PE File Infection

Hi @Duke_Nukem,

  1. In this context, you can consider the placeholder as a “fake” virtual address that will later be replaced by the real one. That’s because you don’t know where the MessageBoxA function will be located in the virtual address space of the target process. The same applies for the entrypoint: you need to get the OEP at first, and then patch the shellcode.
  2. Yes, they are the same. It doesn’t matter, since they will get replaced at runtime.
  3. The shellcode is executed after being patched. This means that the first call will actually call MessageBoxA, while the return will actually return to the OEP.

Hope this helps you to better understand 🙂
