bart,

it is not a question of EP being or not inside the first section but of EP being inside a section that is not marked as being code. And as I already said, the application is not packed (it was initially packed with UPX). Can it be that UPX does not reset PE header to its original values when used to decompress a packed app???

Anyhow, what I still don't get is how sections that are both not marked as code and as executable (based on their section flags) and that are also not marked as code (based on PE header values) can still be executed as code without problems!!



yaa