Hello

I am trying to do an inline patch in an Armadillo 5.40 target.

My code cave begins after the 2nd VirtualAlloc, because at that point I know the base range of the Armadillo layer.

The code cave just rewrites the original call back, then writes the second patch into the Arma layer, etc...

But since I already have a problem with the first patch, I haven't written the others yet.

OK, let me show you.

After the 2nd VirtualAlloc, at the end of the routine, I call my code cave.

from
Code:
00EF854A     A3 5CA1F300                 MOV DWORD PTR DS:[F3A15C],EAX
00EF854F     8B45 08                     MOV EAX,DWORD PTR SS:[EBP+8]             ; PokerTra.00F99277
00EF8552     8BE5                        MOV ESP,EBP
00EF8554     5D                          POP EBP
00EF8555     C3                          RETN
to
Code:
00EF854A     E9 B2DD0100                 JMP PokerTra.00F16301
00EF854F     8B45 08                     MOV EAX,DWORD PTR SS:[EBP+8]
00EF8552     8BE5                        MOV ESP,EBP
00EF8554     5D                          POP EBP                                  ; kernel32.76A94911
00EF8555     C3                          RETN
And here is my code cave:
Code:
00F16301     A3 0165F100                 MOV DWORD PTR DS:[F16501],EAX            ; save Arma base of code
00F16306     C705 4A85EF00 A35CA1F3      MOV DWORD PTR DS:[EF854A],F3A15CA3       ; Restore First Call
00F16310     60                          PUSHAD                                   ; save registers
00F16311     9C                          PUSHFD                                   ; save flags
00F16312     A1 0165F100                 MOV EAX,DWORD PTR DS:[F16501]            ; Arma base of code
00F16317     05 BC860500                 ADD EAX,586BC                            ; Displacement
00F1631C     C700 683463F1               MOV DWORD PTR DS:[EAX],F1633468          ; Patch second call
00F16322     66:C740 04 00C3             MOV WORD PTR DS:[EAX+4],0C300            ; Patch second call
00F16328     9D                          POPFD                                    ; restore flags
00F16329     61                          POPAD                                    ; restore registers
00F1632A   ^ E9 1B22FEFF                 JMP PokerTra.00EF854A                    ; Jump to original code
To test it, I get past the DebugBlocker with the OpenMutexA trick, then I set a BP on the JMP to my code cave (JMP PokerTra.00F16301).
I step through it instruction by instruction.
And I end up here:
Code:
00F16329     61                          POPAD                                    ; restore registers
When I execute this step (to return to the original code) I get the error "Process terminated, exit code 80000004 (-2147483644.)" and the target crashes!

If I check the original bytes, they have been rewritten correctly:

Code:
from
00EF854A     E9 B2DD0100                 JMP PokerTra.00F16301
to
00EF854A     A3 5CA1F300                 MOV DWORD PTR DS:[F3A15C],EAX
PS: The second patch has also been written correctly.

Any idea why the POPAD creates this crash (when I look, EAX is restored correctly)?

Thanks for your help.