Jump in header

Hi, I was wondering how you check for the string behind the jump in an executable. If it is image_base + 2, how do you make sure the jump is short? Because I didn't see any jump-size operator in the tutorial.
Dex- 04-18-2006
Very good point vid :). But we check it in the CLI, with code like this:
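mov esi,0x200000          ; program load address
add esi,2                 ; signature offset after a 2-byte short jump
cmp dword[ds:esi],'DEX1'
je ItsaDexProg
add esi,3                 ; esi = load address + 5, the offset after a 5-byte near jump
cmp dword[ds:esi],'DEX1'
jne NotaDexProg
ItsaDexProg: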
One other thing that is not what it seems is that the programs are not loaded to 0x200000, but to 0x200000 + base (descriptors). The base is set at boot time so that it's the same as realmode; this makes going to and from realmode very easy, and you can just think of it as, say, 0x200000, because all addresses will get that base added on. The only time you need to use any other base (a 0 base) is for direct access to things like the screen, VESA etc., but most of these are done with functions that do this for you. Even if you do need a 0 base, it's as simple as this to do:
mov ax,8h
mov es,ax
Hope this helps
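An added example, not part of the original posts and not DexOS code: a loader-side check in C that decodes the jump opcode first and then looks for 'DEX1' only at the offset that encoding implies. It assumes 32-bit code (short jump `EB rel8`, near jump `E9 rel32`); the function name, the sample headers and the jump-target check are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample headers (not real DexOS programs). */
static const uint8_t hdr_short[] = { 0xEB, 0x04, 'D', 'E', 'X', '1', 0x90, 0xC3 };
static const uint8_t hdr_near[]  = { 0xE9, 0x04, 0, 0, 0, 'D', 'E', 'X', '1', 0x90, 0xC3 };
/* Short jump, but the signature sits at +5: a probe of both offsets accepts this. */
static const uint8_t hdr_mixed[] = { 0xEB, 0x07, 0x90, 0x90, 0x90, 'D', 'E', 'X', '1', 0xC3 };
/* Short jump whose target lands on the signature bytes. */
static const uint8_t hdr_into_sig[] = { 0xEB, 0x00, 'D', 'E', 'X', '1', 0x90 };

/* Returns the signature offset (2 or 5) for a valid header, 0 otherwise.
 * Assumes 32-bit code: jmp short = EB rel8, jmp near = E9 rel32. */
int dex_signature_offset(const uint8_t *img, size_t len)
{
    static const uint8_t sig[4] = { 'D', 'E', 'X', '1' };
    size_t sig_off;
    int64_t target;                          /* jump destination from image start */
    if (img == NULL || len < 2)
        return 0;
    if (img[0] == 0xEB) {                    /* 2-byte short jump */
        sig_off = 2;
        target = 2 + (int8_t)img[1];
    } else if (img[0] == 0xE9 && len >= 5) { /* 5-byte near jump */
        uint32_t rel = (uint32_t)img[1] | (uint32_t)img[2] << 8 |
                       (uint32_t)img[3] << 16 | (uint32_t)img[4] << 24;
        sig_off = 5;
        target = 5 + (int64_t)(int32_t)rel;
    } else {
        return 0;                            /* first instruction is not a jump */
    }
    if (len - sig_off < sizeof sig)          /* signature would run past the buffer */
        return 0;
    if (memcmp(img + sig_off, sig, sizeof sig) != 0)
        return 0;
    /* Extra sanity check (not in the post): land after the signature, inside the image. */
    if (target < (int64_t)(sig_off + sizeof sig) || target >= (int64_t)len)
        return 0;
    return (int)sig_off;
}

int main(void)
{
    printf("short=%d near=%d mixed=%d\n", dex_signature_offset(hdr_short, sizeof hdr_short),
           dex_signature_offset(hdr_near, sizeof hdr_near),
           dex_signature_offset(hdr_mixed, sizeof hdr_mixed));
    return 0;
}
```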