I don't exactly understand your advise but I'll explain it to you
ofcourse I can't and I'll not tell the name of the target (I red the FAQ today

).
The target uses the lib winmm.dll three times
first to count a timer for the program itself (which I can't change because it is a function)
second time is the compare between the start time and 10 minutes limit (which I mentioned)
third time (I don't remeber)
all the three calls are from the same jmp instruction.
then go to some place virtually that the program's adresses starts from 1000blah
and ends with 1blahblah
but these adresses are 00Ablah
I took some notes that when I loaded the program with ollydbg I found that the adress of jle instruction in A04cF3, And when I loaded it in ollydbg as ATTACH file the location was A0150B so I made a trainer which patch this instruction to jmp.
worked fine for two days or more I found that the trainer is not working.
I loaded it again in ollydbg and found that the address changed to A0149b.
I tried to make a loader (I used yoda's, dup2.1, and more) but nothing happened.
I tried to patch the winmm.dll but that I xored eax before checking but this made all functions using timers didn't worked too.
I can't make a code cave for it that eax value changed lots of times.
this is part of code in the fake area
00A04CA0 2B05 9888A000 SUB EAX,DWORD PTR>
00A04CA6 3D E0930400 CMP EAX,493E0 (5 minutes in this one)
00A04CAB 0F8E 0A000000 JLE 00A04CBB
every time the addresses changes
they are 4 programs from the same company and using the same scheme and I didn't found any solution in any site.
thx for you help