{"id":3128,"date":"2015-06-27T17:48:04","date_gmt":"2015-06-27T17:48:04","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3128"},"modified":"2015-06-27T17:48:04","modified_gmt":"2015-06-27T17:48:04","slug":"enter-sandbox-part-7-hello-%d9%85%d8%b1%d8%ad%d8%a8%d8%a7-%e6%82%a8%e5%a5%bd-%d0%b7%d0%b4%d1%80%d0%b0%d0%b2%d1%81%d1%82%d0%b2%d1%83%d0%b9%d1%82%d0%b5-%ce%b3%ce%b5%ce%b9%ce%b1-%cf%83","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2015\/06\/27\/enter-sandbox-part-7-hello-%d9%85%d8%b1%d8%ad%d8%a8%d8%a7-%e6%82%a8%e5%a5%bd-%d0%b7%d0%b4%d1%80%d0%b0%d0%b2%d1%81%d1%82%d0%b2%d1%83%d0%b9%d1%82%d0%b5-%ce%b3%ce%b5%ce%b9%ce%b1-%cf%83\/","title":{"rendered":"Enter Sandbox \u2013 part 7: Hello, \u0645\u0631\u062d\u0628\u0627, \u60a8\u597d, \u0437\u0434\u0440\u0430\u0432\u0441\u0442\u0432\u0443\u0439\u0442\u0435, \u03b3\u03b5\u03b9\u03b1 \u03c3\u03b1\u03c2"},"content":{"rendered":"

Most of modern applications use Windows APIs that rely on Unicode (or, at least its subset) and as such they rely on ‘W’ versions of the APIs as opposed to older apps that used ANSI ‘A’ versions (f.ex. CreateFileW vs. CreateFileA). Of course, the native APIs rely on Unicode for a long time. Unicode makes it easy and avoids ambiguities associated with the ANSI encodings which can always be mapped to many character sets – depending on the OS\/application version. This is why running old localized applications on English OS leads to some unrecognizable garbage characters shown on the UI.<\/p>\n

The number of old apps that rely on ANSI functions is still very huge and not taking them into account makes it harder to cherry-pick some interesting clues from the samples. Some of these clues can make it to the final report as well and actually enrich it a lot.<\/p>\n

Let’s look at an example.<\/p>\n

An application does something, and then displays a message box with a caption ‘\u00ce\u00f8\u00e8\u00e1\u00ea\u00e0’ saying ‘\u00c7\u00e0\u00ef\u00f0\u00e0\u00f8\u00e8\u00e2\u00e0\u00e5\u00ec\u00fb\u00e9 \u00f4\u00e0\u00e9\u00eb \u00ed\u00e5 \u00ed\u00e0\u00e9\u00e4\u00e5\u00ed’.<\/p>\n

\"msgbox1\"<\/a>
\nObviously, it doesn’t tell us much.<\/p>\n

What if we attempted to translate it blindly into Unicode using the most popular ANSI encodings?<\/p>\n

