crackXL - Microsoft Excel COM password cracker

This program was originally published on neworder and sourceforge. You can check the projects page or the comments section on neworder for more discussion. There you will find the implementation in .NET by stand__sure and the bruteforce version by rattle

When working with Office through COM you have several choices. You can either use .NET or Visual Basic, the result being the same for both which is having COM nicely packaged and wrapped up with all the extra overhead that comes with these two programming platforms. Another method is to code your client in C/C++ where you can use either MFC or attempt to make good use of the ole header on your own. This method should result in faster code but you don't get the benefits of the abstraction provided by .NET or MFC. Because I enjoy learning and hackerish exploration I chose to code without MFC or .NET.

There are several steps when accessing an Excel file via COM. The first step is to interface with COM and get the class identifier (CLSID) for Excel. This identifier located in the registry and is mapped to the programmatic identifier (PROGID) excel.application and also to the server Excel.exe.


Once you have the CLSID you use it, interfacing with the IUnknown interface to create an instance of the Excel Application. Next you need to call the QueryInterface method to determine the dispatch ID (DISPID) of the method we want to call. This ID is a unique number that identifies each method within the class. Once you have this Identifier you can use Invoke to call the method. When you invoke a function with IDispatch::Invoke you need to pass the correct parameter and be ready to receive it's returned value. You will see this pattern used throughout the code.

//filename: crackXL.cpp
//usage is: crackXL <excel file> <dictionary file> where the dictionary
//is a simple word list

#include <windows.h>
#include <ole2.h>
#include <fstream>

using namespace std;

int main(int argc, char* argv[])
	// global variables

	ifstream in_fp;
	const char* szFileName = argv[1];
	const char* szDictFile = argv[2];
	wchar_t wszFileName[MAX_PATH+1];
	DISPPARAMS dpNoArgs = {NULL, NULL, 0, 0};
	VARIANT vResult;	// used to hold variant results
	OLECHAR FAR* szFunction;
	IDispatch* pDispApp;
	IDispatch* pDispXlBooks;
	DISPID dispid_Books; 	//Documents property of application object
	DISPID dispid_Quit;
	BSTR bstrFileName = ::SysAllocString(OLESTR("filename"));
	BSTR bstrPassWord = ::SysAllocString(OLESTR("pass"));

	//get arguements and check files

	if ( argc != 3 ){
		printf("usage %s  \n", argv[0]);
	}, ios::in);
	if (!in_fp || strlen(szFileName) > MAX_PATH){
		printf("error loading %s\n", szFileName);
	in_fp.close();, ios::in);
	if (!in_fp){
		printf("error loading %s\n", szDictFile);

	//convert file name to bstr for use with COM
	MultiByteToWideChar(CP_ACP, 0, szFileName, strlen(szFileName)+1,
			wszFileName, sizeof(wszFileName)/sizeof(wszFileName[0]));

	bstrFileName = ::SysAllocString(wszFileName);
	// COM work starts here

	//Initialize COM
	printf("initializing COM...\n");

	//get the CLSID for the Excel Application Object
	CLSID clsid;
	CLSIDFromProgID(L"Excel.Application", &clsid);

	//get a pointer to the Objects IUnknown interface and Create
	//an instance of the Excel Application.

	IUnknown* pUnk;
	HRESULT hr = ::CoCreateInstance( clsid, NULL,
			CLSCTX_SERVER, IID_IUnknown, (void**) &pUnk);

	printf("instance of Excel Created...\n");

	   All COM interfaces inherit from the IUnknown interface, this interface
	   has a total of three functions: QueryInterface(), AddRef() and Release()
	   QueryInterface() is used to retrieve a pointer to the IDispatch Interface
	   and the AddRef() and Release() functions are used to maintain the 
	   reference count (a count of all the number of interface pointers that are
	   being used by clients).

	hr = pUnk->QueryInterface(IID_IDispatch, (void**)&pDispApp);

	   use ::GetIDsOfNames on pDisApp to get the DISPID
	   The DISPID (dispatch identifier) uniquely identifies each method within
	   a function.  You then use ::Invoke to call that method or property.
	   when IDispatch::Invoke is called it also passes on parameters for the 
	   method and recieves it's returned value.  This does most of the work.

	szFunction = OLESTR("Workbooks");
	hr = pDispApp->GetIDsOfNames (IID_NULL, &szFunction, 1,
			LOCALE_USER_DEFAULT, &dispid_Books);

	hr = pDispApp->Invoke (dispid_Books, IID_NULL,
			&dpNoArgs, &vResult, NULL, NULL);

	pDispXlBooks = vResult.pdispVal;

	//DISPPARAMS for Open method

	DISPID dispid_Open;
	VARIANT vArgsOpen[5];
	dpOpen.cArgs = 5;
	dpOpen.cNamedArgs = 0;
	dpOpen.rgvarg = vArgsOpen;
	char entry[25];
	wchar_t wszPassWord[25];

	printf("attempting dictionary attack...\n");

	while(in_fp.getline(entry, sizeof(entry))){

		//again convert to bstr
		MultiByteToWideChar(CP_ACP, 0, entry, -1,
				wszPassWord, sizeof(wszPassWord)/sizeof(wszPassWord[0]));

		bstrPassWord = ::SysAllocString(wszPassWord);
		vArgsOpen[4].vt = VT_BSTR;
		vArgsOpen[4].bstrVal = bstrFileName;		//Filename
		vArgsOpen[3].vt = VT_ERROR;
		vArgsOpen[3].scode = DISP_E_PARAMNOTFOUND;	//Updatelinks - ommitted
		vArgsOpen[2].vt = VT_BOOL;
		vArgsOpen[2].scode = TRUE;					//Open ReadOnly
		vArgsOpen[1].vt = VT_ERROR;
		vArgsOpen[1].scode = DISP_E_PARAMNOTFOUND;  //file format - ommitted
		vArgsOpen[0].vt = VT_BSTR;
		vArgsOpen[0].bstrVal = bstrPassWord;		//the file password;

		//Invoke the Open method
		szFunction = OLESTR("Open");
		hr = pDispXlBooks->GetIDsOfNames(IID_NULL, &szFunction, 1, 
			                             LOCALE_USER_DEFAULT, &dispid_Open);
		hr = pDispXlBooks->Invoke(dispid_Open, IID_NULL, 
			                      LOCALE_USER_DEFAULT, DISPATCH_METHOD, 
								  &dpOpen, NULL, NULL, NULL);
		if (!FAILED(hr))

	if (!FAILED(hr)) // the password was in the dictionary file
		printf("\npassword is %s\n", entry);
		printf("\nthe password was not found\n");
	//Invoke the Quit method

    szFunction = OLESTR("Quit");
    hr = pDispApp->GetIDsOfNames(IID_NULL, &szFunction, 1, 
                                 LOCALE_USER_DEFAULT, &dispid_Quit);
    hr = pDispApp->Invoke (dispid_Quit, IID_NULL, 
                           LOCALE_USER_DEFAULT, DISPATCH_METHOD,
                           &dpNoArgs, NULL, NULL, NULL);





	return 0;

Download the latest version of crackXL from sourceforge here.

feedback? comment on livejournal.