
Calculate 64-bit jmp for code cave in C#

I cannot solve my problem. Any help appreciated. I want to create a jmp to my allocated memory. If I check my calculation with Cheat Engine's allocated memory, it is fine, because Cheat Engine allocates memory in a higher region. My allocated memory is e.g. 0x870000, and the address where I want to create the jmp is 7FFDE65F5184.

Console.WriteLine("toWrite: {0:x}", toWrite.ToInt64()); /*toWrite: 7FFDE65F5184*/
IntPtr allocation = VirtualAllocEx(openproc, IntPtr.Zero , 0x1024, AllocationType.Commit | AllocationType.Reserve, MemoryProtection.ExecuteReadWrite);

Console.WriteLine("allocation: {0:x}", allocation.ToInt64()); /* allocation: 870000*/

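/* rel32 displacement = target - (address of the jmp + 5); this direction yields the bytes shown in the result below */
IntPtr jmp = new IntPtr((allocation.ToInt64() - (toWrite.ToInt64() + 5)));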

byte[] bytes1 = BitConverter.GetBytes(jmp.ToInt64());


byte[] bytes2 = { 0, 0, 0, 0, 0, 0, 0, 0, 0, };
bytes2[0] = 233;
bytes2[1] = bytes1[0];
bytes2[2] = bytes1[1];
bytes2[3] = bytes1[2];
bytes2[4] = bytes1[3];
/*nops*/
bytes2[5] = 144;
bytes2[6] = 144;
bytes2[7] = 144;
bytes2[8] = 144;
UIntPtr written = new UIntPtr();
WriteProcessMemory(openproc, toWrite, bytes2, 9, out written);

50% of the result is correct. Can anyone help?

This is my result:

7FFDE65F5184 - E9 77AE271A           - jmp 7FFE00870000

Why is there 7FFE00 in front of my needed jmp address? If I choose another value than IntPtr.Zero in VirtualAllocEx, the return value is 0 - I don't know why! I know it is not well coded, but first of all I want to understand what my problem is and how I can solve this issue.

Thanks so much guys!

Wow guys! You've inspired me and I got my solution ... MEM_TOP_DOWN did the job! Thanks so much!
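Why the disassembly shows 7FFE00870000, as an added example that is not part of the original post: `E9` carries only a signed 32-bit displacement relative to the end of the instruction, so copying the low four bytes of a 64-bit difference silently truncates it and the CPU lands about 2 GiB around the jmp instead of at 0x870000. The class and method names are hypothetical, and `nearCave` is a constructed address chosen to be in range.

```csharp
using System;

static class Rel32Jump
{
    // E9 rel32: the CPU adds a signed 32-bit displacement to the address of the
    // NEXT instruction (jmp address + 5), so the target must be within +/-2 GiB.
    public static bool TryEncode(long jmpAddress, long target, out byte[] code)
    {
        long displacement = target - (jmpAddress + 5);
        if (displacement < int.MinValue || displacement > int.MaxValue)
        {
            // Out of range: keeping only 4 bytes would change the target.
            code = Array.Empty<byte>();
            return false;
        }
        code = new byte[5];
        code[0] = 0xE9;
        BitConverter.GetBytes((int)displacement).CopyTo(code, 1); // little-endian on x86/x64
        return true;
    }

    // What the CPU (and a disassembler) computes from the five encoded bytes.
    public static long DecodeTarget(long jmpAddress, byte[] code)
    {
        if (code.Length < 5 || code[0] != 0xE9)
            throw new ArgumentException("expected a 5-byte E9 rel32 jmp", nameof(code));
        return jmpAddress + 5 + BitConverter.ToInt32(code, 1);
    }

    static void Main()
    {
        long jmpAddress = 0x7FFDE65F5184; // address of the jmp, from the question
        long lowCave = 0x870000;          // allocation returned in the question
        long nearCave = 0x7FFDE0000000;   // constructed: an allocation close to the jmp

        Console.WriteLine("low cave encodable:  {0}",
            TryEncode(jmpAddress, lowCave, out _));

        // The five bytes from the question's result (E9 77AE271A).
        byte[] truncated = { 0xE9, 0x77, 0xAE, 0x27, 0x1A };
        Console.WriteLine("truncated jmp lands: {0:X}",
            DecodeTarget(jmpAddress, truncated));

        if (TryEncode(jmpAddress, nearCave, out byte[] ok))
            Console.WriteLine("near cave: {0} -> {1:X}",
                BitConverter.ToString(ok), DecodeTarget(jmpAddress, ok));
    }
}
```

The range check is the part missing from the question's code: an allocation placed near the top of the address space, as MEM_TOP_DOWN did for the asker, can fall inside the window where the check passes.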
