Bypass Visual Basic password protected source code
Introduction
During one of my penetration tests, I was presented with a Visual Basic application to test. This VB application was part of an Excel sheet. After some basic testing, I dug into it a little bit more and found out that the authentication panel could be bypassed. After some research, I was able to bypass it, access the source code, and modify it. Here I am presenting a demo with a Hello World project to avoid disclosing the client's sensitive information.
The objective is to create two VB applications. The first one acts as the target to bypass, with the password set to "test" (unknown to us). The second one is set with a password known to us, "jafor". We then put the known password into the target file, so that the source code can be accessed with the known password ("jafor").
Create Hello World Project
Enable Developer Tab in Excel
In order to create a Visual Basic project, you must first enable the Developer tab to access the editor. To enable the Developer tab, go to File → Options → Customize Ribbon. Once the Excel Options window is open, enable developer mode and click "OK".
Now you can access macros and write code in Visual Basic.
Write source code
To access the code editor from the Developer tab, click Visual Basic.
At this point you will find yourself in front of your editor ready to write the code.

The code with which I tested the project is the following:
Sub TestProtection()
    ' Write a fixed string to cell A1
    Range("A1").Value = "Hello World"
    ' Write a random integer from 1 to 10 to cell B1
    Range("B1").Value = Int((10 * Rnd) + 1)
End Sub
Set Password Protection
To set the password, go to Tools → VBAProject Properties → Protection tab. Set the password as you like and remember to enable "Lock project for viewing". This option prevents the code from being displayed.
In this file, the password set is "test".
Save file
To save the project click on "Save" and choose "No".
In the new window that will be presented, change the format of the file to be saved to "Excel Macro-Enabled Workbook" and save it.
It will generate a new file containing the source code.
Test Password Protection
To test the password protection, open the new file and access the source code. The shortcut is Alt+F11, but for some reason it is not working for me. Another way is to go to the Developer tab and open Visual Basic.
Trying to access the project containing the source code, you will be asked to enter the previously set password.

Replace password protection
Create a dummy project
In order to access the password-protected source code, we need to create a dummy project with our own password and replace the bytes in the target file that are dedicated to checking the password with our own. Described in words it might seem difficult, but with the example I am about to show it will be very simple. Now let's create the second file in the same way as seen above but with a different password; let's say that this time the password will be "jafor". So we have two files: one with the password set to "test", which is the target file whose password we have to bypass, and our own file with the password set to "jafor". The goal is to replace the password "test" of the first file with the password "jafor".
Extract jafor's authentication hex code
To extract the code, you need to change the file extension from .xlsm to .zip.

When opening the zip file you will find a folder structure like the following:

Navigate into the xl directory and open vbaProject.bin with a hex editor.

The hex editor used is xhd. Once vbaProject.bin is open in the hex editor, search for the text CMG as seen in the image below.
Now copy the portion as shown below.

This is the portion of the file that records which password is set, which in this case is "jafor". Our goal is to replace this portion in the target file so that the password set is "jafor" and no longer "test".
Replace password in the target file
We perform the same steps on the target file: open its binary file with our hex editor, paste the dummy's code over the corresponding portion in the target file, and save it.
After changing the target file's code with our dummy's code:

Replace the original binary inside the zip folder with the modified one and change the extension back from .zip to .xlsm. Now we can access the source code with the password "jafor" instead of "test".
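Because the record sits as readable text inside vbaProject.bin, a defender can baseline it and notice when it has been swapped. The following is an added example, not part of the original post: it reads the CMG, DPB and GC values (the text fields of the VBA protection record) from a trusted copy and a copy under review and reports which differ. It assumes the record is stored contiguously, as it is when a hex editor search finds it; the function names and the sample workbooks are constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

VBA_PART = "xl/vbaProject.bin"
# Protection record as it appears in the hex editor: CMG="...", DPB="...", GC="..."
FIELD_RE = re.compile(rb'\b(CMG|DPB|GC)="([0-9A-Fa-f]*)"')


def protection_record(workbook: bytes) -> dict:
    """Return the CMG/DPB/GC values plus a SHA-256 of vbaProject.bin ({} if no VBA part)."""
    with zipfile.ZipFile(io.BytesIO(workbook)) as z:
        if VBA_PART not in z.namelist():
            return {}
        blob = z.read(VBA_PART)
    record = {m.group(1).decode(): m.group(2).decode().upper()
              for m in FIELD_RE.finditer(blob)}
    record["sha256"] = hashlib.sha256(blob).hexdigest()
    return record


def changed_fields(baseline: bytes, current: bytes) -> list:
    """List the protection fields that differ between a trusted copy and a reviewed copy."""
    old, new = protection_record(baseline), protection_record(current)
    return sorted(k for k in ("CMG", "DPB", "GC") if old.get(k) != new.get(k))


def fake_workbook(cmg: str, dpb: str, gc: str) -> bytes:
    """Constructed stand-in for an .xlsm: a zip whose vbaProject.bin holds only record text."""
    body = f'ID="{{0}}"\r\nCMG="{cmg}"\r\nDPB="{dpb}"\r\nGC="{gc}"\r\n'.encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(VBA_PART, b"\x00" * 16 + body + b"\x00" * 16)
    return buf.getvalue()


# Constructed sample values, not taken from any real workbook.
BASELINE = fake_workbook("A1B2C3", "D4E5F6", "0718")
REVIEWED = fake_workbook("FFEEDD", "CCBBAA", "9988")

if __name__ == "__main__":
    print("baseline:", protection_record(BASELINE))
    print("changed :", changed_fields(BASELINE, REVIEWED))
```

A changed record on a workbook whose owner did not change the password is worth investigating, and since the lock does not keep the code from being read or edited, secrets should not live in VBA source.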