Well, I've made a little workaround and forced CreateFileA at 420155 to read DebugApiSpy.exe instead of the dumped file itself.
Code:
.00400510: E91A000000 jmp .00040052F --- (1)
.00400515: B88D85FCFB mov eax,0FBFC858D
.0040051A: AB stosd
.0040051B: 66B8FFFF mov ax,-1
.0040051F: 66AB stosw
.00400521: B050 mov al,050 ;'P'
.00400523: AA stosb
.00400524: 5F pop edi
.00400525: 6800054000 push 000400500 ;'DebugApiSpy.exe
.0040052A: E926FC0100 jmp .000420155 --- (3)
.0040052F: 57 push edi
.00400530: BF4E014200 mov edi,00042014E --- (4)
.00400535: E9DBFFFFFF jmp .000400515 --- (5)
.0040053A: 0000 add [eax],al

You have to restore the opcodes rewritten by the jmp or the progy will fail, or patch the integrity check later on.

This is my fast solution, probably someone will come up with a better solution =)

Anyway, you may use the original exe and inject into the last section with code that will dump the file to disk and pass that fname to CreateFileA.

cheers
__________________
http://accessroot.com