It was out of PITY for de!’s hard work that I did not post the password. I did not forget it! de! IF YOU DARE, make a comment in this blog challenging me to post your PW and I will do so! For ALL to see.
TSRh is HACKED and its security TOTALLY COMPROMISED but you fail to see it. See my today’s post where I posted the proof!
You have executable-can-move checked in DllCharacteristics and relocations are present, thus Windows 7+ loads the executable at a random address; the imagebase is just the preferred address. But as you can see in the opcodes, you are hardcoding your VA, which will then be invalid.
Better to choose a relative jump directly, which doesn't encode an absolute VA but rather the location relative to the current address. Use the following and avoid all issues with the location of the executable:
000000013F44D000 E9 FB3FFEFF jmp 13F431000
If you are wondering how to get “FB3FFEFF”:
(0x000000013F44D000 - 114693) + 5 -> FB3FFEFF
where 0x000000013F44D000 is the current address, 114693 is the difference to the new location and 5 the size of the jump instruction itself.
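An added example, not part of the original comment: the `E9` rel32 encoding for the addresses quoted above, computed as target minus the address of the next instruction, with a range check and a check that the bytes do not change when the image is relocated. The function names and the slide value are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_REL32_LEN 5  /* E9 opcode + 4-byte displacement */

/* Encode `jmp rel32` placed at `from` and landing on `to`.
 * Returns 0 on success, -1 if `to` is not reachable with a signed 32-bit displacement. */
int encode_jmp_rel32(uint64_t from, uint64_t to, uint8_t out[JMP_REL32_LEN])
{
    /* The CPU adds the displacement to the address of the NEXT instruction. */
    int64_t disp = (int64_t)(to - (from + JMP_REL32_LEN));
    if (disp < INT32_MIN || disp > INT32_MAX)
        return -1;
    uint32_t d = (uint32_t)(int32_t)disp;
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)          /* displacement is stored little-endian */
        out[1 + i] = (uint8_t)(d >> (8 * i));
    return 0;
}

/* Recover the landing address of a `jmp rel32` located at `from`. */
uint64_t decode_jmp_rel32(uint64_t from, const uint8_t in[JMP_REL32_LEN])
{
    uint32_t d = 0;
    for (int i = 0; i < 4; i++)
        d |= (uint32_t)in[1 + i] << (8 * i);
    return from + JMP_REL32_LEN + (uint64_t)(int64_t)(int32_t)d;
}

/* 1 if the encoding is identical after the whole image is moved by `slide`. */
int same_bytes_after_slide(uint64_t from, uint64_t to, uint64_t slide)
{
    uint8_t a[JMP_REL32_LEN], b[JMP_REL32_LEN];
    if (encode_jmp_rel32(from, to, a) || encode_jmp_rel32(from + slide, to + slide, b))
        return 0;
    return memcmp(a, b, sizeof a) == 0;
}

int main(void)
{
    uint8_t op[JMP_REL32_LEN];
    const uint64_t from = 0x13F44D000ULL, to = 0x13F431000ULL; /* addresses from the comment */
    if (encode_jmp_rel32(from, to, op) != 0) return 1;
    for (int i = 0; i < JMP_REL32_LEN; i++) printf("%02X ", op[i]);
    printf("-> %llX, slide-safe: %d\n",
           (unsigned long long)decode_jmp_rel32(from, op),
           same_bytes_after_slide(from, to, 0x2A0000ULL)); /* constructed slide value */
    return 0;
}
```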