Date: Mon, 11 Oct 1999 22:05:26 -0500
To: ACM@UIUC's Mac Warriors
From: Steven Bytnar
Subject: Hacking SetThemeFontSmoothing

Rick mentioned on Sunday at the ACM Conference that he wanted to change the minimum font smoothing size. I took it as a challenge. Consider this a tutorial of how you can use Macsbug to do some really cool stuff.

Be careful. I haven't fully tested this hack yet, and it requires you to follow along and apply the ideas I present... numbers and code listed here are NOT absolute. You will most likely have to formulate these numbers by yourself. Remember, this is my documentary of how this was accomplished, not the exact steps you need to take!!! Read the last part of it to see what you essentially need to change.

What did it take for me to figure this out?

  ResEdit
  Macsbug
  PEF Viewer
  HexEdit
  30 minutes of running around in Macsbug and 20 minutes to write this in a coherent fashion, and verify the steps I took.

What shareware tools would have helped?

  The Fragmanalyzer ($25) (disassembly of the AppearanceLib fragment from the "System" context.)
  MacNosy to disassemble any cfrg.
  Resorcerer to take apart extended 'cfrg's and maybe to do the data fork editing.

How did I start?

I opened the Appearance control panel in ResEdit. I remembered that I had tried hacking it before by just changing the MENU resource that lists all the values you can enter, so I didn't take that path.

I then disassembled AppearanceLib (using PEF Viewer) and found a global symbol named SetThemeFontSmoothing in the Imports list of the Loader Section.

I dropped into Macsbug.

  "tvb SetThemeFontSmoothing"
  TVector Break at "SetThemeFontSmoothing" (TVector at 0050285C) every time

  "wh ."
  Address 0050285C is in the System heap at 00002800
  It is 00000B8C bytes into this heap block:
      Start     Length       Tag  Mstr Ptr  Lock  Prg  Type  ID  File  Name
    • 00501CD0  0000C92C+08  N

  "dm ."
  Displaying memory from 050285c
  0050285C  3655 1F6C 0050 9CD0 3655 1EAC 0050 9CD0  6U•l•PœÐ6U•¬•PœÐ
  0050286C  3655 1D70 0050 9CD0 3655 1CD4 0050 9CD0  6U•p•PœÐ6U•Ô•PœÐ

  "g"

...hack to reality...

I ran the Appearance control panel. Opened AppleScript. Opened the Appearance control panel's dictionary. Made the script:

  tell application "Appearance"
    set minimum font smoothing size to 11
  end tell

Ran it. Macsbug enters:

  PowerPC TVector break at 36551F6C SetThemeFontSmoothing

I noticed PowerPC register 4 was 0000000b (11 decimal). This makes sense since the MacOS Application Binary Interface states that parameter passage is done in registers r3, r4 and r5 (any others come on the stack).

So I listed the code.

  "ilp SetThemeFontSmoothing"
  (hit return a few times to see more of the disassembly.)

< INSERT MACSBUG DISASSEMBLY HERE, if I actually disassembled it. ;) >
< I will not repost any code I saw, just some opcodes that are interesting >
< since it's against the license agreement to disassemble any part of MacOS. >

You might see that r4 is stored in 0x006E+SP. Later, you might see that 0x006E+SP is compared against 0x000C:

  cmplwi   r0,0x000C   | 2800000C

BINGO. That's the limit. 12 decimal (0c hexadecimal) is the current minimum.

  "wh SetThemeFontSmoothing"
  Address 36551FAC is in VM file-mapped logical memory space
  It is in the CFM fragment "AppearanceLib" at 3654DAB0
  It is 000044FC bytes from the start of the fragment
  and 00000A9C bytes into a non-writeable code section at 36551510

Well. Now we just need to find out where AppearanceLib is stored on disk so we can change it permanently. This is the tough part.

I looked in the extension folder. Doh! 8.6 no longer has an "Appearance Extension". If you want to hack 8.5 or any earlier system, things are immensely easier because you can edit the "Appearance Extension"... much easier than hacking 8.6's System file's 4MB data fork.... where almost all Toolbox APIs are stored.

Open ResEdit. Open the System file. Check out the 'cfrg's.
'cfrg' 49 contains: (you might have to search through all of the 'cfrg' resources to find it.)

  Member 11:
    arch: ppc
    ...
    Where: 1
    Offset: 2464432
    Length: 315821
    Member Size: 56
    Member Name: AppearanceLib

This means AppearanceLib is located in the data fork of the System file at offset 2464432.

Open HexEdit. Open A COPY OF the System file. Go to offset 2464432 decimal. You should see:

  Joy!peffpwpc....

Now, we need to do a search for our code snippet above since the offsets Macsbug sees are not accurate in practice.

Find Hex: (Note these are the hex codes for the three instructions that do the cmplwi...0x000C, blt, cmplwi...0x0018)

  2800000C 4180000C 28000018

Modify the 2800000C to be whatever minimum you'd like. Be careful as the scaling algorithm MIGHT not be able to handle small sizes!!!

If you haven't figured it out by now, 2800xxxx is the opcode where xxxx can be any 4 digit value you'd like to compare against.

Save your changes. Put your current System file in the trash. This unblesses your System Folder. Move or copy the modified one into your System Folder to rebless it. Reboot. Enjoy.

Have any other challenges? :)

--Steve, who needs to be enrolled in hackers anonymous


Date: Tue, 26 Oct 1999 18:05:09 -0500
From: Rick Roe
Subject: Re: Hacking SetThemeFontSmoothing
To: ACM@UIUC's Mac Warriors

I just successfully applied this hack on Mac OS 9... it runs fine with the minimum size set to 9 point. Only difference from Steve's exploratory surgery is that the offset of AppearanceLib in the system file is 2471952 under OS 9.

Also, something that Steve didn't point out: this hack allows you to set the minimum size below 12, but it doesn't allow you to edit the number below 12 in the Appearance control panel. Looks like that'd be a separate hack.
:) You can, however, use this snippet of AppleScript to do the deed:

  tell application "Appearance" to set minimum font smoothing size to 9

Incidentally, there's no longer a memory leak from opening and closing the Appearance CP in OS 9, so AppleScripts that pop into it just to change a setting and then quit are much more useful.

--Rick Roe
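The data-fork patch Steve walks through (read the AppearanceLib offset from the 'cfrg' member, confirm the "Joy!peffpwpc" PEF header at that offset, find the 2800000C 4180000C 28000018 sequence, rewrite the 16-bit immediate of the first cmplwi) as an added Python example. This is not code from either post. It assumes a copy of the System file's data fork as input and the 'cfrg' offset and length read in ResEdit (Steve's 2464432/315821 on 8.6, Rick's 2471952 on OS 9); the sample fork produced by make_sample_fork() is constructed for demonstration and is not a real System file. The checks it adds are the ones a careful hex editor would make by hand: refuse to touch anything unless the PEF header is where 'cfrg' says it is, unless the three-instruction sequence occurs exactly once on a word boundary, and unless the new floor stays below the 0x18 ceiling the following compare enforces.

```python
"""Patch the font-smoothing floor in an AppearanceLib PEF fragment.

Added example for the procedure in the thread above; not code from either
post. Assumes: frag_offset/frag_length are the 'cfrg' member values read in
ResEdit, the patch site is the cmplwi/blt/cmplwi sequence Steve searched for
in HexEdit, and the input is a COPY of the System file's data fork. The fork
built by make_sample_fork() is constructed, not a real System file.
"""
import struct

PEF_MAGIC = b"Joy!peffpwpc"   # PEF container: tag1 'Joy!', tag2 'peff', arch 'pwpc'
CMPLI_OPCODE = 10             # primary opcode of cmpli; cmplwi is the L=0 form
BLT_SKIP = 0x4180000C         # blt +0xC: the branch between the two compares
CMPLWI_MAX = 0x28000018       # cmplwi r0,0x0018: the matching upper bound


def decode_cmplwi(word):
    """Split a 32-bit cmpli word into (crfD, rA, UIMM); raise if it is not one."""
    if word >> 26 != CMPLI_OPCODE:
        raise ValueError("0x%08X is not a cmpli instruction" % word)
    return (word >> 23) & 0x7, (word >> 16) & 0x1F, word & 0xFFFF


def encode_cmplwi(ra, uimm, crfd=0):
    """Build the word for cmplwi crfD,rA,UIMM (L bit = 0)."""
    if not 0 <= uimm <= 0xFFFF:
        raise ValueError("UIMM must fit in 16 bits")
    return (CMPLI_OPCODE << 26) | (crfd << 23) | (ra << 16) | uimm


def find_patch_site(fork, frag_offset, frag_length):
    """Absolute offset of the 2800xxxx 4180000C 28000018 sequence in the fragment.

    Refuses to guess: the PEF header must sit at the 'cfrg' offset and the
    sequence must occur exactly once, word-aligned, so a wrong offset (an 8.6
    offset used on OS 9, say) fails instead of corrupting the file.
    """
    frag = fork[frag_offset:frag_offset + frag_length]
    if not frag.startswith(PEF_MAGIC):
        raise ValueError("no PEF container header at offset %d" % frag_offset)
    hits = []
    for i in range(0, len(frag) - 11, 4):
        w0, w1, w2 = struct.unpack(">III", frag[i:i + 12])
        # first word: cmplwi r0 with any immediate (Steve's "2800xxxx")
        if w0 >> 16 == 0x2800 and w1 == BLT_SKIP and w2 == CMPLWI_MAX:
            hits.append(frag_offset + i)
    if len(hits) != 1:
        raise ValueError("expected exactly one patch site, found %d" % len(hits))
    return hits[0]


def read_min_smoothing(fork, frag_offset, frag_length):
    """Current minimum smoothing size, i.e. the UIMM of the first compare."""
    site = find_patch_site(fork, frag_offset, frag_length)
    (word,) = struct.unpack(">I", fork[site:site + 4])
    return decode_cmplwi(word)[2]


def patch_min_smoothing(fork, frag_offset, frag_length, new_min):
    """Return a copy of the data fork with the minimum compare set to new_min."""
    site = find_patch_site(fork, frag_offset, frag_length)
    (old_word,) = struct.unpack(">I", fork[site:site + 4])
    crfd, ra, _ = decode_cmplwi(old_word)
    max_size = decode_cmplwi(CMPLWI_MAX)[2]
    # keep the floor below the 0x18 ceiling the next compare enforces
    if not 1 <= new_min <= max_size:
        raise ValueError("new minimum must be between 1 and %d" % max_size)
    out = bytearray(fork)
    struct.pack_into(">I", out, site, encode_cmplwi(ra, new_min, crfd))
    return bytes(out)


def make_sample_fork(frag_offset=0x100):
    """Constructed stand-in for a System data fork: zeros, then a PEF header,
    then the patch site. Real offsets are the 'cfrg' values, e.g. 2464432."""
    body = (PEF_MAGIC + b"\0" * 0x40
            + struct.pack(">III", 0x2800000C, BLT_SKIP, CMPLWI_MAX)
            + b"\0" * 0x20)
    return b"\0" * frag_offset + body, frag_offset, len(body)


if __name__ == "__main__":
    import sys
    # usage: python patch_smoothing.py System.copy <cfrg offset> <cfrg length> <new min>
    path, off, length, new_min = sys.argv[1], int(sys.argv[2]), int(sys.argv[3]), int(sys.argv[4])
    with open(path, "rb") as f:
        fork = f.read()
    print("current minimum:", read_min_smoothing(fork, off, length))
    with open(path, "wb") as f:
        f.write(patch_min_smoothing(fork, off, length, new_min))
    print("patched minimum:", read_min_smoothing(patch_min_smoothing(fork, off, length, new_min), off, length))
```

Run it only against a copy of the System file's data fork, then bless as Steve describes. Because the search matches the branch and the 0x0018 ceiling compare exactly and wildcards only the first immediate, the same function finds the site again after patching, which is what read_min_smoothing relies on to report the value currently in the file.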