Modify the ProcDump font size

Source: Internet
Author: User
Dianjing studio-liang lifeng

Statement

Individuals can freely repost this article, but they should maintain the integrity of the original article and notify me. For commercial reprinting, please contact me first.

This article makes no claim, express or implied, that it is completely correct. You may choose to read and use its content, but no liability is accepted for it.

If you find any mistakes in this article, please point them out to me; if there is anything you do not understand, please ask me.

Comments, suggestions and questions are best written on the message board of my home page, http://llf.126.com.

ProcDump Problems

If you have used the Chinese version of ProcDump (this refers to the Chinese version of 1.5, which I have not seen), you probably remember that the font of its main form is too small: it is not the familiar ", 9", although the other forms are normal. Why? All the other forms are created from dialog resources, so their font size can be modified with the eXeScope resource editor. The main form is different: it is created and initialized with the CreateWindow function. This is a common situation. If a program does not set the font deliberately, the font will be "system, 8", and "system, 8" displays at basically the same size as ", 12". It is a little big, but acceptable, so it is certain that ProcDump sets the font here itself.

This time I used the ProcDump 1.6 ultra 2 English version. To make checking easier, I found the "unpack" button in the main form, changed it to "decompress", and ran the program. The font is really ugly! :)

Next, use TRW2000: select procdump.exe and set a breakpoint with "BPX CreateFont". The program runs without breaking, so it does not call the CreateFont function. That is strange: how can the font be set without using CreateFont?

Run eXeScope and select procdump.exe to check the import items (the function import table; by the way, the program that was last extracted using TRW2000 cannot be run on other machines, the reason is that the import table is incorrect, but I still don't know how to fix it). Under gdi32.dll there is only one relevant entry: CreateFontIndirectA. So the program sets the font directly with CreateFontIndirectA. (APIs named xxxxIndirect are generally the ones called directly. For example, the CreateFont function calls CreateFontIndirect internally to set the font. However, a program can also call CreateFontIndirect itself instead of CreateFont.)

First, get familiar with how CreateFontIndirectA is called. Looking it up in MSDN, we find that this function has only one parameter, which is a pointer to a LOGFONT structure.

Use TRW2000 again: select procdump.exe and set a breakpoint with "BPX CreateFontIndirectA". The debugger breaks at the entry of CreateFontIndirectA. Type "pmodule" to return to the ProcDump code area. The call just made turns out to be CreateWindow, not the expected CreateFontIndirectA. This indicates that CreateFontIndirectA is also called inside CreateWindow, but that has nothing to do with us, so continue until a break where the statement just executed is "call GDI!CreateFontIndirectA" and the statement above it is "push 00405b37" (This number may be different and I cannot remember it clearly, so it is only used as an example).

As we know from above, this 00405b37 is the pointer parameter. Type "DD 00405b37"; the displayed data is "FF F5 ............", followed by "90 01", "MS Sans Serif" and so on. From modifying Winamp's font last time, we know that F5 needs to be changed to F4, so try the same here: use the "e 00405b37" command to change F5 to F4 and continue running the program. The program reaches this place several more times before it finally runs. The font is normal.

Then search for "FF F5" in the executable file. It is not found, so search for "MS Sans Serif" instead. There is only one match, so this is the one we want. Looking just above it, the bytes turn out to be not "FF F5" but "F5 FF". So these are not a single item; they sit together only because the source program initializes them together, and the compiler therefore placed them together. In any case, it does not affect us. Change "F5 FF" to "F4 FF" and run the program again: the font is normal. (Similarly, you can change the font name to spaces to use the default font.)

Well, as I said, there are a lot of programs that do not use resources for the main form, so if other programs have this kind of font problem, you can use the same method. However, whether such a program uses CreateFont or CreateFontIndirect is not certain; you need to test that yourself.
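The byte patterns seen above ("F5 FF", "90 01", then the face name) match the Win32 LOGFONTA layout, in which lfHeight is a little-endian 32-bit value stored 28 bytes before lfFaceName. The following is an added example, not part of the original article: it locates such a structure by its face name, decodes it and rewrites lfHeight. The sample image is constructed for the example (it is not ProcDump data), the helper names are hypothetical, and it assumes the bytes around the face name form a standard LOGFONTA.

```python
import struct

# Win32 LOGFONTA: five little-endian LONGs, eight BYTEs, CHAR lfFaceName[32].
LOGFONTA = struct.Struct("<5l8B32s")    # 60 bytes in total
FACE_OFFSET = 28                        # offset of lfFaceName in the structure


def build_sample_image():
    """Constructed stand-in for an executable's data section."""
    logfont = LOGFONTA.pack(-11, 0, 0, 0, 400, *[0] * 8, b"MS Sans Serif")
    return bytearray(b"\x90" * 37 + logfont + b"\x00" * 16)


def find_logfonts(image, face=b"MS Sans Serif"):
    """Yield (offset, lfHeight, lfWeight) for each structure naming `face`."""
    pos = image.find(face)
    while pos != -1:
        start = pos - FACE_OFFSET
        # Skip matches too close to either end to hold a whole structure.
        if start >= 0 and start + LOGFONTA.size <= len(image):
            fields = LOGFONTA.unpack_from(image, start)
            yield start, fields[0], fields[4]
        pos = image.find(face, pos + 1)


def set_height(image, offset, new_height):
    """Rewrite lfHeight in place and return the four bytes written."""
    raw = struct.pack("<l", new_height)
    image[offset:offset + 4] = raw
    return raw


def hexbytes(data):
    return " ".join(f"{b:02X}" for b in data)


if __name__ == "__main__":
    img = build_sample_image()
    for off, height, weight in list(find_logfonts(img)):
        # -11 is stored as F5 FF FF FF; a dword dump shows it as FFFFFFF5,
        # which is why the debugger view and the file view look reversed.
        print(f"LOGFONTA at 0x{off:X}: lfHeight={height} "
              f"[{hexbytes(img[off:off + 4])}], lfWeight={weight}")
        print("lfHeight rewritten as:", hexbytes(set_height(img, off, -12)))
```
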
