Found the routine getting called by the click event, and looked at this;
Code:
004035E8 > 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
004035EB . 50 PUSH EAX ; out password
004035EC 68 AC284000 PUSH Crack_Me.004028AC ; the password
004035F1 . FF15 40104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
004035F7 . 8BF0 MOV ESI,EAX ; load result into esi
004035F9 . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
004035FC . F7DE NEG ESI ; negate esi
004035FE . 1BF6 SBB ESI,ESI ; sub esi esi
00403600 . 46 INC ESI ; increase esi by one
00403601 . F7DE NEG ESI ; negate esi
00403603 . FF15 98104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00403609 . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
0040360C . FF15 9C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
00403612 . 66:3BF7 CMP SI,DI
00403615 0F84 D7000000 JE Crack_Me.004036F2
An invalid serial would return 1 to eax, making the end result when it gets to 00403612 be comping 0 to 0... A valid serial would be something else and zero, taking the jump.
Changing the JE to JNZ would make it jump on everything but the real password.