https://github.com/mcafee/mysql-audit/issues/132

hot_patch.dif

diff --git a/src/hot_patch.cc b/src/hot_patch.cc
index 5e4d7f2..759bcaf 100644
--- a/src/hot_patch.cc
+++ b/src/hot_patch.cc
@@ -279,6 +279,23 @@ static bool HookFunction(ULONG_PTR targetFunction, ULONG_PTR newFunction, ULONG_
 		if (ud_obj.mnemonic == UD_Ijmp || ud_obj.mnemonic == UD_Icall ||
 				ud_obj.operand[0].type == UD_OP_JIMM)
 		{
+#ifdef __i386__
+			const BYTE *pc = (const BYTE *)targetFunction + InstrSize;
+			if (*pc == 0xe8) {
+				const BYTE *callee = pc + 5 + *(DWORD*)(pc + 1);
+				if (memcmp(callee, "\x8b\x1c\x24\xc3", 4) == 0) {
+					// If the current instruction is "call callee"
+					// and the callee is "movl (%esp), %ebx; ret",
+					// use "movl pc + 5, %ebx" instead.
+					BYTE *dest = (BYTE *)trampolineFunction + uCurrentSize;
+					*dest = 0xbb;
+					*(DWORD*)(dest + 1) = (DWORD)(pc + 5);
+					uCurrentSize += 5; // size of "mov pc + 5, %ebx"
+					InstrSize += 5;    // size of "call callee"
+					goto after_copy_instruction;
+				}
+			}
+#endif
 			sql_print_error(
 					"%s unable to disassemble at address: 0x%p. Found relative addressing for instruction: [%s]. Aborting.",
 					log_prefix, (void *)(InstrSize + targetFunction), ud_insn_asm(&ud_obj));
@@ -291,6 +308,9 @@ static bool HookFunction(ULONG_PTR targetFunction, ULONG_PTR newFunction, ULONG_
 
 		uCurrentSize += ud_insn_len (&ud_obj);
 		InstrSize += ud_insn_len (&ud_obj);
+#ifdef __i386__
+	after_copy_instruction:
+#endif
 		if (InstrSize >= JUMP_SIZE) // we have enough space so break
 		{
 			disassemble_valid = true;