Use signed offsets to reduce false positives (Christoph Biedl)
And here is your reward: Reduce the number of false-positive
detections of "DOS executable (COM)" big time, especially for small
files. In my case, modulo further checks, the number of files reported
that way went down from some 2500 to 35, with perhaps 6
false-positives.
The trick: The target of the JMP instruction at offset 0 must be valid
and sound: For 0xeb (8-bit offset) the offset must be positive as
negative offsets would lead into the program segment prefix (PSP), and
the file must be long enough that the jump target actually exists. Similarly
for 0xe9 (16-bit offset). Here negative offsets (wrapped around at
16 bits) are acceptable as long as they don't lead into the PSP. Such
files do exist. And that's where I needed a signed indirect offset.
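
The jump-target check described above, sketched in Python as an added example; it is not part of the commit or of file(1)'s magic rules, and it covers only this check, not the further checks the message mentions. The function name and the sample byte strings are constructed, and accepting a zero 8-bit offset is an assumption.

```python
import struct

PSP_SIZE = 0x100  # a .COM image is loaded directly after the 256-byte PSP


def com_jump_target(data: bytes):
    """Return the file offset the leading JMP lands on, or None if the
    jump is implausible for a DOS .COM program (hypothetical helper)."""
    if len(data) < 2:
        return None
    opcode = data[0]
    if opcode == 0xEB:  # JMP rel8: 2-byte instruction, signed 8-bit offset
        (rel,) = struct.unpack_from("<b", data, 1)
        if rel < 0:  # the message rejects backward short jumps
            return None
        target_ip = PSP_SIZE + 2 + rel
    elif opcode == 0xE9:  # JMP rel16: 3-byte instruction, signed 16-bit offset
        if len(data) < 3:
            return None
        (rel,) = struct.unpack_from("<h", data, 1)
        # IP wraps at 16 bits, so a "negative" offset can land far ahead.
        target_ip = (PSP_SIZE + 3 + rel) & 0xFFFF
        if target_ip < PSP_SIZE:  # target lies inside the PSP
            return None
    else:
        return None
    file_offset = target_ip - PSP_SIZE
    # The file must be long enough for the target byte to exist.
    return file_offset if file_offset < len(data) else None


# Constructed samples: label -> leading bytes of a candidate file.
SAMPLES = {
    "short jump forward": b"\xeb\x02\x90\x90\xc3",
    "short jump backward": b"\xeb\xfe",
    "short jump past end of file": b"\xeb\x10\x00",
    "near jump into the PSP": b"\xe9\xfc\xff\x90",
    "near jump, wrapped negative offset": b"\xe9\x00\x80" + b"\x90" * 0x8001,
    "text starting with 0xeb-like noise": b"\xeb\x7f plain text",
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        target = com_jump_target(blob)
        verdict = "plausible, target 0x%x" % target if target is not None else "rejected"
        print("%-36s %s" % (label, verdict))
```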