[Bug] modify rax not work in `JmpToRet` when stack not align 0x10

[plusls]

In

https://github.com/regomne/ilhook-rs/blob/aeab7a18b79d2febd7dfafa4bcc78c33566ca7b8/src/x64.rs#L468

Here pop rax 3 times, and te last time will overwrite the prev rax that user modified.

[regomne]

Yes, you are right. Not only the JmpToRet, all 4 types of hook have the bug. I have to find a way to adjust the registers.

Oh, It seems that the bug only ocuurs in JmpToRet, while the rax has the right value in other 3 types.

[regomne]

I spent many time trying to find what the weird 2 lines (the 2nd and 3rd line) mean:

    // mov [rsp], rax
    // mov rax, [rsp+8]
    // mov rax, [rsp+0x10]
    // pop rax
    // pop rax
    // pop rax

And found that I had tried to set the correct rax value but made a mistake. They should be:

    // mov [rsp], rax
    // mov rax, [rsp+8]
    // mov [rsp+0x10], rax
    // pop rax
    // pop rax
    // pop rax

[plusls]

I spent many time trying to find what the weird 2 lines (the 2nd and 3rd line) mean:

    // mov [rsp], rax
    // mov rax, [rsp+8]
    // mov rax, [rsp+0x10]
    // pop rax
    // pop rax
    // pop rax

And found that I had tried to set the correct rax value but made a mistake. They should be:

    // mov [rsp], rax
    // mov [rsp+8], rax
    // mov [rsp+0x10], rax
    // pop rax
    // pop rax
    // pop rax

I think it should be

pop rax
pop rax
add rsp, 8

it just use 6 byte

[regomne]

We can't use any instructions which could modify the rflags register after popfq. That's why the instructions after it seems a little stupid...

[plusls]

We can't use any instructions which could modify the rflags register after popfq. That's why the instructions after it seems a little stupid...

ok, I think can use lea rsp, [rsp + 8]

And I think we should add comment to hint why not use add rsp, 8

[regomne]

2.1.1 published.