PDA

View Full Version : VBA Code Security and Sheet Protection



dansam
02-06-2007, 12:51 AM
HELP : :( HOW to make the VBA code and the sheet protection more strong?

Aussiebear
02-06-2007, 02:22 AM
Lots of people want the protection to be stronger but sadly there are limits to what protection can do. Determined people can easily get past Excel protection. Please read posts on this issue over the last couple of pages in this forum, and see the responces from persons highly regarded in this area. Johnske has a great report on this very issue which may ne of some assistance.

If you want strong protection then create a stand alone workbook, otherwise join the rest of us, as we hope our work remains untouched.

johnske
02-06-2007, 02:56 AM
Read here (http://xlvba.3.forumer.com/index.php?showtopic=270&hl=), protection is there to stop accidental erasures, it is NOT security. If it's on a computer, no matter how secure you think it is - it can be cracked. If it's really that sensitive don't put it on your computer :)

mdmackillop
02-06-2007, 03:05 AM
Hi Dansam
Welcome to VBAX
When you post a question, please give it a meaningful title. "Help me" is of no use to someone looking for specific topics to assist or searching for solutions,
Regards
MD

Aussiebear
02-06-2007, 05:48 AM
Read here (http://xlvba.3.forumer.com/index.php?showtopic=270&hl=), protection is there to stop accidental erasures, it is NOT security. If it's on a computer, no matter how secure you think it is - it can be cracked. If it's really that sensitive don't put it on your computer :)

Took the words right out of my mouth.... but that aside, just what is it that you were looking to "protect" ? Is it code, formula's. layout of a sheet or workbook? If you can post an example then maybe someone can come up with something to help you in your task.

ndendrinos
02-07-2007, 04:34 PM
from Aussiebear :
Hello,


Lots of people want the protection to be stronger but sadly there are limits to what protection can do. Determined people can easily get past Excel protection. Please read posts on this issue over the last couple of pages in this forum, and see the responces from persons highly regarded in this area. Johnske has a great report on this very issue which may ne of some assistance.

If you want strong protection then create a stand alone workbook, otherwise join the rest of us, as we hope our work remains untouched.
Can you elaborate more on the stand alone mention ?
I have converted an excel file to exe and protected it with a simple password.
Now I know zilch on "cracking" but it seems to me that it might prove difficult to open without the password ( at least to the average user that knows a little bit of VBA ... such as yours truly )
Is this what's known as "standalone" ?
Thank you
Nick

Ken Puls
02-07-2007, 04:49 PM
If you want strong protection then create a stand alone workbook,

Sorry, not true. 10 minutes and $35 on the internet and your file is open to anyone. No experience necessary.

Excel is not a secure app, cannot be made secure at this point, and should not be relied on to be such. Locking the file is akin to locking a house. It will keep the honest people out.

ndendrinos
02-07-2007, 05:14 PM
Hello Ken.
You are right but would you say that the same technology would open the exe conversion.
I really do not see how since I cannot open the file at all ... all I get when I click on the file ia a prompter for password on my desktop. Does the software to crack the file work on just the prompter ? If this is the case do you know of an envelope that would protect any type of file in it or is there no security at all no matter what one uses?
Thank you

Ken Puls
02-07-2007, 05:25 PM
My understanding on this stuff, fwiw...

You can't convert an xls or xla file to an exe file. If you have an add-in coded in VB6 or VB.Net, though, you could compile it as a dll. (Or an Xll file in C.) That would be more secure, but I'm not totally convinced that a dll canot be decompiled. (In fairness, I have nothing to back that up. It's just my suspicion.)

With regards to using a workbook_open password, they are harder to crack than worksheet, workbook structure or VBA project passwords. The downside is that it might just cost the person trying to break in a bit of money to do so.

The only other kind of security measure that comes to mind is policy level protection on the network or file structure. This is not, however, anything to do with the Excel file.

I supose that you could use a password protected Zip or Rar file for emailing, but I have no knowledge of how secure they are or are not.

