Writing a trampoline function

I managed to overwrite the first few bytes of the function in memory and combine it into my own function. I'm now having trouble creating a trampoline function to return to the real function.

This is the second part of my question here .

BYTE *buf = (BYTE*)VirtualAlloc(buf, 12, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); void (*ptr)(void) = (void (*)(void))buf; vm_t* VM_Create( const char *module, intptr_t (*systemCalls)(intptr_t *), vmInterpret_t interpret ) { MessageBox(NULL, L"Oh Snap! VM_Create Hooked!", L"Success!", MB_OK); ptr(); return NULL;//control should never get this far } void Hook_VM_Create(void) { DWORD dwBackup; VirtualProtect((void*)0x00477C3E, 7, PAGE_EXECUTE_READWRITE, &dwBackup); //save the original bytes memset(buf, 0x90, sizeof(buf)); memcpy(buf, (void*)0x00477C3E, 7); //finish populating the buffer with the jump instructions to the original functions BYTE *jmp2 = (BYTE*)malloc(5); int32_t offset2 = ((int32_t)0x00477C3E+7) - ((int32_t)&buf+12); memset((void*)jmp2, 0xE9, 1); memcpy((void*)(jmp2+1), &offset2, sizeof(offset2)); memcpy((void*)(buf+7), jmp2, 5); VirtualProtect((void*)0x00477C3E, 7, PAGE_EXECUTE_READ, &dwBackup); } 

0x00477C3E is the address of the function that has been overwritten. Asm for the original function is saved until buf before I write them. Then my 5-byte jmp command is added to buf to return to the rest of the original function.

The problem occurs when ptr () is called, the program crashes. When debugging the site with which it crashes is not like my ptr() function, however, double checking the offset calculation looks right.

NOTE: superfluous code is omitted to facilitate reading through

EDIT: this is what the ptr() function looks like in ollydbg

 0FFB0000 55 PUSH EBP 0FFB0001 57 PUSH EDI 0FFB0002 56 PUSH ESI 0FFB0003 53 PUSH EBX 0FFB0004 83EC 0C SUB ESP,0C 0FFB0007 -E9 F1484EFD JMP 0D4948FD 

So it looks like my offset calculation is wrong.