Email Password Remember me?  Lost your password?

• Download source files - 3.21 KB
• Sample project - 33.73 KB

Introduction

At the time of installation most software asks for a product key or a serial number; this is to prevent software piracy, but how is this done? In this article, I'll try to cover one basic idea to achieve this.

In each Windows portable executable (PE image file) we can add some certificate (some sort of data) using the image integrity functions (Platform SDK's ImageHlp APIs). The certificate data can be generated using a combination of product keys and some unique IDs for the desktop where the user is installing the software. These unique IDs can be CPU ID, primary volume ID, network card ID etc. To increase the security we can do some encryptions on the certificate data. Writing certificate data in the executable should be done only once, i.e. at the time of installation. At the time of the application startup we can again generate the certificate data using the local machine (where the user is executing the application) unique IDs and compare it with the certificate data which is present in the executable. If there is any mismatch, stop the execution.

In the above approach there is a problem, what if the user changes some hardware component (for e.g. graphics card) and what if that component's unique ID was used to generate the certificate data? Certainly now our application will stop execution because of the mismatch in certificate data. But we do not want this to happen. To avoid this we can use 4-5 unique IDs to generate the certificate data. At application startup, we can make a rule; if any two IDs are matching go ahead otherwise show error for unauthorized copy.

In the demo application, to generate the certificate data, I am using the primary volume ID without any encryption. At the time of application startup, I'll check if there is any certificates present in Sample.dll, if no certificate is present, add a certificate to Sample.dll (actually this task should be done through the installation script) and only the certificate verification code should be present in the executable.

Using the Code

To integrate the certificate manager in your application you need to do the following:

1. Include "CertificateMgr.h", and imagehlp.lib in your project's additional libraries.
2. Create an object of CertificateMgr.
3. Call the Init() method with a portable executable (PE) image file name in which you want to manage the certificate.
4. Call SignDLL() to add a signed certificate (only inhouse job) so that later at the time of adding an actual client machine certificate it can be verified that we are adding certificate to right DLL. It will be better if you make a command line utility do this. Ofcourse you will not ship this with your actual application.
5. Call IsValidCopy() to check if the application has a valid certificate or not.

   CertificateMgr certificateMgr;
   
   // Specify dll or exe where you are adding certificate.
   
   if (!certificateMgr.Init("Sample.dll"))
   {
       cout <<"Initilization errors, some files are missing.\n\n";
       MessageBox(NULL, "Initilization errors, 
                     some files are missing", "MyApp", MB_OK);
       return 1;
   }
   if (!certificateMgr.IsValidCopy())
   {
       cout << "Running unauthorized copy :(\n\n";
       MessageBox(NULL, "Running unauthorized copy", 
                                        "MyApp", MB_OK);
       return 1;
   }

Certificate Manager Class

In this class, I am using ImageAddCertificate and ImageGetCertificateData Win32 SDK APIs.

GetUniqueData() method generates unique data to be put in the PE certificate. While adding a certificate using AddCertificate(), I am keeping the last modified time, and after adding the certificate, the executable is maintained with the previous modified time to simulate an impression of no changes. For the sake of simplicity, I first check if there is any certificate added, if no certificate is found, add it. From the next execution onwards, verify the PE certificate data with the data returned from GetUniqueData(). In real applications, AddCertificate() should be called at the time of application installation before executing the application.

I could not find any good documentation on image integrity functions (Platform SDK's ImageHlp APIs). If you know about any good URL/book for ImageHlp APIs, please add a comment. Discuss more on this at Activation code.

History

• 27^th November, 2005: Initial revision.
• 21^st August, 2008: Now a simple ImageRemoveCertificate will not break the copy protection, yes one can write something to copy certificate data. Thank you Daienl for pointing this.

You must Sign In to use this message board.

