Menu
I have a corrupted Excel vbaproject.bin extracted from .xlam add-in. How can I read modules with vba code extracted from this bin file as HEX streams? I'm using oletools, more details in this thread:
https://bitbucket.org/decalage/oletools/issues/38/extracted-vba-hex-files-from-vbaprojectbin
597
The VBAProject. bin is a binary file of any VBA project (as described above, an Excel workbook or document with a macro) that contains all the code modules of the project/workbook in it. “VBAProject. bin” is a default name given by MS Office to the binary VB Project file.
To open any workbook file, we will go to the VBA page and type the code 'open wb, then we will press the enter key and type “Workbooks. Open myFile”.
Use Alt+F11 to enter the macro editor. Once in VBA double click the sheet you need to unlock from the menu listing on the left. This will open the general declarations page for the sheet. Sub PasswordBreaker() 'Breaks worksheet password protection.
Open up the file in Excel. Head to the Developer tab and click Visual Basic, and try to access the Project menu. You should see the password prompt, and with any luck, the correct password should be the one we set up in our dummy document. We're back in the document!
I never succeeded in recovering the VBA code with oletools. However I had some success with oledump:
http://blog.didierstevens.com/programs/oledump-py/
I found it better suited to work with a corrupted workbook. So if you want to give it a try, download oledump.py:
https://github.com/DidierStevens/DidierStevensSuite/raw/master/oledump.py
You also need to install the module dependency "olefile" :
C:\temp>pip install olefile
Next, open your workbook with 7zip and extract the "xl\vbaProject.bin". You can also extract each module present in "xl\vbaProject.bin\VBA\" if oledump is unable to read vbaProject.bin.
Then execute this command to display all the modules in the vbaProject.bin:
C:\temp>python oledump.py --vbadecompresscorrupt C:\temp\vbaProject.bin
And to display the code from a module, add -s followed by the module number:
C:\temp>python oledump.py --vbadecompresscorrupt -s 3 C:\temp\vbaProject.bin
If reading the vbaProject.bin failed, extract the targeted module with 7zip and try to read it directly:
C:\temp>python oledump.py -r -v --vbadecompresscorrupt C:\temp\Module1
C:\temp>python oledump.py -r -v --vbadecompresscorrupt C:\temp\ThisWorkbook
Now, if at this point you haven't seen a line of VBA, then the code is most probably unrecoverable.
145
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
