Winners of Bonus Points from Yesterday?s FTBM
Last Updated: 2005-09-23 00:15:07 UTC
by Ed Skoudis (Version: 1)
Yesterday, Tom Liston posted his latest Follow the Bouncing Malware. In it, he posed a question for extra credit, namely:
"Those of you with taped, horn-rimmed glasses who were in the AV club in Jr. High will note that the numbers assigned to o(0) look strangely familiar. [They were 4d5a] They're the hex equivalents of the "magic values" that begin every program on the PC (extra-credit: anyone know what they stand for?)."
We had several readers point out the answer, but the first was Frank Knobbe:
"Actually, it is every MSDOS program. Every Portable Executable (PE) file starts with a header. The first two bytes is a 'magic' that identifies the file as an MSDOS executable. The magic is 0x5A4D which is MZ in ASCII. MZ are the initials of Mark Zbikowski, one of the original architects of MS-DOS. :)"
Tom described this as the ultimate in vanity-license-plate equivalents for geeks. Indeed it is. And, I might point out that the file encryption solution built into modern Windows systems is called?.
Edward Frank Skoudis