  #3  
Old 06-08-2004, 02:16
Perdition
 
Hi britedream, thank you for the reply.

I'm kicking myself for being so close to the OEP. The reason I got 575DFF was because I thought all the 0's counted as stolen, and so I had 1 extra byte to fill in. Because of this, these were the stolen bytes I was using:

PUSH EBP
MOV EBP,ESP
SUB ESP,10
PUSH EAX (needed to fill 1 byte, and this looked like a stolen byte)
MOV EBX,AddressB.00575770 (because EAX was 0 and EBX contained the address)

Why is there one fewer stolen byte, i.e. how do you know when not to fill in all the 0's?

Also, even with your stolen bytes I can't get the program to run. I fixed the dump according to R@dier's tut (and made sure "Fix EP to OEP" was unchecked) and also checked the EP with LordPE, and it seems to be OK (175E00 = 575E00 - 400000). When I run the program it just does nothing, no error or anything. I think I'm close, but I need a little more of your expert help.

btw I like your method for finding stolen bytes, it's a lot quicker than the NOP method!
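As an added illustration of the dump-fixing step discussed in this post (this is example code written for this page, not code from the thread, from R@dier's tut, or from LordPE), the script below does by hand what the post checks by eye: it takes the image base and the OEP from the PE header, turns the OEP VA into an RVA (575E00 - 400000 = 175E00), maps that RVA to a file offset through the section table, writes the stolen bytes into the empty hole at the OEP, and sets AddressOfEntryPoint to the OEP RVA. It assumes the stolen sequence is the post's list without the extra PUSH EAX (push ebp / mov ebp,esp / sub esp,10 / mov ebx,00575770, 11 bytes); the image it operates on is a constructed minimal PE32 file standing in for the real dump, with one section and the entry point still on the packer stub. The script refuses to write if the target bytes are not all zero, which catches the case where the OEP (and so the byte count) is off by one and the patch would overwrite surviving code.

```python
import struct

# Values taken from the post: OEP at VA 0x575E00, image base 0x400000,
# so the EP RVA that LordPE should show is 0x175E00.
IMAGE_BASE = 0x400000
OEP_VA = 0x575E00

# ASSUMPTION: stolen sequence is the post's list without the extra PUSH EAX.
STOLEN_BYTES = bytes([
    0x55,                          # push ebp
    0x8B, 0xEC,                    # mov ebp,esp
    0x83, 0xEC, 0x10,              # sub esp,10
    0xBB, 0x70, 0x57, 0x57, 0x00,  # mov ebx,00575770
])


def pe_header_offset(img):
    """File offset of the 'PE\\0\\0' signature, via e_lfanew at 0x3C."""
    if img[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", img, 0x3C)
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew


def optional_header_offset(img):
    return pe_header_offset(img) + 4 + 20  # signature + COFF header


def image_base(img):
    return struct.unpack_from("<I", img, optional_header_offset(img) + 28)[0]


def get_entry_point(img):
    """AddressOfEntryPoint, an RVA (what LordPE displays as EP)."""
    return struct.unpack_from("<I", img, optional_header_offset(img) + 16)[0]


def set_entry_point(img, rva):
    struct.pack_into("<I", img, optional_header_offset(img) + 16, rva)


def sections(img):
    pe = pe_header_offset(img)
    nsect = struct.unpack_from("<H", img, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", img, pe + 20)[0]   # SizeOfOptionalHeader
    table = pe + 4 + 20 + opt_size
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", img, table + 40 * i)
        yield name.rstrip(b"\0"), vsize, va, rawsize, rawptr


def rva_to_offset(img, rva):
    """Map an RVA to a file offset through the section table."""
    for _name, vsize, va, rawsize, rawptr in sections(img):
        if va <= rva < va + max(vsize, rawsize):
            delta = rva - va
            if delta >= rawsize:
                raise ValueError("RVA %#x has no raw data in the file" % rva)
            return rawptr + delta
    raise ValueError("RVA %#x is outside every section" % rva)


def stolen_hole_is_empty(img, oep_va, count):
    """True if the `count` bytes at the OEP are still zero (nothing to overwrite)."""
    off = rva_to_offset(img, oep_va - image_base(img))
    return not any(img[off:off + count])


def patch_stolen_bytes(img, oep_va, stolen):
    """Write the stolen bytes at the OEP and point the EP there; returns the EP RVA."""
    base = image_base(img)
    if oep_va < base:
        raise ValueError("OEP %#x is below image base %#x" % (oep_va, base))
    rva = oep_va - base                       # the post's check: 575E00 - 400000 = 175E00
    off = rva_to_offset(img, rva)
    if not stolen_hole_is_empty(img, oep_va, len(stolen)):
        raise ValueError("bytes at %#x are not empty, refusing to overwrite code" % oep_va)
    img[off:off + len(stolen)] = stolen
    set_entry_point(img, rva)
    return rva


def build_sample_image():
    """Constructed stand-in for the dump: one section, EP still on the packer stub."""
    img = bytearray(0x1400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                   # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # COFF: i386, 1 section, optional header 0xE0 bytes, EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                   # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x1000)             # EP: packer stub, not the OEP
    struct.pack_into("<I", img, opt + 28, IMAGE_BASE)
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)     # section / file alignment
    struct.pack_into("<II", img, opt + 56, 0x176000, 0x400)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", img, opt + 92, 16)                 # NumberOfRvaAndSizes
    # .text: RVA 0x175000, raw data at file offset 0x400, 0x1000 bytes, CODE|EXEC|READ
    struct.pack_into("<8sIIIIIIHHI", img, opt + 0xE0,
                     b".text", 0x1000, 0x175000, 0x1000, 0x400, 0, 0, 0, 0, 0x60000020)
    img[0x400:0x1400] = b"\xCC" * 0x1000                      # stand-in for surviving code
    hole = 0x400 + (OEP_VA - IMAGE_BASE - 0x175000)           # file offset 0x1200
    img[hole:hole + len(STOLEN_BYTES)] = bytes(len(STOLEN_BYTES))  # the zeroed stolen bytes
    return img


if __name__ == "__main__":
    dump = build_sample_image()
    print("EP before fix: %#x" % get_entry_point(dump))
    print("new EP RVA:    %#x" % patch_stolen_bytes(dump, OEP_VA, STOLEN_BYTES))
    print("EP after fix:  %#x" % get_entry_point(dump))
```

On a real dump you would read the file into a bytearray, call patch_stolen_bytes with the OEP VA and the stolen bytes, and write it back. The empty-hole check is the practical guard for the off-by-one the post describes: if the byte count or the OEP is wrong by one, the patch either lands on a non-zero byte and is refused, or leaves a zero byte (ADD [EAX],AL) in front of the real code, which is one reason a fixed dump can silently do nothing when run.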