What does the 66 in "66:PUSH 08" stand for?

Question

Test platform is windows 32bit.

I use IDA pro to disassemble a PE file, do some very tedious transform work, and re-assembly it into a new PE file.

But there is some difference in the re-assembled PE file and the original one if I use OllyDbg
to debug the new PE file (although there is no difference of this part in the assembly file I transformed)

Here is part of the original one:

See the

PUSH 8 
PUSH 0

is correct.

Here is part of my new PE file:

See now the

PUSH 8
PUSH 0

is changed to

66:6A 08
66:6A 00

and it lead to the failure of the new PE's execution.

Basically, from what I have seen, it lead to the un-align of stack.

So does anyone know what is wrong with this part? I don't see any difference in the assembly code I transform....

Could anyone give me some help? Thank you!

Answer 1

66h is the operand-size override prefix. In 32-bit code, it switches the operand size to 16-bit from the default 32-bit. So what happens here is that the PUSH instruction pushes a 16-bit value on the stack instead of the 32-bit one, and the ESP is decremented by 2 instead of 4. That's why you get unbalanced stack after the call.

You should check your assembler's documentation to see how you can force 32-bit operand size for the PUSH imm instructions. Different assemblers use different conventions for that. For example, in NASM you'd probably use something like push dword 8.