
What is the function of short and large in this code portion? Is large the same as long dword?

```asm
mov eax, ebx
cmp [ebp+var_1], 0
jz  short loc_413123
call sub_40341C
pop large dword ptr fs:0
add esp, 0Ch
```
Peter Cordes
user1629569
    This may sound strange, but it will be easier for us to answer this question if you post a hexadecimal dump of the machine code that corresponds to this disassembly. – zwol Dec 27 '12 at 21:22
  • I don't have the hexadecimal dump – user1629569 Dec 27 '12 at 21:30
  • Where did you get this if not from a disassembler? – zwol Dec 27 '12 at 21:50
  • 1
    Considering a dword, is just that, a dword, I doubt that it is a larger dword. – Linuxios Dec 27 '12 at 23:28
  • @Linuxios I *think* you say "qword" for a 64-bit memory access in Intel syntax? (I know GAS syntax a lot better) I'm betting "short" and "large" have something to do with the displacement size. I don't have an assembler to hand that will accept the OP's code without errors, which is why I asked for hex dumps. – zwol Dec 28 '12 at 18:11
  • @Zack: I think you're right. In Intel syntax speak, qword is a 64-bit word, and tword is something ridiculously big. – Linuxios Dec 28 '12 at 18:13

1 Answer

short

`jz short loc_413123` merely means that the offset (i.e. distance) for this jump is so small that it fits in a single byte, so this jump has been compiled to two simple bytes:

0x74 [1-byte-offset]

Had the distance been larger, the compiler would have had to encode the jump differently, which would take up more memory:

0x0f 0x84 [4-byte-offset]

With `short`, IDA Pro is simply telling you what kind of encoding this jump is using.

large

`pop large dword ptr fs:0` is IDA's way of bringing to your attention that `fs:0` is a far pointer: a regular offset (0) but with a segment selector (`fs`). I.e. `large` has nothing to do with the width of the data (`dword`), but the address (segment+offset). However, `large` doesn't really add any new information, that line simply means `pop dword ptr [fs]` and that might be the disassembly you would get from a different disassembler.


You can safely ignore both these keywords when you read the disassembly and they are certainly not necessary when writing your own assembly code.

Martin
  • So `large` in IDA just means there was a segment override? All addresses in x86 use a segment base ([Write to address without segment register](https://stackoverflow.com/q/52649719)); with no override it's usually DS, or SS for base=E/RBP or E/RSP. (In mainstream OSes, segment bases are 0 for segments other than FS or GS, and in 64-bit mode the HW enforces that, but logically everything is seg:off). – Peter Cordes Oct 14 '18 at 14:32
  • From another disassembler, you'd typically get something like `pop dword ptr [fs:0]`. You'd never get just `fs` with no offset, even if the offset is 0. – Peter Cordes Oct 14 '18 at 14:32
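Both keywords fall straight out of the machine-code encoding, which is easiest to see by decoding bytes of the same shape as the snippet in the question. The following is an added example, not code from the question, the answer, or IDA itself: a small Python decoder and `jz` encoder for the handful of x86-32 encodings involved. The bytes are constructed and laid out at a hypothetical address 0x413100, with call and jump targets chosen to reproduce the names in the question; `short` is printed when the jump was encoded with a one-byte displacement (`74 cb`) rather than the four-byte form (`0F 84 cd`), and `large` is printed when a segment-override prefix byte (0x64 for `fs`) precedes a direct-address memory operand, which is the situation Peter Cordes's comment describes. The `ida_hex` helper only imitates IDA's number formatting (`0Ch`, `413123h`); it is not IDA's code.

```python
"""Tiny x86-32 decoder/encoder showing where IDA's `short` and `large` come from.

Added example, not part of the original question or answer. Handles only the
encodings needed for the snippet under discussion; anything else raises
ValueError. Little-endian 32-bit addresses, as in IDA's 32-bit view.
"""
import struct

# Legacy segment-override prefix bytes -> segment names used in the output
SEG_PREFIX = {0x26: "es", 0x2E: "cs", 0x36: "ss", 0x3E: "ds", 0x64: "fs", 0x65: "gs"}
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def ida_hex(n):
    """Format an immediate IDA-style: 0..9 decimal, otherwise hex with an 'h'
    suffix and a leading zero when the first digit is a letter (0Ch)."""
    if n < 10:
        return str(n)
    s = f"{n:X}h"
    return "0" + s if s[0].isalpha() else s


def encode_jz(delta):
    """Encode `jz` whose target lies `delta` bytes from the start of the jump.

    rel8/rel32 are measured from the END of the instruction, so the displacement
    is adjusted by the instruction length (2 for 74 cb, 6 for 0F 84 cd). The
    short form is chosen whenever the adjusted value fits a signed byte, which
    is exactly the case IDA annotates with `short`.
    """
    rel8 = delta - 2
    if -128 <= rel8 <= 127:
        return bytes([0x74]) + struct.pack("<b", rel8)
    return bytes([0x0F, 0x84]) + struct.pack("<i", delta - 6)


def decode_one(code, addr):
    """Decode one instruction at `addr`; return (length, IDA-style text)."""
    i, seg = 0, None
    if code[i] in SEG_PREFIX:            # e.g. 0x64 = FS segment override
        seg = SEG_PREFIX[code[i]]
        i += 1
    op = code[i]
    if op == 0x74:                       # jz rel8  -> printed as `jz short`
        rel = struct.unpack_from("<b", code, i + 1)[0]
        n = i + 2
        return n, f"jz short loc_{addr + n + rel:X}"
    if op == 0x0F and code[i + 1] == 0x84:   # jz rel32 -> plain `jz`
        rel = struct.unpack_from("<i", code, i + 2)[0]
        n = i + 6
        return n, f"jz loc_{addr + n + rel:X}"
    if op == 0xE8:                       # call rel32
        rel = struct.unpack_from("<i", code, i + 1)[0]
        n = i + 5
        return n, f"call sub_{addr + n + rel:X}"
    if op == 0x8F:                       # pop r/m32 (ModRM reg field /0)
        modrm = code[i + 1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if reg == 0 and mod == 0 and rm == 5:    # [disp32]: no base, no index
            disp = struct.unpack_from("<I", code, i + 2)[0]
            n = i + 6
            # `large`: direct memory operand carrying a segment-override prefix.
            if seg:
                return n, f"pop large dword ptr {seg}:{ida_hex(disp)}"
            return n, f"pop dword ptr ds:{ida_hex(disp)}"   # default segment, no prefix
    if op == 0x83 and (code[i + 1] >> 6) == 3 and ((code[i + 1] >> 3) & 7) == 0:
        imm = struct.unpack_from("<b", code, i + 2)[0] & 0xFFFFFFFF  # add r32, imm8 (sign-extended)
        return i + 3, f"add {REG32[code[i + 1] & 7]}, {ida_hex(imm)}"
    raise ValueError(f"unsupported encoding at {addr:X}: {code[i:i + 2].hex()}")


def decode(code, base):
    """Decode a whole byte string starting at `base`; return [(addr, text), ...]."""
    out, off = [], 0
    while off < len(code):
        n, text = decode_one(code[off:], base + off)
        out.append((base + off, text))
        off += n
    return out


# Constructed sample (not bytes from the original binary): the shape of the
# snippet in the question at a hypothetical 0x413100, plus one far jz to show
# the rel32 form that IDA prints without `short`.
SAMPLE = bytes.fromhex(
    "7421"            # jz short loc_413123
    "E81503FFFF"      # call sub_40341C
    "648F0500000000"  # pop large dword ptr fs:0   (64 = fs prefix, 8F /0, ModRM 05 = disp32)
    "83C40C"          # add esp, 0Ch
    "0F84E9030000"    # jz loc_413500              (rel32 form)
)

if __name__ == "__main__":
    for addr, text in decode(SAMPLE, 0x413100):
        print(f"{addr:08X}  {text}")
    print(encode_jz(0x23).hex(), encode_jz(0x400).hex())
```

Running it prints the five lines in the same form as the question's listing, with `short` and `large` appearing only where the bytes justify them. Removing the leading `64` from the `pop` makes `large` disappear and the default `ds` segment take over, which is the segment-override point in the comment above; one practitioner's aside the question does not state: on 32-bit Windows `fs:0` holds the head of the SEH handler chain, so a `pop large dword ptr fs:0` followed by `add esp, 0Ch` is the tail of a function unregistering its exception frame.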