  #12  
03-21-2004, 11:33
Pompeyfan
 
Hi,

I was going okay with your instructions until here:

"the next call checks if target ep start at 1000, inside the call change the last two je to jmp, next call, put retn inside"

How do you mean, put a retn inside the next call? Inside this call I have:

0041040C /$ 55 PUSH EBP
0041040D |. 8BEC MOV EBP,ESP
0041040F |. 51 PUSH ECX
00410410 |. 53 PUSH EBX
00410411 |. 8B05 C6554000 MOV EAX,DWORD PTR DS:[4055C6] ; <&kernel32.GetModuleHandleA>
00410417 |. 8B18 MOV EBX,DWORD PTR DS:[EAX]
00410419 |. FF33 PUSH DWORD PTR DS:[EBX]
0041041B |. 895D FC MOV DWORD PTR SS:[EBP-4],EBX
0041041E |. 8F03 POP DWORD PTR DS:[EBX]
00410420 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00410423 |. 5B POP EBX
00410424 |. 59 POP ECX
00410425 |. 5D POP EBP
00410426 \. C3 RETN

and if I F8 from here, I hit an access violation, and the file corrupted message comes up soon after.

What should I change in this call, and why?

I really appreciate your help.