Is there a way to crack the password on an Excel VBA Project?

You can try this direct VBA approach which doesn't require HEX editing. It will work for any files (*.xls, *.xlsm, *.xlam ...).

Tested and works on:

Excel 2007
Excel 2010
Excel 2013 - 32 bit version
Excel 2016 - 32 bit version

Looking for 64 bit version? See this answer

How it works

I will try my best to explain how it works - please excuse my English.

1. The VBE will call a system function to create the password dialog box.
2. If user enters the right password and click OK, this function returns 1. If user enters the wrong password or click Cancel, this function returns 0.
3. After the dialog box is closed, the VBE checks the returned value of the system function
4. if this value is 1, the VBE will "think" that the password is right, hence the locked VBA project will be opened.
5. The code below swaps the memory of the original function used to display the password dialog with a user defined function that will always return 1 when being called.

Using the code

Please backup your files first!

1. Open the file(s) that contain your locked VBA Projects

2. Create a new xlsm file and store this code in Module1

   code credited to Siwtom (nick name), a Vietnamese developer

   Option ExplicitPrivate Const PAGE_EXECUTE_READWRITE = &H40Private Declare Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" _        (Destination As Long, Source As Long, ByVal Length As Long)Private Declare Function VirtualProtect Lib "kernel32" (lpAddress As Long, _        ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As LongPrivate Declare Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleName As String) As LongPrivate Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, _        ByVal lpProcName As String) As LongPrivate Declare Function DialogBoxParam Lib "user32" Alias "DialogBoxParamA" (ByVal hInstance As Long, _        ByVal pTemplateName As Long, ByVal hWndParent As Long, _        ByVal lpDialogFunc As Long, ByVal dwInitParam As Long) As IntegerDim HookBytes(0 To 5) As ByteDim OriginBytes(0 To 5) As ByteDim pFunc As LongDim Flag As BooleanPrivate Function GetPtr(ByVal Value As Long) As Long    GetPtr = ValueEnd FunctionPublic Sub RecoverBytes()    If Flag Then MoveMemory ByVal pFunc, ByVal VarPtr(OriginBytes(0)), 6End SubPublic Function Hook() As Boolean    Dim TmpBytes(0 To 5) As Byte    Dim p As Long    Dim OriginProtect As Long    Hook = False    pFunc = GetProcAddress(GetModuleHandleA("user32.dll"), "DialogBoxParamA")    If VirtualProtect(ByVal pFunc, 6, PAGE_EXECUTE_READWRITE, OriginProtect) <> 0 Then        MoveMemory ByVal VarPtr(TmpBytes(0)), ByVal pFunc, 6        If TmpBytes(0) <> &H68 Then            MoveMemory ByVal VarPtr(OriginBytes(0)), ByVal pFunc, 6            p = GetPtr(AddressOf MyDialogBoxParam)            HookBytes(0) = &H68            MoveMemory ByVal VarPtr(HookBytes(1)), ByVal VarPtr(p), 4            HookBytes(5) = &HC3            MoveMemory ByVal pFunc, ByVal VarPtr(HookBytes(0)), 6            Flag = True            Hook = True        End If    End IfEnd FunctionPrivate Function MyDialogBoxParam(ByVal hInstance As Long, _        ByVal pTemplateName As Long, ByVal hWndParent As Long, _        ByVal lpDialogFunc As Long, ByVal dwInitParam As Long) As Integer    If pTemplateName = 4070 Then        MyDialogBoxParam = 1    Else        RecoverBytes        MyDialogBoxParam = DialogBoxParam(hInstance, pTemplateName, _                           hWndParent, lpDialogFunc, dwInitParam)        Hook    End IfEnd Function

3. Paste this code under the above code in Module1 and run it

   Sub unprotected()    If Hook Then        MsgBox "VBA Project is unprotected!", vbInformation, "*****"    End IfEnd Sub

4. Come back to your VBA Projects and enjoy.

Yes there is, as long as you are using a .xls format spreadsheet (the default for Excel up to 2003). For Excel 2007 onwards, the default is .xlsx, which is a fairly secure format, and this method will not work.

As Treb says, it's a simple comparison. One method is to simply swap out the password entry in the file using a hex editor (see Hex editors for Windows). Step by step example:

1. Create a new simple excel file.
2. In the VBA part, set a simple password (say - 1234).
3. Save the file and exit. Then check the file size - see Stewbob's gotcha
4. Open the file you just created with a hex editor.

