我基于Đức Thanh nguynun的精彩回答，让这种方法适用于64位版本的Excel。我在64位的Windows 7上运行Excel 2010 64位。

Open the file(s) that contain your locked VBA Projects. Create a new xlsm file and store this code in Module1 Option Explicit Private Const PAGE_EXECUTE_READWRITE = &H40 Private Declare PtrSafe Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" _ (Destination As LongPtr, Source As LongPtr, ByVal Length As LongPtr) Private Declare PtrSafe Function VirtualProtect Lib "kernel32" (lpAddress As LongPtr, _ ByVal dwSize As LongPtr, ByVal flNewProtect As LongPtr, lpflOldProtect As LongPtr) As LongPtr Private Declare PtrSafe Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleName As String) As LongPtr Private Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As LongPtr, _ ByVal lpProcName As String) As LongPtr Private Declare PtrSafe Function DialogBoxParam Lib "user32" Alias "DialogBoxParamA" (ByVal hInstance As LongPtr, _ ByVal pTemplateName As LongPtr, ByVal hWndParent As LongPtr, _ ByVal lpDialogFunc As LongPtr, ByVal dwInitParam As LongPtr) As Integer Dim HookBytes(0 To 5) As Byte Dim OriginBytes(0 To 5) As Byte Dim pFunc As LongPtr Dim Flag As Boolean Private Function GetPtr(ByVal Value As LongPtr) As LongPtr GetPtr = Value End Function Public Sub RecoverBytes() If Flag Then MoveMemory ByVal pFunc, ByVal VarPtr(OriginBytes(0)), 6 End Sub Public Function Hook() As Boolean Dim TmpBytes(0 To 5) As Byte Dim p As LongPtr Dim OriginProtect As LongPtr Hook = False pFunc = GetProcAddress(GetModuleHandleA("user32.dll"), "DialogBoxParamA") If VirtualProtect(ByVal pFunc, 6, PAGE_EXECUTE_READWRITE, OriginProtect) <> 0 Then MoveMemory ByVal VarPtr(TmpBytes(0)), ByVal pFunc, 6 If TmpBytes(0) <> &H68 Then MoveMemory ByVal VarPtr(OriginBytes(0)), ByVal pFunc, 6 p = GetPtr(AddressOf MyDialogBoxParam) HookBytes(0) = &H68 MoveMemory ByVal VarPtr(HookBytes(1)), ByVal VarPtr(p), 4 HookBytes(5) = &HC3 MoveMemory ByVal pFunc, ByVal VarPtr(HookBytes(0)), 6 Flag = True Hook = True End If End If End Function Private Function MyDialogBoxParam(ByVal hInstance As LongPtr, _ ByVal pTemplateName As LongPtr, ByVal hWndParent As LongPtr, _ ByVal lpDialogFunc As LongPtr, ByVal dwInitParam As LongPtr) As Integer If pTemplateName = 4070 Then MyDialogBoxParam = 1 Else RecoverBytes MyDialogBoxParam = DialogBoxParam(hInstance, pTemplateName, _ hWndParent, lpDialogFunc, dwInitParam) Hook End If End Function Paste this code in Module2 and run it Sub unprotected() If Hook Then MsgBox "VBA Project is unprotected!", vbInformation, "*****" End If End Sub

这对我来说很有效，我在这里记录了它，希望它能帮助别人。我还没有完全测试过。请确保在继续此选项之前保存所有打开的文件。

事实上，大多数启用宏的Office文档的代码文件都没有加密，密码只会阻止使用Office程序打开项目。 这意味着，正如其他答案所建议的那样，您通常可以使用Office替代品来访问和编辑该文件。

但是，如果你只是需要访问代码，你可以使用oldump .py这样的工具来提取宏代码。这对于恶意软件分析非常有用，还可以从文件中获取大部分代码，这样如果忘记密码，就不必从头开始了。

此外，许多excel文件在打开时动态设置密码。这意味着如果您可以阅读代码，您通常可以找到明文密码或消除混淆。

oledump.py例子:

列出一个办公文档中的所有“流”(嵌入式二进制文件或代码文件):

python oledump.py -v yourExcelFile.xlsm

输出:

A: xl/vbaProject.bin
 A1:      2000 'PROJECT'
 A2:      1500 'PROJECTwm'
 A3: M    1224 'VBA/Module1'
 A4: M   18694 'VBA/Module2'
 A5: M   11877 'VBA/Module3'
...

旁边带M的流是宏，这是未加密的VBA代码

提取流

python oledump.py -s A3 -v yourExcelFile.xlsm > Module1.vba

这将把A3流中包含的代码输出到Module1.vba。

我通常将此与循环结合起来，将所有文件解压缩到一个文件夹中。这个快速的PowerShell脚本将提取大多数文件中的所有流:

New-Item -ItemType Directory "Output"

# just hardcode the highest stream outputted by oledump.py -v
$max = 5 
for ($i = 1; $i -le $max; $i++) {
    python oledump.py -s "A$i" -v yourExcelFile.xlsm > ".\Output\A$i"
}

注意，这将只提取人类可读的文件。

Colin Pickard has an excellent answer, but there is one 'watch out' with this. There are instances (I haven't figured out the cause yet) where the total length of the "CMG=........GC=...." entry in the file is different from one excel file to the next. In some cases, this entry will be 137 bytes, and in others it will be 143 bytes. The 137 byte length is the odd one, and if this happens when you create your file with the '1234' password, just create another file, and it should jump to the 143 byte length.

如果您尝试将错误的字节数粘贴到文件中，当您尝试用Excel打开该文件时，您将丢失VBA项目。

EDIT

这对Excel 2007/2010文件无效。标准的。xlsx文件格式实际上是一个。zip文件，包含许多子文件夹，其中格式、布局、内容等存储为xml数据。对于未受保护的Excel 2007文件，只需将.xlsx扩展名更改为.zip，然后打开zip文件并查看所有xml数据。这很简单。

但是，当您对Excel 2007文件进行密码保护时，整个.zip (.xlsx)文件实际上是使用RSA加密进行加密的。不再可以将扩展名更改为.zip并浏览文件内容。

Colin Pickard is mostly correct, but don't confuse the "password to open" protection for the entire file with the VBA password protection, which is completely different from the former and is the same for Office 2003 and 2007 (for Office 2007, rename the file to .zip and look for the vbaProject.bin inside the zip). And that technically the correct way to edit the file is to use a OLE compound document viewer like CFX to open up the correct stream. Of course, if you are just replacing bytes, the plain old binary editor may work.

顺便说一句，如果你想知道这些字段的确切格式，他们现在有文档:

http://msdn.microsoft.com/en-us/library/dd926151%28v=office.12%29.aspx

万一你的街区 没有发生= \ r \ nDPB“XXXX”=“XXXXX”\ r \ nGC =“XXXXXX” 如果您的“已知密码”文件比“未知密码”文件中的现有块短，请用后面的零填充十六进制字符串以达到正确的长度。

e.g.

CMG=“xxxxxx”\r\nDPB=“xxxxx”\r\nGC=“xxxxx”

在未知密码文件中，应设置为

CMG="XXXX00"\r\nDPB="XXXXX000"\r\nGC="XXXXXX0000"保留文件长度。

我在office 2007中也使用过。xla(97/2003格式)文件。

ElcomSoft提供高级办公密码破断器和高级办公密码恢复产品，只要文档是在Office 2007或更早版本中创建的，就可以适用于这种情况。