Out of curiosity, what was the assumption that ntlea made that necessitates a wrapper around GetWindowLongA? Is there a way to satisfy ntlea without having to write assembly?
That's described in the subject of 3/3. It should really be a comment in the code, though.
Technically we don't need to push $-2, but we need a two-byte instruction that shifts %esp by -4. What ntlea does, in more detail, is:
* Check for the hotpatch prefix (well, actually only the first 4 bytes of it). If it's not present, it makes different assumptions about the internal assembly, that are harder to match. [1]
* Replace the first 5 bytes with a jump to a hook. When the hook returns, it does:
    pushl %ebp
    movl %esp, %ebp
    pushl $-2
and then jumps to byte offset 7 in the original function. [2]
[1] https://github.com/zxyacb/ntlea/blob/faeacc46c9015e828f312382632e0b0774f7541...
[2] https://github.com/zxyacb/ntlea/blob/master/Tools/ntlea/ntleai/ntleax.c#L325
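
The layout described in the reply above, as an added example (not code from ntlea, Wine, or either poster): a C check that a 32-bit function's first bytes carry the hotpatch prefix and a two-byte instruction at offset 5, so that resuming at offset 7 lands on an instruction boundary. It assumes the prefix is mov %edi,%edi; push %ebp; mov %esp,%ebp (8b ff 55 8b ec); the function and enum names are hypothetical, and only push imm8 (6a ib) is accepted as the two-byte instruction.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; byte values are standard 32-bit x86 encodings. */
enum prologue_status { PROLOGUE_OK, PROLOGUE_TOO_SHORT, PROLOGUE_NO_PREFIX,
                       PROLOGUE_PARTIAL_PREFIX, PROLOGUE_BAD_SLOT };

/* Assumed hotpatch prefix: mov %edi,%edi ; push %ebp ; mov %esp,%ebp */
static const uint8_t HOTPATCH_PREFIX[5] = { 0x8b, 0xff, 0x55, 0x8b, 0xec };
#define CHECKED_LEN   4  /* the thread says only the first 4 bytes are checked */
#define PATCHED_LEN   5  /* bytes replaced by the jump to the hook */
#define RESUME_OFFSET 7  /* where execution re-enters the original function */

enum prologue_status check_prologue(const uint8_t *code, size_t len)
{
    if (len < RESUME_OFFSET)
        return PROLOGUE_TOO_SHORT;
    if (memcmp(code, HOTPATCH_PREFIX, CHECKED_LEN) != 0)
        return PROLOGUE_NO_PREFIX;
    /* Byte 4 completes mov %esp,%ebp, which the hook replays on return. */
    if (code[CHECKED_LEN] != HOTPATCH_PREFIX[CHECKED_LEN])
        return PROLOGUE_PARTIAL_PREFIX;
    /* Bytes 5..6 must be one two-byte instruction moving %esp by -4.
       Only push imm8 (6a ib) is recognised; the immediate is not compared. */
    if (code[PATCHED_LEN] != 0x6a)
        return PROLOGUE_BAD_SLOT;
    return PROLOGUE_OK;
}

/* Constructed sample prologues (not taken from any real binary). */
const uint8_t sample_ok[]        = { 0x8b, 0xff, 0x55, 0x8b, 0xec, 0x6a, 0xfe, 0x90 };
const uint8_t sample_other_imm[] = { 0x8b, 0xff, 0x55, 0x8b, 0xec, 0x6a, 0x00, 0x90 };
const uint8_t sample_no_prefix[] = { 0x55, 0x89, 0xe5, 0x83, 0xec, 0x08, 0x90 };
const uint8_t sample_bad_slot[]  = { 0x8b, 0xff, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x10 };
const uint8_t sample_short[]     = { 0x8b, 0xff, 0x55, 0x8b, 0xec };

int main(void)
{
    printf("ok=%d other_imm=%d no_prefix=%d bad_slot=%d short=%d\n",
           check_prologue(sample_ok, sizeof sample_ok),
           check_prologue(sample_other_imm, sizeof sample_other_imm),
           check_prologue(sample_no_prefix, sizeof sample_no_prefix),
           check_prologue(sample_bad_slot, sizeof sample_bad_slot),
           check_prologue(sample_short, sizeof sample_short));
    return 0;
}
```

In sample_bad_slot the instruction at offset 5 is the three-byte sub $0x10,%esp, so offset 7 falls in the middle of it.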