What does ret do? Why is ret 0xC needed here? What if it was just ret and not ret 0xC or how about 0x4?

```
mov eax,[esp+10] // param3
mov ecx,[esp+0C] // param2
mov edx,[esp+08] // param1
push eax
push ecx
push edx
mov ecx,esi
call File.exe+333330
pop esi
ret 000C
```
Peter Cordes
  • You need to read. Read about epilogue and prolog, calling conventions and function return types. http://www.codeproject.com/Reference/672254/Win-x-Calling-Conventions – Abhineet Sep 03 '15 at 04:30
  • I'm voting to close this question as off-topic because there is no research effort put to get the solution. – Abhineet Sep 03 '15 at 04:42

1 Answer

In short, ret 00C cleans up the stack after call File.exe+333330. Before the call, you pushed three 4-byte values onto the stack (the contents of eax, ecx, and edx). 4 * 3 = 12 = 0xC (in hex). If you had ret without a value, it would have returned from your subroutine, but wouldn't have cleaned up the stack at all. If you had ret 4, it would have only cleaned up one of the values. ret 12 or ret 0xC takes care of all three.

See here for a similar question.

Ben
  • Exactly what I was looking for. Thanks :) . Also, the link was a really good read as well. Double thanks :))))))))))))))))))))))))))))))))))). – ILickLamasBruhUmirin Sep 03 '15 at 05:08
  • Did anyone notice that there is a `pop esi` before the `ret 0c`? Secondly, if you don't properly clean up the stack it most likely won't return from the function and crash since the return location would have likely been garbage. – Michael Petch Sep 03 '15 at 06:08
  • No, this is the bottom of a larger function; it cleans up *its caller's* stack so that caller doesn't need `add esp, 12`. Presumably `File.exe+333330` is also stdcall or thiscall and cleans up the args for you by using `ret 12` itself. – Peter Cordes Mar 10 '21 at 06:36
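
The stack arithmetic discussed above, as an added example that is not part of the original question, answer or comments: a small C model of a 32-bit x86 stack that runs the function from the question with `ret 0`, `ret 4` and `ret 0xC` and reports what is left on the caller's stack. It assumes a `push esi` prologue (implied by the `[esp+08]` offset and the `pop esi`) and that the inner callee removes its own three arguments, as the last comment presumes; all addresses and register values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of a 32-bit x86 stack: mem[] holds 4-byte slots, esp is a byte offset. */
static uint32_t mem[64];
static uint32_t esp;

static void push(uint32_t v)       { esp -= 4; mem[esp / 4] = v; }
static uint32_t pop(void)          { uint32_t v = mem[esp / 4]; esp += 4; return v; }
static uint32_t peek(uint32_t off) { return mem[(esp + off) / 4]; }

/* ret imm16: pop the return address first, then add imm16 to esp. */
static uint32_t ret(uint16_t imm) { uint32_t ra = pop(); esp += imm; return ra; }

/* Inner callee (File.exe+333330), ASSUMED to clean its own three stack args. */
static void inner(void) { (void)ret(0x0C); }

/* The function from the question, with an ASSUMED `push esi` prologue. */
static uint32_t outer(uint16_t ret_imm) {
    push(0x51515151);                      /* push esi (constructed value) */
    uint32_t p3 = peek(0x10);              /* mov eax,[esp+10] */
    uint32_t p2 = peek(0x0C);              /* mov ecx,[esp+0C] */
    uint32_t p1 = peek(0x08);              /* mov edx,[esp+08] */
    push(p3); push(p2); push(p1);          /* push eax / ecx / edx */
    push(0xAAAA0000);                      /* call: return address (constructed) */
    inner();
    (void)pop();                           /* pop esi */
    return ret(ret_imm);                   /* ret 000C in the original */
}

/* Bytes of arguments still on the caller's stack after outer returns;
   *ra receives the address outer returned to. */
int leftover_after(uint16_t ret_imm, uint32_t *ra) {
    esp = sizeof mem;                      /* empty stack, esp at the top */
    uint32_t before = esp;
    push(3); push(2); push(1);             /* caller pushes param3, param2, param1 */
    push(0xCA11E400);                      /* call outer: return address (constructed) */
    *ra = outer(ret_imm);
    return (int)(before - esp);
}

int main(void) {
    uint16_t imms[] = { 0x0, 0x4, 0xC };
    for (int i = 0; i < 3; i++) {
        uint32_t ra;
        int left = leftover_after(imms[i], &ra);
        printf("ret %#x: returns to %#x, %d bytes left on caller's stack\n",
               (unsigned)imms[i], (unsigned)ra, left);
    }
    return 0;
}
```

In this model the popped return address is the same for all three immediates; only the caller's `esp` differs, by 12 minus the immediate.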