diff --git a/thesis/src/02.intercept.tex b/thesis/src/02.intercept.tex
index c463c18..d3428cb 100644
--- a/thesis/src/02.intercept.tex
+++ b/thesis/src/02.intercept.tex
@@ -330,7 +330,22 @@ Example: \texttt{\tiny connect(2, 0x123:\{sa\_family: 2:AF\_INET, sin\_addr: "1.
 
 \section{Retrieving Function Return Values}\label{sec:retrieving-function-return-values}
 
-Lorem Ipsum.
+It might seem that retrieving return values of functions is as straightforward as retrieving their arguments, but this is not entirely the case.
+Most libc functions return -1 on error and set \texttt{errno} to indicate the exact type of error.
+Other functions (like \texttt{read}, \texttt{pipe}, or \texttt{sem\_getvalue}) even store their output in a pointer which was given to them as an argument.
+The following examples illustrate how this challenge was solved.
+
+Example (\texttt{malloc}): \\
+\texttt{return 0x1234; errno 0}, \\
+\texttt{return -1; errno ENOMEM}.
+
+Example (\texttt{pipe}): \\
+\texttt{return 0; errno 0; fildes=[3,4]}, \\
+\texttt{return -1; errno ENFILE}.
+
+Example (\texttt{read}): \\
+\texttt{return 12; errno 0; buf=0x7fff70:"Hello World!"}, \\
+\texttt{return -1; errno EINTR}.
 
 
 \section{Determining Function Call Location}\label{sec:determining-function-call-location}