After reading the cracking attempts from the previous thread, edgyReggie asked DownerDanny to take some time to research further possible solutions to deter crackers. That time has now passed and edgeS0ft are ready to release their updated software, hoping that it will at least hold off the weaker pirates until DownerDanny can study and apply more methods…
Difficulty
Author Assigned Level: Wannabe
Goal
Your goal is to achieve the “full” version of the software, i.e. removing all nags that you see and unlocking all features of the program.
Your second goal is to ensure that your unlocked program works on different machines.
Your third (optional) goal is to generate a working name-serial pair if possible.
Bonus points to the most elegant solutions (minimal byte patching).
Rules of Engagement
Not really a rule, but it would be a better learning experience if you disable all anti-anti plugins. I’m not forcing this on you, but I’d recommend leaving them until later.
Research Material
DEFINITE SPOILERS IN HERE! Don't reveal unless you're really stuck!
Control flow obfuscation threw me off a bit. I patched it out en masse, and while the program ran most of the time, getting rid of the last nag (demo label and register menu item) just crashed the application. Got to be more careful next time.
After that I added the usual “mov al, 1” to the serial check function; there was no more nag window, but it was still labeled a demo. Had to patch one more spot which removes the demo label and disables the “Register” menu item. This was weird, and the xref to that variable was lost to control flow obfuscation. But hey - whatever works…
Better indeed. edgyReggie should not be coding while intoxicated.
Now it’s enough to patch “setnle al” > “mov al, 1” in the serial check function, like before. I thought my needing that other patch to clean up the UI was edgyReggie’s bug, but hesitated. Too many times when I shouted “bug” it turned out to be my mistake.
Any recommendations on reading material regarding reverse-engineering a serial generation algorithm? I have a general idea of just going through the serial check algorithm and adjusting the serial values to the ones the algorithm expects, but that would produce one serial and sounds inefficient. Is there a better way?
Pretty cool anti-debug this time… Here’s my approach.
We use the same strategy as always for finding the anti-debug: step your way through the code. You’ll see the structure is known from the last two parts; nearly the same. When you come to the loop you’ll know what I mean by nearly.
Again it’s the second call which makes us worry, but this time it’s triggered on the third (not the second, as last time) run!
And that’s not everything; just jump into it and you’ll see what I mean:
What? Mmh… Something’s wrong; let us remove our automatic analysis and have a look at the raw stuff. Right-click -> Analysis -> Remove analysis from module:
Now the reversing can continue. Jump a few instructions to get here:
The highlighted line is the terminating call; but how can that be? It’s not shown as a call! Just re-enable the analysis (Right-click -> Analysis -> Analyse code [CTRL + A]) and it will be correctly interpreted.
How do we want to patch? As always, you’ve got multiple possible solutions:
NOP the call (and the PUSHs before it! Why? Think about it or try it yourself)
change PUSH EBP to RETN
…
I prefer the second way (1 byte patch; just unselect “Fill with NOPs”); but it’s up to you. Anyway, we’ve managed to clean our binary and are ready for cracking it!
It’s the same as last time; run the program, pause the execution when the first nag is shown, ALT+K for having a look at the call stack, select the call to the DialogBox and change the JNZ in front of the call to a JZ (=JE) - done!
My first approaches halfway failed, with cracked binaries that crashed 50% of the time and worked the other 50%.
In the end I did something similar to @rokups and also patched the CRC on the StringTable to mess that up as well.
(To allow debugging I just patched a few jumps; I didn’t include those in the final binary though, which means my crack won’t work if a debugger is running in the background.)
And because I love pictures:
@TheDoctor that trick is pretty cool, thank you for showing it!
At the end of the serial checking routine, replace pop ebx or pop esi with pop eax (0x58).
The program will start in demo mode; you then have to register. After registering, the program exits.
Now restart and you have the full version.
CPU Disasm
Address   Hex dump       Command                         Comments
00F7337B  837D E8 00     CMP DWORD PTR SS:[EBP-18],0
00F7337F  0F95C0         SETNE AL                        ; here is the 3 byte patch I guess?
00F73382  5F             POP EDI
00F73383  5E             POP ESI                         ; Either replace this
00F73384  5B             POP EBX                         ; or this
00F73385  8B4D FC        MOV ECX,DWORD PTR SS:[EBP-4]
00F73388  33CD           XOR ECX,EBP
00F7338A  E8 7F070000    CALL 00F73B0E
00F7338F  8BE5           MOV ESP,EBP
00F73391  5D             POP EBP
00F73392  C3             RETN