[mycall]

I understand the modifications part, but why would push/pop counts be mismatched?

[seppel]

It was doing push/ret, ie. pushing stuff (addresses) and then returning to the pushed address. Or popping stuff without pushing before (saving the return address of something) and storing it somewhere.

That is of course perfectly legal, but not something you see in normal programs. In the end, it really helping me to understand how the stack works, but the first time I saw it, it was super confusing.

[tinus_hn]

The return address is on the stack so if you push data and then return, that data is now interpreted as an address to jump to.