Upon starting, a dialog box shows up, which makes us wait for 5 seconds before the program actually starts. Same thing happens when you try to close it. Let’s find the string “Please wait… 5 seconds”.

It appears two times as expected. Let’s follow the first one:

Looks like this is the function which pops up the dialog and starts the timer. We can search for references to 013B1680:

Again appears two times, we shall follow the first one again:

Going up the call chain again:

Now this is interesting. There’s a function call to something in the program, a test instruction, and a jump over the assembly which creates our wait dialog. The license check must be happening in “sub_D219E0”!

Bingo! The function opens a file called “License.lic” and reads it’s contents!
If that files does not exist, execution jumps to the end of the function and we get the annoying popup. Let’s make that file and see what happens.

The code goes through a few functions until we arrive at this. Looks suspicious. We could attempt to decode it and check if it looks like a serial number…

…Or let the program do it for us. It appears edgyReggie has craftily hidden the serial by XORing it. Sneaky!
The serial is: NOREPLS-809J-NAS9-83H0-3NS9
After that the code goes deeper but I frankly can’t be bothered to follow it. Let’s get to patching!

We need remove that call to the license check.

A simple MOV fits snugly. At last, the full version is ours, permanently!

Yes, the serial number provided by user during registration is hashed by MD5 and result is compared with value “deab67dde2001dc1a078456015765ed6”. So I replace this value with my own:

echo -n "NOREPLS-0000-0000-0000-0000" | md5sum | tr -d '\n \-' | dd of=NoREpls1.2.1.exe bs=1 seek=76216 count=32 conv=notrunc

Edit: added another modification for accepting all the serial keys.

During validation of registration there is a call to function strncmp at address “0x4028c0” (highlighted in the picture). This function returns 0 if both the strings are equal and 1 otherwise. So I modified the later case by replacing instruction “or eax, 1” with “and eax, 0” at address “0x405dd2” (highlighted in the bottom picture).

echo -ne "\xe0\x00" | dd of=NoREpls1.2.1.exe bs=1 seek=20947 count=2 conv=notrunc

After this patch all the license key are valid and after first registration there is created file “License.lic” with entered serial number. After each restart serial key from License.lic is validating and compared using our patched strncmp, so this patch achieve permanent full version of software after first registration with any serial number.

Like always, some string editing.
Also small patch to change the “JNE” to “JMP”. (That’s the point where the program does stuff depending on licence file existence and correctness, so this modification basically makes existing and non-existing and correct and not-correct license accepted => licence checking disabled)

Patch position (just search for the intermodular call DialogBoxParamW, also ShowWindow is pretty close ):

CPU Disasm
Address   Hex dump          Command                                  Comments
010D15B0   $  55            PUSH EBP                                 ; NoREpls1_2_1_original.010D15B0(guessed Arg1,Arg2,Arg3,Arg4)
010D15B1   .  8BEC          MOV EBP,ESP
010D15B3   .  83EC 1C       SUB ESP,1C
010D15B6   .  FF15 00F00D01 CALL DWORD PTR DS:[<&COMCTL32.#17>]
010D15BC   .  E8 AF130000   CALL 010D2970
010D15C1   .  84C0          TEST AL,AL
010D15C3   .  75 18         JNE SHORT 010D15DD         ; <================ REPLACE THIS WITH JMP!
010D15C5   .  6A 00         PUSH 0                                   ; /InitParam = 0
010D15C7   .  68 E0260D01   PUSH 010D26E0                            ; |DialogProc = NoREpls1_2_1_original.10D26E0
010D15CC   .  6A 00         PUSH 0                                   ; |hParent = NULL
010D15CE   .  6A 6F         PUSH 6F                                  ; |TemplateName = 6F
010D15D0   .  6A 00         PUSH 0                                   ; |hInst = NULL
010D15D2   .  A2 80670E01   MOV BYTE PTR DS:[10E6780],AL             ; |
010D15D7   .  FF15 84F10D01 CALL DWORD PTR DS:[<&USER32.DialogBoxPar ; \USER32.DialogBoxParamW

Md5 is too long to bruteforce so, I just nop the jump instruction

I tried to decrypt as base64 with not success.
So I tried as MD5 and was success.

NOREPLS-0892-H43O-19JG-3UAN
(hash = deab67dde2001dc1a078456015765ed6)

I used strings and saw a pretty obvious md5 hash and verified that it was the hashed serial key in xdbg. I tried for a while to see if maybe where was some kind of second serial in a more easily recovered format somewhere but couldn’t find anything. Since I don’t want to spend a few days bruteforcing the hash (though I’m pretty sure I know the format of it since it’s likely the same as for the previous licenses), I instead just went to the function that handles startup license checks and changed a single byte to invert the logic check on the serial (sete ==> setne), so rather than checking that they’re equal it checks that they’re not equal. So now it just accepts anything except the real serial in the License.lic file.