You're mixing up data and code.
I was tempted to stop here, but I guess I can spare a few more minutes writing this.
Without a specific educational workflow, though. Just writing this up as I go along. I recommend reading through it first before following along.
Tool: OllyDbg and some generic hex editor
Exe: 2.0a
The mission: Change "data\stage.dat" to something wonky
Step 1: find the address of the string
Open the hex editor of your choice and search for the string. As you have found yourself, it's 47be0. We're going to remember that address.
Step 2: find the command accessing that memory portion
This is where you are struggling. Going to give you a quick rundown: LF2 loads strings by their addresses (probably other apps as well, but I don't feel enough criminal incentive to test). Or, more properly, their offsets. The data located at this offset is put onto the stack and another routine is called. You can imagine this like a high-level function that needs additional parameters. Those are grabbed from the stack.
So, we're looking for the command that pushes this address onto the stack: "push offset 00447be0".
Notice the leading "004", that's always needed.
You should find something like this (copypasting Olly):
Code:
CPU Disasm
Address Hex dump Command Comments
0040C932 |. 68 E07B4400 PUSH OFFSET 00447BE0 ; ASCII "data\stage.dat"
0040C937 |. 8BD9 MOV EBX,ECX
0040C939 |. E8 F2800000 CALL 00414A30
Step 3: insert wondrous text and note address
Find an unused portion (look for a bunch of 00) and insert your new string there:
As you can see, my accuracy is bad and I missed the beginning of the line. Doesn't matter, we're just going to use the correct offset then. In my case, that's 4c741.
For reference, the character that tells LF2 to stop pushing letters onto the stack is the hex byte "00", so make sure to have at least one of them between each string you add.
Step 4: change the PUSH
At address 0040C932 (in Olly, use Ctrl+G for "go to address"), replace the offset with the new one, in my case "push offset 0044c741". Olly will automagically show the new string that's going to be pushed onto the stack ("data\hello_look_at_my_marvelous_stage.dat").
Step 5: save your changes
I personally find it not too user-friendly, so here's how to produce an exe from the disassembled Olly-mess.
- Select all (Ctrl+A)
- Right click > Edit > Copy to executable
- In the new window > Right click > Save file
Step 6:
You're done.
***
As you can see, JMPs are not necessary here. If you were using a DLL, you might have to. If you plan on changing or adding new functionalities, you definitely should. However, because JMPs occupy a large block, you'll usually overwrite a couple of the following lines, so you better have a backup ready (which is also why I pasted a few more lines than the one we were interested in). The basic procedure in that case would be: JMP to unused section, add the lines that were overwritten by the JMP, continue with your own code, JMP back to where applicable.
***
Alternative, super-short step
Because this is a rather simple thing, you could directly change a few bytes using your hex editor of choice.
- search for the hex dump written in step 2: "68 E0 7B 44 00"
This is essentially the machine code for "PUSH OFFSET" (68) "00 44 7b e0" (byte-order reversed). Address should be c932h (notice how small the number is, we're now in the "do stuff"-region of the exe instead of "hardcoded data"-region).
- after having inserted your fantastic string, change the bytes accordingly. For me, it'd read "68 41 c7 44 00".
- since most of the string-operations work like this, you'll just have to hunt for the address inside the exe first, then look for the byte pattern "68 xx xx 4x 00" and change that one accordingly.
That's it, you're done.
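Steps 1 to 4 and the hex-editor shortcut are the same mechanical job, so here is an added example (my own script, not from the post or the LF2 project) that does it on a constructed stand-in for the exe laid out with the offsets above. It assumes, as the post shows for this exe, that file offset + 0x400000 is the address Olly displays (real PE sections need not map that neatly), and it refuses to patch when the "68 xx xx xx xx" pattern is found more or fewer than exactly once, or when there is no zero-padded gap that leaves the new string its own 00 terminator.

```python
import struct

IMAGE_BASE = 0x400000  # assumed: file offset + base == address shown in Olly for this exe

def find_string(image: bytes, s: bytes) -> int:
    """Step 1: file offset of the NUL-terminated string s."""
    off = image.find(s + b"\x00")
    if off < 0:
        raise ValueError("string not found")
    return off

def find_push_offsets(image: bytes, address: int) -> list:
    """Step 2: every 'PUSH OFFSET address' = opcode 68 + little-endian imm32."""
    pattern = b"\x68" + struct.pack("<I", address)
    hits, start = [], 0
    while (i := image.find(pattern, start)) >= 0:
        hits.append(i)
        start = i + 1
    return hits

def find_free_slot(image: bytes, size: int, start: int) -> int:
    """Step 3: a run of zeros long enough that the byte before the new string is
    still the previous string's 00 and the byte after it is a fresh 00 terminator."""
    i = image.find(b"\x00" * (size + 2), start)
    if i < 0:
        raise ValueError("no free space")
    return i + 1

def patch_string_ref(image: bytearray, old: bytes, new: bytes) -> tuple:
    """Step 4: redirect the single PUSH of `old` to a freshly written copy of `new`.
    Returns (offset of the PUSH instruction, offset of the new string)."""
    old_off = find_string(image, old)
    pushes = find_push_offsets(image, IMAGE_BASE + old_off)
    if len(pushes) != 1:
        raise ValueError(f"expected exactly one PUSH, found {len(pushes)}")
    new_off = find_free_slot(image, len(new), old_off)
    image[new_off:new_off + len(new)] = new          # terminator 00 is already there
    struct.pack_into("<I", image, pushes[0] + 1, IMAGE_BASE + new_off)
    return pushes[0], new_off

def build_sample() -> bytearray:
    """Constructed stand-in for the exe using the post's offsets (not the real file)."""
    img = bytearray(0x50000)
    # 0040C932: PUSH OFFSET 00447BE0 / MOV EBX,ECX / CALL 00414A30
    img[0xC932:0xC932 + 12] = bytes.fromhex("68E07B44008BD9E8F2800000")
    img[0x47BE0:0x47BE0 + 15] = b"data\\stage.dat\x00"
    return img

if __name__ == "__main__":
    img = build_sample()
    print(patch_string_ref(img, b"data\\stage.dat", b"data\\hello.dat"))
```

On the real file, read it into a `bytearray`, run `patch_string_ref`, and write it back out; the old string stays in place, only the PUSH operand moves.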