%eax is preserved. However, the value is changed, and so the return value of the function (in %eax) is defined:
main:
pushl %eax          # reserve a stack slot; the old %eax value is never used
movl $42, (%esp)    # overwrite that slot with 42
popl %eax           # pop it back, so %eax == 42 on return
ret
A correct decompilation (as done by holdec) is
// addr = 080483a0.0
// signature= func(main, ret=[<0, int(undef, 4),null,reg[eax]>], para=[], varargs=false)
??? main(???)
{
return 42;
}
While this tiny test program is a problem for some decompilers, the following slightly changed program (also returning 42) is not:
main:
pushl %ebx          # save callee-saved %ebx
movl $42, %eax      # return value set directly, no stack slot involved
popl %ebx           # restore %ebx; the stack is balanced again
ret
Another test of the stack tracking is to assume that a parameter is passed in %ebx which should be returned (in %eax). This can be done directly:
main:
movl %ebx, %eax     # copy the parameter straight into the return register
ret
or via the stack:
main:
pushl %ebx          # push the parameter onto the stack
popl %eax           # pop the same slot into %eax
ret
As expected, not all decompilers pass this small test. Holdec (if given the information about the parameter in %ebx) will decompile it to
// addr = 080483a0.0
// signature= func(main, ret=[<0, int(undef, 4),,unknown>], para=[<0, int(undef, 4),parameter1,reg[ebx]>], varargs=false)
??? main(???)
{
return parameter1;
}
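The stack tracking these four programs exercise can be modelled with a few lines of symbolic execution. The following Python is an added example written for this page, not holdec's code; it supports only the mnemonics used in the test programs and takes an optional mapping of registers to parameter names, mirroring the "information about the parameter in %ebx" holdec needs for the last test.

```python
import re

def trace_return(asm, params=None):
    """Symbolically execute a tiny AT&T x86 subset (pushl, popl, movl, ret)
    and return whatever %eax holds when ret executes: an int for a
    constant, a parameter name, or 'undef[reg]' for an unknown value."""
    regs = {r: f"undef[{r}]" for r in ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp")}
    regs.update(params or {})           # e.g. {"ebx": "parameter1"}
    stack = []                           # stack[-1] is the slot at (%esp)

    def read(op):
        if op.startswith("$"):           # immediate
            return int(op[1:])
        if op.startswith("%"):           # register
            return regs[op[1:]]
        if op == "(%esp)":               # top-of-stack slot
            return stack[-1]
        raise ValueError(f"unsupported operand {op}")

    for line in asm.strip().splitlines():
        line = line.split("#")[0].strip()
        if not line or line.endswith(":"):   # skip blanks and labels
            continue
        mnem, *ops = re.split(r"[\s,]+", line)
        if mnem == "pushl":
            stack.append(read(ops[0]))
        elif mnem == "popl":
            regs[ops[0][1:]] = stack.pop()
        elif mnem == "movl":
            src, dst = ops
            if dst == "(%esp)":
                stack[-1] = read(src)
            else:
                regs[dst[1:]] = read(src)
        elif mnem == "ret":
            if stack:                    # unbalanced pushes would corrupt the return
                raise ValueError("stack not balanced at ret")
            return regs["eax"]
        else:
            raise ValueError(f"unsupported instruction {mnem}")
    raise ValueError("no ret reached")

# The four test programs from the text (constructed inline, AT&T syntax).
VIA_STACK_SLOT = "main:\npushl %eax\nmovl $42, (%esp)\npopl %eax\nret"
DIRECT_CONST   = "main:\npushl %ebx\nmovl $42, %eax\npopl %ebx\nret"
PARAM_DIRECT   = "main:\nmovl %ebx, %eax\nret"
PARAM_VIA_STACK = "main:\npushl %ebx\npopl %eax\nret"
EBX_PARAM = {"ebx": "parameter1"}
```

Without the `params` mapping the last two programs resolve to `undef[ebx]`, which is exactly the case where a decompiler lacking parameter information cannot name the return value.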