From b5d8749cd7a37a08c89144ed94582719887438b7 Mon Sep 17 00:00:00 2001
From: Convery
Date: Tue, 19 Nov 2019 20:30:33 +0100
Subject: [PATCH 1/2] Fix for failing to detect { xor; jmp } locations in x64

---
 mhook-lib/mhook.cpp | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/mhook-lib/mhook.cpp b/mhook-lib/mhook.cpp
index 054ba7c..4ec4cc1 100644
--- a/mhook-lib/mhook.cpp
+++ b/mhook-lib/mhook.cpp
@@ -969,14 +969,23 @@ static DWORD DisassembleAndSkip(PVOID pFunction, DWORD dwMinLen, MHOOKS_PATCHDAT
 while ( (dwRet < dwMinLen) && (pins = GetInstruction(&dis, (ULONG_PTR)pLoc, pLoc, dwFlags)) )
 {
 ODPRINTF((L"mhooks: DisassembleAndSkip: %p:(0x%2.2x) %s", pLoc, pins->Length, pins->String));
- if (pins->Type == ITYPE_RET ) break;
- if (pins->Type == ITYPE_BRANCH ) break;
- if (pins->Type == ITYPE_CALLCC ) break;
-
+ if (pins->Type == ITYPE_RET ) break;
+ if (pins->Type == ITYPE_BRANCHCC) break;
+ if (pins->Type == ITYPE_CALL) break;
+ if (pins->Type == ITYPE_CALLCC) break;
+
 #if defined _M_X64
 bool bProcessRip = false;
+ // jmp to rip+imm32
+ if ((pins->Type == ITYPE_BRANCH) && (pins->OperandCount == 1) && (pins->X86.Relative) && (pins->X86.BaseRegister == AMD64_REG_RIP) && (pins->Operands[0].Flags & OP_IPREL))
+ {
+ // rip-addressing "jmp [rip+imm32]"
+ ODPRINTF((L"mhooks: DisassembleAndSkip: found OP_IPREL on operand %d with displacement 0x%x (in memory: 0x%x)", 1, pins->X86.Displacement, *(PDWORD)(pLoc + 3)));
+ bProcessRip = true;
+ }
+
 // mov or lea to register from rip+imm32
- if ((pins->Type == ITYPE_MOV || pins->Type == ITYPE_LEA) && (pins->X86.Relative) &&
+ else if ((pins->Type == ITYPE_MOV || pins->Type == ITYPE_LEA) && (pins->X86.Relative) &&
 (pins->X86.OperandSize == 8) && (pins->OperandCount == 2) &&
 (pins->Operands[1].Flags & OP_IPREL) && (pins->Operands[1].Register == AMD64_REG_RIP))
 {
From 50c81680b8fd0256c034707fea914fc77640ea68 Mon Sep 17 00:00:00 2001
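Review bot: The unconditional `ITYPE_BRANCH` stop is dropped from the common prologue, but its only replacement, the `jmp [rip+imm32]` recognizer, lives inside `#if defined _M_X64`, so a 32-bit build now copies every `jmp` into the trampoline unrelocated and keeps disassembling past it, and an x64 build does the same for a relative `jmp rel8/rel32` or register-indirect `jmp` that fails the `BaseRegister == AMD64_REG_RIP` test. Keep the stop for every branch the rip path does not claim: after the closing `}` of the new jmp block add `else if (pins->Type == ITYPE_BRANCH) break;` ahead of the mov/lea `else if`, and give the `#if` an `#else` branch holding `if (pins->Type == ITYPE_BRANCH) break;` for the non-x64 build. The new ODPRINTF also reads `*(PDWORD)(pLoc + 3)`, an offset copied from the mov/lea form; `jmp [rip+disp32]` encodes as `FF 25 disp32`, so its displacement starts at `pLoc + 2`, and `*(PDWORD)(pLoc + pins->Length - 4)` would be right for both forms — if the displacement fixup that runs when `bProcessRip` is set (outside this hunk) hard-codes the same `+3`, the relocated jmp target would be wrong as well, not just the debug output. DisassembleAndSkip begins and ends outside the hunk.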
From: Convery
Date: Thu, 21 Nov 2019 09:21:57 +0100
Subject: [PATCH 2/2] Update mhook.cpp

---
 mhook-lib/mhook.cpp | 1 -
 1 file changed, 1 deletion(-)

diff --git a/mhook-lib/mhook.cpp b/mhook-lib/mhook.cpp
index 4ec4cc1..ee4b78b 100644
--- a/mhook-lib/mhook.cpp
+++ b/mhook-lib/mhook.cpp
@@ -971,7 +971,6 @@ static DWORD DisassembleAndSkip(PVOID pFunction, DWORD dwMinLen, MHOOKS_PATCHDAT
 ODPRINTF((L"mhooks: DisassembleAndSkip: %p:(0x%2.2x) %s", pLoc, pins->Length, pins->String));
 if (pins->Type == ITYPE_RET ) break;
 if (pins->Type == ITYPE_BRANCHCC) break;
- if (pins->Type == ITYPE_CALL) break;
 if (pins->Type == ITYPE_CALLCC) break;
 
 #if defined _M_X64
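Review bot: Removing the `ITYPE_CALL` stop lets a relative `call rel32` in the prologue be copied into the trampoline with a displacement computed for its original address, so unless a call fixup exists further down in DisassembleAndSkip (outside this hunk) the trampoline calls the wrong target; the commit message gives no rationale, so the reason should at least be recorded beside the remaining stops, e.g. `// ITYPE_CALL is intentionally not a stop: <reason>`. If no such fixup exists, restoring `if (pins->Type == ITYPE_CALL) break;` is the safe default, since a hook that fails to install is preferable to a trampoline with a silently wrong call target. The function begins and ends outside the hunk.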