About Titanium and Fusion v3


Zilot
April 9th, 2003, 05:25
Part I

I've read the tutorial about unpacking Bit-Art, and what is said there is OK, but
it is enough just for the main screen to appear. After that each button causes some
crash. It is because there are some more calls inserted into the code to prevent
using the unpacked version.
Every call decrypts itself and after that encrypts itself again. And the best
method to see what code is supposed to execute instead of the inserted call is to watch
what's going on with the stack,
and after restoring registers and flags there is the "health code", 5 bytes long.
And after that there is again pushing of registers and call encryption.
The calls table starts at 4e30f5 and ends at 4e4ec1, and I put a breakpoint at the
beginning of each, and then took some actions, so I knew which of the calls is
invoked. After that it was easy. And there is one call that is not in this table and
is responsible for IAT erasing; it can be found by breaking on IAT writing.
So the addition to the tutorial about patching is next:

Zilot
April 9th, 2003, 05:27
1.

4485e9 call 470ed4 <------- Erases IAT
should be
4485e9 lea edi,[esi+3c]
push 20

2.

44860a call 4e3d11
should be
44860a movzx ecx,ax
mov [edi],eax

3.

444b01 call 4e3da2
should be
44860a movx ecx, byte ptr [esp+08]

4.

41284f call 4e32a3
should be
41284f mov [esi+7C],ebx
push 0F

5.

412895 call 4e3386
should be
412895 mov [esi+58],ebx
mov eax, esi

6.

4460fa call 4e4428
should be
4460fa mov esi, ecx
mov [ebp-10], esi

No more weird calls.
And the way the registration was patched is wrong. That call mustn't be
overwritten, because some strange reactions happened.
Instead I did the following:

402199 push eax
should be
402199 push edx

and

4021b0 test eax,eax
should be
4021b0 test edx,edx

Zilot
April 9th, 2003, 05:29
After this I tried some programs and had more or less success. Some of them were
packed perfectly, but some were not. So I'm wondering whether it is because of the registration or not.

And sometimes, after packing the same program several times, it was packed in the
wrong way. Any comment or suggestion?

If anyone wants my exe, it is OK.