In my hex editor, the "MZ" signature is displayed as 0x4D5A.  Reading an article on MSDN (http://msdn.microsoft.com/en-us/magazine/cc301805.aspx) I've noticed that the author (or maybe convention?) has it as 0x5A4D.  Why?

Perhaps I should know the answer, but being a newb perhaps not.

Posted on 2010-07-07 18:54:36 by SyWiles
Your hex editor is showing you that the first two BYTES of the PE header are 0x4D and 0x5A respectively, which are the ascii codes for M and Z. The author of the article you refer to considered those first two bytes as a single WORD, i.e. correctly as 0x5A4D. When expressed as a WORD, the two memory bytes are thus reversed (standard little endian convention).

Your statement that your hex editor showed it as 0x4D5A (which by convention would be a WORD) was thus incorrect.
Posted on 2010-07-07 20:22:41 by Raymond
Confirm that you are seeing 4D 5A and not 4D5A, otherwise you need to check/correct the endianness mode of the hex editor you are using.
Posted on 2010-07-08 02:28:44 by SpooK
Thanks for your replies.  I'll have to keep that in mind and it sounds like I have some more reading to do. :-)

Posted on 2010-07-08 08:29:18 by SyWiles