ooook, right here goes (ooo first post nerves :P). i just edited this executable i was messing around with that had been annoying me as it was detecting if the file had been renamed or if it had been run from outside command line. Anyways the incesant (i THINK thats how you spell it) messageboxing was annoying me. so anyhow lazy/inexperienced/stupid me tracks down the messagebox calls and with a couple of je -> jmp bingo no more messageboxes anways im not bragging cos a) i'm crap b) i'm unimaginably crap, think about how bad you would be if you were to have a full frontal lobotomy, then halve that ability c) they were short jumps, god i can't even remember the hex for a long jump.

anyway, the whole point of the above ramble is....i was wondering how it might actually check the renaming thingy?

PS anyone got any tutorials that are good for really stupid people (either C or RCE or ASM or anything remotely helpful)....but not danish, i tried that once already. its waaaay to hard to pronounce :P

Well, if it checks the name then it has to have the original name stored somewhere. Open up the EXE in a hex editor and look for the EXE's name.

-nt20

getmodulefilenamea (00) - one way
parse commandline - another
and as nikolatesla20 says its gotta store the name to compare against somewhere in the exe

Actually, - no, it doesnt have to keep a copy of the original filename.
Any kind of checksum of the name would reveal a change.

LordByte

It doesn't have to store the name but it's a good place to start.

-nt20

cheers people, i was wondering why it hadnt got the name stored everyone has been most helpful so thanks again.