5. Copy the lines starting with the following keys:

   CMG=....DPB=...GC=...

6. FIRST BACKUP the excel file you don't know the VBA password for, then open it with your hex editor, and paste the above copied lines from the dummy file.

7. Save the excel file and exit.
8. Now, open the excel file you need to see the VBA code in. The password for the VBA codewill simply be 1234 (as in the example I'm showing here).

If you need to work with Excel 2007 or 2010, there are some other answers below which might help, particularly these: 1, 2, 3.

EDIT Feb 2015: for another method that looks very promising, look at this new answer by Đức Thanh Nguyễn.

I've built upon Đức Thanh Nguyễn's fantastic answer to allow this method to work with 64-bit versions of Excel. I'm running Excel 2010 64-Bit on 64-Bit Windows 7.

1. Open the file(s) that contain your locked VBA Projects.

2. Create a new xlsm file and store this code in Module1

   Option ExplicitPrivate Const PAGE_EXECUTE_READWRITE = &H40Private Declare PtrSafe Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" _(Destination As LongPtr, Source As LongPtr, ByVal Length As LongPtr)Private Declare PtrSafe Function VirtualProtect Lib "kernel32" (lpAddress As LongPtr, _ByVal dwSize As LongPtr, ByVal flNewProtect As LongPtr, lpflOldProtect As LongPtr) As LongPtrPrivate Declare PtrSafe Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleName As String) As LongPtrPrivate Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As LongPtr, _ByVal lpProcName As String) As LongPtrPrivate Declare PtrSafe Function DialogBoxParam Lib "user32" Alias "DialogBoxParamA" (ByVal hInstance As LongPtr, _ByVal pTemplateName As LongPtr, ByVal hWndParent As LongPtr, _ByVal lpDialogFunc As LongPtr, ByVal dwInitParam As LongPtr) As IntegerDim HookBytes(0 To 5) As ByteDim OriginBytes(0 To 5) As ByteDim pFunc As LongPtrDim Flag As BooleanPrivate Function GetPtr(ByVal Value As LongPtr) As LongPtr    GetPtr = ValueEnd FunctionPublic Sub RecoverBytes()    If Flag Then MoveMemory ByVal pFunc, ByVal VarPtr(OriginBytes(0)), 6End SubPublic Function Hook() As Boolean    Dim TmpBytes(0 To 5) As Byte    Dim p As LongPtr    Dim OriginProtect As LongPtr    Hook = False    pFunc = GetProcAddress(GetModuleHandleA("user32.dll"), "DialogBoxParamA")    If VirtualProtect(ByVal pFunc, 6, PAGE_EXECUTE_READWRITE, OriginProtect) <> 0 Then        MoveMemory ByVal VarPtr(TmpBytes(0)), ByVal pFunc, 6        If TmpBytes(0) <> &H68 Then            MoveMemory ByVal VarPtr(OriginBytes(0)), ByVal pFunc, 6            p = GetPtr(AddressOf MyDialogBoxParam)            HookBytes(0) = &H68            MoveMemory ByVal VarPtr(HookBytes(1)), ByVal VarPtr(p), 4            HookBytes(5) = &HC3            MoveMemory ByVal pFunc, ByVal VarPtr(HookBytes(0)), 6            Flag = True            Hook = True        End If    End IfEnd FunctionPrivate Function MyDialogBoxParam(ByVal hInstance As LongPtr, _ByVal pTemplateName As LongPtr, ByVal hWndParent As LongPtr, _ByVal lpDialogFunc As LongPtr, ByVal dwInitParam As LongPtr) As Integer    If pTemplateName = 4070 Then        MyDialogBoxParam = 1    Else        RecoverBytes        MyDialogBoxParam = DialogBoxParam(hInstance, pTemplateName, _                   hWndParent, lpDialogFunc, dwInitParam)        Hook    End IfEnd Function

3. Paste this code in Module2 and run it

   Sub unprotected()    If Hook Then        MsgBox "VBA Project is unprotected!", vbInformation, "*****"    End IfEnd Sub

DISCLAIMER This worked for me and I have documented it here in the hope it will help someone out. I have not fully tested it. Please be sure to save all open files before proceeding with this option.