Per page 102550

FirstPrevNext

Assuming certificate index is always 0 ubivetz 4:20 7 Apr '09   success = ImageAddCertificate(mFileHandle, pWinCert ,&nIndex); free(pWinCert); // Assuming that our certificate will be always at index 1 success = success && (nIndex == 0); Why do you assume that nIndex is always zero? Sign In·View Thread·PermaLink Re: Assuming certificate index is always 0 Manish K. Agarwal 22:35 7 Apr '09   for simplicity reasons. If you are not sure on which index your certificate will be you can use ImageEnumerateCertificates() and check every certificate for your data. Manish Agarwal manish.k.agarwal @ gmail DOT com Sign In·View Thread·PermaLink nice, But it's an simple & hot........ Member 4235601 11:30 18 Feb '09   same type of technique used to develope,and more controls addionaly add to build in the security & as protection side. and i have send ur mail one ideas......... please reply .. Sign In·View Thread·PermaLink 1.00/5 if hacker jump out your if statement mike1018 23:26 21 Aug '08   if hackers use some tool, they can jump out your logic statement..if by using assembly... Michael ~ Sign In·View Thread·PermaLink Re: if hacker jump out your if statement Manish K. Agarwal 3:18 22 Aug '08   Quite possible, this is just a concept for hiding the license info, especially for desktop applications. Most of the developer hides this info some where in hidden registry entries or in hidden file. I think, certificate also a good and easy place for hiding license info. Manish Agarwal manish.k.agarwal @ gmail DOT com Sign In·View Thread·PermaLink Great and simple idea, but dangerous... Daniel Schade 4:29 16 Aug '07   ... if you make a secret about the existing of ImageRemoveCertificate (Removes the specified certificate from the given file - http://msdn2.microsoft.com/en-us/library/ms680214.aspx). In combination with your sample, the protection is useless, because a small utility calling the ImageRemoveCertificate function removes the certificate and the next start add's a new one. Daniel Sign In·View Thread·PermaLink Unique Information Jeffrey Walton 8:25 24 Jun '07   > To avoid this we can use 4-5 unique IDs to > generate the certificate data. Installation IDs Based on Truncated Hashing[^]. Jeff Sign In·View Thread·PermaLink Copy protecting a Video DVD Godwin Sam Josh 20:54 15 Jul '06   Is there anyway to copy protect a video DVD? It doesnt have to be fool proof...but atleast not allowing the user to copy and paste the files into the harddisk.Is it possible? Thanks Godwin Sign In·View Thread·PermaLink Re: Copy protecting a Video DVD Manish K. Agarwal 22:50 16 Jul '06   sorry, I don't know how this can be done. Manish Agarwal manish.k.agarwal @ gmail DOT com Sign In·View Thread·PermaLink Re: Copy protecting a Video DVD vmihalj 2:24 18 Sep '06   DVD video - CSS is the standard. If you're speaking of some interactive computer course, that doesn't have to be played in DVD players, you can use usual protection solutions (SecuROM, SafeDisc etc.) which demand a CD/DVD to be in the drive. -- "If you think that knowledge/education is expensive, would you try ignorance?" Vatroslav 'Ziggy' Mihalj, B.Sc.Computer Science Member of HUPRO, ACM, IEEE, IEEE Computer Soc. and Communications Soc. Sign In·View Thread·PermaLink Re: Copy protecting a Video DVD Godwin Sam Josh 9:19 18 Sep '06   No I mean copy protecting the DVD...preventing the DVD from just being copied.Doesn't have to be 100% fool proof..but just something that atleast works so not every lame computer user can copy. Godwin Sign In·View Thread·PermaLink Re: Copy protecting a Video DVD vmihalj 23:11 18 Sep '06   As I have already written, DVD video is protected by CSS. You can't use this protection unless you sign a contract with a big name (Columbia, Warner etc.). Each one of them has a secret key, officially approved, and DVD player (both HW and SW) vendors have to sign an NDA. Read http://en.wikipedia.org/wiki/Content_Scramble_System Regarding CD-ROM/DVD-ROM protection methods, search Wikipedia and Google ("copy protection"), and find the solution you like. -- "If you think that knowledge/education is expensive, would you try ignorance?" Vatroslav 'Ziggy' Mihalj, B.Sc.Computer Science Member of HUPRO, ACM, IEEE, IEEE Computer Soc. and Communications Soc. Sign In·View Thread·PermaLink Confused??!!?? Anorexic