You can't do the necessary far jump with the conditional jump instructions (apparently). Just put a label in front of your jmp return and jne to that. But even then you do have the test rdi,rdi and that other jne instruction from the original code in your injection, to avoid that I'd inject two lines higher.
Also and I'm not sure if that can happen, but if you get memory allocated near the injection point that'll shorten your jump instruction and screw up your return so to make sure I'd probably set the return point explicitly like this:
_Test2:
jmp newmem
_Test2+F: (this is for an injection point 2 lines higher, +10 would be for your current injection point)
return:
Also and I'm not sure if that can happen, but if you get memory allocated near the injection point that'll shorten your jump instruction and screw up your return so to make sure I'd probably set the return point explicitly like this:
_Test2:
jmp newmem
_Test2+F: (this is for an injection point 2 lines higher, +10 would be for your current injection point)
return:
CE can't allocate near where you're injecting so a far jump is used. Seems to be a CE bug as manually allocation does work using the API (at least that's what Booboo told me, haven't tested myself) so maybe CE' has a strict allocation filters? I don't know.
Here is my solution
aobscanmodule(freespacee,ACOrigins.exe,00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00)
FULLACCESS(freespacee,1000)
You can increase the number of zeroes to find a bigger code cave but this should suffice. I was able to find a 500-800 bytes free zone with that consistently (used like 300 bytes in my injections without any issues for anyone).
Here is my solution
aobscanmodule(freespacee,ACOrigins.exe,00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00)
FULLACCESS(freespacee,1000)
You can increase the number of zeroes to find a bigger code cave but this should suffice. I was able to find a 500-800 bytes free zone with that consistently (used like 300 bytes in my injections without any issues for anyone).
