Author: matias921
Type: delete nag
Program: Imagedit (compiled with nag)
Using: w32dasm 8.9 and a hex editor

START:
Run Imagedit.exe
Open w32dasm and select Imagedit.exe
Search for the MessageBoxA call with this code (there are others):


:0040C28E C3                      ret --> reached from another path



* Reference To: KERNEL32.GetUserDefaultLangID, Ord:0172h
                                  |
:0040C28F FF1508314100            Call dword ptr [00413108] --> call what is in .00413108
:0040C295 25FF000000              and eax, 000000FF --> keep only the low byte of eax
:0040C29A 83F807                  cmp eax, 00000007 --> compare LanguageID 7=german
:0040C29D 7413                    je 0040C2B2       --> if 7 jump to mov eax, 00413354
:0040C29F 83F811                  cmp eax, 00000011 --> compare LanguageID 11=english
:0040C2A2 7407                    je 0040C2AB       --> if 11 jump to mov eax, 0041340C
:0040C2A4 B8A0344100              mov eax, 004134A0 --> copy some to eax (default LangID)
:0040C2A9 EB0C                    jmp 0040C2B7      --> any way jump to MessageBoxA

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C2A2(C)
|
:0040C2AB B80C344100              mov eax, 0041340C --> load eax depending on the language
:0040C2B0 EB05                    jmp 0040C2B7      --> direct jump to MessageBoxA

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C29D(C)
|
:0040C2B2 B854334100              mov eax, 00413354 --> load eax depending on the language

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040C2A9(U), :0040C2B0(U)
|

* Possible Reference to String Resource ID=00048: "bmp"  --> bmp?, what's this?
                                  |
:0040C2B7 6A30                    push 00000030     --> put in stack 00000030
:0040C2B9 6834334100              push 00413334     --> put in stack 00413334
:0040C2BE 50                      push eax          --> put in stack value eax
:0040C2BF 6A00                    push 00000000     --> put in stack 0

* Reference To: USER32.MessageBoxA, Ord:01BEh        /> call MessageBoxA with string
                                  |                 |    which is in .004131FC
:0040C2C1 FF15FC314100            Call dword ptr [004131FC]
:0040C2C7 C3                      ret               --> back from call



* Referenced by a CALL at Address:  --> comes from a call further down
|:0040CD29                                        /> copy into eax what is in .00417C38
|                                                |
:0040C2C8 A1387C4100              mov eax, dword ptr [00417C38]
:0040C2CD 85C0                    test eax, eax     --> check whether eax = 0
:0040C2CF 7402                    je 0040C2D3       --> if zero, skip the call eax
:0040C2D1 FFD0                    call eax          --> call eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C2CF(C)
|
:0040C2D3 6818504100              push 00415018     --> push 00415018




How to remove this nag?

At the start is:
* Reference To: KERNEL32.GetUserDefaultLangID, Ord:0172h
:0040C28F FF1508314100            Call dword ptr [00413108]

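At the end of the MessageBoxA code there is a RET.
We must put a jump at the start (at the GetUserDefaultLangID call) that goes to the end (after MessageBoxA).
So, change FF15 to EB36: EB is a short jump and 36 is the distance counted from the next instruction (0040C291 + 36 = 0040C2C7), so that's a jump to the final RET.
:0040C28F EB36                   jmp 0040C2C7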
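
The short-branch arithmetic used above, as an added example (not part of the original tutorial): it decodes each two-byte jmp/je in the listing and checks the result against the target W32Dasm printed, then shows which bytes of the six-byte call remain behind the two-byte replacement. The function names and the table are hypothetical; the byte values are copied from the listing.

```python
# Constructed table: (address, instruction bytes, target shown in the listing).
SHORT_BRANCHES = [
    (0x0040C29D, bytes.fromhex("7413"), 0x0040C2B2),  # je
    (0x0040C2A2, bytes.fromhex("7407"), 0x0040C2AB),  # je
    (0x0040C2A9, bytes.fromhex("EB0C"), 0x0040C2B7),  # jmp
    (0x0040C2B0, bytes.fromhex("EB05"), 0x0040C2B7),  # jmp
    (0x0040C2CF, bytes.fromhex("7402"), 0x0040C2D3),  # je
    (0x0040C28F, bytes.fromhex("EB36"), 0x0040C2C7),  # jmp (the replacement)
]

# The original six-byte instruction at 0040C28F and its two-byte replacement.
ORIGINAL_CALL = bytes.fromhex("FF1508314100")
REPLACEMENT = bytes.fromhex("EB36")


def rel8_target(address, insn):
    """Return the destination of a two-byte short branch (EB cb or 7x cb)."""
    if len(insn) != 2:
        raise ValueError("short branches are exactly two bytes")
    opcode, disp = insn
    if opcode != 0xEB and not 0x70 <= opcode <= 0x7F:
        raise ValueError("not a short jmp/jcc opcode")
    if disp >= 0x80:  # the displacement is a signed 8-bit value
        disp -= 0x100
    # The displacement is counted from the byte after the instruction.
    return (address + 2 + disp) & 0xFFFFFFFF


def listing_mismatches(rows=SHORT_BRANCHES):
    """Return the rows whose decoded target differs from the printed one."""
    return [(addr, insn.hex(), want)
            for addr, insn, want in rows
            if rel8_target(addr, insn) != want]


def leftover_bytes(original, replacement):
    """Bytes of the longer original instruction left in place after the patch."""
    return original[len(replacement):]


if __name__ == "__main__":
    for addr, insn, _ in SHORT_BRANCHES:
        print(f"{addr:08X} {insn.hex().upper()} -> {rel8_target(addr, insn):08X}")
    print("mismatches:", listing_mismatches())
    print("left behind:", leftover_bytes(ORIGINAL_CALL, REPLACEMENT).hex().upper())
```

The four bytes left behind (the old call operand) sit between 0040C291 and 0040C294 and are never reached, because the jump goes over them.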

Hope you understood and learned something; any trouble:
matias921@come.to