IDA Fonts of Eton

September 26, 2020 in Silly

The other day I twitted example of IDA Pro showing code using a very posh font called Harrington:

I also posted Comic Sans Serif version by special request from @silascutler 😉

and

If you are curious how I did it — well, I chose the hardest possible way w/o looking at alternatives.

If you open IDA Pro Font choosing Dialog Box you will only see a subset of fonts that have a fixed width (Monospaced fonts):

In order to adjust IDA’s behaviour to allow me to choose any font I… didn’t check configuration files or Registry – I went directly to the co(d|r)e.

If you ever played with GDI API functions you know that font selection is associated with a variety of CreateFont* functions. One of the lowest level user-mode functions that is eventually called is CreateFontIndirectW. If you know that, the recipe is simple – open IDA Pro under XDBG, put a breakpoint on CreateFontIndirectW, disable it, let IDA Run, Open Font Dialog Box, choose any font – now you are game, now enable breakpoint, hit OK – change font name in XDBG, run. Et Voilà!

Comments Off on IDA Fonts of Eton

RTF…M

September 26, 2020 in Archaeology

One of the best ways to generate ideas for research is reading manuals and original documentation. Not only we learn new stuff, we also re-learn the old stuff and if we happen to re-visit different versions of the same documentation over the years there are chances that a) we will be aware of changes & stuff that has been phased out b) we will be able to find stuff we missed in previous reading iterations.

Such is the case I want to quickly discuss today.

If I asked you what is the RTF file magic you would most likely reply:

{\rtf OR {\rtf1

Well, I thought so too until I looked at Rich Text Format (RTF) Specification again. It is where I found the following long-forgotten tags:

  • \pwdN
    • Substitute for \rtfN. Introduced by Pocket Word to distinguish its files from general RTF files. Currently only 1 is emitted and the number is ignored by the RTF reader.
  • \urtfN
    • Identifies an RTF file in which all text characters are encoded in UTF-8. Only binary data escapes this transformation. Word does not read this encoding of RTF.

So, there you have it… corner cases, you can’t exploit them per se (I think), but at least now we know.

Comments Off on RTF…M

← Previous Entries