Excel file at all, I'm not sure about that), the password and protection will not stick. You have to have something added into the code before it will retain the password and the protection flag being on. Sigh...

Thanks to everyone who chimed in with help!

ashleedawg · Answer 2 · 2018-04-11T01:36:50.853

0

Rebooting your computer should fix the problem
(and in general should be the first troubleshooting step for "any" unexplained issue.)

Also, next time, use this method to crack an Office password...

edited Apr 11 '18 at 01:36

answered Apr 10 '18 at 18:23

ashleedawg

20,365
9
72
105

2

I think you should highlight your moral once again for everyone here... **don't run code that you don't understand**... especially something that is jail-breaking a program. – dwirony Apr 10 '18 at 18:24
@dwirony - alright, I'll add that to my answer :) (ironically/unplanned, the link points to another apparent "moral" of mine.) – ashleedawg Apr 10 '18 at 18:27
The only Hex editor I've ever worked with was malware. Can you recommend one that isn't malware? – Chuck Shultz Apr 10 '18 at 18:33
Unfortunately, the answer you've given me is to run more code that I don't understand...hhhmmm.... ;-) – Chuck Shultz Apr 10 '18 at 18:37
No, there's no code. [Here's a YouTube Version](https://youtu.be/YC2GyeY6ZdE) of the same set of instructions but probably easier to follow than the summary, the first time anyway. I know it works since I've used it dozens of times. (and made both posts - sorry about the crappy audio but it works like a charm.) There are likely other methods too – ashleedawg Apr 10 '18 at 18:38
This website wants to install an extension in my browser. This screwed me before, I don't want to do it. Even so, this doesn't fix the problem caused by running the code above. – Chuck Shultz Apr 10 '18 at 18:47
too much malware can cause this phenomenon. – pokemon_Man Apr 10 '18 at 19:09
@ashleedawg I disagree. It's not unknown code from an unknown source. It's great code posted at SO that has been upvoted by 514 people. Sure it did something unintended in this case, but that's life. I think it's a little unfair to give the OP a hard time for using highly regarded code from this very site. Many of the people running code that I provide on this site don't *really* understand how it works. – jeffreyweir Apr 10 '18 at 19:40
1

@jeffreyweir But it's not that it's unknown code, it's the practice of running code that you don't know what it does or how it does it. – dwirony Apr 10 '18 at 20:12
I run code all the time that I don't know how it does what it does. My add-ins include Rob Bovey's XY chart labeller, Jon Peltier's charting stuff, Jan Karel's Name Manager, a VBA IDE called RubberDuck, a DAX formatting and evaluation tool, a whole bunch of other VBA tools, FastExcel by Charles Williams. I have no idea what's going on under the hood of any of those. Even if I could see the code, I still wouldn't understand most of it, and certainly wouldn't be able to conceptualise what it does by reviewing it line by line without running it. How is this any different to what the OP has done? – jeffreyweir Apr 10 '18 at 20:50
1

Bottom line is that you need to make a judgement call. The OP has made a valid judgement call: the code has thumbs up from 500+ people. He doesn't deserve downvoting for that. – jeffreyweir Apr 10 '18 at 20:51
@ChuckShultz - to which website are you referring? – ashleedawg Apr 10 '18 at 22:34

How to undo fix for breaking VBA password?

2 Answers2