Finding Correct EP

Hi guys,

Summary:

Quote:

Doing Lena's tutorial CP6
ImageBase + AddressOfEntryPoint info is not matching with real EP of program.

Q: Why is that?

I have been following Lena's tutorials on RE and I have understood everything up to now.

Im in chapter 6 at the moment and I got lost inside the PE while exploring it before watching the chapter, so I thought "nice timing for practicing what i have learned up to now"...

So I found out that I was inside one of the window modules (a dll i think) and as the EIP was pointing to part of the code inside that dll i searched my way out to the main program using Olly's "Executable Modules" window. Then used the "Memory" window to find the information about the EP and I got this:

Code:

00340118    DF310600    DD 000631DF          ;  AddressOfEntryPoint = 631DF
00340124    0000417E    DD 7E410000          ; ImageBase = 7E410000

The deal is that when i start the program the EP is located here:

Code:

0060A8EC p>/$  55                PUSH EBP

So, I double checked the other tutorial files and all of their EP's correspond to the ImageBase + AddressOfEntryPoint. This executable is not packed or anything so can somebody explain me what is going on? why is it differing in such a way?