We would get sth like this:<\/p>\n

1250 (Central Europe)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = \u00ce\u0159\u010d\u00e1\u0119\u0155\r\n1251 (Cyrillic)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = \u041e\u0448\u0438\u0431\u043a\u0430\r\n1252 (Latin I)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = \u00ce\u00f8\u00e8\u00e1\u00ea\u00e0\r\n1253 (Greek)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = \u039e\u03c8\u03b8\u03b1\u03ba\u03b0\r\n1254 (Turkish)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = \u00ce\u00f8\u00e8\u00e1\u00ea\u00e0\r\n1255 (Hebrew)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = \u05be\u05e8\u05d8\u05d1\u05da\u05d0\r\n1256 (Arabic)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = \u062e\u0651\u00e8\u0644\u00ea\u00e0\r\n1257 (Baltic)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = \u012a\u0173\u010d\u012f\u017a\u0105\r\n1258 (Vietnam)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = \u00ce\u00f8\u00e8\u00e1\u00ea\u00e0\r\n\u00a0874 (Thai)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = \u0e2e\u0e58\u0e48\u0e41\u0e4a\u0e40\r\n\u00a0932 (Japanese Shift-JIS)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = \uff8e\ue687\u788e\r\n\u00a0936 (Simplified Chinese GBK)\u00a0\u00a0 = \u7852\u6833\u8d45\r\n\u00a0949 (Korean)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = \u4e18\u77ee\u9b4f\r\n\u00a0950 (Traditional Chinese Big5) = \u662e\u9b68\u7f7b<\/pre>\n
for the caption, and for the message:<\/p>\n
1250 (Central Europe)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = \u00c7\u0155\u010f\u0111\u0155\u0159\u010d\u00e2\u0155\u013a\u011b\u0171\u00e9 \u00f4\u0155\u00e9\u00eb \u00ed\u013a \u00ed\u0155\u00e9\u00e4\u013a\u00ed\r\n1251 (Cyrillic)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = \u0417\u0430\u043f\u0440\u0430\u0448\u0438\u0432\u0430\u0435\u043c\u044b\u0439 \u0444\u0430\u0439\u043b \u043d\u0435 \u043d\u0430\u0439\u0434\u0435\u043d\r\n1252 (Latin I)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = \u00c7\u00e0\u00ef\u00f0\u00e0\u00f8\u00e8\u00e2\u00e0\u00e5\u00ec\u00fb\u00e9 \u00f4\u00e0\u00e9\u00eb \u00ed\u00e5 \u00ed\u00e0\u00e9\u00e4\u00e5\u00ed\r\n1253 (Greek)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = \u0397\u03b0\u03bf\u03c0\u03b0\u03c8\u03b8\u03b2\u03b0\u03b5\u03bc\u03cb\u03b9 \u03c4\u03b0\u03b9\u03bb \u03bd\u03b5 \u03bd\u03b0\u03b9\u03b4\u03b5\u03bd\r\n1254 (Turkish)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = \u00c7\u00e0\u00ef\u011f\u00e0\u00f8\u00e8\u00e2\u00e0\u00e5\u00ec\u00fb\u00e9 \u00f4\u00e0\u00e9\u00eb \u00ed\u00e5 \u00ed\u00e0\u00e9\u00e4\u00e5\u00ed\r\n1255 (Hebrew)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = \u05b7\u05d0\u05df\u05e0\u05d0\u05e8\u05d8\u05d2\u05d0\u05d5\u05dc\uf894\u05d9 \u05e4\u05d0\u05d9\u05db \u05dd\u05d5 \u05dd\u05d0\u05d9\u05d4\u05d5\u05dd\r\n1256 (Arabic)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = \u0627\u00e0\u00ef\u064b\u00e0\u0651\u00e8\u00e2\u00e0\u0647\u0649\u00fb\u00e9 \u00f4\u00e0\u00e9\u00eb \u064a\u0647 \u064a\u00e0\u00e9\u0646\u0647\u064a\r\n1257 (Baltic)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = \u0112\u0105\u013c\u0161\u0105\u0173\u010d\u0101\u0105\u00e5\u0123\u016b\u00e9 \u014d\u0105\u00e9\u0117 \u0137\u00e5 \u0137\u0105\u00e9\u00e4\u00e5\u0137\r\n1258 (Vietnam)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = \u00c7\u00e0\u00ef\u0111\u00e0\u00f8\u00e8\u00e2\u00e0\u00e5\u0301\u00fb\u00e9 \u00f4\u00e0\u00e9\u00eb \u00ed\u00e5 \u00ed\u00e0\u00e9\u00e4\u00e5\u00ed\r\n\u00a0874 (Thai)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = \u0e27\u0e40\u0e4f\u0e50\u0e40\u0e58\u0e48\u0e42\u0e40\u0e45\u0e4c\u0e5b\u0e49 \u0e54\u0e40\u0e49\u0e4b \u0e4d\u0e45 \u0e4d\u0e40\u0e49\u0e44\u0e45\u0e4d\r\n\u00a0932 (Japanese Shift-JIS)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = \uff87\u745c\ue09f\ue687\u7c75\u890c\uf9dc \ue38f\u9d09 \u6df2 \u6d6f\u9c60\u890a\r\n\u00a0936 (Simplified Chinese GBK)\u00a0\u00a0 = \u9752\u9573\u5e0f\u6860\u5671\u79a7?\u7fbf\u6ba1 \u7924 \u78ec\u6b87\u5c59\r\n\u00a0949 (Korean)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = \ud589\u7a7d\u661f\u5916\u9f67\u834f?\u7252\u96e8 \u5f35 \u58ef\u85d5\u5b7c\r\n\u00a0950 (Traditional Chinese Big5) = \uf78d\u7014\u50e4\u9b64\u99b2\u6a9e?\u908d\u6fa3 \u7ff4 \u7e3a\u6bc8\u6a07<\/pre>\n
Even without the knowledge of the specific languages it’s easy to pick up the correct mapping which is ‘\u041e\u0448\u0438\u0431\u043a\u0430’ (meaning ‘Error’) for the caption, and ‘\u0417\u0430\u043f\u0440\u0430\u0448\u0438\u0432\u0430\u0435\u043c\u044b\u0439 \u0444\u0430\u0439\u043b \u043d\u0435 \u043d\u0430\u0439\u0434\u0435\u043d’ (meaning ‘File not found’) in Russian.<\/p>\n
We can confirm it by running it on the Russian OS:<\/p>\n
\"msgbox2\"<\/a><\/p>\n
The exercise above my friend is an attempt to make a sandbox polyglottic. Add some modules to recognize the most common languages and who knows, maybe it will be able to recognize that these calls to FindWindow know no linguistical boundaries and are… not too friendly:<\/p>\n