Protecting your code
Today's article is from Petros Chatzipantazis of spreadsheet1.com and shows how VBA obfuscation can protect your code and intellectual property.
S1-CrunchCode
The problem:
By default, VBA code in Excel (or any other MS-Office application) can be accessed by anyone who knows how to open the Visual Basic Editor. In the absence of any password protection, any such user can open and alter VBA code, potentially breaking it. Even worse, a malicious user or macro virus could add code that performs pranks or compromises the security of files and settings on a user's computer.
The simple - but ineffective - solution:
Lock your VBA project using a password. Your VBA code will still run, but can only be viewed by a user who knows the correct password. Unfortunately, there are plenty of fairly inexpensive software tools that could recover a lost or forgotten VBE password, no matter its length or complexity, within seconds. In addition, Excel VBA code can be read directly (without using Excel) by many spreadsheet applications. For example, please note that 'LibreOffice Calc' doesn't seem to honor any VBE password protection in Excel files.
The advanced solution: S1-CrunchCode
There is a solution called VBA obfuscation. Obfuscation is a set of techniques that hide the intent of your Excel VBA program without changing its runtime behavior. For example, obfuscated VBA code will run in both 32-bit and 64-bit Office 2010/2013 versions, if your original code was designed to do so.
When obfuscation is properly applied, it can increase the protection against hackers by orders of magnitude, while leaving your Excel application intact. Obfuscation has been commonly used in .NET and Java environments for years and has been helping companies protect their intellectual property.
If your Excel VBA code shouldn't be exposed globally or if your entire business rests on the intellectual property embodied in your Excel software, then obfuscating your VBA code becomes a necessity, not a luxury. Excel hackers can steal unique ideas, algorithms, sensitive information such as passwords, SQL queries, crack addins and change workbook functionality.

Native VBA code (left) is transformed into obfuscated VBA code (right) using the techniques discussed below
Notable Obfuscation Protection Techniques
S1-CrunchCode uses several proven obfuscating methods, so that it is extremely difficult for a hacker to reverse-engineer your VBA code. Some of the techniques are described below:
1) Removal of comments & indentations
As discussed in our article about VBA Development Best Practices, code layout makes not a bit of difference to the computer. A good visual layout of VBA code only helps the developer to infer a significant amount of information about the logical structure of the program. An elementary obfuscation trick is to remove all comments, blank lines, debug statements and indentations.
2) Variable name mangling
A good variable naming convention in software development conveys the type, scope and purpose of the variable with a simple visual inspection of its name. This allows the developer to concentrate on what the code is doing rather than having to figure out how the code is structured.
S1-CrunchCode renames variables, modules, userforms, procedures and functions to garbled, human-unreadable names. There is absolutely no relation to the original names, which cannot be guessed or derived from the obfuscated names. Without any meaningful names in a VBA project, hackers must spend considerable time to determine the functionality of your code.
3) String Encryption
Plain text strings in VBA can be easily read. Hackers can use strings to
understand program logic and to reverse-engineer your VBA code. For example,
they could probably do searches for "License" which points them right
to the code where license handling is performed with the intent to disable or
remove licensing code. Searching for strings is straightforward in VBE. String
encryption raises the bar, because only the encrypted (human unreadable)
version is shown in your VBA code.
4) Control Flow Obfuscation
Obfuscation of program control flow is a powerful obfuscation technique. Its goal is to hide the intent of a sequence of instructions without changing the program logic, e.g. by splitting code into multiple lines or merging several lines.
5) Tamper protection
Your obfuscated code will be protected against modifications. Excel will stop
running at once, if the code is modified or the VBE password is removed.
6) Declarative obfuscation
Procedures or entire modules (e.g. open source code) can be excluded from obfuscation using custom attributes embedded in your code.
7) Obfuscation of UserForm controls
Using our unique and sophisticated technique, all obfuscated Excel UserForms appear identical and without controls. However, at runtime, UserForms are restored to their original size and populated with controls, exactly as designed by the developer.
A hacker would have to spend considerable time trying to locate the code that corresponds to an Excel form shown only when the program is run. Populating the UserForm with controls and restoring it back to its original size would be a major task too.

All obfuscated Excel UserForms are shown empty in VBE, with identical dimensions and garbled names.
Obfuscation Pitfalls
Obfuscation can be tricky on complex Excel applications. A poorly designed obfuscator can break your application, e.g. by obfuscating reserved keywords. S1-CrunchCode has been over 2 years in the making and has been tested with 100s of Excel applications successfully. A free trial is available for testing with your VBA code.
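As an added illustration (not S1-CrunchCode's code, and not from the original article), the Python sketch below applies techniques 1 and 2 to a VBA snippet and shows how to avoid the pitfall above: only declared names are renamed, while reserved words, string literals and members after a dot are left alone. The `RESERVED` list, the `keep` parameter, the `z0000`-style names and the sample are assumptions made for this example.

```python
import re

# Partial keyword/built-in list, constructed for this example (not exhaustive).
RESERVED = {"sub", "function", "end", "dim", "const", "as", "if", "then", "else",
            "for", "to", "next", "byval", "byref", "string", "long", "msgbox"}
DECLARERS = {"dim", "const", "sub", "function", "byval", "byref"}
# Order matters: string literal ("" is an escaped quote), comment, identifier.
TOKEN = re.compile(r'"(?:[^"]|"")*"|\'.*|[A-Za-z][A-Za-z0-9_]*|\s+|.')

def declared_names(lines, keep=()):
    """Names that directly follow a declaring keyword, lower-cased (VBA ignores case)."""
    skip = RESERVED | {k.lower() for k in keep}
    names = []
    for line in lines:
        prev = ""
        for tok in TOKEN.findall(line):
            if tok[0].isalpha():
                low = tok.lower()
                if prev in DECLARERS and low not in skip and low not in names:
                    names.append(low)
                prev = low
            elif not tok.isspace():
                prev = ""  # strings, comments and punctuation end a declaration
    return names

def obfuscate(source, keep=()):
    lines = source.splitlines()
    mapping = {n: f"z{i:04x}" for i, n in enumerate(declared_names(lines, keep))}
    out = []
    for line in lines:
        res = []
        for tok in TOKEN.findall(line):
            if tok.startswith("'"):
                continue  # technique 1: drop comments
            # Technique 2: rename declared names; strings and members after "." stay.
            if tok[0].isalpha() and res[-1:] != ["."]:
                tok = mapping.get(tok.lower(), tok)
            res.append(tok)
        out.append("".join(res).strip())  # technique 1: drop indentation
    return "\n".join(l for l in out if l)  # technique 1: drop blank lines

# Constructed sample input for this example.
SAMPLE = '''\
Sub CheckLicense(ByVal key As String)
    ' Compare against the stored value
    Dim msg As String
    msg = "Don't rename key or msg in here"   ' trailing comment
    If key = "" Then MsgBox msg
End Sub'''
```

Passing `keep=("CheckLicense",)` leaves that procedure name untouched, which is needed for entry points that are called by name from outside the project.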
Conclusion
Each of the above techniques, which are already proven with .NET & Java assemblies, is on its own quite effective against hackers. When combined together for the obfuscation and code protection of Excel VBA projects, they form an impenetrable shield which is extremely difficult to break.
Until now, competitive Excel locking solutions compiled workbooks to an executable file or required additional runtime libraries to be installed on a client computer. S1-CrunchCode just hides the intent of your Excel VBA program without changing its runtime behavior. Your obfuscated program will run in any Excel version and in both 32/64 bit Office versions, if your original code does so.
S1-CrunchCode is a powerful code protection and obfuscation tool, which enables Excel VBA developers to deploy Excel workbooks and Addins without exposing the inner workings of their source VBA code.
For detailed information, please visit the dedicated CrunchCode website or download your free trial below: