  #2  
01-02-2005, 23:00
ne_viens
 
The end of the unpacking routine looks like this (popa is a good indicator):

Code:
;.....
                add     eax, [ebp+422h]
                pop     ecx
                or      ecx, ecx
                mov     [ebp+3A8h], eax ; fills the push 0 with
                                        ; OEP address below
                popa
                jnz     short goon
                mov     eax, 1
                retn    0Ch
goon:
                push    0
                retn
But... why don't you want to unpack the application entirely, add your code,
and run it?
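The stub tail shown in the post, turned into a static byte-pattern check for analysts (an added example, not part of the original post). It assumes the standard 32-bit x86 encodings of the listed instructions; `find_stub_tails`, `_sample` and the sample address are constructed for illustration.

```python
import struct

# Standard 32-bit x86 encodings of the instructions in the listing above.
# None marks a wildcard byte: the push operand that the stub overwrites.
TAIL = [
    0x61,                          # popa
    0x75, 0x08,                    # jnz short goon (skips the 8 bytes below)
    0xB8, 0x01, 0x00, 0x00, 0x00,  # mov eax, 1
    0xC2, 0x0C, 0x00,              # retn 0Ch
    0x68, None, None, None, None,  # goon: push imm32 (0 until patched)
    0xC3,                          # retn
]
PUSH_OPERAND = TAIL.index(None)    # offset of imm32 inside the pattern


def find_stub_tails(buf):
    """Return (popa_offset, operand_offset, imm32) for every match in buf."""
    hits = []
    first = bytes([TAIL[0]])
    start = buf.find(first)
    # Stop as soon as a full pattern can no longer fit in the buffer.
    while start != -1 and start + len(TAIL) <= len(buf):
        window = buf[start:start + len(TAIL)]
        if all(p is None or p == b for p, b in zip(TAIL, window)):
            op = start + PUSH_OPERAND
            (imm,) = struct.unpack_from("<I", buf, op)
            hits.append((start, op, imm))
        start = buf.find(first, start + 1)
    return hits


def _sample(imm):
    # Constructed test bytes, not taken from any real binary.
    tail = bytes(0 if b is None else b for b in TAIL)
    tail = tail[:PUSH_OPERAND] + struct.pack("<I", imm) + tail[PUSH_OPERAND + 4:]
    # Leading bytes include a stray 0x61 that must not match on its own.
    return b"\x90\x61\x90\x90" + tail + b"\x90\x90"


if __name__ == "__main__":
    # Operand is 0 in the file image and holds the patched address in a dump.
    for label, imm in (("file image", 0), ("memory dump", 0x00401000)):
        for popa, op, val in find_stub_tails(_sample(imm)):
            print(f"{label}: popa +{popa:#x}, operand +{op:#x} = {val:#010x}")
```

A zero operand means the buffer is the unmodified file image; a non-zero operand in a memory dump is the value the stub wrote into the `push`.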