<_risc> tell me the offset and bytes to patch for the nag, so i can concentrate on patching it..
<_risc> pls
<[LaZaRuS]> one moment
<_risc> i'm a lame cracker
<_risc> :?
<[LaZaRuS]> :00459BC2
<[LaZaRuS]> is a call to NOP
<[LaZaRuS]> and..

CrackMe.exe...
offset 3bda: 833DACE1470000  (shrinker entry point)
offset 3cdc: FF7508FF55E0 (shrinker exit point)
offset 5530: sometext

address to patch: 460164, change 'e8' (call rel32) to 'b8' (mov eax,imm32; same 5-byte length, so the call is neutralised without shifting any code after it)

a simple encryptor was applied to the exe before it was packed with shrinker; its decryptor
goes through the whole exe byte by byte: sub [ebx],7b / inc ebx / loop

this executes three times... 

so, i wanna make my patch, then let the decryptor decrypt it.. code this..

mov al, b8 (byte i want)
add al,7b  (first layer)
add al,7b  (second)
add al,7b  (last layer..)

oki. this leaves 29 in al.. (b8 + 3*7b = 229, truncated to a byte)

at the shrinker exit point, i jump to my code, patch the memory,

mov     byte ptr [460164],29   (pre-image of b8: the three sub 7b passes bring it to b8)
push    dword ptr [ebp+08]     (original shrinker exit point instruction, FF7508)
call    [ebp-20]               (original shrinker exit point instruction, FF55E0)


btw, at the shrinker exit point, d 460164 reveals nothing but ?? ?? ?? ?? ?? ??.. but don't worry,
the data is there: just code the mov byte ptr [460164],xx and trace it to check that it works

:e 460164 29
Page not present 

but it works if you try to patch it with the asm..
sorted..


dodgy decryptor.. runs three times.. 

mov     ecx,[ecx]           (ecx == length of section?)
sub     byte ptr [ebx],7b   (magic decryption value)
inc     ebx                 (point to next byte :)
loop    0047b048            (dec ecx, jnz sub blah)
add     edi,08
dec     esi                 (esi==how many sections were crypted?)
jnz     0047b02e
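The mov al,b8 / add al,7b calculation above and this three-pass decryptor loop, modelled in Python as an added example (not part of the original notes). The section-table layout (esi entries of start/length, ecx loaded with the length) and the sample image bytes are constructed assumptions; the 0x7b constant, the three passes and the e8 to b8 change are from the notes. The demo also checks the point that matters for the patch: e8 rel32 and b8 imm32 are both 5 bytes, so after decryption the call has become mov eax,imm32 and the four bytes after the opcode are untouched.

```python
# Added example, not from the original notes: model the decryptor
#   mov ecx,[ecx] / sub byte ptr [ebx],7b / inc ebx / loop / add edi,08 / dec esi / jnz
# as three passes of "subtract 0x7b from every byte of each crypted section",
# and derive the pre-image byte to write into still-encrypted memory so that
# the decrypted byte is the one wanted (b8 -> 29 in the notes).
# Assumptions: the section table is a list of (start, length) pairs (one per
# esi iteration) and the sample image below is made up.

MAGIC = 0x7B   # constant in 'sub byte ptr [ebx],7b'
PASSES = 3     # the decryptor runs three times over the image


def decrypt_pass(buf: bytearray, sections) -> None:
    """One run of the outer loop: for every (start, length) entry, subtract
    MAGIC from each byte (the inc ebx / loop inner loop), then next entry."""
    for start, length in sections:
        for i in range(start, start + length):
            buf[i] = (buf[i] - MAGIC) & 0xFF


def encrypt_pass(buf: bytearray, sections) -> None:
    """Inverse of decrypt_pass: how the packer's encryptor produced the image."""
    for start, length in sections:
        for i in range(start, start + length):
            buf[i] = (buf[i] + MAGIC) & 0xFF


def run_decryptor(buf, sections, passes: int = PASSES) -> bytearray:
    """Apply the decryptor `passes` times (three in the notes) and return the result."""
    out = bytearray(buf)
    for _ in range(passes):
        decrypt_pass(out, sections)
    return out


def preimage(wanted: int, passes: int = PASSES) -> int:
    """Byte to write before decryption so that `passes` subtractions of MAGIC
    leave `wanted`: the 'mov al,b8 / add al,7b x3' calculation, mod 256."""
    return (wanted + passes * MAGIC) & 0xFF


def patch_before_decrypt(encrypted, sections, offset: int, wanted: int) -> bytearray:
    """Write preimage(wanted) at offset (what 'mov byte ptr [460164],29' does at
    the shrinker exit point) and return the image after the decryptor has run."""
    patched = bytearray(encrypted)
    patched[offset] = preimage(wanted)
    return run_decryptor(patched, sections)


def demo():
    # Constructed plaintext: a 5-byte 'call rel32' (e8 xx xx xx xx) at offset 4
    # surrounded by nops. Changing e8 to b8 makes it 'mov eax,imm32', also
    # 5 bytes, so nothing after it shifts.
    plain = bytearray(b"\x90\x90\x90\x90\xe8\x10\x20\x30\x40\x90\x90\x90")
    sections = [(0, len(plain))]            # assumed: one crypted section
    enc = bytearray(plain)
    for _ in range(PASSES):
        encrypt_pass(enc, sections)
    assert run_decryptor(enc, sections) == plain   # decryptor inverts the encryptor
    result = patch_before_decrypt(enc, sections, 4, 0xB8)
    return result, preimage(0xB8)


if __name__ == "__main__":
    image, pre = demo()
    print("pre-image byte: %02x" % pre)
    print("decrypted image:", image.hex())
```

The pre-image is what the notes compute by hand (0x29); the point of running it through the modelled decryptor is to confirm that the arithmetic wraps correctly at a byte boundary and that only the patched byte changes.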


tryme#1:4E0A5C9B70A48ID501266ECB59423%9EAA0C58E844C7E9EE (2 minutes)
tryme#2:R!SC / $C9ECB75B (5-10 minutes, as i didnt use the '$' at first..)
the nag patching, 'bout 20 minutes.. return the favour one day??


