Brucee's implementation just patches the call to point to the
correct destination.  You don't have to walk any machine code.
The (modified) linker emits a known call instruction, and relocation
information which says where it is and what symbol to patch
it with.  Symbol lookup is done in a highly controlled way.