1、EXCEL vba工程密碼破解這種方法實際是避開VBA工程密碼驗證，即，騙vba編輯器，該密碼輸入成功，請求放行。原理不多說了，先將方法公布：=1.新建一個工作簿，打開，按ALT+F11，進入vba代碼編輯器窗口：2.新建一個模塊，“插入”-“模塊”把以下代碼復(fù)制進模塊并保存-Option ExplicitPrivate Declare Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" _        (Destination As Long, Source

2、As Long, ByVal Length As Long)Private Declare Function VirtualProtect Lib "kernel32" (lpAddress As Long, _        ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long        Private Declare Function GetModuleHandleA

3、Lib "kernel32" (ByVal lpModuleName As String) As Long   Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, _        ByVal lpProcName As String) As Long   Private Declare Function DialogBoxParam Lib "user32&q

4、uot; Alias "DialogBoxParamA" (ByVal hInstance As Long, _        ByVal pTemplateName As Long, ByVal hWndParent As Long, _        ByVal lpDialogFunc As Long, ByVal dwInitParam As Long) As Integer        Dim HookBytes(0 To 5) As

5、 ByteDim OriginBytes(0 To 5) As ByteDim pFunc As LongDim Flag As BooleanPrivate Function GetPtr(ByVal Value As Long) As Long    '獲得函數(shù)的地址    GetPtr = ValueEnd FunctionPublic Sub RecoverBytes()    '若已經(jīng)hook,則恢復(fù)原API開頭的6字節(jié),也就是恢復(fù)原來函數(shù)的功能    If Flag Then MoveM

6、emory ByVal pFunc, ByVal VarPtr(OriginBytes(0), 6End SubPublic Function Hook() As Boolean    Dim TmpBytes(0 To 5) As Byte    Dim p As Long    Dim OriginProtect As Long       Hook = False       'VBE6.dll調(diào)用DialogBoxParamA顯示VB6IN

7、TL.dll資源中的第4070號對話框(就是輸入密碼的窗口)    '若DialogBoxParamA返回值非0,則VBE會認為密碼正確,所以我們要hook DialogBoxParamA函數(shù)    pFunc = GetProcAddress(GetModuleHandleA("user32.dll"), "DialogBoxParamA")       '標(biāo)準(zhǔn)api hook過程之一: 修改內(nèi)存屬性,使其可寫    If Virtual

8、Protect(ByVal pFunc, 6, &H40, OriginProtect) <> 0 Then        '標(biāo)準(zhǔn)api hook過程之二: 判斷是否已經(jīng)hook,看看API的第一個字節(jié)是否為&H68,        '若是則說明已經(jīng)Hook        MoveMemory ByVal VarPtr(TmpBytes(0), ByVal pFunc, 6        If

9、 TmpBytes(0) <> &H68 Then            '標(biāo)準(zhǔn)api hook過程之三: 保存原函數(shù)開頭字節(jié),這里是6個字節(jié),以備后面恢復(fù)            MoveMemory ByVal VarPtr(OriginBytes(0), ByVal pFunc, 6            '用AddressOf獲取MyDialogBoxParam的地址

10、0;           '因為語法不允許寫成p = AddressOf MyDialogBoxParam,這里我們寫一個函數(shù)            'GetPtr,作用僅僅是返回AddressOf MyDialogBoxParam的值,從而實現(xiàn)將            'MyDialogBoxParam的地址付給p的目的           

11、 p = GetPtr(AddressOf MyDialogBoxParam)                        '標(biāo)準(zhǔn)api hook過程之四: 組裝API入口的新代碼            'HookBytes 組成如下匯編            'push MyDialogBoxParam的地址 

12、           'ret            '作用是跳轉(zhuǎn)到MyDialogBoxParam函數(shù)            HookBytes(0) = &H68            MoveMemory ByVal VarPtr(HookBytes(1), ByVal VarPtr(p), 4      &

13、#160;     HookBytes(5) = &HC3                        '標(biāo)準(zhǔn)api hook過程之五: 用HookBytes的內(nèi)容改寫API前6個字節(jié)            MoveMemory ByVal pFunc, ByVal VarPtr(HookBytes(0), 6        &#

14、160;   '設(shè)置hook成功標(biāo)志            Flag = True            Hook = True        End If    End IfEnd FunctionPrivate Function MyDialogBoxParam(ByVal hInstance As Long, _        ByVal pTempla

15、teName As Long, ByVal hWndParent As Long, _        ByVal lpDialogFunc As Long, ByVal dwInitParam As Long) As Integer    If pTemplateName = 4070 Then        '有程序調(diào)用DialogBoxParamA裝入4070號對話框,這里我們直接返回1,讓        'VBE以為密碼正確了

16、0;       MyDialogBoxParam = 1    Else        '有程序調(diào)用DialogBoxParamA,但裝入的不是4070號對話框,這里我們調(diào)用        'RecoverBytes函數(shù)恢復(fù)原來函數(shù)的功能,在進行原來的函數(shù)        RecoverBytes        MyDialogBoxParam = DialogBoxPa

17、ram(hInstance, pTemplateName, _                           hWndParent, lpDialogFunc, dwInitParam)        '原來的函數(shù)執(zhí)行完畢,再次hook        Hook    End IfEnd Function-3.右擊sheet1工作表，“查看代碼”復(fù)制以下代碼進去并保存：-sub 破解()if hook thenmsgbox "破解成功"end ifend subsub 恢復(fù)()RecoverBytesmsgbox "恢