
I have a scenario which involves a Windows application's detection mechanism. The programmers behind this application have programmed a detection mechanism which will detect virtual machines and Wine. By examining with Process Monitor, I see it does this by checking for the registry key 'HKEY_CURRENT_USER\\Wine' and some other keys made by VMs (not relevant here). If it succeeds in opening this key, it will pop up a message saying that "This applications can not run in virtual machines".
I thought it would be easier than it was to download the latest Wine source and rename every occurrence of "\\Wine\\" and "\\Wine" and "Software\\Wine" to "\\Rine\\", "\\Rine" and "Software\\Rine", respectively. This is a tedious process, partly because I am horrible with regex and partly because I just want to change the registry key, not the name of WineDbg.dll for example. I did this and compiled, made a new prefix, and tried to run the application again (with the new binary, wineserver and loader). This time, the same popup appears, and yes, Wine still creates 'HKEY_CURRENT_USER\\Wine', only this time it ALSO creates 'HKEY_CURRENT_USER\\Rine'.
I could go on and grep the source much more, but there must be an easier way to run the application. If I rename the name in regex, it will of course make a new one. My first try was to disassemble the application executable in OllyDbg, but the clever programmers have made the code self-modifying in a way, so I can't even find any API calls to open the registry (RegOpenKey), and I really don't have any experience with disassembling either.
To conclude: a Windows application checks for the Wine registry key and won't start. How can I start the application anyway, without modifying the application itself?
A big cake to whoever finds the answer!
Good evening.
