Neil's News

VBA Security

6 May 2004

An elderly friend found my earlier article about gears. Since he's a gear-making guru, he had a few words to say on the topic. Being Canadian, he wrote his comments in Corel WordPerfect, attached it to an email then sent it to me. When I get this sort of thing I usually throw back a form letter (loosely based on Stallman's template) telling the person not to use proprietary file formats. But in this case that didn't seem like an appropriate course of action. So the quest began to read the offending document.

OpenOffice won't open it. Word won't open it. Corel don't publish a viewer. Google doesn't interpret it (yet). A hex editor showed enough content to get the gist of what he wrote, but wasn't satisfactory. Fortunately a company called WordAutomation have a product called CleanConvert which purports to convert WordPerfect documents to Word. Cleverly they've built their application as a VBA macro within Word. Unfortunately when I ran it, the program failed with a fatal error in a date module. I wrote to WordAutomation with a description of the problem. They didn't bother to reply. [Update: they eventually replied and suggested I uninstall and reinstall.]

When all else fails, use the source. CleanConvert's code was "protected" using Microsoft's "security". Two minutes later I was happily browsing the code using OpenOffice. A bit of tracing showed that the fatal error was coming from a dependency bug in the module that checked if the demo version had expired. Which meant in order to legitimately use the demo, I would have to crack it! While OpenOffice will view "protected" VBA code, it cannot modify it.

Using diff and a hex editor, it soon became pretty obvious that Microsoft's passwords were set using three fields called CMG, DPB and GC. All one has to do is save a file with a known password, find these fields, copy their values into the same fields of the offending file, and presto one has full access. Not even a simple checksum to slow one down. Once I had access to CleanConvert's code, it was just a matter of deleting the date module, setting the demo mode to never expire, and converting my friend's document. His comments have been posted as an update to the Diametral Pitch article.
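Since the format carries no checksum over CMG, DPB and GC, anyone shipping a "protected" project can only notice a change to them by keeping a fingerprint of their own. The sketch below is an added example, not code from the original article or from Microsoft; it assumes the fields appear in the file bytes as NAME="HEX" text, and the sample bytes and values are constructed. It detects altered fields only and does nothing to keep the source itself private.

```python
import hashlib
import hmac
import re

FIELDS = ("CMG", "DPB", "GC")  # the three fields named in the article
# Assumption: each field is stored as NAME="HEXDIGITS" in plain text.
FIELD_RE = re.compile(rb'\b(CMG|DPB|GC)="([0-9A-Fa-f]*)"')


def protection_fields(data: bytes) -> dict:
    """Return the CMG/DPB/GC values found in the raw bytes (last one wins)."""
    return {m.group(1).decode(): m.group(2).decode().upper()
            for m in FIELD_RE.finditer(data)}


def fingerprint(data: bytes) -> str:
    """SHA-256 over the three fields in a fixed order; raises if any is absent."""
    found = protection_fields(data)
    missing = [name for name in FIELDS if name not in found]
    if missing:
        raise ValueError("protection fields not found: " + ", ".join(missing))
    canonical = "\n".join(f"{name}={found[name]}" for name in FIELDS)
    return hashlib.sha256(canonical.encode()).hexdigest()


def check(baseline: str, data: bytes) -> str:
    """Compare a file against the fingerprint recorded when it was released."""
    try:
        current = fingerprint(data)
    except ValueError as exc:
        return f"ALERT: {exc}"
    if hmac.compare_digest(current, baseline):
        return "ok"
    return "ALERT: protection fields differ from the released copy"


# Constructed sample bytes standing in for the relevant part of a document.
SAMPLE_RELEASED = (b'Name="DemoProject"\r\n'
                   b'CMG="AAAA1111"\r\nDPB="BBBB2222"\r\nGC="CCCC3333"\r\n')
SAMPLE_RETURNED = SAMPLE_RELEASED.replace(b'DPB="BBBB2222"', b'DPB="DDDD4444"')
SAMPLE_STRIPPED = b'Name="DemoProject"\r\nCMG="AAAA1111"\r\n'

if __name__ == "__main__":
    baseline = fingerprint(SAMPLE_RELEASED)
    for label, blob in (("released", SAMPLE_RELEASED),
                        ("returned", SAMPLE_RETURNED),
                        ("stripped", SAMPLE_STRIPPED)):
        print(label, "->", check(baseline, blob))
```

The baseline has to be stored outside the document, since anything kept inside the file can be rewritten along with the fields.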

As usual, once one has found the answer (in this case: CMG, DPB and GC) it is easy to determine if anyone else has found it first. Google quickly found a match in a small company called ElcomSoft. Why am I not surprised? Note to self, don't visit the USA any time soon. [Insert appropriate 'Soviet Russia' joke here.]

Update: Unfortunately a client has now asked me to "protect" a VBA application which I wrote for him several months ago. How does one make an insecure platform secure? I'm currently examining the concept of building an encrypted VM on top of VBA.


 
-------------------------------------
Legal yada yada: My views do not necessarily represent those of my employer or my goldfish.