What is large dword? - McMap

About

What is large dword?

Asked 27/12, 2012 at 21:20 Answered 29/12, 2012 at 22:17

Solved assembly types x86 ida dword

L

1

4

What function have short and large in this code portion? large is same as long dword?

mov eax, ebx
cmp [ebp+var_1], 0
jz  short loc_413123
call sub_40341C
pop large dword ptr fs:0
add esp, 0Ch

Lease answered 27/12, 2012 at 21:20 Comment(6)

This may sound strange, but it will be easier for us to answer this question if you post a hexadecimal dump of the machine code that corresponds to this disassembly. – Schuller 27/12, 2012 at 21:22

I don't have the hexadecimal dump – Lease 27/12, 2012 at 21:30

Where did you get this if not from a disassembler? – Schuller 27/12, 2012 at 21:50

Considering a dword, is just that, a dword, I doubt that it is a larger dword. – Pau 27/12, 2012 at 23:28

@Pau I think you say "qword" for a 64-bit memory access in Intel syntax? (I know GAS syntax a lot better) I'm betting "short" and "large" have something to do with the displacement size. I don't have an assembler to hand that will accept the OP's code without errors, which is why I asked for hex dumps. – Schuller 28/12, 2012 at 18:11

@Zack: I think you're right. In Intel syntax speak, qword is a 64-bit word, and tword is something ridiculously big. – Pau 28/12, 2012 at 18:13

I

4

short

jz short loc_413123 merely means that the offset (i.e. distance) for this jump is so small that it fits in a single byte, so this jump has been compiled to two simple bytes:

0x74 [1-byte-offset]

Had the distance been larger, the compiler would have had to encode the jump differently, which would take up more memory:

0x0f 0x84 [4-byte-offset]

With short, IDA Pro is simply telling you what kind of encoding this jump is using.

large

pop large dword ptr fs:0 is IDA's way of bringing to your attention that fs:0 is a far pointer: a regular offset (0) but with a segment selector (fs). I.e. large has nothing to do with the width of the data (dword), but the address (segment+offset). However, large doesn't really add any new information, that line simply means pop dword ptr [fs] and that might be the disassembly you would get from a different disassembler.

You can safely ignore both these keywords when you read the disassembly and they are certainly not necessary when writing your own assembly code.

Invertase answered 29/12, 2012 at 22:17 Comment(2)

So large in IDA just means there was a segment override? All addresses in x86 use a segment base (Write to address without segment register); with no override it's usually DS, or SS for base=E/RBP or E/RSP. (In mainstream OSes, segment bases are 0 for segments other than FS or GS, and in 64-bit mode the HW enforces that, but logically everything is seg:off). – Hoot 14/10, 2018 at 14:32

From another disassembler, you'd typically get something like pop dword ptr [fs:0]. You'd never get just fs with no offset, even if the offset is 0. – Hoot 14/10, 2018 at 14:32

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.