Again, Excel's security only helps keep honest people honest. It does nothing to stop anyone determined to get into your file.

ndendrinos
02-07-2007, 06:04 PM
Ken.You've shown patience with my questions maybe you could put this one to a test for the benefit of all that follow this post or might look at it in the future.
This is the converter I'm talking about .... the website I got it from was given to me
by XLD (with thanks)
http://orlando.mvps.org/index.asp#XLtoExe
in reply to a posting of mine.
http://www.vbaexpress.com/forum/showthread.php?t=11223

Thank you

dansam
02-07-2007, 10:05 PM
hi johnske
and every one,
thankyou for your advice

Ken Puls
02-07-2007, 11:20 PM
This is the converter I'm talking about .... the website I got it from was given to me by XLD (with thanks)
http://orlando.mvps.org/index.asp#XLtoExe


I'm honestly not sure I can shed any light on this, as I've never used it, and I don't know how the thing works. I may just have to eat my words on my statement about xls files not being able to be converted to exe's.

dansam
02-08-2007, 01:14 AM
Hi everyone
i have an idea to protect the sheet a littlebit more !
steps:
(1) Make a macro that run automatically runs after 2 seconds.
(2) That macro has a code to protect the sheet. Example "Activesheet.protect...." etc..
(3) And that macro runs when the workbook opens.



So that will protect the sheet every 2 sec.
So when (if) the user (in any way) tries to unprotect the sheet then
because of that macro it will be re-potected.

There is only 2 problems:
when the user dissable the macro then what? (he can Easily unprotect the sheet in any way!")
If the user unloacks the vb code protection then this meathod is not useful.
so anybody has a code to protect the vba code ??(as we protects the sheet using the code?)

Any coments??

thankyou,
dansam

Ken Puls
02-08-2007, 10:06 AM
There is only 2 problems:
when the user dissable the macro then what? (he can Easily unprotect the sheet in any way!")
Exactly

If the user unloacks the vb code protection then this meathod is not useful.
Exactly

so anybody has a code to protect the vba code ??(as we protects the sheet using the code?)
As you said yourself... when the user disables the macros, then what? VBAProject passwords can be removed in (way) under a minute by someone who knows what they are doing.

Again, with the possible exception of the Exe thing above, Excel is not a secure app, cannot be made secure at this point, and should not be relied on to be such.

dansam
02-09-2007, 12:44 AM
Hi , :thinking:
Now by using the "xl to exe convertor" i made an exe file of my xls file.
it is very useful to protect xl file in many ways:
* it always enables the macro (not ask the user to select !):rotlaugh:
* u can't crack it (cant remove vba or sheet protection) using the normal softwares avaliable in market.. :yes
so now is there any way to crack the protection of the exe file ?


and anyone has the code to protect the vba code using a macro (like we protect the sheet using a macro) ?

with

Regards,

dan

johnske
02-09-2007, 03:33 AM
Hi , :thinking:
Now by using the "xl to exe convertor" i made an exe file of my xls file.
it is very useful to protect xl file in many ways:
* it always enables the macro (not ask the user to select !):rotlaugh:
* u can't crack it (cant remove vba or sheet protection) using the normal softwares avaliable in market.. :yes
so now is there any way to crack the protection of the exe file ?...According to the info on the site where this comes from

You can convert back to XL format using Excel's Save As command if not read-onlyIf you can convert back, you then have exactly the same protection as any ordinary workbook, addin, etc - which can be cracked... :)

Dave
02-09-2007, 08:50 AM
I think Aussiebear said it best... "just what is it that you were looking to "protect" ? Is it code, formula's. layout of a sheet or workbook?" Perhaps answering this would lead to a useful solution. Dave

dansam
02-09-2007, 10:19 AM
We have many genius software developers on this planet, so why they don’t develop
An application that protects the excel file or directly complies its VBA code?

Ken Puls
02-09-2007, 11:48 AM
has the code to protect the vba code using a macro (like we protect the sheet using a macro) ?
The VBE does not expose the password or VBE protection objects to VBA code. Reason for this, I'm guessing, is so that you can't just keep feeding passwords to it via automation. (i.e. Attempt to hack it via brute force.)


We have many genius software developers on this planet, so why they don?t develop an application that protects the excel file or directly complies its VBA code?

"They" have. It's called Visual Studio. It's a lot more work, to be sure, but you can compile your code into a dll file, which is a lot more resistant to hacking. I said above that I felt that these may be able to be reverse engineered, and I still believe that, but you would need a lot more skill that using Google to be able to do it. Excel was never really meant to be a secure platform. If you want secure your app, learn how to code in VB.Net or C and use Visual Studio with VSTO.

Wolfgang
02-09-2007, 12:40 PM
Hi dansam...

Here's how we do it:

Rather than sending out a workbook full of VBA we only give away selected data in a scrambled form...

Meaning, we give away reports to individuals and scramble data which may not be seen by some...neither the underlying formulas...

The example workbook shows a formula created by XLD and below the formula in a scrambled form...

By doing so, we do not need to include any VBA and are able to scramble what we believe should be scrambled...

