With my turn, this is built upon kaybee99's excellent answer which is built upon Đức Thanh Nguyễn's fantastic answer to allow this method to work with both x86 and amd64 versions of Office.

An overview of what is changed, we avoid push/ret which is limited to 32bit addresses and replace it with mov/jmp reg.

Tested and works on

Word/Excel 2016 - 32 bit version.
Word/Excel 2016 - 64 bit version.

how it works

1. Open the file(s) that contain your locked VBA Projects.

2. Create a new file with the same type as the above and store this code in Module1

   Option Explicit
   
   Private Const PAGE_EXECUTE_READWRITE = &H40
   
   Private Declare PtrSafe Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" _
   (Destination As LongPtr, Source As LongPtr, ByVal Length As LongPtr)
   
   Private Declare PtrSafe Function VirtualProtect Lib "kernel32" (lpAddress As LongPtr, _
   ByVal dwSize As LongPtr, ByVal flNewProtect As LongPtr, lpflOldProtect As LongPtr) As LongPtr
   
   Private Declare PtrSafe Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleName As String) As LongPtr
   
   Private Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As LongPtr, _
   ByVal lpProcName As String) As LongPtr
   
   Private Declare PtrSafe Function DialogBoxParam Lib "user32" Alias "DialogBoxParamA" (ByVal hInstance As LongPtr, _
   ByVal pTemplateName As LongPtr, ByVal hWndParent As LongPtr, _
   ByVal lpDialogFunc As LongPtr, ByVal dwInitParam As LongPtr) As Integer
   
   Dim HookBytes(0 To 11) As Byte
   Dim OriginBytes(0 To 11) As Byte
   Dim pFunc As LongPtr
   Dim Flag As Boolean
   
   Private Function GetPtr(ByVal Value As LongPtr) As LongPtr
       GetPtr = Value
   End Function
   
   Public Sub RecoverBytes()
       If Flag Then MoveMemory ByVal pFunc, ByVal VarPtr(OriginBytes(0)), 12
   End Sub
   
   Public Function Hook() As Boolean
       Dim TmpBytes(0 To 11) As Byte
       Dim p As LongPtr, osi As Byte
       Dim OriginProtect As LongPtr
   
       Hook = False
   
       #If Win64 Then
           osi = 1
       #Else
           osi = 0
       #End If
   
       pFunc = GetProcAddress(GetModuleHandleA("user32.dll"), "DialogBoxParamA")
   
       If VirtualProtect(ByVal pFunc, 12, PAGE_EXECUTE_READWRITE, OriginProtect) <> 0 Then
   
           MoveMemory ByVal VarPtr(TmpBytes(0)), ByVal pFunc, osi+1
           If TmpBytes(osi) <> &HB8 Then
   
               MoveMemory ByVal VarPtr(OriginBytes(0)), ByVal pFunc, 12
   
               p = GetPtr(AddressOf MyDialogBoxParam)
   
               If osi Then HookBytes(0) = &H48
               HookBytes(osi) = &HB8
               osi = osi + 1
               MoveMemory ByVal VarPtr(HookBytes(osi)), ByVal VarPtr(p), 4 * osi
               HookBytes(osi + 4 * osi) = &HFF
               HookBytes(osi + 4 * osi + 1) = &HE0
   
               MoveMemory ByVal pFunc, ByVal VarPtr(HookBytes(0)), 12
               Flag = True
               Hook = True
           End If
       End If
   End Function
   
   Private Function MyDialogBoxParam(ByVal hInstance As LongPtr, _
   ByVal pTemplateName As LongPtr, ByVal hWndParent As LongPtr, _
   ByVal lpDialogFunc As LongPtr, ByVal dwInitParam As LongPtr) As Integer
   
       If pTemplateName = 4070 Then
           MyDialogBoxParam = 1
       Else
           RecoverBytes
           MyDialogBoxParam = DialogBoxParam(hInstance, pTemplateName, _
                      hWndParent, lpDialogFunc, dwInitParam)
           Hook
       End If
   End Function
   

3. Paste this code in Module2 and run it

   Sub unprotected()
       If Hook Then
           MsgBox "VBA Project is unprotected!", vbInformation, "*****"
       End If
   End Sub
   

If the file is a valid zip file (the first few bytes are 50 4B -- used in formats like .xlsm), then unzip the file and look for the subfile xl/vbaProject.bin. This is a CFB file just like the .xls files. Follow the instructions for the XLS format (applied to the subfile) and then just zip the contents.

For the XLS format, you can follow some of the other methods in this post. I personally prefer searching for the DPB= block and replacing the text

CMG="..."
DPB="..."
GC="..."

with blank spaces. This obviates CFB container size issues.

My tool, VbaDiff, reads VBA directly from the file, so you can use it to recover protected VBA code from most office documents without resorting to a hex editor.

Have you tried simply opening them in OpenOffice.org?

I had a similar problem some time ago and found that Excel and Calc didn't understand each other's encryption, and so allowed direct access to just about everything.

