How to bypass a protection with a single byte

I was looking for a Post-it like program for Mac OS X (I don’t like Stickies!) and found this nice one, Edgies (available at http://www.oneriver.jp/Edgies/index_e.html).

It has a very annoying "register me" nag which shows up every few times you open/close a note.

My first attempt to bypass this was to go after the serial registration routine (it's located in the RegistrationManager framework), but it appears to be too long and complicated to be worth the trouble.
The next obvious step was to go after the shareware message. A grep for the message "Shareware Information" lands us again in the RegistrationManager framework, at a nicely labeled function, showDemoDialogue.

After disassembling the main program and searching for references to that function we reach:

000080c7    calll           0x0008f158                    +[RegistrationManager sharedRegistrationManager]
000080cc    movl            0x00091394,%edx               registered
000080d2    movl            %edx,0x04(%esp,1)
000080d6    movl            %eax,(%esp,1)
000080d9    calll           0x0008f158                    -[(%esp,1) registered]
000080de    movb            %al,(%ebx)
000080e0    testb           %al,%al
000080e2    jne             0x00008134 <- CRACKME =)
000080e4    movl            0x0008a014,%eax
000080e9    cmpb            $0x00,(%eax)
000080ec    je              0x00008134
000080ee    movl            0x000000f8(%esi),%eax         (int)demoCount
000080f4    addl            $0x01,%eax
000080f7    movl            %eax,0x000000f8(%esi)         (int)demoCount
000080fd    cmpl            $0x01,%eax
00008100    jbe             0x00008134
00008102    movl            0x00091398,%eax               sharedRegistrationManager
00008107    movl            %eax,0x04(%esp,1)
0000810b    movl            0x00092668,%eax               RegistrationManager
00008110    movl            %eax,(%esp,1)
00008113    calll           0x0008f158                    +[RegistrationManager sharedRegistrationManager]
00008118    movl            0x00091390,%edx               showDemoDialogue
0000811e    movl            %edx,0x04(%esp,1)
00008122    movl            %eax,(%esp,1)
00008125    calll           0x0008f158                    -[(%esp,1) showDemoDialogue]
0000812a    movl            $0x00000000,0x000000f8(%esi)  (int)demoCount
00008134    addl            $0x10,%esp
00008137    popl            %ebx
00008138    popl            %esi
00008139    popl            %ebp
0000813a    ret

So this is pretty obvious to understand and bypass. There is a call which checks whether the program is registered, and if it's not, the nag message is displayed after a few counts. The easy way to bypass all this is to change that JNE into a JMP (75 to EB) at address 0x80e2.
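The reason one byte is enough is that the whole decision rests on a single conditional branch with nothing verifying the code around it. The following is an added example (not Edgies' code, and not from the original post): a hypothetical C model of the routine in the listing above, next to the defender-side countermeasure a practitioner would expect, a self-check that digests the checking routine's bytes and compares them with a value recorded at build time, so that a one-byte change in the region is detected. The field names, `g_nag_enabled` and the sample byte sequences are constructed from the listing.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical C model of the routine in the disassembly above; it is not
 * Edgies' source. Names follow the disassembly's labels where they exist. */
struct note_state { unsigned demoCount; };   /* field at 0xf8(%esi) */
static int g_nag_enabled = 1;                /* byte compared at 0x80e9 (meaning assumed) */

/* Returns 1 if showDemoDialogue would be called on this open/close. */
int nag_check(struct note_state *s, int registered)
{
    if (registered)        return 0;    /* testb %al,%al / jne 0x8134 */
    if (!g_nag_enabled)    return 0;    /* cmpb $0,(%eax) / je 0x8134 */
    s->demoCount++;                     /* addl $1,%eax */
    if (s->demoCount <= 1) return 0;    /* cmpl $1,%eax / jbe (unsigned) */
    s->demoCount = 0;                   /* movl $0,0xf8(%esi) after the dialog */
    return 1;
}

/* 32-bit FNV-1a over a byte region. Each step is a bijection, so two
 * equal-length regions differing in one byte always yield different digests. */
uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Defender-side self-check: compare the live digest of a code region
 * against the value recorded at build time. Returns 1 on mismatch. */
int region_tampered(const uint8_t *region, size_t n, uint32_t expected)
{
    return fnv1a(region, n) != expected;
}

/* Constructed sample: the four bytes at 0x80e0..0x80e3 (testb %al,%al; jne +0x50)
 * and the same region with the single-byte 75->EB change the post describes. */
const uint8_t ORIG_BYTES[4]    = { 0x84, 0xc0, 0x75, 0x50 };
const uint8_t PATCHED_BYTES[4] = { 0x84, 0xc0, 0xeb, 0x50 };

int main(void)
{
    uint32_t expected = fnv1a(ORIG_BYTES, sizeof ORIG_BYTES);  /* "build-time" value */
    printf("original tampered: %d\n", region_tampered(ORIG_BYTES, 4, expected));
    printf("patched  tampered: %d\n", region_tampered(PATCHED_BYTES, 4, expected));
    return 0;
}
```

The self-check is only as strong as where its own result is consumed; if it too ends in one branch, it is the same single point of failure, which is why such checks are usually spread across several places and tied to data the program actually needs.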

Patch the main program, run it again and voila. No more nag 😄.

The whole protection goes down because of a single byte (too many protections are bypassed like this). I assumed that the serial routine is hard or long to analyse; I might be wrong, since today I'm too lazy to check it, but why waste time on that if you can patch a single byte!