Tribble 7:36 3 Dec '05   If the installation program generates the certificate, what is to stop someone just installing the program on different computers? This method just seems to stop the manual copying of the executable to another computer. Sign In·View Thread·PermaLink Re: Confused??!!?? Manish K. Agarwal 18:04 3 Dec '05   Installation program will generate the certificate data based on 2 values- i) Unique key (Product Key) for that installtion entered at the time of installtion. ii) Unique IDs for local system (like CPU ID, graphics card ID, primary volume ID etc.) Now only one who have installtion program and product key can install the software. To further stop the piracy you need to manage some licencing server but this is restricted where the desktop machine is connected to internet. Manish Agarwal manish.k.agarwal @ gmail DOT com Sign In·View Thread·PermaLink Good Idea Sumit Kapoor 19:38 28 Nov '05   Hi Manish, Nice article..I like concept.. I also needed to do such work, but I had to use registry, that's why asking. With this I think we need not hide file or registry entry. But Certificate can be removed, that need to protect. But still Good Idea.. Missing thing: This is single threaded APIs. Regards, Sumit K. Never consider anything impossible before trying to solve that..---Sumit Kapoor--- sumit_kapoor1980@hotmail.com Sign In·View Thread·PermaLink Re: Good Idea Manish K. Agarwal 1:24 29 Nov '05   Yes, thats true certificate can be removed but you can always force your application to locate certificate and if not found stop the execution. About single threaded or multithreaded, I am not getting how does it effect you. Manish Agarwal manish.k.agarwal @ gmail DOT com Sign In·View Thread·PermaLink Re: Good Idea Luiz Salamon 12:08 1 Dec '05   Do You know about reghide (by Mark Russinovich). Search for reghide.zip or try http://vmsone.com/~decuslib/vaxlanguageandtools/vlt99a/nt/ Sign In·View Thread·PermaLink Re: Good Idea Sumit Kapoor 13:50 1 Dec '05   Oh..that's great, One more trick..I have checked code. Thanks Dear.. Regards, Sumit K. Never consider anything impossible before trying to solve that..---Sumit Kapoor--- Sign In·View Thread·PermaLink Misunderstanding? Darren Schroeder 11:20 26 Nov '05   Maybe I'm misunderstanding the point of this article. I've modified your sample.dll with a hex editor and it still thinks nothing has changed. What are these routines supposed to do again? Darren Sign In·View Thread·PermaLink 3.00/5 Re: Misunderstanding? Neville Franks 12:28 26 Nov '05   Darren, I think he is saying that if you move the DLL to another PC it will fail. More information would be good. Neville Franks, Author of Surfulater www.surfulater.com "Save what you Surf" and ED for Windows www.getsoft.com Sign In·View Thread·PermaLink 4.00/5 Re: Misunderstanding? Manish K. Agarwal 16:57 26 Nov '05   This article shows a basic idea how to protect application's unauthorized copy by using PE certificates. As I already mentioned that the actual use to put PE certificate in main executable and dlls through the application installation. On application startup we can check for a valid certificate. Any way for good hacker its not a tough job to break this. Manish Agarwal manish.k.agarwal @ gmail DOT com Sign In·View Thread·PermaLink Documentation Avis p 1:14 26 Nov '05   http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/image_help_library.asp[^] and... Thanks for a very enlightening article! Sign In·View Thread·PermaLink 4.00/5 Re: Documentation Manish K. Agarwal 17:20 26 Nov '05   Thanks, but this is only APIs syntax and available API names. No examples. I am looking for some other books/URLs on copy protection and software watermarking. Manish Agarwal manish.k.agarwal @ gmail DOT com Sign In·View Thread·PermaLink Re: Documentation ThatsAlok 3:26 30 Nov '05   Manish K. Agarwal wrote: Thanks, but this is only APIs syntax and available API names. No examples. I am looking for some other books/URLs on copy protection and software watermarking. Nice Article Buddy! Cheers "Opinions are neither right nor wrong. I cannot change your opinion. I can, however, change what influences your opinion." - David Crow cheers, Alok Gupta VC Forum Q&A :- I/ IV Sign In·View Thread·PermaLink 3.00/5

Last Visit: 14:09 9 Feb '10     Last Update: 14:09 9 Feb '10 1