Vulnerability Development mailing list archives

Half-Life client buffer overflow


From: <eip_ger () yahoo de>
Date: 9 Sep 2003 10:02:20 -0000



Hi,
I tried to write my own exploit for the buffer overflow in the Half-Life 
client (Counter-Strike mod) up to Version 1.1.1.0 (Half-Life).
I overflow the buffer and jump to my shellcode, but every time some bytes are 
changed. 
In my shellcode there are two calls, and always after the first call some 
bytes are changed when I look at the stack after the overflow. With a 
debugger I can find my shellcode on the stack and it is executed, but only 
up to the first call. After the call opcodes, some bytes (four, five or six) 
are changed, and then the rest of my shellcode is OK.
Is the opcode for a call maybe an escape sequence for Half-Life, so that it 
changes some values that follow it?
Can someone help me, please?