Hey guys !
I've attached an dll. Let me first tell you im not making un unpack request in particual so I think I posted in the right category
As you can see, the DLL is packed with Neolite 2. The first bytes at the EP is an E9 A6 00 00 so a short jump to the start of the neolite unpack routine.
But I noticed a very strange thing !!! As soon as I load the DLL in olly, those first four bytes are actually CHANGED to E9 24 D9 FA FF which looks like an jump to a routine in the dll itself which almost immideatly terminated the dll.
How can that first jump be changed and by who ??? I know it is not a relocation adress as it is not listed in the reloc table..
Really like to know how this is possible ??? Maybe its something small but I cant seem to figure it out ! :P