Eh, not sure what all use this will be but I figured I'd share anyway as I've not seen this trick posted anywhere and it's just a little something I found myself fiddling around.

Anyhow, if you are interested in making a single executable with both a DOS part and Windows part (aka utilizing the stub) so that you have some sort of viable alternative that runs under DOS if that is used (which probably isn't too relevant nowadays, but what the hey?), then here is all you'll need to do for testing your DOS part under Windows.

Use a hex editor (or MS-DOS edit) and reverse the MZ at the first two bytes (should look like ZM), save the file, then execute it. It will display the DOS behavior. :)

This works on both NE files (Win16) and PE files (Win32)

I think the reason for this is because ZM is a valid start of a DOS executable (though very rare) but is NOT for a Windows one.

Hence you can test out what the DOS part of any program does this way :)
Posted on 2004-05-02 00:54:22 by ShortCoder
Afternoon, ShortCoder.

Just tested that out. You're right - it works.

Thanks for the info.

Cheers,
Scronty
Posted on 2004-05-02 02:20:35 by Scronty
Nice trick:alright:
Posted on 2004-05-02 03:12:32 by Vortex
You could also just test the DOS stub part without appending a PE exe :p

And yes, ZM is a valid dos signature, some old virii used it to check if they had already infected a file...
Posted on 2004-05-02 08:29:18 by f0dder
Apparently programmers at Microsoft forgot to test for ZM as well when coding the PE loader.

As I recall, Luevelsmeyer's tutorial on PE files recommended to check for both signatures, but it appears not to be necessary then...
Posted on 2004-05-03 17:48:14 by QvasiModo

And yes, ZM is a valid dos signature, some old virii used it to check if they had already infected a file...

I wonder if a ZM signature triggers any heuristic flags... I think it did for TBAV but I have a very bad memory :P
Posted on 2004-05-03 17:49:30 by QvasiModo
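An added example in Python (not code from any poster in this thread) that models the rule the thread describes: DOS accepts either MZ or ZM as the EXE signature, while the Windows loader follows e_lfanew to the PE/NE header only behind MZ. It builds a constructed minimal header rather than using a real executable, applies the byte-swap trick from the first post, and shows the kind of check a scanner could use to flag a ZM-signed file that still carries a PE image.

```python
import struct

def build_sample(sig=b"MZ", new_sig=b"PE\0\0"):
    """Constructed 64-byte DOS header with e_lfanew pointing just past it."""
    hdr = bytearray(64)
    hdr[0:2] = sig
    struct.pack_into("<I", hdr, 0x3C, 64)   # e_lfanew = offset of PE/NE header
    return bytes(hdr) + new_sig + b"\0" * 20

def flip_signature(data):
    """The trick from the thread: swap the first two bytes (MZ <-> ZM)."""
    return bytes([data[1], data[0]]) + data[2:]

def classify(data):
    """Report how DOS and the (simplified) Windows loader would treat the image."""
    if len(data) < 0x40:
        return {"dos_exe": False, "windows_exe": False, "kind": None,
                "flags": ["too short for a DOS header"]}
    sig = data[:2]
    dos_ok = sig in (b"MZ", b"ZM")           # DOS accepts both spellings
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    in_range = e_lfanew + 4 <= len(data)
    new_hdr = data[e_lfanew:e_lfanew + 4] if in_range else b""
    kind = None
    if new_hdr[:4] == b"PE\0\0":
        kind = "PE"
    elif new_hdr[:2] == b"NE":
        kind = "NE"
    # Assumption from the thread: Windows only honours e_lfanew behind "MZ".
    windows_ok = sig == b"MZ" and kind is not None
    flags = []
    if sig == b"ZM":
        flags.append("ZM signature: only the DOS stub will ever run")
        if kind is not None:
            flags.append(f"ZM header hides a {kind} image")
    return {"dos_exe": dos_ok, "windows_exe": windows_ok,
            "kind": kind, "flags": flags}

if __name__ == "__main__":
    normal = build_sample()
    print(classify(normal))
    print(classify(flip_signature(normal)))
```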
It has in the past, dunno if it does anymore. But I wouldn't use it anyway.
Posted on 2004-05-03 18:13:03 by f0dder
Actually, 'ZM' is a valid EXE signature before DOS 2.0. I don't have an explanation for why it came to life, but I suspect some people were confused about the byte-order and just put something like mov word ptr ,'MZ'. And, then, DOS had to maintain the compatibility.
Posted on 2004-05-03 18:13:32 by Starless

It has in the past, dunno if it does anymore. But I wouldn't use it anyway.

For any particular reason? I'm still using that AV, always had a high concept of it. :confused:
Posted on 2004-05-04 12:06:53 by QvasiModo
Well, I was referring to ZM rather than MZ signature with "wouldn't use it anyway" :). So, TBAV still exists? I stopped using it not too long after the windows version arrived, it didn't work really well imo. ThunderByte was bought by some other company too, wasn't it?

These days it's Kaspersky and F-Prot for me... those are still decent products. Norton AV at the museum even though it sucks, but it catches the email spam and is automated + doesn't cause a fuss.
Posted on 2004-05-04 12:45:00 by f0dder

mov word ptr ,'MZ'. And, then, DOS had to maintain the compatibility.


Good explanation!
However, this shows a defect in assembler, it is not only a programmer's fault. A good assembler must assemble it properly. (sorry masm :) )
Posted on 2004-05-04 13:39:04 by pelaillo

Well, I was referring to ZM rather than MZ signature with "wouldn't use it anyway" :)

LOL! Sorry :grin:
So, TBAV still exists? I stopped using it not too long after the windows version arrived, it didn't work really well imo. ThunderByte was bought by some other company too, wasn't it?

These days it's Kaspersky and F-Prot for me... those are still decent products. Norton AV at the museum even though it sucks, but it catches the email spam and is automated + doesn't cause a fuss.

Yes, it was. I'm still using my ancient copy of TBAV because it's the only one I know of that still shows you the heuristic flags. F-prot doesn't do that anymore, but it's the one I use for detecting known viruses.

Is Kaspersky's AV freeware? I haven't checked in a long time...
Posted on 2004-05-12 15:20:39 by QvasiModo
No it's not, but I think there might be a trial version. You don't get (good) things for free these days, anyway. If you're still using an old dos TBAV, you might as well not use antiviral protection I'm afraid...
Posted on 2004-05-12 15:30:45 by f0dder
It's not THAT old... it's for Win95, one of the first. But I couple it with FPROT anyway. :)
Posted on 2004-05-12 15:34:18 by QvasiModo
I described the trick years ago :)
Posted on 2004-05-12 16:03:25 by The Svin