
View Full Version : loader info


w_a_r_1
June 15th, 2009, 23:31
I just want to know how to find out the patches which the loader makes when it loads the exe. Any guidance on it would be helpful.

Cheers
war1

Arcane
June 16th, 2009, 01:03
I'm assuming here you're thinking about the Windows loader? I would recommend you get very familiar with the Windows PE format (MSDN, Google). If you want to find out WHAT patches a loader does, you can either disasm, or dump the .exe from memory and diff it with the original file or something like that (possible fault: alignment, I think?).

Hope it helps.

w_a_r_1
June 16th, 2009, 02:35
I tried... I just opened the exe with the loader and it was working fine. Then I used LordPE to dump it, but the dump was not working. I tried to compare it with the original exe and then I got more than 10,000 bytes patched... I know I am doing something wrong... please correct me if I am wrong.

Arcane
June 16th, 2009, 03:47
The information about your problem is scarce; you need to elaborate more in order to get any help.

Is the file packed/protected?
What are you trying to achieve?
What have you done so far?

w_a_r_1
June 16th, 2009, 04:35
I am working on an application packed with Enigma and I want to bypass the registration box. I got the program cracked by a cracker and he made a loader for it to bypass the registration box... with the help of that loader you will get the registration and when you hit enter it says activated and the program starts... so I just want to know where he made the patch to make it work. I tried a couple of tutorials on Enigma but none of them were working. So I just want to know where he made the patch so that in the future I should be able to deal with this kind of situation. If you want I can post the application?

DARKER
June 16th, 2009, 05:13
Just disassemble/debug the loader; they're usually very simple apps that do:
run the app, wait some time, check a specified address, overwrite it with patched data... (of course your loader can be packed too).
Some time ago I saw an app that worked with common patchers (~7) and was able to extract what changes they do; I can't find it anymore...

Second approach:
Compare the original with the dumped one. For this you must have a comparer where you can shift data (there are a lot of changes, so you must synchronize it at the right place).

Shub-nigurrath
June 16th, 2009, 11:30
The simplest is to put a breakpoint on the WriteProcessMemory API while debugging the loader. This API is normally used to write something into the target process's address space; then look at the arguments of the call.

darawk
June 22nd, 2009, 19:59
Most patches are done to fix code relocations. The loader also remaps the sections to align along the alignment boundary (almost always 0x1000) that's specified in the PE header.
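DARKER's comparer that can "shift data" and darawk's point about sections being remapped on SectionAlignment come down to the same thing: compare the file and the dump by RVA, section by section, not byte offset by byte offset. The following is an added Python example, not code from anyone in this thread; it parses the section table, diffs each section's on-disk bytes against the dumped image, and runs on a constructed toy PE (one .text section, FileAlignment 0x200, SectionAlignment 0x1000) in which a single byte was changed in memory. The function names and the toy image are my own.

```python
import struct

def pe_sections(data):
    """Parse the section table; the headers are identical in a file and a memory dump."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    assert data[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    return [dict(zip(("name", "vsize", "va", "rawsize", "rawptr"),
                     struct.unpack_from("<8sIIII", data, table + 40 * i))) for i in range(nsec)]

def diff_dump(original, dump):
    """Compare each section's bytes at PointerToRawData (file) with the bytes at its
    VirtualAddress (dump). Returns runs of (rva, disk_bytes, dump_bytes) that differ."""
    runs = []
    for s in pe_sections(original):
        n = min(s["rawsize"], s["vsize"] or s["rawsize"])   # bytes present on disk and in memory
        disk, mem = original[s["rawptr"]:s["rawptr"] + n], dump[s["va"]:s["va"] + n]
        run = None
        for i in range(n):
            if disk[i] != mem[i]:
                if run is None:
                    run = [s["va"] + i, bytearray(), bytearray()]
                run[1].append(disk[i]); run[2].append(mem[i])
            elif run is not None:
                runs.append((run[0], bytes(run[1]), bytes(run[2]))); run = None
        if run is not None:
            runs.append((run[0], bytes(run[1]), bytes(run[2])))
    return runs

def build_sample():
    """Constructed toy image (not a real program): one .text section, FileAlignment
    0x200 and SectionAlignment 0x1000, so raw offset 0x200 lands at RVA 0x1000."""
    code = b"\x74\x05" + b"\x90" * 0x1FE                 # 0x200 bytes of section content
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)              # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # COFF header, 1 section
    struct.pack_into("<8sIIII", hdr, 0x40 + 24 + 0xE0, b".text", 0x200, 0x1000, 0x200, 0x200)
    original = bytes(hdr) + code
    dump = bytearray(0x1200)                             # what a dumper sees: sections at their RVAs
    dump[:0x200], dump[0x1000:0x1200] = hdr, code
    dump[0x1000] = 0xEB                                  # one byte the loader rewrote in memory
    return original, bytes(dump)

if __name__ == "__main__":
    print(diff_dump(*build_sample()))   # [(4096, b't', b'\xeb')]
```

Diffing the two raw byte streams instead, as in the 10,000-byte result earlier in the thread, mostly reports the alignment gap rather than patches. For a packed target the on-disk sections are not the unpacked code, so compare the dump against a clean dump of an unpatched run rather than against the packed file.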