Cracking Sheet Password with VBA

My question is: What kind of exploit does it use to work? In other words, how come this generated string of A's and B's can be used as the password to a sheet inside a particular workbook?

asked Nov 13, 2013 at 12:36 Mariusz Górski

No idea about the code but maybe it's some iteration of this flaw: davidbugden.com/?p=16 Commented Nov 13, 2013 at 12:45

Sounds like searching for a hash collision. Commented Nov 13, 2013 at 12:46

You'll find a short explanation here. Commented Nov 13, 2013 at 12:48

possible duplicate of How does Excel's worksheet password protection work – user2140173 Commented Nov 13, 2013 at 12:58

@mehow - u sir deserve a cold one! 10q kindly, it's exactly what I've been searching for. Commented Nov 13, 2013 at 13:58

5 Answers

The Excel worksheet password protection works by converting the input password to a hash and storing it. A hash is a one-way algorithm that crunches up the bits, losing some information along the way, but generating a fingerprint of the original data. Because of the loss of data, it is impossible to reverse a hash to get the original password, but in the future if someone types in a password it can be hashed and compared against the stored hash. This (usually) makes it more secure than simply storing the password as a string to compare against.

The best description by far I've encountered of how brute forcing the Excel hashing algorithm works is on the page @mehow links to, posted by Torben Klein. His answer can be summed up as:

  1. The Excel hash function maps the large space of possible passwords to the small space of possible hashes.
  2. Because the hashing algorithm generates such small hashes, 15 bits, the number of possible hashes is 2^15 = 32768 hashes.
  3. 32768 is a tiny number of things to try when computing power is applied. Klein derives a subset of the input passwords that cover all of the possible hashes.

Based on this description of Excel's hashing function, the following code generates the same hash as Excel, which you can use to test Klein's function.

    Option Explicit
    'mdlExcelHash

    Public Function getExcelPasswordHash(Pass As String)
        Dim PassBytes() As Byte
        PassBytes = StrConv(Pass, vbFromUnicode)

        Dim cchPassword As Long
        cchPassword = UBound(PassBytes) + 1

        Dim wPasswordHash As Long
        If cchPassword = 0 Then
            getExcelPasswordHash = wPasswordHash
            Exit Function
        End If

        Dim pch As Long
        pch = cchPassword - 1
        While pch >= 0
            wPasswordHash = wPasswordHash Xor PassBytes(pch)
            wPasswordHash = RotateLeft_15bit(wPasswordHash, 1)
            pch = pch - 1
        Wend

        wPasswordHash = wPasswordHash Xor cchPassword
        wPasswordHash = wPasswordHash Xor &HCE4B&
        getExcelPasswordHash = wPasswordHash
    End Function

    Private Function RotateLeft_15bit(num As Long, Count As Long) As Long
        Dim outLong As Long
        Dim i As Long
        outLong = num
        For i = 0 To Count - 1
            outLong = ((outLong \ 2 ^ 14) And &H1) Or ((outLong * 2) And &H7FFF) 'Rotates left around 15 bits, kind of a signed rotateleft
        Next
        RotateLeft_15bit = outLong
    End Function
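The following Python port of the VBA above is an added example, not part of the original answer. It checks the 15-bit claim by showing that a small family of A/B strings reaches every possible hash, which is why worksheet protection cannot be treated as a security control. The candidate shape (eleven characters of A or B plus one printable ASCII character), the latin-1 encoding and the sample password are assumptions made for the illustration.

```python
from itertools import product


def rotl15(x: int) -> int:
    """Rotate a 15-bit value left by one bit (RotateLeft_15bit with Count = 1)."""
    return ((x >> 14) & 1) | ((x << 1) & 0x7FFF)


def excel_sheet_hash(password: str) -> int:
    """Port of getExcelPasswordHash; assumes single-byte (latin-1) characters."""
    data = password.encode("latin-1")
    if not data:
        return 0  # the VBA returns 0 for an empty password
    h = 0
    for byte in reversed(data):  # last character first, as in the VBA loop
        h = rotl15(h ^ byte)
    return h ^ len(data) ^ 0xCE4B


def candidate_family():
    """Assumed candidate shape: 11 characters of 'A'/'B' plus 1 printable ASCII."""
    tails = [chr(c) for c in range(32, 127)]
    for prefix in product("AB", repeat=11):
        head = "".join(prefix)
        for tail in tails:
            yield head + tail


def build_collision_table() -> dict:
    """Map each hash value to the first candidate string that produces it."""
    table = {}
    for candidate in candidate_family():
        table.setdefault(excel_sheet_hash(candidate), candidate)
    return table


if __name__ == "__main__":
    table = build_collision_table()
    print(f"distinct hashes reached: {len(table)} of {2 ** 15}")
    original = "Correct-Horse-Battery-Staple"  # constructed sample password
    twin = table[excel_sheet_hash(original)]
    print(f"{original!r} and {twin!r} share hash {excel_sheet_hash(original):04X}")
```

Each A/B choice at position i flips two adjacent bits of the rotated sum, and the final character supplies the remaining four degrees of freedom, so the 194,560 candidates cover all 32,768 values regardless of how long or complex the real password was.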