Hi guy, it seems like you forgot to look at the MSDN
Quote:
The lpApplicationName parameter can be NULL. In that case, the module name must be the first white space-delimited token in the lpCommandLine string.
If you are using a long file name that contains a space, use quoted strings to indicate where the file name ends and the arguments begin; otherwise, the file name is ambiguous.
For example, consider the string "c:\program files\sub dir\program name".
This string can be interpreted in a number of ways. The system tries to interpret the possibilities in the following order:
c:\program.exe files\sub dir\program name
c:\program files\sub.exe dir\program name
c:\program files\sub dir\program.exe name
c:\program files\sub dir\program name.exe
I also had the same idea some time ago with CRegistryManager (if I'm correct; sorry, I have lost my post of ARTeam forum's past era), which on the unpacked program was doing so many checks that it took too long to avoid all of them. It was packed with Asprotect or another easily unpackable packer, so it was possible to modify the IAT in any way you want.
I created a DLL in whose DllMain I hooked CreateProcessA to point at the original unpacked .dat file. It was called passing a NULL parameter as stated above. Then I added this DLL to the Import Table using IIDKing.
The result was working excellently, and to release the patcher you can also use the QuickUnpack.dll I wrote.
Of course, this is just one way; the other one is to simply patch all the checks.
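
The resolution order from the documentation quoted in the post, as an added example that is not part of the original post: it lists the module names tried for a command line passed with a NULL lpApplicationName, and which of them are tried before the intended one, so an audit can confirm none of those earlier paths exists. The function names are hypothetical, and collapsing runs of whitespace to a single space is a simplifying assumption.

```python
import ntpath

# Constructed sample: the unquoted string from the documentation quoted above.
SAMPLE = r"c:\program files\sub dir\program name"

def _with_exe(module):
    """Append .exe when the file name has no extension, as in the quoted list."""
    has_ext = ntpath.splitext(ntpath.basename(module))[1]
    return module if has_ext else module + ".exe"

def candidate_modules(command_line):
    """Return (module, arguments) pairs in the order given in the quote."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        # Quoted module name: the closing quote ends it, so one candidate only.
        end = cmd.find('"', 1)
        if end == -1:
            return [(_with_exe(cmd[1:]), "")]
        return [(_with_exe(cmd[1:end]), cmd[end + 1:].strip())]
    tokens = cmd.split()  # assumption: runs of whitespace collapse to one space
    return [(_with_exe(" ".join(tokens[:i])), " ".join(tokens[i:]))
            for i in range(1, len(tokens) + 1)]

def tried_before(command_line, intended_module):
    """Candidates resolved before intended_module; none of them should exist."""
    earlier = []
    for module, _ in candidate_modules(command_line):
        if module.lower() == intended_module.lower():
            return earlier
        earlier.append(module)
    raise ValueError("intended module is not among the candidates")

if __name__ == "__main__":
    for module, args in candidate_modules(SAMPLE):
        print(f"{module!r:50} args={args!r}")
    print(tried_before(SAMPLE, SAMPLE + ".exe"))
```

Quoting the module name in the command line, or passing it in lpApplicationName, reduces the list to a single candidate.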