VBA obfuscation

Today’s article is from Petros Chatzipantazis of spreasheet1.com and shows how VBA obfuscation can protect your code and intellectual property.

S1-CrunchCode

The problem:
By default, VBA code in Excel (or any other MS-Office application) can be accessed by anyone who knows how to open the Visual Basic Editor. In the absence of any password protection, any such user can open and alter VBA code, potentially breaking it. Even worse, a malicious user or macro virus could add code that performs pranks or compromises the security of files and settings on a user’s computer.

The simple – but ineffective – solution:
Lock your VBA project using a password. Your VBA code will still run, but can only be viewed by a user who knows the correct password. Unfortunately, there are plenty of fairly inexpensive software tools that could recover a lost or forgotten VBE password, no matter its length or complexity, within seconds.

In addition, Excel VBA code can be read directly (without using Excel) by many spreadsheet applications. For example, please note that ‘LibreOffice Calc’ doesn’t seem to honor any VBE password protection in Excel files.

The advanced solution: S1-CrunchCode
There is a solution called VBA obfuscation. Obfuscation is a set of techniques that hide the intent of your Excel VBA program without changing its runtime behavior e.g. obfuscated VBA code will run in both 32/64 bit Office 2010/2013 versions, if your original code was designed to do so.

When obfuscation is properly applied, it can increase the protection against hackers by orders of magnitude, while leaving your Excel application intact. Obfuscation is commonly used in .Net and Java environments for years and has been helping companies protect their intellectual property.

If your Excel VBA code shouldn’t be exposed globally or if your entire business rests on the intellectual property embodied in your Excel software, then obfuscating your VBA code becomes a necessity, not a luxury. Excel hackers can steal unique ideas, algorithms, sensitive information such as passwords, SQL queries, crack addins and change workbook functionality.

 

Native
VBA code <left) is transformed into obfuscated VBA code (right> using the
techniques discussed below

 

 

Notable Obfuscation Protection Techniques

S1-CruchCode uses several proven obfuscating methods, so that it is extremely difficult for a hacker to reverse-engineer your VBA code. Some of the techniques are described below:

1) Removal of comments & indentations
As discussed in our article about VBA Development Best Practices code layout makes not a bit of difference to the computer. A good visual layout of VBA code only helps the developer to infer a significant amount of information about the logical structure of the program. An elementary obfuscation trick is to remove all comments, blank lines, debug statements and indentations.

2) Variable name mangling
A good variable naming convention in software development conveys the type, scope and purpose of the variable with a simple visual inspection of its name. This allows the developer to concentrate on what the code is doing rather than having to figure out how the code is structured.

S1-CrunchCode renames variables, modules, userforms, procedure and function names to a garbled human unreadable name. There is absolutely no relation to the original names, which cannot be guessed or derived from the obfuscated names. Without any meaningful names in a VBA project, hackers must spend considerable time to determine the functionality of your code.

3) String Encryption
Plain text strings in VBA can be easily read. Hackers can use strings to understand program logic and to reverse-engineer your VBA code. For example, they could probably do searches for “License” which points them right to the code where license handling is performed with the intent to disable or remove licensing code. Searching for strings is straightforward in VBE. String encryption raises the bar, because only the encrypted (human unreadable) version is shown in your VBA code.

4) Control Flow Obfuscation
Obfuscation of program control flow is a powerful obfuscation technique. It’s goal to hide the intent of a sequence of instructions without changing the program logic e.g. splitting code into multiple lines or merging several lines etc.

5) Tamper protection
Your obfuscated code will be protected against modifications. Excel will stop running at once, if the code is modified or the VBE password is removed.

6) Declarative obfuscation
Procedures or entire modules (e.g. open-source code) can be exclude from obfuscation using custom attributes embedded in your code.

7)Obfuscation of UserForm controls
Using our unique and sophisticated technique, all obfuscated Excel UserForms appear identical and without controls. However at runtime, UserForms are restored to their original size and populated with controls, exactly as designed by the developer. 

A hacker would have to spend considerable time trying to locate the code that corresponds to an Excel form shown only when the program is run. Populating the UserForm with controls and restoring it back to its original size would be a major task too.

 

All
obfuscated Excel UserForms are shown empty in VBE, with identical dimensions
and garbled names.

 

 

Obfuscation Pitfalls
Obfuscation can be tricky on complex Excel applications. A poorly designed obfuscator can break your application e.g. by obfuscating reserved keywords. S1-CruchCode has been over 2 years in the making and has been tested with 100s of Excel applications successfully. A free trial is available for testing with your VBA code.

Conclusion
Each of the above techniques, which are already proven with .NET & Java assemblies, are on their own quite effective against hackers. When combined together for the obfuscation and code protection of Excel VBA projects, they form an impenetrable shield which is extremely difficult to break.

Until now, competitive Excel locking solutions compiled workbooks to an executable file or required additional runtime libraries to be installed on a client computer. S1-CrunchCode just hides the intent of your Excel VBA program without changing its runtime behavior. Your obfuscated program will run in any Excel version and in both 32/64 bit Office versions, if your original code does so.

S1-CrunchCode is a powerful code protection and obfuscation tool, which enables Excel VBA developers to deploy Excel workbooks and Addins without exposing the inner workings of their source VBA code.

For detailed information, please visit the dedicated CrunchCode website or download your free trial below: 

For more guest articles, see Guest articles and postings

For help and more information join our forumfollow the blogfollow me on twitter