Softice pops up and we are in the code. All we have to do is perform a few Step Overs (F10) and we quickly see the NAG screen splash by at a call like this:
001B:00447D90 CALL 0043EA00 ----> This calls the NAG
So press F5 to let the prog end, and reload it into Softice.
We just have to put a BPX at the call instruction (to go faster), like this: BPX 001B:00447D90, and press F5 again to let Softice break at the BPX.
Now let's do a Step Into (F8) to go into the call. After this, do a few more Step Overs and you should see the splash screen once again:
001B:0043EA31 CALL [EDI+2C] ---> Calls the NAG screen again
This time the BPX will not work, but put one on it anyway for later use (no time to know why), so press F5 and reload the prog into Softice.
Trace the prog to the call instruction, perform a Step Into, and then some Step Overs.... You should see the splash screen again at:
Same as usual, put a breakpoint and reload into Softice (this time it will work!!!), so press F5 until the address we are interested in.
Step Into the instruction, light a smoke and do some more Step Overs until you see a grey rectangle window at address:
001B:004478DB CALL 0043BB14 ---> Grey Rectangle
Yeah, we have it!!!! It's the first instruction for drawing this @#º! Nag Screen.
So carefully Step Over a few instructions and you should have this:
001B:004478EF CALL 004151A4 ---> Update the Window with Color and Text.
001B:0044792B CALL 00402CD0 ---> Destroy Window
001B:00447930 RET ---> Returns to 001B:00447938 (MOV AL,01)
At this point we have to write down the CPU registers. You should have (after the RET instruction) something like this:
EAX,ECX,EDX,EDI = 00000000
EBX = 00C33A0C
EBP = 0012FE24
ESP = 0012FE00
ESI = 00C31038
Now we just have to bypass those instructions, so put a breakpoint at 001B:004478EF (the first call), reload the prog, and press F5 until the last breakpoint.
What to do now?? Easy way.... Look at the CPU registers: there are some differences, so we'll change them.
We just have to assemble some code here, like this:
A 001B:004478EF (press return)
XOR EAX,EAX ------> EAX = 00000000
XOR ECX,ECX ------> Like eax
XOR EDX,EDX ------> No need to explain
MOV ESP, 0012FE00 ------> Moves the value 12FE00 into ESP
JMP 00447938 ------> Jumps after the RET instruction
Press Return, and that's all; try it again and you should not see THE NAG SCREEN anymore!!!!!
If you want to do a physical patch you can use HVIEW: search for the call instruction, change it and save... Or you can also enable code display in Softice with CODE ON, write down the hex code of the call instruction (E83442FFFF); maybe a few more bytes could help you find it in a hex editor. Change the ASM code as shown above, write down the changed bytes in hex, open a hex editor, search for the first code and replace it (simple?)
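To make sense of the hex bytes quoted above (E83442FFFF), here is a small added example; it is not code from the original tutorial or from the program's author. It decodes an x86 near relative CALL (opcode E8 followed by a signed 32-bit displacement) so you can check which call a byte string belongs to, and it shows the byte comparison an integrity self-check performs to notice that a call site no longer holds its original bytes. Decoding E83442FFFF as if it sat at 001B:004478DB resolves to 0043BB14, i.e. the "Grey Rectangle" call. The image bytes and the NOP-overwritten copy are constructed for the demo and are not taken from the real executable.

```python
import struct

CALL_REL32 = 0xE8  # x86 near relative CALL, 5 bytes: E8 + rel32


def decode_rel32_call(code: bytes, instr_addr: int) -> int:
    """Return the target of an E8 rel32 CALL located at instr_addr.

    The displacement is relative to the *next* instruction (instr_addr + 5),
    which is why the same five bytes resolve to a different target depending
    on where they sit in the image.
    """
    if len(code) < 5 or code[0] != CALL_REL32:
        raise ValueError("not an E8 rel32 CALL")
    rel32 = struct.unpack("<i", code[1:5])[0]          # little-endian, signed
    return (instr_addr + 5 + rel32) & 0xFFFFFFFF


def encode_rel32_call(instr_addr: int, target: int) -> bytes:
    """Inverse of decode_rel32_call: the 5 bytes a disassembler shows for
    'CALL target' placed at instr_addr. Useful to verify hex you copied."""
    rel32 = target - (instr_addr + 5)
    return bytes([CALL_REL32]) + struct.pack("<i", rel32)


def check_site(image: bytes, image_base: int, site_addr: int, expected: bytes):
    """Compare the bytes at a code site with a known-good copy.

    Returns (ok, actual). A loader or self-check that keeps the original
    bytes of sensitive call sites can use this to detect that a call was
    overwritten on disk or in memory.
    """
    off = site_addr - image_base
    actual = bytes(image[off:off + len(expected)])
    return actual == expected, actual


# Constructed 20-byte image fragment (hypothetical): NOP padding around the
# five bytes E8 34 42 FF FF, placed so that the CALL sits at 0x004478DB.
IMAGE_BASE = 0x004478D0
GREY_RECT_SITE = 0x004478DB
GREY_RECT_BYTES = bytes.fromhex("E83442FFFF")
IMAGE = b"\x90" * 0x0B + GREY_RECT_BYTES + b"\x90" * 4


def patched_copy() -> bytes:
    """Constructed copy of IMAGE with the call site blanked by NOPs,
    standing in for any on-disk modification of that site."""
    buf = bytearray(IMAGE)
    off = GREY_RECT_SITE - IMAGE_BASE
    buf[off:off + 5] = b"\x90" * 5
    return bytes(buf)


def demo() -> dict:
    """Resolve the quoted bytes and run the integrity check on both copies."""
    target = decode_rel32_call(GREY_RECT_BYTES, GREY_RECT_SITE)
    ok_clean, _ = check_site(IMAGE, IMAGE_BASE, GREY_RECT_SITE, GREY_RECT_BYTES)
    ok_patched, actual = check_site(patched_copy(), IMAGE_BASE,
                                    GREY_RECT_SITE, GREY_RECT_BYTES)
    return {
        "target": target,              # 0x0043BB14 -> the Grey Rectangle call
        "clean_intact": ok_clean,      # True
        "patched_intact": ok_patched,  # False: site no longer matches
        "patched_bytes": actual.hex(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v:#010x}" if isinstance(v, int) else f"{k}: {v}")
```

The decoder explains why the tutorial tells you to note the hex "with a few more bytes": E8 calls are position dependent, so the same displacement appears elsewhere only by coincidence, and matching on surrounding bytes makes the search unambiguous. The same position dependence is what an integrity check relies on when it compares a call site against its original bytes.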