Hack into a protected Excel 2007 or 2010 Workbook

I’m back from the Power Analyst Bootcamp in Washington DC – and of course, it was a success. 37 of the finest analysts attended the 2-day event, where we shared our passion for Excel, deli meats, and spicy tricks and tips. In the end, everyone left with a bag full of new techniques that will make them better analysts.

While I was gone, there seems to have been a flurry of activity and questions about hacking into a protected workbook. A couple of years ago, I posted a slick technique you can use to hack into a protected 2007 worksheet. Apparently, hacking into a protected workbook is also a highly desired talent. So today, I’ll walk through the steps to hack into a protected workbook.

Excel 2007 and 2010 files are essentially zipped packages that contain XML files. This means that if you take an xlsx file and change the extension to zip, you’ll be able to see all the xml documents that make up your Excel file. Not only that – you can change the content and properties of an Excel 2007 file simply by manipulating the XML documents that make it up.

That’s right. You can remove workbook protection by making one small edit to the XML within the Excel file.

When you encounter a protected workbook, it’s typically locked down so that you can’t change the structure of the workbook. This means you can’t unhide sheets, delete tabs, add sheets, or change the workbook structure in any way.

So let’s start hacking.

Step 1: Make a backup of your file in case things take a turn for the worse.

Step 2: Change the file extension to zip.

Step 3: Extract the contents of the zip file.

Step 4: Go to the extracted files and navigate to the xml for the target sheet (found in the ‘xl\worksheets’ directory)

Step 5: Open the target sheet’s xml document using an XML editor (I use a free editor called XML Marker)

Step 6: Find the ‘workbookProtection’ tag and remove the entire line.

Step 7: Save the edited xml document and replace the old xml document found in the original zip file.

Step 8: Change the extension back to xlsx.

At this point, your workbook is unprotected!

A couple of notes:

1. Any password you see in the XML file is not the real password, nor will it work if you try to use it. It’s worthless.

2. It seems as though this will only work on workbooks that have been protected for structure only. If the workbook has been protected for structure and ‘Windows’, something prevents you from even opening the Open XML package.

3. You obviously cannot do this for Excel 2003 or any kind of xls files.

4. See this link to hack into a protected worksheet.
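
An added example, not part of the original post: a read-only audit that reports which files rely on this kind of removable protection markup, so it is not mistaken for an access control. The names `audit_workbook` and `build_sample` and the sample package are constructed for illustration; a file that begins with the compound-file signature is not a ZIP package at all, which is how legacy .xls files and workbooks encrypted with a password to open appear.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # compound-file signature
TAGS = ("workbookProtection", "sheetProtection")

def audit_workbook(data: bytes) -> dict:
    """Report how an Excel file is protected; the file is never modified."""
    if data.startswith(OLE_MAGIC):
        # Not a ZIP package: legacy .xls, or an Open XML file that was
        # encrypted with a password to open.
        return {"container": "compound", "findings": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"container": "unknown", "findings": []}
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("xl/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(name))
            for tag in TAGS:
                for el in root.iter(NS + tag):
                    findings.append({"part": name, "element": tag,
                                     "attributes": dict(el.attrib)})
    return {"container": "zip", "findings": findings}

def build_sample() -> bytes:
    """Constructed sample: a minimal package carrying both protection elements."""
    xmlns = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    parts = {
        "xl/workbook.xml": f'<workbook {xmlns}><workbookProtection '
                           'lockStructure="1" workbookPassword="CA35"/></workbook>',
        "xl/worksheets/sheet1.xml": f'<worksheet {xmlns}><sheetData/>'
                                    '<sheetProtection sheet="1" password="CA35"/></worksheet>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()

if __name__ == "__main__":
    for f in audit_workbook(build_sample())["findings"]:
        print(f["part"], f["element"], f["attributes"])
    print(audit_workbook(OLE_MAGIC + b"\x00" * 504)["container"])
```

Any finding in a ZIP container means the workbook's contents are stored unencrypted and the protection is only a flag in the XML; a `compound` result means the ZIP approach described above does not apply to that file.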

144 thoughts on “Hack into a protected Excel 2007 or 2010 Workbook”

  1. Chris

    This is brilliant. Thank you. I am amazed that the security for excel is such crap — I have worked for organizations where financial data is kept in spreadsheets with locked data, and that was considered part of the internal controls mechanism (that the spreadsheet was locked). I am talking about fortune 500 international company too.

  2. Kiran

    Boss, You are ultimate…….. boss….
    send us if you have any good things like this….
    to help us educate ourselves.

  3. DJ

    by the way do we have any chance to remove the password which is secured to open the file? or to view the content of the file?

  4. Naga Mahendra

    I have an Excel file which is not opening at all. The Excel file is zipped and when I am trying to extract or open the file it is asking for password.

    Please help me out in this

    Thanks in Advance

  5. Gary Lee

    I’ve written a VB.NET application that looks at the file structure gets the sheet protection password hash and offers the shortest English word that can be used to un-protect each protected sheet in the workbook instantaneously. The sheet protection Password is stored as a 4 char hex string so there are only 32,768 possible permutations so lots of clashes.
    Happy to share with anyone that wants it.
    When I finish the structured storage portion I will release the source but for now it only works on xlsx and xlsm files not the older xls or newer xlsb which is why I need to finish off the Storage code.

  6. KAMAR

    Hi dears,

    When I tried to Extract the protected excel file after renaming as .zip pops up a message
    “No archives found” and cannot be extracted please can anyone clarify me.

    Thanks in advance

  7. Ade

    Ingenious, you just made me look like a guru after using it to help a colleague. All credits to you mate!
    Many thanks

  8. Ross

    Gary Lee, would love to see your work on password hashes. Would be invaluable at the moment as I’m currently firefighting in a finance department where the entire team left at short notice and in trying to come in and pick up the pieces am left with mountains of protected workbooks and sheets.

  9. Eric

    Thanks very much. Works like a charm for a workbook with only structure protected.

    BTW, Gary, there are already VB macros to hack worksheet passwords, don’t need to reinvent the wheel. Just google will suffice.

    However, to hack the password to open the workbook is another story.

  10. Frans

    i’ve tried it…
    changed the extension to zip…
    nothing to extract… “No archives found”
    anyway, tq…

  11. Gary Lee

    Eric,
    Sorry, I’ve been away but am now back and happy to share my code.
    there are Hacks out there but that’s exactly what they are “Hacks”
    your link shows a way to crack a sheet protection password and although it works, it is exactly as you say, a hack. It goes through far more iterations than it needs to, looks to be about double. and will give you a nonsensical string that will un-protect a sheet by trying each iteration until it finds one that matches (brute force) but it won’t make sense. whereas my code, because I’ve read the Specification and written code with a dictionary of English words and their associated hashes (I wrote an excel hash algorithm)
    for example, “eric” and “able” both have the same hash of CA35 so you could protect a sheet with one and unprotect with another, likewise “Eric” and “Able” are interchangeable with a hash of CA75.
    Note, it’s a fluke that upper case changes are the same in this instance.

  12. Gary Lee

    So here is the code to produce an excel worksheet protection hash when passed a password written in VB.NET but you could easily write it in VBA C# etc

    Friend Shared Function CalculatePasswordHash(Password As String) As String
        Dim num As UShort = 0
        Try
            ' Walk the password from its last character to its first.
            For i As Integer = Password.Length - 1 To 0 Step -1
                num = num Xor CUShort(AscW(Password(i)))
                ' Rotate the low 15 bits left by one position.
                num = (CUShort((num >> 14 And 1)) Or CUShort((CInt(num) << 1 And 32767)))
            Next
            num = num Xor CUShort(52811)

            num = num Xor CUShort(Password.Length)
            Return num.ToString("x").ToUpper
        Catch
            Return ""
        End Try

    End Function

  13. Gary Lee

    I then grabbed the biggest word list I could and sorted it by length then passed each word to this function to get the hashes, I kept the shortest words with unique hashes using lower case, first letter in upper case and all in upper case to keep the list and associated hashes as small as possible 22,000 words cover all 32,768 hash codes.

    with a complete list of all possible hashes it was then easy to write code to get the hashes from the workbook along with their associated worksheet names

  14. Gary Lee

    Workbook Open Password:
    The older versions of Excel (xls) 97 are easy to crack the workbook on open using brute force as they rely on two iterations of MD5 encryption one of RC4 and a final third one of MD5. so grabbing the Encryption Verifier, the Encryption Verifier Hash and the salt from the workbook stream means you can do this in a reasonable amount of time.
    I’ve written this in VB.net also and as we only need the first 10 characters of the hash to decrypt the workbook (or ms word document) it doesn’t take too long my code currently takes 3 days but using cudify to utilise an Nvidia GPU it takes less than 5 minutes.
    I had to write the RC4 and MD5 algorithms as the Microsoft cryptography classes in .Net are really slow in comparison and when needing to run millions of iterations a second it was taking over 7 days……
    even 5 minutes could be speeded up using rainbow tables and a memory trade off but for my purposes (understanding excel encryption) there wasn’t any need.

  15. JamesB

    @Gary Lee you have got to be joking! A basic hex hack can be automated so it takes a fraction of a second. Although there are still better (faster and neater) alternatives.

  16. Gary Lee

    JamesB:
    it’s in the word “HACK!”
    I’m interested in the mechanics, the structure and the encryption not in a Hack.
    hence the Do It Right approach.

    Giving an actual password using a word from an English dictionary without changing the structure or contents of a file has to be a preferred method.

    A Hex Hack for the VBA Backdoor Password is possible but not a great method as it changes the file structure and can cause issues on opening the file.

    As for the Password for Opening an excel 97 file, if you can show a hex hack that does that, I’d be very very amazed as the file is encrypted using as I’ve said EV EVH and SALT
    so any changes to the file in a hex editor would render the file useless.

  17. Gary Lee

    @Puneet:
    This can only be done on Excel workbooks with extensions XLSX and XLSM as these use XML, XLSB, reverts to compound storage and XLS is also compound so can’t be accessed this way.

    You may also have issues with WinZip not recognising the file as a zip file so it’s best to use 7Zip which will open the files once you’ve changed the extension to ZIP.

  18. JamesB

    @Gary Lee
    If you email an xl97 file to me (jbrown124 [at] hotmail.co,uk) with a single (password protected) VBA Module containing a word or phrase (of your choosing) then I will post on here what that word or phrase is.

  19. Hossein

    Hi dears,

    When I tried to Extract the protected excel file after renaming as .zip pops up a message
    “No archives found” and cannot be extracted please can anyone clarify me.

    Thanks in advance

  20. Gary Lee

    @Hossein: if the file is XLSX or XLSM then you can rename as .zip and open with 7Zip Not Winzip
    XLSB uses the BIFF (Binary Information File Format) so is not in zip format as are older files xls.

    @JamesB: I am fully conversant with the various encryption and security methods used by Excel 97,2003,2007,2010 so really don’t need someone to show me they can perform a hack on an old file.

  21. Donna

    I tried with 7zip and I get Can not open the file
    the File is a Compound archive.

    I must be doing something wrong. HELP

  22. Gary Lee

    Hi Donna, what is your current file extension (xlsb, xls, xlsx)? this will only work on xlsm and xlsx file extensions.
    you can contact me directly on

    gary.lee AT sarxos . com

  23. Gary Lee

    Donna,
    This particular method won’t work with a compound file this will only work on XLSM and XLSX files.

  24. Andrei

    @Garry Lee
    I have a protected 2010 excel file and i forgot the password.
    Can you help me to open it?

  25. Velma

    My problem here is that the whole workbook seems protected, not just sheets. I used a Hex Editor to change the DBP to DBx, because it was protected and I couldn’t get into the VBA editor. So I got that done, but every time I use an XML Editor and try to go to a certain page in the book, I get a pop up that says “EXCEL PASSWORD SECURITY BREACH” with no option but to click “OK”, which results in the book closing itself. I can get into VBA editor, but I’d like to know how to disable this password crack detection and shutdown feature, and if that can be done thru the VBA editor (sorry, I’m a nood here…)

  26. Gary Lee

    Velma, why are you using an XML Editor? can you open it directly in Excel? what is the file extension, what version of Excel created the file?

  27. Aayaan shah

    Lee my file is lack with password, when i open it , it required password,, so can you help me, break that password..
