How to Unlock VBA Password Using VBA Scripts

Editing or revising VBA scripts is essential to make its functionality better and up-to-date. However, time comes where the VBA you need to edit has a password and you have no idea what to do about it.

This article will demonstrate how to unlock forgotten or unknown VBA Script password using VBA codes.

the Logic in a Nutshell of VBA Password

1. The code will call a system function to create a dialog box for the password input.
2. The function returns 1 if the password is correct. Will return 0 if not.
3. After the password dialog box was closed, system will expect the return value.
4. If the return value is 1, system will acknowledged this as a correct password. Thus the VBA project will be unlocked.

The code below will demonstrate how to swap the memory of the Password Checker function a user defined function which will return 1 whenever it was called.

Option Explicit

Private Const PAGE_EXECUTE_READWRITE = &H40

Private Declare PtrSafe Function VirtualProtect Lib "kernel32" (lpAddress As LPtr, _
ByVal dwSize As LPtr, ByVal flNewProtect As LPtr, lpflOldProtect As LPtr) As LPtr

Private Declare PtrSafe Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleName As String) As LPtr

Private Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As LPtr, _
ByVal lpProcName As String) As LPtr

Private Declare PtrSafe Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As LPtr, Source As LPtr, ByVal Length As LPtr)

Private Declare PtrSafe Function DialogBoxParam Lib "user32" Alias "DialogBoxParamA" (ByVal hInstance As LPtr, _
ByVal pTemplateName As LPtr, ByVal hWndParent As LPtr,ByVal lpDialogFunc As LPtr, ByVal dwInitParam As LPtr) As Integer

Dim HBytes(0 To 5) As Byte
Dim OBytes(0 To 5) As Byte
Dim pFunc As LPtr
Dim Flag As Boolean

Private Function GetPtr(ByVal Value As LPtr) As LPtr
    GetPtr = Value
End Function

Public Sub RecoverBytes()
    If Flag Then MoveMemory ByVal pFunc, ByVal VarPtr(OriginBytes(0)), 6
End Sub

Public Function Hook() As Boolean
    Dim TmpBytes(0 To 5) As Byte
    Dim p As LPtr
    Dim OriginProtect As LPtr

    Hook = False

    pFunc = GetProcAddress(GetModuleHandleA("user32.dll"), "DialogBoxParamA")


    If VirtualProtect(ByVal pFunc, 6, PAGE_EXECUTE_READWRITE, OriginProtect) <> 0 Then

        MoveMemory ByVal VarPtr(TmpBytes(0)), ByVal pFunc, 6
        If TmpBytes(0) <> &H68 Then

            MoveMemory ByVal VarPtr(OriginBytes(0)), ByVal pFunc, 6

            p = GetPtr(AddressOf MyDialogBoxParam)

            HookBytes(0) = &H68
            MoveMemory ByVal VarPtr(HookBytes(1)), ByVal VarPtr(p), 4
            HookBytes(5) = &HC3

            MoveMemory ByVal pFunc, ByVal VarPtr(HookBytes(0)), 6
            Flag = True
            Hook = True
        End If
    End If
End Function

Private Function MyDialogBoxParam(ByVal hInstance As LPtr, _
ByVal pTemplateName As LPtr, ByVal hWndParent As LPtr, _
ByVal lpDialogFunc As LPtr, ByVal dwInitParam As LPtr) As Integer

    If pTemplateName = 4070 Then
        MyDialogBoxParam = 1
    Else
        RecoverBytes
        MyDialogBoxParam = DialogBoxParam(hInstance, pTemplateName, _
                   hWndParent, lpDialogFunc, dwInitParam)
        Hook
    End If
End Function

Sub UnprotectedVBACode()
    'Run this subroutine to unlock the VBA project.
    If Hook Then
        Debug.print ("VBA Project was cracked.")
    End If
End Sub