[AccessD] Unlock/Unprotect VBA Project

Bill Benson bensonforums at gmail.com
Mon May 7 18:24:53 CDT 2018


I wrote to the author of Unviewable+... He wrote back that not all of the
vba project is stored in text form (my note: he did not specify which parts
are or aren't). What is readable in a hex editor kind of depends - mostly
driven by the simplicity of the compression algorithm, especially if not
random text. He allows that an advanced and determined hacker could
decompress the entire VBA project using special software and compromise the
intellectual property.

I'll just add my two bits, that this can be partially mitigated by
obfuscating the code, spreading out passwords across several seemingly
garbldy-gook function calls, with strings spread across multiple forms and
controls in their text properties... it would take an awfully determined
and advanced hacker to crack this mechanism. As for dealing with hashes in
general, I know nothing of how to do that.

I rest my (perhaps weak) case at this point.

Cheers!


On Mon, May 7, 2018 at 1:45 AM, Stuart McLachlan <stuart at lexacorp.com.pg>
wrote:

> ISTM that if the actual connection strings, passwords etc are "stored"
> anywhere in the
> application, be it a form's text or tag property or anywhere else, then
> opening the file in a hex
> viewer is likely to reveal them.
>
>
> On 7 May 2018 at 3:37, Bill Benson wrote:
>
> > Stuart,
> >
> > Can you demonstrat that storing them in the manner I proposed,
> > together with an "unviewable +" locked project exposes this
> > information, in any possible way -other than perhaps reading internal
> > memory, which would be WAY WAY WAY over my head to figure out how to
> > do? Without a public function in the target workbook which exposes
> > them, do you have any method of getting at that info?
> >
> > On Sun, May 6, 2018, 11:06 PM Stuart McLachlan
> > <stuart at lexacorp.com.pg> wrote:
> >
> > > If you are that concerned about application security, you shouldn't
> > > be storing passwords at all.  Store a cryptographic hash and then
> > > compare the hash of the entered password to the stored hash.  Same
> > > with usernames.
> > >
> > > On 6 May 2018 at 21:33, Bill Benson wrote:
> > >
> > > > I did find a means of hiding all connection strings, passwords,
> > > > etc in a userform control's text or tag properties. It is
> > > > virtually impossible to force that userform into a loaded state to
> > > > read those crucial strings, from an external workbook, unless I
> > > > the author of the protected workbook was foolish enough to have a
> > > > public sub that loaded them, therefore it was virtually impossible
> > > > to get access to that protected information.
> > >
> > > --
> > > AccessD mailing list
> > > AccessD at databaseadvisors.com
> > > http://databaseadvisors.com/mailman/listinfo/accessd
> > > Website: http://www.databaseadvisors.com
> > >
> > --
> > AccessD mailing list
> > AccessD at databaseadvisors.com
> > http://databaseadvisors.com/mailman/listinfo/accessd
> > Website: http://www.databaseadvisors.com
> >
>
>
> --
> AccessD mailing list
> AccessD at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/accessd
> Website: http://www.databaseadvisors.com
>


More information about the AccessD mailing list