test ds,4

Anyone knows what it does?

mov ax,ds
test ax,4

it might be a NT\9x detection or... sice detection..

ds in ring3 (NT) = 23h = 100011b
4=100b

thanks in advance

yes, it's seems to be a 9x/NT detection, cos at 98 ds is 167h = 101100111b

[omidgl]

I've tested that in win 98,ME,2000,XP,2003. and it seems that it's a vay to detect NT/9x family.
I think that it's because of some differences between 9x and NT family in Data-Section alignment rules.
Very interesting...
Regards
OMID

[Mkz]

That bit is not related to alignment, but with the place where the selector points to.
The DS segment register (and others) are divided in 3 fields. The lower 2 bits are the RPL - Request Privilege Level, which map to ring 0 or 3 in Windows; the next bit is the TI - Table Index, and indicates if the segment (remainging bits to the left) are defined in the GDT (0) or in the LDT (1).
Probably, Win9x uses LDT for application segment selectors, while NT+ always use GDT.
You can find more info on this topic on http://www.acm.uiuc.edu/sigops/roll_your_own/i386/regs.html#segments or google for more.

ok, thanks for the infos
I think I saw some snippet like this in some y0da's source code
and it was to detect 9x\NT thats why I assumed it could be the same...