  #32  
Old 02-13-2004, 02:58
Wurstgote
Okay, I've tried something else.

1. Relocation table: Taking a look at 2EA9C4, it seems clear that the relocation table is empty, since there is only the header of the fix-up block (manipulated by ASPR?). I pushed that part to 231000, since the original relocation table should be there. After that I fixed the directory table entry to 231000. No problem.

2. Thread Local Storage: Examining addr 2ea9cc (location of the TLS directory), I found the following data:
Raw Data Start: 62F000 (- base = 22F000 => empty section)
Raw Data End: 62F01C
Index: 6140C4 (some zeros inside .data)
Callbacks: 630010 (- base = 230010; hmmm... looks interesting, since at 630000 there's an exact copy of the TLS at 2ea9cc...)
Size of Zerofill: 0
Characteristics: 0

First I simply tried to transfer those 24 bytes to 22e00 and fix the directory table entry for TlsTable accordingly. It works, as long as I don't delete the .data section.

Now I haven't got the slightest idea how to proceed...
At the moment I'm trying to find out whether any code in the .data section is executed, but it doesn't look like that happens.

So I'm afraid I'll need another hint.

Regards
Wurstgote
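The two directories the post inspects by hand, decoded programmatically. This is an added example and not code from the post or the thread: it unpacks a 24-byte IMAGE_TLS_DIRECTORY32, converts its VA fields to RVAs and places them in a section table, walks the NULL-terminated callback array, and parses base-relocation (fix-up) blocks so a header-only block is recognised as an empty table. The image base 0x400000 (the "- base" arithmetic in the post), the section names and layout, and every byte string below are constructed for illustration; the constructed TLS window only mirrors the addresses the post lists and proves nothing about the real binary.

```python
"""Decode IMAGE_TLS_DIRECTORY32 and base-relocation blocks from constructed bytes.
Image base, section table and all sample data are assumptions for illustration."""
import struct

IMAGE_BASE = 0x400000  # assumption: matches the "- base" arithmetic in the post

# Constructed section table: (name, RVA, virtual size, raw size on disk).
# Raw size 0 means the section has no file bytes ("empty section").
SECTIONS = [
    (".text",  0x001000, 0x200000, 0x200000),
    (".data",  0x201000, 0x02E000, 0x02E000),
    (".empty", 0x22F000, 0x001000, 0x000000),
    (".aspr",  0x230000, 0x001000, 0x001000),
]

TLS_FIELDS = ("StartAddressOfRawData", "EndAddressOfRawData", "AddressOfIndex",
              "AddressOfCallBacks", "SizeOfZeroFill", "Characteristics")
TLS_VA_FIELDS = TLS_FIELDS[:4]  # the first four fields are VAs, not RVAs


def parse_tls_directory(blob):
    """Unpack the 24-byte IMAGE_TLS_DIRECTORY32 (six little-endian DWORDs)."""
    if len(blob) < 24:
        raise ValueError("TLS directory needs 24 bytes")
    return dict(zip(TLS_FIELDS, struct.unpack_from("<6I", blob)))


def section_for_rva(rva, sections=SECTIONS):
    """Return (section name, has_no_raw_data) for an RVA, or (None, False)."""
    for name, va, vsize, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return name, rawsize == 0
    return None, False


def locate_tls_fields(tls, sections=SECTIONS, image_base=IMAGE_BASE):
    """Map each VA field of the TLS directory to (RVA, section, section_is_empty)."""
    return {name: (tls[name] - image_base,) + section_for_rva(tls[name] - image_base, sections)
            for name in TLS_VA_FIELDS}


def read_dword(window, rva):
    """Read a DWORD at an RVA from a (base_rva, bytes) memory window."""
    base, data = window
    off = rva - base
    if off < 0 or off + 4 > len(data):
        raise ValueError("rva %#x is outside the window" % rva)
    return struct.unpack_from("<I", data, off)[0]


def read_tls_callbacks(window, callbacks_va, image_base=IMAGE_BASE, limit=64):
    """Walk the NULL-terminated array of callback VAs that AddressOfCallBacks points to."""
    callbacks, rva = [], callbacks_va - image_base
    for _ in range(limit):
        va = read_dword(window, rva)
        if va == 0:
            break
        callbacks.append(va)
        rva += 4
    return callbacks


def parse_reloc_directory(blob):
    """Split the relocation directory into [(page_rva, [(type, rva), ...]), ...].

    Each block is an 8-byte IMAGE_BASE_RELOCATION header (VirtualAddress, SizeOfBlock)
    followed by WORD entries: type in the high 4 bits, page offset in the low 12.
    Type 0 (IMAGE_REL_BASED_ABSOLUTE) is alignment padding and is dropped.
    """
    blocks, off = [], 0
    while off + 8 <= len(blob):
        page_rva, size = struct.unpack_from("<II", blob, off)
        if size == 0:
            break  # zero-terminated directory
        if size < 8 or size % 2 or off + size > len(blob):
            raise ValueError("malformed fix-up block at offset %#x" % off)
        count = (size - 8) // 2
        entries = struct.unpack_from("<%dH" % count, blob, off + 8) if count else ()
        blocks.append((page_rva, [(e >> 12, page_rva + (e & 0xFFF)) for e in entries if e >> 12]))
        off += size
    return blocks


def relocation_table_is_empty(blocks):
    """True when no block carries a real fix-up (header-only blocks, as in the post)."""
    return all(not fixups for _, fixups in blocks)


# --- constructed samples mirroring the values the post lists ------------------
TLS_DIR = struct.pack("<6I", 0x62F000, 0x62F01C, 0x6140C4, 0x630010, 0, 0)
# A copy of the TLS directory at RVA 0x230000 followed by zeros: AddressOfCallBacks
# (0x630010) then lands on the copy's SizeOfZeroFill field, which is 0.
ASPR_WINDOW = (0x230000, TLS_DIR + b"\0" * 8)
# A window holding two real callbacks plus the terminating NULL, for comparison.
CALLBACK_WINDOW = (0x230000, struct.pack("<3I", 0x401000, 0x401020, 0))
# Header-only fix-up block (SizeOfBlock == 8): a relocation table with no entries.
EMPTY_RELOC = struct.pack("<II", 0x1000, 8)
# One block with three HIGHLOW (type 3) fix-ups and one ABSOLUTE padding entry.
REAL_RELOC = struct.pack("<II", 0x1000, 16) + struct.pack(
    "<4H", 0x3000 | 0x010, 0x3000 | 0x024, 0x3000 | 0x03C, 0)

if __name__ == "__main__":
    tls = parse_tls_directory(TLS_DIR)
    for name, (rva, sec, empty) in locate_tls_fields(tls).items():
        print("%-22s VA %#x -> RVA %#x in %s%s" % (name, tls[name], rva, sec, " (empty)" if empty else ""))
    print("callbacks:", [hex(c) for c in read_tls_callbacks(ASPR_WINDOW, tls["AddressOfCallBacks"])])
    print("reloc table empty:", relocation_table_is_empty(parse_reloc_directory(EMPTY_RELOC)))
```

In the constructed layout the callback walk stops immediately because the pointer hits a zero DWORD, which is exactly what the "copy of the TLS at 630000" observation would imply if it holds for the real file; checking that against the actual bytes is the step to take before deciding the callback array can be ignored. When moving a TLS directory, the four VA fields stay valid only while the data they point to stays at the same RVAs, which is why a dependency on .data survives even after the 24 bytes themselves are relocated.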