Delphi font modification

zhaozj2021-02-08  492

Delphi font modification

statement

Individuals can freely reprint this article, but should maintain the integrity of the original text and inform me; if the business reprint first contact me first.

There is no clear or unclear note that this article is completely correct, read and use this article is your own choice, I am not responsible.

If you find that this article has a wrong place, please give me a pointed out; if you don't understand anything, please give me a given.

Opinions, suggestions and proposed issues are best written in my home page http://llf.126.com's message.

Hint

After the last Delphi message box font problem, there is a problem with the Hannifier proposed Hint font correction. Before we say this, we have to be familiar with Microsoft recommended font settings:

NHEIGHT = -muldiv (Pointsize, GetDeviceCaps (HDC, Logpixelsy), 72);

Everyone also saw that the last parameter is 72, which is the hexadecimal 0x48, and it is a constant, so when this statement compiles to the executable, there will be a clear PUSH 00000048 statement, and Because 72 is the last parameter, this push statement is the first PUSH statement of this line program, so that the method we introduced by the modification message box will be used as a secondary judgment method, according to Daewoo, This method is judged that it has so far a hundred. :)

This time, the problem of Hint, because in the anti-compiled document, "Push 00000008 / N / N * Reference TO: Kernel32.Muldiv," or the above line is not "push 00000048", so you can't find what you need to modify Place, I found that for Hint's font settings, it is not directly embedded 8, which means that there is no obvious PUSH 00000008, but it is still modified.

Previously, Chinease has asked iProtect Soho's font issues, I was not familiar, thinking that the main interface is a font that uses enumeration. It does not solve it, but now I find that its main interface font is to set itself. So the remaining font is still the problem of hint, here is an example of iProtect Soho as an example.

Use W32DASM to compile iprotect.exe, generate iProtect.Alf, open it, find the push 00000048, find four, where the two one because the statement on the Call Muldiv is push 00000009, so it is already 9 pound fonts, There is no Call Muldiv at all, so it's not what we have to find, the rest is as follows:

* Reference by a call at addresses:

| 0412279,: 00416EAA,: 0041D93C,: 00425408,: 004BAFCA

| 004BB710

|

: 0041DB38 53 Push EBX

: 0041DB39 8BD8 MOV EBX, EAX

: 0041DB3B 8B4314 MOV EAX, DWORD PTR [EBX 14]

: 0041DB3E 50 Push EAX

: 0041DB3F 6A48 Push 00000048: 0041DB41 8BC3 MOV EAX, EBX

: 0041DB43 E864FFFFFF CALL 0041DAAC

: 0041DB48 50 Push EAX

* Reference to: kernel32.muldiv, ord: 0000h

|

: 0041DB49 E8A67BFEFF CALL 004056F4

: 0041DB4E F7D8 NEG EAX

: 0041DB50 5B POP EBX

0041DB51 C3 RET

: 0041DB52 8BC0 MOV EAX, EAX

* Reference by a call at addresses:

| 0412298,: 00416EB9,: 0041AE0F,: 0041D945,: 0045417

|: 0043CC63,: 0043D62A,: 00471F31,: 004914F4,: 0049CB09

| 004B6212,: 004BA4DA,: 004BA51E,: 004BB720,: 004D4955

|

: 0041DB54 53 Push EBX

: 0041DB55 56 PUSH ESI

: 0041DB56 8BF2 MOV ESI, EDX

: 0041DB58 8BD8 MOV EBX, EAX

: 0041DB5A 6A48 Push 00000048

: 0041DB5C 8B4314 MOV EAX, DWORD PTR [EBX 14]

: 0041DB5F 50 Push EAX

: 0041DB60 56 PUSH ESI

* Reference to: kernel32.muldiv, ord: 0000h

|

: 0041DB61 E88E7BFEFF CALL 004056F4

: 0041DB66 8BD0 MOV EDX, EAX

: 0041DB68 F7DA NEG EDX

: 0041DB6A 8BC3 MOV EAX, EBX

: 0041DB6C E843FFFFF CALL 0041DAB4

: 0041DB71 5E POP ESI

: 0041DB72 5B POP EBX

0041DB73 C3 RET

It can be seen that on the Call Muldiv is not a constant, but the register value, and the two-segment code is actually a function, so it is set by others call, this requires tracking to know who is calling I have recently found that W32DASM can also perform dynamic tracking because other processes are not suspended, so I prefer to use W32DASM to track - can listen to MP3 at the same time. :) But W32DASM's tracking interface is a bit zero, I will not introduce it. Here, tracking to the caller :: 0041adfa ba38ae4100 mov EDX, 0041AE38

: 0041ADFF 8B460C MOV EAX, DWORD PTR [ESI 0C]

: 0041AE02 E8ED2C0000 CALL 0041DAF4

: 0041AE07 BA08000000 MOV EDX, 00000008

: 0041AE0C 8B460C MOV EAX, DWORD PTR [ESI 0C]

: 0041AE0F E8402D0000 Call 0041DB54

The last Call 0041db54 calls the above set font code, we found that there is a MOV EDX, 00000008, we try to modify it into MOV EDX, 0000000F, run the program, found that Hint's font really became very Big, that is, change to the place.

In addition, the MOV EDX, 0041AE38 of the first sentence is actually pressed into the font name, so the final modification is: change the "MS SANS SERIF" at 0x1a239 to "Song", and change 08 at 09 at 09 to 09. (0x1a238 is the length counter of the font name, preferably also modified to 04)

Simple way

The above introduction is just to let everyone know why you want to modify it, in fact, there is a simple way to find the place to modify. I said that Delphi programmers generally do not create fonts themselves, so this is still a VCL problem, and the code compiled by VCL does not differ because of different programs, so there is still laws.

I don't know if you don't pay attention to it. The above changes are not big, a 0x1a239, a 0x1a208, only the difference is 0x31, for the UEDIT, it is three rows more characters, in fact, this is its law, we can first find it first Which word is the problem, go up to three lines, find a "ba 08", change it to "ba 09", I can use the success rate of several programs in this way is also 100%. :)

As for the problem of which one font name, I don't say - one of the top more is changed to "System" to test, it can be found. :)

转载请注明原文地址:https://www.9cbs.com/read-195.html

New Post(0)