Thread: New Protector
  #14  
09-02-2003, 02:12
Lunar_Dust
 
I've found the anti-autodump stuff to be working pretty well: he creates a .tmp file which contains a value calculated from the API GetTickCount(), then simply calls CreateProcess(). Looks like the new process looks for the file, gets the tick count again possibly, and decides if it's being debugged. Anyways, it hurts a debugger because it basically switched processes (or so it would seem).

It doesn't affect debugging however, except in the fact that you can't latch on to the new process like you wish you would.

Also, the program continues to ReadFile upon some file (don't know yet, haven't traced it). Once this ReadFile is in place, I notice all the original program's data is now in memory and valid, even the OEP bytes are still intact.

Beatch is going down soon, I can emulate any call I want...hehe

-Lunar

Last edited by Lunar_Dust; 09-02-2003 at 03:20.