Ok, I've been taking a few notes about the new (post-2003 SP1) setupldr.bin format versus the old (pre-2003 SP1) one. So far, I've only found a few points of interest, which may or may not already be known:

setupldr.bin is actually two parts. The first is the "boot image" (the correct term escapes me at the moment), and the second is a PE (exe) file.

setupldr.bin and ntldr are identical up until a little ways into the PE header.

If you strip off the first part, you can disassemble the remaining EXE portion with any disassembler.

The checksum portion of the PE header isn't used, much less used to verify that the file has been modified.

You can edit the first part without it throwing a "NTLDR is corrupt" message. Tested by editing only the three occurrences of "NTLDR is corrupt".

The third occurrence of "NTLDR is corrupt" is the one that is actually printed when editing an occurrence of "I386". I haven't tested editing each occurrence of "i386", "I386", and "amd64", one at a time, to see if the other messages are used anywhere.

I think the most important thing here is the separation of the two parts: the boot image that calls the setup loader, and the setup loader .exe itself. It's only logical that the checksum exists in the boot image portion, which is under 20kB in size, and is only a couple kB larger than the pre-2003 SP1's boot image portion. This is good, because it almost entirely rules out any "complex" integrity checking, which leaves the only viable option that comes to mind being CRC/CRC32.

I've been known to get bored of projects and put them off indefinitely, so I figured I should dump my notes/thoughts here before that happens. I still have a few more ideas though, and I'll let you know if they turn up anything interesting.
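An added example, not part of the original post: a Python sketch of the two-part split described above, which finds the embedded PE image inside a loader blob and reads the CheckSum field stored in its optional header. The function names and the sample bytes are constructed for illustration; no real setupldr.bin content is used.

```python
import struct

CHECKSUM_OFF = 0x40  # CheckSum offset inside the optional header (PE32 and PE32+)

def find_embedded_pe(blob):
    """Return (mz_offset, pe_offset, stored_checksum) for the first valid PE, else None."""
    pos = blob.find(b"MZ")
    while pos != -1:
        # "MZ" can also occur by chance in the leading part, so validate the candidate.
        if pos + 0x40 <= len(blob):
            (e_lfanew,) = struct.unpack_from("<I", blob, pos + 0x3C)
            pe = pos + e_lfanew
            opt = pe + 4 + 20  # skip "PE\0\0" signature and the 20-byte COFF header
            if opt + CHECKSUM_OFF + 4 <= len(blob) and blob[pe:pe + 4] == b"PE\0\0":
                (magic,) = struct.unpack_from("<H", blob, opt)
                if magic in (0x10B, 0x20B):  # PE32 / PE32+
                    (checksum,) = struct.unpack_from("<I", blob, opt + CHECKSUM_OFF)
                    return pos, pe, checksum
        pos = blob.find(b"MZ", pos + 1)
    return None

def split_loader(blob):
    """Split a blob into (leading part, PE part, stored PE checksum)."""
    hit = find_embedded_pe(blob)
    if hit is None:
        raise ValueError("no embedded PE image found")
    mz, _, checksum = hit
    return blob[:mz], blob[mz:], checksum

def constructed_sample():
    """Constructed test blob: fake leading part with a decoy 'MZ', then a minimal PE header."""
    lead = b"\x90\x90" + b"NTLDR is corrupt\0" + b"MZ" + bytes(100)
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)               # e_lfanew
    opt = bytearray(0x60)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, CHECKSUM_OFF, 0x0001A2B3)  # made-up checksum value
    return lead + bytes(dos) + b"PE\0\0" + bytes(20) + bytes(opt)

if __name__ == "__main__":
    lead, pe_part, checksum = split_loader(constructed_sample())
    print(f"leading part: {len(lead)} bytes, PE part: {len(pe_part)} bytes, "
          f"stored CheckSum: {checksum:#010x}")
```

A stored CheckSum of zero, or one that stays the same after the PE part has been changed, is consistent with the field not being maintained.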