Hi guys,
Summary:
Quote:
Doing Lena's tutorial CP6
ImageBase + AddressOfEntryPoint info is not matching with real EP of program.
Q: Why is that?
I have been following Lena's tutorials on RE and I have understood everything up to now.
I'm in chapter 6 at the moment and I got lost inside the PE while exploring it before watching the chapter, so I thought "nice timing for practicing what I have learned up to now"...
So I found out that I was inside one of the window modules (a DLL, I think), and as the EIP was pointing to part of the code inside that DLL, I searched my way out to the main program using Olly's "Executable Modules" window. Then I used the "Memory" window to find the information about the EP and I got this:
Code:
00340118 DF310600 DD 000631DF ; AddressOfEntryPoint = 631DF
00340124 0000417E DD 7E410000 ; ImageBase = 7E410000
The deal is that when I start the program the EP is located here:
Code:
0060A8EC p>/$ 55 PUSH EBP
So, I double-checked the other tutorial files and all of their EPs correspond to the ImageBase + AddressOfEntryPoint. This executable is not packed or anything, so can somebody explain to me what is going on? Why is it differing in such a way?
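
An added example, not part of the original post: a small Python parser that locates AddressOfEntryPoint and ImageBase in a PE header and computes the entry-point address from them, for PE32 and PE32+. The header bytes are constructed here from the two values in the dump above (e_lfanew = 0xF0 is inferred from the dump addresses, taking the header to start at 00340000); the function names are this example's own.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

def parse_entry_fields(image: bytes) -> dict:
    """Read AddressOfEntryPoint (an RVA) and ImageBase from a PE header."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip PE signature and IMAGE_FILE_HEADER
    (magic,) = struct.unpack_from("<H", image, opt)
    (entry_rva,) = struct.unpack_from("<I", image, opt + 16)
    if magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", image, opt + 28)
    elif magic == PE32PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", image, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    return {"opt_offset": opt, "entry_rva": entry_rva, "image_base": image_base}

def entry_va(fields: dict, load_base=None) -> int:
    """Entry VA = base + RVA; base is the header's ImageBase (the preferred
    base) unless the address the module is actually mapped at is passed in."""
    base = fields["image_base"] if load_base is None else load_base
    return base + fields["entry_rva"]

def build_sample_header() -> bytes:
    """Constructed sample: a bare PE32 header holding the dump's two values."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0xF0)            # e_lfanew (inferred)
    buf[0xF0:0xF4] = b"PE\0\0"
    opt = 0xF0 + 24                                    # 0x108
    struct.pack_into("<H", buf, opt, PE32_MAGIC)
    struct.pack_into("<I", buf, opt + 16, 0x000631DF)  # bytes DF 31 06 00
    struct.pack_into("<I", buf, opt + 28, 0x7E410000)  # bytes 00 00 41 7E
    return bytes(buf)

if __name__ == "__main__":
    fields = parse_entry_fields(build_sample_header())
    print("AddressOfEntryPoint RVA: %08X" % fields["entry_rva"])
    print("ImageBase:               %08X" % fields["image_base"])
    print("ImageBase + RVA:         %08X" % entry_va(fields))
```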