PC Technician - nasty hacker trick - unicode exploit



Yet another hacker trick using a unicode exploit

This hacker trick exploits a special Unicode character. Okay, what is a Unicode character? First, all characters (letters, numbers, special characters, etc.) are represented by assigning a number to each one, so that a particular character can be stored by the computer and shown to humans. For example, when a computer displays the letter "A" it has an internal (to the computer) value of 41 (in hexadecimal), and when this value is displayed on the screen the letter "A" appears. This is the character encoding scheme used by computers. So if you use Notepad you are creating text in ASCII code. The first 128 ASCII codes cover most of the characters needed to produce readable text. There is also an extended ASCII encoding, which covers another 128 characters that are mostly special characters. So if you wanted to print the Greek letter "beta" you would need an ASCII code of 225, or hex code "E1". I can type this letter by pressing down and holding the "alt" key, typing the numbers 225 on the numeric keypad (make sure the NumLock light is on), and then releasing the "alt" key, as shown here --> ß . If I wanted the capital letter A then the sequence is "alt" 065, as shown here --> A .

Okay, let's get back to the Unicode exploit. Unicode is just another character encoding standard, with a lot more special characters. Typing Unicode characters from the keypad requires a change to the registry. If you are not familiar with editing the registry, DO NOT ATTEMPT this. Open the registry and navigate to "HKEY_Current_User\Control Panel\Input Method". Highlight "Input Method", then click on New -> String Value and enter the name EnableHexNumpad. It should have a type of REG_SZ. Now modify this value and set it to the number 1.
Close the registry and reboot. If all went well you should be able to type in Unicode characters. For example, to type in this strange character (say, in Notepad)



I typed this sequence: hold down "alt", press the plus sign on the keypad, type the hex number 203b (the three digits from the keypad and the letter "b" on the keyboard), and then release the "alt" key.

Now for the exploit: in Unicode there is a special character that forces the characters that follow it to be read (displayed) in reverse order. Yikes! Why was this character ever added in the first place? So let's say you have a file name that looks like this

"This song is free from RCS.mp3"

which looks like an mp3 file BUT the name of the file was actually coded as follows:
"This song is free from {alt+202E} RCS.mp3"

In fact, look at the screen shot below, which shows this name, but then look at the description below the name: it says "Screen Saver", which is an executable file type.


That is, Windows will read this as "This song is free from", then the special character will make Windows read the rest of the name as "3pm.SCR", which to Windows looks like this

"This song is free from 3pm.SCR"

- which is an executable file and NOT an mp3 music file. Thus the code within the file is executed rather than just played by your mp3 player. Bingo, the hacker is in, and you thought you were going to listen to a free song - wrong! Obviously, this reverse trick could be used with other file extensions that cause the file to be executed, such as .bat, .cmd, .com, etc.
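As an added example (not code from the PC Technician page), here is a small Python script that builds the trick file name from above, shows roughly what a bidi-aware file browser would display, and checks any file name for bidirectional override characters and its real extension. The reversal in as_displayed is a simplification of the full Unicode bidi algorithm, and the list of executable extensions is an assumption based on the ones the article names.

```python
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the "alt+202E" character from the article

# Unicode bidirectional control characters that change how a name is drawn
# without changing what is stored on disk (list taken from the Unicode standard).
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
    "\u200e\u200f"                     # LRM, RLM
)

# Extensions Windows runs as programs (assumed; the article names .scr, .bat, .cmd, .com).
EXECUTABLE_EXTS = frozenset({"scr", "bat", "cmd", "com", "exe"})


def disguised_name(prefix, real_tail):
    """Build the trick name as stored on disk: prefix + RLO + real_tail,
    e.g. 'This song is free from ' + RLO + '3pm.SCR'."""
    return prefix + RLO + real_tail


def as_displayed(name):
    """Approximate what a bidi-aware display shows: everything after the RLO
    is drawn right-to-left, so '3pm.SCR' is seen as 'RCS.mp3'."""
    head, sep, tail = name.partition(RLO)
    return head + tail[::-1] if sep else name


def _extension(text):
    """Lower-cased text after the last dot, or '' if there is no dot."""
    return text.rsplit(".", 1)[1].lower() if "." in text else ""


def real_extension(name):
    """Extension taken from the stored characters, ignoring display tricks."""
    return _extension("".join(c for c in name if c not in BIDI_CONTROLS))


def check_filename(name):
    """What a scanner or mail gateway could do before a user ever sees the name:
    list any bidi controls, and compare the shown and the real extension."""
    controls = [f"U+{ord(c):04X} {unicodedata.name(c)}" for c in name if c in BIDI_CONTROLS]
    shown = as_displayed(name)
    ext = real_extension(name)
    return {
        "displayed": shown,
        "shown_extension": _extension(shown),
        "real_extension": ext,
        "bidi_controls": controls,
        "suspicious": bool(controls) or ext in EXECUTABLE_EXTS,
    }
```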

Footnotes:
1. Some info on unicode and the "character map" program

To get any Unicode character you can use the "Character Map" utility in Windows.
This program is in Start -> Accessories -> System Tools; double click on "Character Map". See screen shot below:



So in the above image, I could click on the highlighted box and it would expand to a larger view of the character; then click the Select button to select it, and then click Copy to put the character in the clipboard. If you continue to click and select you can actually build up a string of characters. When finished, just click Copy to send them to the clipboard. Also note that when you mouse over a character box, a popup shows the Unicode value and description. Have fun.

2. A comment on the execution of the mp3 file described above

Just for giggles I actually tried to execute (by double clicking) the .mp3 file shown above, the one with the fake file name which reads "This song is free from RCS.mp3" but in reality has the name of a screen saver file. The contents of the file are just some random text and not code for a screen saver. So when Windows tried to execute the file (as .scr is interpreted as an executable) I got an error message, which is shown below:



Notice the error message is partly backwards as a result of the Unicode special character embedded in the file name. That is, it displayed

".notiacilppa dilav a ton si" --or "is not a valid application"

Of course it is not a valid application, as a text file is not a program which can be executed.