This was a while ago, so if that wasn't just a fluke on my part it also may have been patched.

Colin Pickard has an excellent answer, but there is one 'watch out' with this. There are instances (I haven't figured out the cause yet) where the total length of the "CMG=........GC=...." entry in the file is different from one excel file to the next. In some cases, this entry will be 137 bytes, and in others it will be 143 bytes. The 137 byte length is the odd one, and if this happens when you create your file with the '1234' password, just create another file, and it should jump to the 143 byte length.

If you try to paste the wrong number of bytes into the file, you will lose your VBA project when you try to open the file with Excel.

EDIT

This is not valid for Excel 2007/2010 files. The standard .xlsx file format is actually a .zip file containing numerous sub-folders with the formatting, layout, content, etc, stored as xml data. For an unprotected Excel 2007 file, you can just change the .xlsx extension to .zip, then open the zip file and look through all the xml data. It's very straightforward.

However, when you password protect an Excel 2007 file, the entire .zip (.xlsx) file is actually encrypted using RSA encryption. It is no longer possible to change the extension to .zip and browse the file contents.

I've built upon Đức Thanh Nguyễn's fantastic answer to allow this method to work with 64-bit versions of Excel. I'm running Excel 2010 64-Bit on 64-Bit Windows 7.

1. Open the file(s) that contain your locked VBA Projects.

2. Create a new xlsm file and store this code in Module1

   Option Explicit
   
   Private Const PAGE_EXECUTE_READWRITE = &H40
   
   Private Declare PtrSafe Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" _
   (Destination As LongPtr, Source As LongPtr, ByVal Length As LongPtr)
   
   Private Declare PtrSafe Function VirtualProtect Lib "kernel32" (lpAddress As LongPtr, _
   ByVal dwSize As LongPtr, ByVal flNewProtect As LongPtr, lpflOldProtect As LongPtr) As LongPtr
   
   Private Declare PtrSafe Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleName As String) As LongPtr
   
   Private Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As LongPtr, _
   ByVal lpProcName As String) As LongPtr
   
   Private Declare PtrSafe Function DialogBoxParam Lib "user32" Alias "DialogBoxParamA" (ByVal hInstance As LongPtr, _
   ByVal pTemplateName As LongPtr, ByVal hWndParent As LongPtr, _
   ByVal lpDialogFunc As LongPtr, ByVal dwInitParam As LongPtr) As Integer
   
   Dim HookBytes(0 To 5) As Byte
   Dim OriginBytes(0 To 5) As Byte
   Dim pFunc As LongPtr
   Dim Flag As Boolean
   
   Private Function GetPtr(ByVal Value As LongPtr) As LongPtr
       GetPtr = Value
   End Function
   
   Public Sub RecoverBytes()
       If Flag Then MoveMemory ByVal pFunc, ByVal VarPtr(OriginBytes(0)), 6
   End Sub
   
   Public Function Hook() As Boolean
       Dim TmpBytes(0 To 5) As Byte
       Dim p As LongPtr
       Dim OriginProtect As LongPtr
   
       Hook = False
   
       pFunc = GetProcAddress(GetModuleHandleA("user32.dll"), "DialogBoxParamA")
   
   
       If VirtualProtect(ByVal pFunc, 6, PAGE_EXECUTE_READWRITE, OriginProtect) <> 0 Then
   
           MoveMemory ByVal VarPtr(TmpBytes(0)), ByVal pFunc, 6
           If TmpBytes(0) <> &H68 Then
   
               MoveMemory ByVal VarPtr(OriginBytes(0)), ByVal pFunc, 6
   
               p = GetPtr(AddressOf MyDialogBoxParam)
   
               HookBytes(0) = &H68
               MoveMemory ByVal VarPtr(HookBytes(1)), ByVal VarPtr(p), 4
               HookBytes(5) = &HC3
   
               MoveMemory ByVal pFunc, ByVal VarPtr(HookBytes(0)), 6
               Flag = True
               Hook = True
           End If
       End If
   End Function
   
   Private Function MyDialogBoxParam(ByVal hInstance As LongPtr, _
   ByVal pTemplateName As LongPtr, ByVal hWndParent As LongPtr, _
   ByVal lpDialogFunc As LongPtr, ByVal dwInitParam As LongPtr) As Integer
   
       If pTemplateName = 4070 Then
           MyDialogBoxParam = 1
       Else
           RecoverBytes
           MyDialogBoxParam = DialogBoxParam(hInstance, pTemplateName, _
                      hWndParent, lpDialogFunc, dwInitParam)
           Hook
       End If
   End Function
   

3. Paste this code in Module2 and run it

   Sub unprotected()
       If Hook Then
           MsgBox "VBA Project is unprotected!", vbInformation, "*****"
       End If
   End Sub
   

DISCLAIMER This worked for me and I have documented it here in the hope it will help someone out. I have not fully tested it. Please be sure to save all open files before proceeding with this option.