Reverse Code Engineering - winDAC 32 v1.41
Nag Removal And Hex Editing
Author: Volatility

Please Read The Disclaimer Before Continuing.


Target: WinDAC 32 v1.41 (wdac141.zip) - 299,028 bytes
Location: http://members.aol.com/schmelnik/wdac141.zip
Protection(s): Nag Screen (Message Box)
Tools Needed: Wdasm (Or Other Disassembler)
HIEW (Or Other Hex Editor)
HEDIT (Or Other Hex Editor)
Level: (X) Beginner ( ) Intermediate ( ) Advanced ( ) Expert

This essay will give you some insight into removing annoying nag screens.  Since the program is so easy to reverse, I threw in a little hex editing just for fun.

Prepare To Crack:

Upon running the program and testing all of its options, I found that no functions are disabled in the unregistered version.  There is also no screen in which to enter a registration code.  The only limitation is the annoying nag message box shown below:

[Image: WinDAC 32 nag screen]

Making The Crack:

To remove this nag, disassemble WinDAC32.exe with Wdasm: choose "Disassembler", then "Open File To Disassemble", and select WinDAC32.exe.

For a nag of this type there is a very simple way to find exactly where the routine is in Wdasm.  Once the program is disassembled, choose "Debug" and then "Load Process".  When the program has finished loading, press the "Run" button on the code screen.  As soon as the nag box pops up in WinDAC, press the "Step Into" button on the code screen.  You are now directly in the routine where the nag box is called, so press "Terminate" to get back to Wdasm, and you should be here:
 
* Reference To: USER32.MessageBoxA, Ord:0195h
                                  |
:00432AD6 FF1524DC4700            Call dword ptr [0047DC24]
:00432ADC 891E                    mov dword ptr [esi], ebx
:00432ADE 837DFC00                cmp dword ptr [ebp-04], 00000000
:00432AE2 89450C                  mov dword ptr [ebp+0C], eax
:00432AE5 740B                    je 00432AF2
:00432AE7 6A01                    push 00000001
:00432AE9 FF75FC                  push [ebp-04]

* Reference To: USER32.EnableWindow, Ord:00B2h
                                  |
:00432AEC FF150CDE4700            Call dword ptr [0047DE0C]

Now scroll up a bit.  We are looking for the spot where the program checks whether it is registered and then jumps.  You'll find that code here:
 
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00432AA2(C), :00432AB2(C), :00432AB7(C)
|
:00432ABD E82FC60000              call 0043F0F1
:00432AC2 8B45F8                  mov eax, dword ptr [ebp-08]
:00432AC5 85C0                    test eax, eax
:00432AC7 7403                    je 00432ACC
:00432AC9 8B401C                  mov eax, dword ptr [eax+1C]

We'll need to patch the jump so that it jumps to registered status (where the nag screen won't show).  To do this, first find the location that sets us to registered status.  You'll find it at the line ":00432AF2 6A01                    push 00000001".  Now highlight the line "je 00432ACC" and read its file offset from the bottom of the Wdasm window (it should be 00031EC7h, i.e. 31EC7).  Then do as follows:

1. If you haven't already, create a copy of the program in a different directory.
2. Open the program with HIEW (c:\whatever\hiew c:\whatever\windac32.exe).
3. Press F4 to get to hex view.
4. Press F5 to search.
5. Enter your search string: 31EC7.
6. Press F2 to get to code view.
7. Press F3 to edit.
8. Press F2 to enter the information.
9. Change "je 00031ECC" to "jne 00031EF2".
10. Press F9 to save.
11. Press F10 to exit.
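The offset lookup in the paragraph above and the HIEW search that follows both rest on the same address arithmetic: a virtual address in the disassembly maps to a file offset through the PE section table.  As an added example that is not part of the essay, the script below does that mapping and turns it into an integrity check, reporting whether the conditional jump at a known address still carries its original opcode (useful for verifying that a distributed binary has not been tampered with).  The image base, the section layout and the sample byte buffers are constructed assumptions chosen to reproduce the essay's 00432AC7 to 31EC7 mapping; they are not read from the real WinDAC32.exe.

```python
from dataclasses import dataclass

# Assumed PE layout (not from the essay): image base 0x400000 and a .text
# section at RVA 0x1000 backed by file offset 0x400. These values reproduce
# the essay's VA 0x00432AC7 <-> file offset 0x31EC7 mapping.
IMAGE_BASE = 0x400000

@dataclass
class Section:
    name: str
    virtual_address: int  # RVA at which the section is mapped in memory
    virtual_size: int
    raw_pointer: int      # file offset of the section's raw data

SECTIONS = [Section(".text", 0x1000, 0x40000, 0x400)]

def va_to_file_offset(va, sections=SECTIONS, image_base=IMAGE_BASE):
    """Translate a virtual address from the disassembly into a file offset."""
    rva = va - image_base
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.virtual_size:
            return s.raw_pointer + (rva - s.virtual_address)
    raise ValueError(f"VA {va:#x} is not backed by any section")

# Short-form conditional jumps: one opcode byte plus a signed 8-bit displacement.
SHORT_JCC = {0x74: "je", 0x75: "jne"}

def check_branch(image, va, expected_opcode):
    """Return (file_offset, mnemonic, intact) for the short Jcc at `va`."""
    off = va_to_file_offset(va)
    opcode = image[off]
    mnemonic = SHORT_JCC.get(opcode, f"opcode {opcode:#04x}")
    return off, mnemonic, opcode == expected_opcode

# Constructed sample images (not the real WinDAC32.exe): the bytes from the
# listing, "74 03 8B 40 1C" (je 00432ACC; mov eax,[eax+1C]), placed at
# 0x31EC7, and a copy in which the je opcode has been flipped to jne.
NAG_CHECK_VA = 0x00432AC7
ORIGINAL_IMAGE = bytearray(0x32000)
ORIGINAL_IMAGE[0x31EC7:0x31ECC] = bytes.fromhex("74038B401C")
TAMPERED_IMAGE = bytearray(ORIGINAL_IMAGE)
TAMPERED_IMAGE[0x31EC7] = 0x75

def audit(image, va=NAG_CHECK_VA, expected_opcode=0x74):
    """Human-readable verdict on whether the branch still matches the original."""
    off, mnemonic, intact = check_branch(image, va, expected_opcode)
    state = "intact" if intact else "MODIFIED"
    return f"{va:#010x} -> file offset {off:#07x}: {mnemonic} ({state})"
```

Calling `audit(ORIGINAL_IMAGE)` and `audit(TAMPERED_IMAGE)` prints one verdict line each; to check a real file, replace the constructed buffers with its bytes and the assumed section table with the values from its PE headers.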

Now run WinDAC, and the nag is gone!  Since this crack is so simple, let's have some fun.  Click on the question mark to show the "About" screen.  At the bottom you'll see the following:

[Image: the About box footer reading "WinDAC 32"]

Just for the fun of it, let's change this so it says "Cracked" followed by your name.  (Note: the link won't work after this, but your name can still be highlighted if you choose.)  Mine looks like this:

[Image: the edited About box footer]

For simple text editing I use HEDIT, a basic hex editor, but any hex editor will work.  After searching for the text we need to edit, you'll find it at address 000661C0.  Now you just need to overwrite the original text with your new text.  Here is what my original and edited text looked like:

Original: [Image: "WinDAC 32" as shown in the hex editor]

Edited: [Image: the edited text as shown in the hex editor]
Hex editing text can be rather difficult, since you usually cannot use more characters than the original string (the bytes after it belong to other data) or fewer.  It just takes some trial and error, as well as a little luck (like mine!).


*** Disclaimer ***
This Essay Is For Knowledge Purposes Only. Neither We, Our ISP, Nor Any Persons Mentioned Shall Be Held Liable For Any Damages Improper Usage May Cause To Your Machine.

If You Successfully Crack A Program, You Must Delete It Immediately. If You Want To Keep The Program, Please BUY It! Support Shareware, This Is Our Learning Tool!

It Is Illegal To Continue To Use Cracked/Patched Software.


Copyright © 1998 Volatility And The Immortal Descendants. All Rights Reserved.