Figure 1: Excerpt from return.cpp
/*----------------------------------------------------------------
FUNCTION: ReturnMgr::NakedReturnPoint
PURPOSE:  Interceptor of function returns.

Declared __declspec(naked), so the compiler emits no prologue or
epilogue: every stack adjustment below is done by hand and the
order of the instructions matters.

Presumably entered by the RET of an intercepted function whose
return address was redirected here; the code that performs the
redirection is not part of this excerpt.

Stack layout after PUSHFD (EBP == ESP at that point):
    [EBP +  0]        saved EFLAGS
    [EBP +  4 .. +32] PUSHAD block, EDI lowest, EAX highest
    [EBP + 36]        slot reserved for the original return address
----------------------------------------------------------------*/
__declspec(naked) void ReturnMgr::NakedReturnPoint(void)
{
    DWORD l_dwSavedLastError;
    PDWORD l_pReturnAddress;
    PDWORD l_pReturnValue;

    //This function would be easier to write entirely in assembly:
    //the code would be shorter and faster, but harder to read and
    //to compile. Only a few assembly instructions are used here;
    //the rest is written in C.
    __asm
    {
        SUB ESP,4               ; Reserve space for return address
                                ; NOTE(review): SUB changes EFLAGS before PUSHFD,
                                ; so the flags saved below are the result of this
                                ; SUB, not the flags on arrival
        PUSHAD                  ; Push EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI
        PUSHFD                  ; Store flags
        MOV EBP, ESP            ; allow access to local variables
        SUB ESP, __LOCAL_SIZE   ; reserve space for local variables
        mov l_pReturnAddress, EBP ; address of the saved EFLAGS dword
    }

    //Skip 9 DWORDs (EFLAGS plus the 8 registers pushed by PUSHAD) to
    //reach the slot reserved by SUB ESP,4.
    l_pReturnAddress += 8+1;
    //EAX was the first register pushed by PUSHAD, so it sits directly
    //below the reserved slot. POPAD reloads EAX from this location, so
    //anything written through l_pReturnValue is what the caller sees
    //in EAX.
    l_pReturnValue =l_pReturnAddress-1;

    //Keep the thread's last-error value intact across the call below,
    //so the intercepted function's caller still reads the value that
    //function left behind.
    l_dwSavedLastError = GetLastError();

    //CommonReturnPoint is expected to store the original return
    //address through l_pReturnAddress (its body is not shown here).
    //NOTE(review): when g_Data.m_pRetMgr is null nothing visible in
    //this function writes the reserved slot, and the final RET then
    //transfers control to whatever value the stack held there.
    //Confirm that m_pRetMgr cannot be cleared while redirected
    //returns are still outstanding.
    if(g_Data.m_pRetMgr)
        g_Data.m_pRetMgr->CommonReturnPoint
            (l_pReturnAddress, l_pReturnValue);

    SetLastError(l_dwSavedLastError);

    __asm
    {
        ADD ESP, __LOCAL_SIZE   ; remove local variables from stack
        POPFD                   ; restore flags
        POPAD                   ; restore registers
        ; ESP is now 4 bytes lower than on entry to this function.
        ; That extra slot should already hold the original return
        ; address, so RET pops it and resumes the real caller:
        RET
    }
}//__declspec(naked) ReturnMgr::NakedReturnPoint(void)