Pretty cool anti-debug this time... Here's my approach.
We use the same strategy as always to find the anti-debug: step your way through the code. You'll see the structure is familiar from the last two parts; it's nearly the same. When you come to the loop you'll see what I mean by "nearly".
Again it's the second call that makes us worry, but this time it's triggered on the third run (not the second, as last time)!
And that's not everything; just jump into it and you'll see what I mean:
What? Hmm... Something's wrong; let's remove the automatic analysis and look at the raw bytes. Right-click -> Analysis -> Remove analysis from module:
Now the reversing can continue. Step a few instructions further to get here:
The highlighted line is the terminating call; but how can that be? It isn't shown as a call! Just re-enable the analysis (Right-click -> Analysis -> Analyse code [CTRL + A]) and it will be interpreted correctly. Toggling the analysis is worth remembering whenever the disassembly looks inconsistent: the analyser and the raw listing can disagree on where instructions start, and seeing both views tells you which one to trust.
How do we want to patch? As always, you've got multiple possible solutions:
- NOP the call (and the PUSHs before it! Why? Think about it or try it yourself)
- change PUSH EBP to RETN
I prefer the second way (a 1-byte patch; just untick "Fill with NOP's"); but it's up to you. Anyway, we've managed to clean our binary and are ready to crack it!
It's the same as last time: run the program, pause execution when the first nag is shown, press ALT+K to look at the call stack, select the call to the DialogBox and change the JNZ in front of the call to a JZ (= JE) - done!
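Both patches for the anti-debug routine (RETN at its entry, or NOPing the call together with its PUSHs) and the JNZ-to-JZ flip for the nag are fixed-length overwrites of a few bytes. The following Python script is an added example, not code from this write-up or from the crackme, showing how to apply such patches offline with a guard that refuses to write unless the expected original bytes are at the offset. The SAMPLE buffer, its layout and every offset in it are constructed for the demonstration; only the opcode values are real x86 encodings.

```python
"""Offline patcher for the patches used in this part.

Added example; this is not code from the original write-up or from the
crackme. The SAMPLE buffer below is constructed: the offsets, operands and
the call target are made up so the script runs without the real binary.
Only the opcode values are genuine x86 encodings.
"""

# Real x86 one-byte opcodes used by the patches.
PUSH_EBP = 0x55
RETN = 0xC3
NOP = 0x90
JZ_REL8 = 0x74
JNZ_REL8 = 0x75
CALL_REL32 = 0xE8  # followed by a 4-byte displacement: 5 bytes in total

# Constructed stand-in for the binary (assumed layout, not the crackme's):
#   0x10: 55 8B EC            push ebp; mov ebp,esp   (anti-debug routine entry)
#   0x20: 75 09               jnz short +9            (the JNZ in front of the call)
#   0x22: 6A 00 6A 00         push 0; push 0          (arguments for the call)
#   0x26: E8 00 00 00 00      call rel32              (the terminating call)
SAMPLE = bytearray(0x30)
SAMPLE[0x10:0x13] = bytes.fromhex("558BEC")
SAMPLE[0x20:0x2B] = bytes.fromhex("7509" "6A00" "6A00" "E800000000")


def patch_bytes(image, offset, expected, replacement):
    """Overwrite image[offset:] with replacement, but only if the bytes
    currently there equal expected. Same length in as out, so nothing else
    in the image moves. Raising on a mismatch is the check you want before
    writing to a real file: it catches a wrong offset or a binary that is
    not the version you analysed."""
    if len(expected) != len(replacement):
        raise ValueError("patch must not change the length of the code")
    end = offset + len(expected)
    if end > len(image):
        raise ValueError(f"patch at {offset:#x} runs past the end of the image")
    found = bytes(image[offset:end])
    if found != expected:
        raise ValueError(
            f"expected {expected.hex()} at {offset:#x}, found {found.hex()}"
        )
    image[offset:end] = replacement
    return image


def retn_patch(image, offset):
    """The author's preferred patch: turn PUSH EBP at the routine's entry
    into RETN, so the anti-debug routine returns before doing anything."""
    return patch_bytes(image, offset, bytes([PUSH_EBP]), bytes([RETN]))


def nop_call_with_args(image, offset, push_len):
    """The alternative: NOP the CALL rel32 together with the push_len bytes
    of PUSHs in front of it. If the callee cleans up its own arguments
    (stdcall, as Win32 API functions do) and only the CALL were removed,
    the pushed values would stay on the stack."""
    call_at = offset + push_len
    if image[call_at] != CALL_REL32:
        raise ValueError(f"no CALL rel32 at {call_at:#x}")
    span = push_len + 5
    current = bytes(image[offset:offset + span])
    return patch_bytes(image, offset, current, bytes([NOP]) * span)


def flip_jnz_to_jz(image, offset):
    """The nag patch: JNZ short -> JZ short keeps the displacement byte and
    only inverts the condition."""
    return patch_bytes(image, offset, bytes([JNZ_REL8]), bytes([JZ_REL8]))


def patched_sample():
    """Apply the RETN patch and the JNZ->JZ flip to a copy of SAMPLE."""
    image = bytearray(SAMPLE)
    retn_patch(image, 0x10)
    flip_jnz_to_jz(image, 0x20)
    return bytes(image)


if __name__ == "__main__":
    before, after = bytes(SAMPLE), patched_sample()
    for off in (0x10, 0x20):
        print(f"{off:#06x}: {before[off:off+3].hex()} -> {after[off:off+3].hex()}")
```

The offsets the script takes are file offsets. The debugger shows virtual addresses, so if you patch the file on disk yourself instead of letting the debugger write its in-memory modifications back, convert each address to a file offset via the PE section table first; the expected-bytes check will refuse the write if the conversion is off.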