Old 02-15-2004, 15:35
Satyric0n
britedream, I'm afraid I don't understand what you're saying. In my dump the error comes from the instruction at 57891E: POP DWORD PTR DS:[EBX]

The flow of logic in my dump is as follows:
Code:
00578911 |. MOV EAX,DWORD PTR DS:[40781E] ; Moves 62A43C into EAX
00578917 |. MOV EBX,DWORD PTR DS:[EAX]    ; Moves 77E7AD86 (address of kernel32.GetModuleHandleA) into EBX; before dumping, this is instead the address of ASPR's emulation of GetModuleHandleA
00578919 |. PUSH DWORD PTR DS:[EBX]       ; Pushes 04247C83 onto the stack (CMP DWORD PTR SS:[ESP+4],0 is instruction at 77E7AD86)
0057891B |. MOV DWORD PTR SS:[EBP-4],EBX  ; Moves 77E7AD86 to [EBP-4], which will be the data that POPs into ECX
0057891E |. POP DWORD PTR DS:[EBX]        ; Tries to POP 04247C83 back to 77E7AD86; throws exception because data in kernel32 is not writable; does not throw an exception before unpacking, because ASPR's code is writable
00578920 |. MOV EAX,DWORD PTR SS:[EBP-4]  ; Moves 77E7AD86 to EAX
Because the instructions at 578919 and 57891E do not do anything functional, but are merely ASPR checks to see if that kernel32 code is writable, my suggestion was just to NOP them out.

Maybe I just do not understand what you are suggesting to change the code to? Which instructions are you saying should be changed to fix this problem?

Regards,
Satyric0n

Last edited by Satyric0n; 02-15-2004 at 15:49.
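An added example (not from this thread) that reproduces the check in C on Linux: it reads a dword from a real library export's code page and writes the same value back, exactly what the PUSH DWORD PTR [EBX] / POP DWORD PTR [EBX] pair does, and catches the fault that the read-only page raises; against a private writable copy of the same bytes, standing in for ASPR's emulated GetModuleHandleA, the identical write succeeds. getpid as the stand-in export and the helper names are my assumptions.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf probe_jmp;
static void probe_fault(int sig) { (void)sig; siglongjmp(probe_jmp, 1); }

/* Same effect as PUSH DWORD PTR [EBX] / POP DWORD PTR [EBX]: read the dword
 * at addr and write the identical value back. Returns 1 if the write lands
 * (page writable) or 0 if it faults (page read-only, like kernel32's code). */
int write_back_probe(volatile uint32_t *addr) {
    struct sigaction sa, old_segv, old_bus;
    volatile int writable = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* some platforms raise SIGBUS instead */
    if (sigsetjmp(probe_jmp, 1) == 0) {
        uint32_t v = *addr;             /* PUSH DWORD PTR [EBX] */
        *addr = v;                      /* POP DWORD PTR [EBX]: faults if read-only */
        writable = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return writable;
}

/* The dumped case: the pointer goes to the real library export (getpid here
 * stands in for kernel32.GetModuleHandleA), whose code page is not writable. */
int probe_real_export(void) {
    return write_back_probe((volatile uint32_t *)(uintptr_t)getpid);
}

/* The packed case: the pointer goes to a private, writable copy of the
 * export's first bytes, like ASPR's emulation stub, so the write succeeds. */
int probe_writable_stub(void) {
    uint32_t *stub = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                          MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (stub == MAP_FAILED) return -1;
    memcpy(stub, (const void *)(uintptr_t)getpid, sizeof *stub);
    int r = write_back_probe(stub);
    munmap(stub, 4096);
    return r;
}
```

probe_real_export() returns 0 and probe_writable_stub() returns 1, which is the difference between the dumped binary that throws at 57891E and the packed one that runs through it.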