Just an idea...maybe that's not what you are looking for...

Best,
Wolfgang

Aussiebear
02-09-2007, 01:52 PM
Wolfgang..... I can read that. :devil2:

(Yes I know. Liar Lair pants on fire)

johnske
02-09-2007, 03:51 PM
No matter what security or program you use, it can be read with a hex editor - in fact you really don't need anything more sophisticated than Wordpad to read all underlying VBA

ndendrinos
02-09-2007, 04:37 PM
From johnske :
I
f you can convert back, you then have exactly the same protection as any ordinary workbook, addin, etc - which can be cracked...

John is right... but the way I see it you have to open the file before you can save it as an xls file.
Just in case none of you (except dansam) have had a look at my attachement and tried to open the file ... you do not see the file at all. All you get when you double click on it is a promter for a password. Don't know about software to crack a password but I have tried to open the file with the wrong password get told that the password is wrong and in order to enter a new password I have to double click the file and start all over again ... Using software to crack it would become a manual process rather than an automated one, but maybe I'm wrong.

johnske
02-09-2007, 09:17 PM
Maybe I'm a bit thick, but this is not the 1st thread on this topic and I really fail to see the continued pre-occupation with making code 'secure'... What happens when someone is (quite legitimately) called in to correct or upgrade your so-called secure code? Any attempts at making it secure then becomes a nuisance that's a real PITA to these ppl - it's better to either leave it unprotected, or protect it and leave the password where anyone can easily find it.

There is no - I repeat NO - application that is totally secure, yet billions of ppl continue to (successfully) work on a daily basis with all these applications using only the inbuilt protection provided - so get over it.

I've provided instances of ways to up the protection level for Excel in the past, but always with the thought that this is only a gimmick to lower the anxiety levels of those pre-occupied with 'security'.

Let's face it - what's the big deal? There's none of us that are really doing anything that hasn't been done (thousands of times) before or that can't be duplicated or replicated in any way - so why be paranoid about someone reading or copying your code? :dunno

Wolfgang
02-10-2007, 01:29 AM
John is right…

People who need to steal code most likely don’t know what to do with it anyhow…

And all others who are in the know most likely are rolling across the floor, because they have never seen such crappy stuff before…

Therefore, it really doesn’t matter if you try to secure your code…

Our TBCs (TopBrassComedians) wanted some means of hiding certain data in their reports plus the formulas which they used, so we wrote a program that encrypts individual cells and the reports are sent out without any code imbedded…

Even with code I doubt very seriously that any member of said group has the slightest clue as far as code cracking is concerned…

Best,
Wolfgang

dansam
02-10-2007, 05:25 AM
In an exe file converted form *.xls file ,

Macros are always enabled. So, the main problem is”You can convert back to XL format using Excel's Save As command if not read-only ” so,
Why we don’t disable the ,

Save as option in file menu ,
Save as option from toolbar
And also ctrl + s method ,Using a vba code?
I am sure that it is not impossible because I have seen the same thing to disable the cut copy paste command but anyone know the right code ?
If so then (according to me) there is no just any way to crack the program..
What r u thinking?
Regards,


dansam

ndendrinos
02-10-2007, 08:30 AM
Wolfgang / johnske ... there is no preoccupation on my part at least to protect my code (never mine , but rather yours with great thanks) . The sole preoccupation are the few bad apples, educated in VBA , that for one reason or other decide to introduce malicious code in an excel file without anyone's knowledge thus creating harm .
Code is a great convenience and If anything should be shared rather than hidden
What I have learned recently and might prove of interest to anyone reading this post is this:
Out the window goes the the fallacy that upon opening an excel file one will be prompted to accept or decline macros if code exists in the said file.
The conversion bypasses this and that is really too bad.

mdmackillop
02-10-2007, 09:21 AM
Out the window goes the the fallacy that upon opening an excel file one will be prompted to accept or decline macros if code exists in the said file.
The conversion bypasses this and that is really too bad.
Surely if the file has been converted to .exe, you're no longer opening an Excel file. As with any exe file, you open it at your own risk.

ndendrinos
02-10-2007, 10:12 AM
Agreed Malcom . The problem is that the conversion looks to the eye exactly like an Excel file.

mdmackillop
02-10-2007, 11:04 AM
But only when it's been opened, then it's too late!

Justinlabenne
02-10-2007, 09:52 PM
As a note and a bit off topic, Visual Studio 2005 has the ildasm tool (Intermediate Language Disassembler), which can be used to view .Net compiled exe's and dll's in IL code (exposing most of the code in a pretty readable format)