[Deleted original reply, due to me being stupid]
OK, so I read/watched some tutorials from the GHA and on YouTube, and found out how to "look" at what's inside said address. What I got is quoted below (I edited out which game's EXE was given full access... so please bear with me!)
Alloc( MyCode, 2048 ) ; Allocate 2,048 bytes and store the allocated address into MyCode, which we use as the location where our new code goes.
Label( OverwrittenCode ) ; The code that was overwritten by the JMP to MyCode will go here.
Label( Exit ) ; JMP here to exit our custom code and go back to the original code.
Label( Return ) ; The location of the next instruction of the original code.
FullAccess( BlahBlahBlah.exe+0x0013E1E2, 2048 )
BlahBlahBlah.exe+0x0013E1E2 :
jmp MyCode ; A 5-byte jmp. It exactly covers fstp (2 bytes) + retn 14 (3 bytes), so no nop padding is needed at this site.
Return :
MyCode : ; The allocated address. Put your code after this.
OverwrittenCode : ; The overwritten code (code that was overwritten by the JMP to MyCode).
fstp dword ptr [ecx] ; Pops ST(0) and stores it as a 32-bit float at [ecx].
retn 14 ; Returns to the caller straight from the cave, so the jmp Return below is never reached.
Exit : ; Automatic JMP back to the original code, or you can JMP Return directly to avoid coming here.
jmp Return
I'm unsure where to progress from here?
[edit] I also took an educated guess from following what you guys have been saying in this thread, and the GHA. So I looked at 53E1E2 ECX, and looked above it... there being a MOV ECX,DWORD PTR. Inside that MOV I found this:
Alloc( MyCode, 2048 ) ; Allocate 2,048 bytes and store the allocated address into MyCode, which we use as the location where our new code goes.
Label( OverwrittenCode ) ; The code that was overwritten by the JMP to MyCode will go here.
Label( Exit ) ; JMP here to exit our custom code and go back to the original code.
Label( Return ) ; The location of the next instruction of the original code.
FullAccess( BlahBlahBlah.exe+0x0013E1DE, 2048 )
BlahBlahBlah.exe+0x0013E1DE :
jmp MyCode
nop ; Pads the 6 overwritten bytes (mov = 4, fstp = 2) so the 5-byte jmp leaves no partial instruction behind.
Return : ; Here this is BlahBlahBlah.exe+0x0013E1E4, the original retn 14.
MyCode : ; The allocated address. Put your code after this.
OverwrittenCode : ; The overwritten code (code that was overwritten by the JMP to MyCode).
mov ecx, dword ptr [esp+4] ; ecx = the dword at [esp+4], the pointer the float is then stored to.
fstp dword ptr [ecx] ; Pops ST(0) and stores it as a 32-bit float at [ecx].
Exit : ; Automatic JMP back to the original code, or you can JMP Return directly to avoid coming here.
jmp Return
I'm not exactly sure what I'm looking at, but it "looks" to a novice like me that this is looking at my ECX in some way!
PS: To recap thus far, this is me auto-assembling + injecting to get to this screen on the address:
"0053E1E2 FSTP DWORD PTR [ECX]" & "0053E1DE MOV ECX, DWORD PTR [ESP+4]"
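What the two templates in the post do at the byte level, as an added C example (not code from the post, the GHA template, or any injector). It builds the hook-site patch (E9 jmp rel32 plus NOP padding) and the code cave (the stolen instructions followed by the jmp back to Return) for both sites from the post, in plain buffers rather than a live process, and checks that the two halves connect. The stolen bytes are the standard x86 encodings of the instructions shown in the post's disassembly (fstp dword ptr [ecx] = D9 19, retn 14 = C2 14 00, mov ecx,[esp+4] = 8B 4C 24 04); the addresses 0x0053E1E2 and 0x0053E1DE are the post's own; the cave address 0x00A00000 is an assumption standing in for whatever Alloc(MyCode) returned. It shows why the second site needs one nop (6 stolen bytes against a 5-byte jmp) and the first does not, and it rejects a stolen span shorter than the jmp. One caveat the check does not cover: stolen instructions are copied verbatim, so they must not contain their own relative jumps or calls (those would need re-encoding at the cave address); the two spans here are fine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: the jmp-to-cave template simulated in byte buffers.
 * 32-bit x86 addresses throughout; nothing is written into a process. */

#define JMP_REL32_LEN 5   /* E9 xx xx xx xx */
#define NOP 0x90

/* rel32 operand of a "jmp rel32" located at `from` that must land on `to`.
 * The CPU adds it to the address of the next instruction, modulo 2^32. */
uint32_t jmp_rel32_value(uint32_t from, uint32_t to)
{
    return to - (from + JMP_REL32_LEN);
}

/* Emit E9 rel32 into out[] (little-endian operand); returns bytes written. */
size_t encode_jmp_rel32(uint8_t *out, uint32_t from, uint32_t to)
{
    uint32_t rel = jmp_rel32_value(from, to);
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(rel >> (8 * i));
    return JMP_REL32_LEN;
}

/* Decode the target of an E9 jmp whose first byte sits at address `at`. */
uint32_t decode_jmp_target(const uint8_t *p, uint32_t at)
{
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++)
        rel |= (uint32_t)p[1 + i] << (8 * i);
    return at + JMP_REL32_LEN + rel;
}

/* Hook-site patch: "jmp MyCode" then NOPs over the rest of the stolen span,
 * so no partial instruction is left behind. Returns 0 if the stolen span is
 * shorter than the 5-byte jmp (the caller must steal more instructions). */
size_t build_site_patch(uint8_t *patch, uint32_t site, uint32_t cave, size_t stolen_len)
{
    if (stolen_len < JMP_REL32_LEN)
        return 0;
    size_t n = encode_jmp_rel32(patch, site, cave);
    while (n < stolen_len)
        patch[n++] = NOP;
    return n;
}

/* Code cave: [payload] [stolen instructions] [jmp Return], where Return is
 * the first original instruction after the stolen span. */
size_t build_cave(uint8_t *buf, uint32_t cave, const uint8_t *payload, size_t payload_len,
                  const uint8_t *stolen, size_t stolen_len, uint32_t site)
{
    size_t n = 0;
    if (payload_len) { memcpy(buf, payload, payload_len); n += payload_len; }
    memcpy(buf + n, stolen, stolen_len);
    n += stolen_len;
    n += encode_jmp_rel32(buf + n, cave + (uint32_t)n, site + (uint32_t)stolen_len);
    return n;
}

/* Build both halves and check they connect: the site jmp lands on the cave,
 * the cave starts with the stolen bytes, and the cave's final jmp lands on
 * Return. Returns the cave length on success, 0 on any failure. */
size_t verify_detour(uint32_t site, const uint8_t *stolen, size_t stolen_len, uint32_t cave)
{
    uint8_t patch[32], cave_buf[64];
    size_t plen = build_site_patch(patch, site, cave, stolen_len);
    if (plen != stolen_len) return 0;
    size_t clen = build_cave(cave_buf, cave, NULL, 0, stolen, stolen_len, site);
    if (decode_jmp_target(patch, site) != cave) return 0;
    if (memcmp(cave_buf, stolen, stolen_len) != 0) return 0;
    uint32_t back = cave + (uint32_t)stolen_len;   /* address of "jmp Return" */
    if (decode_jmp_target(cave_buf + stolen_len, back) != site + (uint32_t)stolen_len) return 0;
    return clen;
}

/* Stolen bytes from the post's two disassembly lines (standard x86 encodings). */
const uint8_t kStolenFstpRet[] = { 0xD9, 0x19, 0xC2, 0x14, 0x00 };        /* fstp dword ptr [ecx]; retn 14 */
const uint8_t kStolenMovFstp[] = { 0x8B, 0x4C, 0x24, 0x04, 0xD9, 0x19 };  /* mov ecx,[esp+4]; fstp dword ptr [ecx] */

static void dump(const char *what, const uint8_t *p, size_t n)
{
    printf("%-8s", what);
    for (size_t i = 0; i < n; i++) printf(" %02X", p[i]);
    putchar('\n');
}

int main(void)
{
    const uint32_t cave = 0x00A00000;   /* assumed: whatever Alloc(MyCode) returned */
    const uint32_t sites[2] = { 0x0053E1E2, 0x0053E1DE };
    const uint8_t *stolen[2] = { kStolenFstpRet, kStolenMovFstp };
    const size_t lens[2] = { sizeof kStolenFstpRet, sizeof kStolenMovFstp };
    for (int i = 0; i < 2; i++) {
        uint8_t patch[32], cave_buf[64];
        size_t plen = build_site_patch(patch, sites[i], cave, lens[i]);
        size_t clen = build_cave(cave_buf, cave, NULL, 0, stolen[i], lens[i], sites[i]);
        printf("site %08X, %zu stolen bytes, cave ok = %zu\n", sites[i], lens[i],
               verify_detour(sites[i], stolen[i], lens[i], cave));
        dump("  patch:", patch, plen);
        dump("  cave:", cave_buf, clen);
    }
    return 0;
}
```

The payload argument to build_cave is where "Put your code after this" goes; passing no payload reproduces the bare template, which is exactly what the two scripts in the post contain.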