Thread: SoftSentry v2.0
  #5  
Old 08-06-2002, 02:40
TGD
 
Bye bye check!!!!

Hi Vox Humana,

Following your pointers, I was able to crack the app... After checking the code with IDA, I found the following:

...
.text:004875AD call ds:__vbaOnError
.text:004875B3 mov dword ptr [ebp-4], 7
.text:004875BA call sub_0_407034
.text:004875BF mov [ebp-0C8h], eax
.text:004875C5 call ds:__vbaSetSystemError
...


And on the sub_0_407034 is the reference to the DLLFunctionCall you mentioned:
...
.text:00407034 sub_0_407034 proc near ; CODE XREF: .text:004875BAp
.text:00407034 mov eax, dword_0_48E950
.text:00407039 or eax, eax
.text:0040703B jz short loc_0_40703F
.text:0040703D jmp eax
.text:0040703F ; --------------------------------------------------------------
.text:0040703F
.text:0040703F loc_0_40703F: ; CODE XREF:sub_0_407034+7j
.text:0040703F push offset off_0_40701C
.text:00407044 mov eax, offset DllFunctionCall
.text:00407049 call eax ; DllFunctionCall
.text:0040704B jmp eax
.text:0040704B sub_0_407034 endp
...

and at offset off_0_40701C is the reference that comes after the softSENTRY name:

...

.text:00407000 45 78 45 64 53 53 2E 64-6C 6C 00 00 0B 00 00 00 "ExEdSS.dll.. ..."
.text:00407010 73 6F 66 74 53 45 4E 54-52 59 00 00 00 70 40 00 "softSENTRY...p@."
.text:00407020 10 70 40 00 00 00 04 00-48 E9 48 00 00 00 00 00 "p@....HTH....."
.text:00407030 00 00 00 00 A1

So what I did was make a patcher that searches for softSENTRY and inserts a ret 27 bytes after the name (change A1 for C3).

It worked like a charm with the .exe and the .ocx... no more checks or nags...

In a later version of the program I found a second check but only after the SS.dll... so I had to patch that too.

Actually I made a "generic" patcher that will search for that sequence of bytes in any file... so it might crack other softSENTRY apps too...

Again thanks for the help!!!

Cheers,

TGD