Stupid question: module has entry point outside of code???

if you set the BaseOfCode field w/ yielding alignment to the Memory Alignment that adheres to AddrOfEntrypoint field then you wont get that message.

so like..you get this message typically w/ Packed/Protected files or viriis...anyways heres example:

3 sections:
.text
.data
.foo

So if the file was assemblded normally the entrypoint would be in .text like 1000h or something and baseofcode would prolly by rva of 1000h so if .foo is at rva 4000h just set baseofcode to that and then keep the ep of .foo like what it might be like 4028h...anyways PE loader dont give rats ass about BaseOfCode field..ive never seen it in use atleast.

Sorry guys but when you talk PE stuff to me you must be more clear.

phax, are you saying that UPX packing and upacking left PE section flags untouched but it did alter relocation, debug and import table values in PE header?

archphase, I suppose you are saying that olly's message disappears if BaseOfCode and SizeOfCode are such that the EP is included in what PE header declares being code.
But I did not understand the following sentences in your post:

1) yielding alignment to the Memory Alignment that adheres to AddrOfEntrypoint field
2) so if .foo is at rva 4000h just set baseofcode to that and then keep the ep of .foo like what it might be like 4028h

Could you please clarify their meaning?


yaa

OK, well like say our original EP was like 1010h which could be in our .text section, you'd also notice that OptionalHeader field .BaseOfCode would be 1000h or the RVA of .text in memory -- you can check this w/ .text Section Header field aswell..

Anyways if the file is packed and a new section is added like e.g: .foo at RVA 4000h and entrypoint is now 4010h in .foo and BaseOfCode is not updated then you get your info message from olly.