Exetools  

  #16  
Old 09-21-2004, 10:21
doug
 
Posts: n/a
Quote:
I don't know if I understand all of this topic, but relative to the .bak method, there is a well-known way to bypass the CRC check on disk: simply leave the original exe as it is and start the patched one, renamed, in the same folder... What more is needed?
GetCommandLine, GetModuleFileName and the other derivatives can give you the filename of the exe that's running.

You're assuming that the filename was hardcoded somewhere, which is usually not the case.
  #17  
Old 09-21-2004, 16:41
Michel
Friend
 
Join Date: Sep 2004
Location: France
Posts: 66
Ok, you are totally right !
  #18  
Old 09-21-2004, 22:54
Shub-Nigurrath
VIP
 
Join Date: Mar 2004
Location: Obscure Kadath
Posts: 971
Hi guys, it seems like you forgot to look at MSDN.

Quote:
The lpApplicationName parameter can be NULL. In that case, the module name must be the first white space-delimited token in the lpCommandLine string.
If you are using a long file name that contains a space, use quoted strings to indicate where the file name ends and the arguments begin; otherwise, the file name is ambiguous.
For example, consider the string "c:\program files\sub dir\program name".
This string can be interpreted in a number of ways. The system tries to interpret the possibilities in the following order:

c:\program.exe files\sub dir\program name
c:\program files\sub.exe dir\program name
c:\program files\sub dir\program.exe name
c:\program files\sub dir\program name.exe
I also had the same idea some time ago with CRegistryManager (if I'm correct; sorry, I have lost my post from the ARTeam forum's past era), which in the unpacked program was doing so many checks that it took very long to avoid all of them. It was packed with Asprotect or another easily unpackable packer, so it was possible to modify the IAT in all the ways you want.

I created a DLL in whose DllMain I hooked CreateProcessA, to point at the .dat original unpacked file. It was called passing a NULL parameter as stated above. Then, using IIDKing, I added this DLL to the Import Table.

The result was working excellently, and to release the patcher you can also use the QuickUnpack.dll I wrote.
Of course this is just one way; the other one is simply to patch all the checks.
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪)
There are only 10 types of people in the world: Those who understand binary, and those who don't
http://www.accessroot.com
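The two string-handling steps behind the post above, as an added example that is not code from the thread and not Shub-Nigurrath's DLL: module_candidates() lists, in the order MSDN gives, the module names CreateProcess tries when lpApplicationName is NULL and the command line is unquoted; redirect_command_line() is the argument rewrite a CreateProcessA hook would perform to send that call to the original unpacked file (the .dat) while keeping the caller's arguments. It is portable C with no process creation; the function names, the 260-byte path limit and the rule that ".exe" is appended only when the last path component has no extension are assumptions made for the example.

```c
/* Added example (not from the forum thread): a portable model of how
 * CreateProcess picks a module when lpApplicationName is NULL, and of the
 * command-line rewrite a CreateProcessA hook applies. No process is run. */
#include <stdio.h>
#include <string.h>

#define MAX_CAND 16
#define MAX_PATH_LEN 260   /* classic MAX_PATH, assumed for the example */

/* Pointer to the arguments following the module token: just past the
 * closing quote of a quoted token, or at the first blank otherwise. */
static const char *after_module(const char *cmdline)
{
    if (cmdline[0] == '"') {
        const char *close = strchr(cmdline + 1, '"');
        return close ? close + 1 : cmdline + strlen(cmdline);
    }
    return cmdline + strcspn(cmdline, " \t");
}

/* Default-extension rule (assumed): append ".exe" when the last path
 * component has no extension, as in MSDN's "program name.exe" example. */
static void add_default_ext(char *path, size_t sz)
{
    const char *sep = strrchr(path, '\\');
    const char *base = sep ? sep + 1 : path;
    if (strchr(base, '.') == NULL && strlen(path) + 4 < sz)
        strcat(path, ".exe");
}

/* Enumerate, in MSDN's order, the module names the system tries for an
 * unquoted command line: every prefix that ends at a blank, then the whole
 * string. A quoted command line yields exactly one candidate.
 * Returns the number of candidates stored in out. */
int module_candidates(const char *cmdline, char out[][MAX_PATH_LEN], int max)
{
    size_t len = strlen(cmdline), i;
    int n = 0;

    if (cmdline[0] == '"') {
        const char *close = strchr(cmdline + 1, '"');
        size_t l = close ? (size_t)(close - cmdline - 1) : len - 1;
        if (l >= MAX_PATH_LEN) l = MAX_PATH_LEN - 1;
        memcpy(out[0], cmdline + 1, l);
        out[0][l] = '\0';
        add_default_ext(out[0], MAX_PATH_LEN);
        return 1;
    }
    for (i = 1; i <= len && n < max; i++) {
        if (i < len && cmdline[i] != ' ' && cmdline[i] != '\t')
            continue;                       /* not a token boundary yet */
        if (i == len && (cmdline[i - 1] == ' ' || cmdline[i - 1] == '\t'))
            break;                          /* trailing blank: nothing new */
        if (i >= MAX_PATH_LEN)
            break;
        memcpy(out[n], cmdline, i);
        out[n][i] = '\0';
        add_default_ext(out[n], MAX_PATH_LEN);
        n++;
        while (i + 1 < len && (cmdline[i + 1] == ' ' || cmdline[i + 1] == '\t'))
            i++;                            /* a run of blanks is one delimiter */
    }
    return n;
}

/* The rewrite a hooked CreateProcessA applies. With lpApplicationName NULL
 * the module comes from the command line, so its module token is swapped
 * for the unpacked target and the arguments are kept. The target is quoted
 * so a blank in its path cannot be re-split the way MSDN describes.
 * Returns 0 on success, -1 if the result does not fit in out. */
int redirect_command_line(const char *app_name, const char *cmdline,
                          const char *target, char *out, size_t outsz)
{
    int w;
    if (app_name != NULL)   /* module given explicitly: the hook would swap
                               that argument instead; command line unchanged */
        w = snprintf(out, outsz, "%s", cmdline);
    else
        w = snprintf(out, outsz, "\"%s\"%s", target, after_module(cmdline));
    return (w < 0 || (size_t)w >= outsz) ? -1 : 0;
}

/* Small checks: does candidate idx / the rewrite equal what we expect? */
int candidate_count(const char *cmdline)
{
    char c[MAX_CAND][MAX_PATH_LEN];
    return module_candidates(cmdline, c, MAX_CAND);
}
int candidate_is(const char *cmdline, int idx, const char *expected)
{
    char c[MAX_CAND][MAX_PATH_LEN];
    int n = module_candidates(cmdline, c, MAX_CAND);
    return idx < n && strcmp(c[idx], expected) == 0;
}
int redirect_is(const char *app, const char *cmdline, const char *target,
                const char *expected)
{
    char out[512];
    return redirect_command_line(app, cmdline, target, out, sizeof out) == 0
        && strcmp(out, expected) == 0;
}

int main(void)
{
    /* constructed inputs: MSDN's string, and a hypothetical patched exe */
    const char *msdn = "c:\\program files\\sub dir\\program name";
    char c[MAX_CAND][MAX_PATH_LEN], out[512];
    int i, n = module_candidates(msdn, c, MAX_CAND);
    for (i = 0; i < n; i++)
        printf("try %d: %s\n", i + 1, c[i]);
    if (redirect_command_line(NULL, "patched.exe /silent",
                              "c:\\app\\original.dat", out, sizeof out) == 0)
        printf("hooked call runs: %s\n", out);
    return 0;
}
```

The candidate order is the security point of the MSDN quote: every prefix of an unquoted path is tried before the full one, so a writable directory early in such a path lets a planted program.exe run instead of the intended file. That is also why the rewrite always quotes the target it substitutes. The real hook additionally has to patch the CreateProcessA slot in the import table, which is Windows-specific and not modelled here.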
  #19  
Old 09-30-2004, 01:45
Crk
 
Posts: n/a
So far as I can see it is still possible to inline patch Aspr. 1.3x - 2.x.

Proof: hxx//www.appznet.eu.tt/Sep/Tag&Rename.v3.1.6-RES-crk.zip

Password: www.appznet.eu.tt

This one has the OEP encrypted... might be Aspr. 2.0.

Does anyone have ideas how this work was done? How to inline patch the latest Aspr. manually?
  #20  
Old 09-30-2004, 03:55
mosu
 
Posts: n/a
Norton SystemWorks 2005 released

It's time for an update. Many users will be happy.
h**p://www.omck.info/b2.php?p=952&more=1#more952