Share Your Key - Share Your Costs - wibu-systems ag

FALL 2007
14
COVER STORY
Share Your Key - Share Your Costs
TOPICS
Scalable DRM Solutions
License Models with CodeMeter
Hacker´s Contest 2007

I N T R O
Content
FUTURE
Scalable DRM Solutions 3
KNOW-HOW
License Models with CodeMeter 4
PRODUCT
CodeMeter Field Activiation 6
KNOW-HOW
High Level Programming API 7
COVER STORY
Share Your Key - Share Your Costs 8
KNOW-HOW
Wibu Universal Protection Interface 10
BILLBOARD
Briefl y Presented 11
EVENTS
Hacker‘s Contest 2007 12
CASE STUDY
Easy to Switch to CodeMeter 14
Dear Customers and Partners,
most economists would agree that the world’s economy
is good; with sustained growth forecast into the
foreseeable future. I hope you are seeing growth in
your own company and are satisfi ed with the results.
I am satisfi ed – WIBU-SYSTEMS has good growth
and this allows us to continue to invest more than
20% of our revenue in research and development.
The countries with the fastest growing economies
offer a chance for established western companies
to increase sales by entering these markets. For
some industries (whose stock in trade is intellectual
property) entering these markets can offer special
challenges as well as bring opportunities. The consumers
in these countries have a thirst for knowledge,
but personal income, compared on a world scale is
low; creating an atmosphere for rampant piracy. This
is one of the great challenges for companies entering
global markets: How to bring great ideas, services
or products to people who see the value but are
unable to afford the price? Simply cutting the price
is no solution. Developing low cost alternatives for
markets that need simple solutions and reserving the
high-quality applications where quality is a must can
result in advantages for everyone.
WIBU-SYSTEMS always wants to be on the leading
edge and deliver products to you with the best
possible cost-effectiveness. That is why we work
with European associations and participate in R & D
projects, partially sponsored by German BMBF, BMWi
or the European Community. Innovation against
product piracy is the theme of a project which targets
the protection of machines and plants and the whole
manufacturing process. It also encompasses the
protection of production data, making it impossible,
for example, to produce a “knock-off” of a LACOSTE
polo shirt with the original data. Therefore, Share
Your Key, a licensing system for programs and the
data of different creators, will be used in the production
of a plant and could also in the building industry
or in the music and game industries as well.
Please read in this edition of the KEYnote magazine
more about these themes. I hope you will receive
useful ideas and appreciate the results of our R&D
investment. If you search for solutions you cannot
fi nd today, please talk to us. We are glad to hear
about your requirements and we accept the challenge
to provide a solution for you.
KNOW-HOW
Mobile Solutions 16
Yours Oliver Winzenried
2

F U T U R E
Scalable DRM Solutions
“Perfection in Software, Document, Media and Access Protection” is our company slogan, which expresses what
we do and how we do it. Since 1989, we have delivered highly flexible solutions to license your software or
digital content. You can use the WibuBox, or a CodeMeter-Stick, our two dongle based solutions, to securely
store your licenses.
Software Protection
Document Protection
Media Protection
Media Protection
AxProtector
IxProtector
WUPI
SmartShelter
HTML
PDF
Web-
Authentication
SmartShelter
Media
One Universal Solution
Both hardware products work on the same basic
principle: The protection is based on encryption
in the hardware and the storing of license keys
and options, in a very secure manner. A protected
program can be supported by WibuKey
and CodeMeter at the same time. Advantages
of hardware based protection include very high
security and license mobility.
WIBU-SYSTEMS Applications and Base Technologies
WibuKey CodeMeter CodeMeterAct
CodeMeterAct
With CodeMeterAct (coming in September
2008) we will also provide a pure softwarebased
license management for digital content.
CodeMeterAct will be fully compatible with
our classic dongle technology CodeMeter. The
difference is so simple… just another Firm Code.
You will be able to implement CodeMeterAct
using the tools you are already familiar with:
WebAdmin, AxProtector and SmartShelter as
well as our API.
Some High Lights of the Coming
Technology
Fully compatible with CodeMeter
Binding to a PC during activation
Easy integration with the AxProtector and
the Wibu Universal Protection Interface
(WUPI)
Create a single executable, which can be
protected simultaneously by WibuKey,
CodeMeter and CodeMeterAct.
Support for Windows, Linux and Mac OS X
Pricing compatible with CodeMeter
Supports License Borrowing and the
checking out of network licenses to a
single PC
CodeMeterAct loses the “license portability”
feature of CodeMeter and WibuKey because
the licenses and the license server are “married”
to a specifi c PC. Also, security will be lessened.
Why? Software security solutions are inherently
more susceptible to hack attacks than hardware
solutions.
But CodeMeterAct will benefi t the following
target groups:
Low price products in the consumer market
with simple license requirements, no
need for network licenses and low security
requirements.
Enterprise companies: In this segment,
one or several license servers are used; all
license models support accounting options
and the possibility of license check-out
or borrowing. The anti-piracy technology
relies on a trustful cooperation and permanent
analysis of the accounting data.
When you select CodeMeter today or if you have
selected WibuKey or CodeMeter in the past, you
are guaranteed that in the future you will be
able to simultaneously protect your application
with CodeMeter, WibuKey or CodeMeterAct, all
with one simple implementation.
3

License Models with CodeMeter
If you use CodeMeter or CodeMeterAct
for a license management
solution you will receive your own,
unique Firm Code. With this Firm
Code you can create a custom
license container, known as a Firm
Item.
In this Firm Item you store your
licenses in Product Items, identified
by Product Codes. Each license can
have several options, for example an
Expiration Time or several counters.
Here are some examples:
Firm Code 100.002
Product Code: 1
Options
0 0 0 1 2
0 0 2 3 8
Single User License
Create a Product Item with a freely selected
Product Code. For your convenience, each license
is automatically a single fl oating license on
the network. By adding a License Quantity
option with “0”, you will create a strict local
license.
Floating Network Licenses
Store the maximum number of concurrently
usable licenses as a License Quantity option into
your Product Item. Then activate the computer
with the attached CmStick as a CodeMeter
License server: This server is already part of the
CodeMeter Runtime Kit; just select the checkbox
in the CodeMeter WebAdmin. With this adminis-
trator tool you can also keep track of network
licenses and how they are allocated.
To access a license you can chose between
different modes:
UserLimit: Each instance of your software
allocates exactly one license.
StationShare: The application can be
started by any number of instances on a
single computer, allocating one license per
client PC.
NoUserLimit: The software can be
started even after all possible licenses are
already allocated.
Overflow Licenses
You want to provide your customers with more
licenses than those actually purchased. Your
goal is to upgrade the number of licenses in the
future, after your customers learn the benefi ts
of using your program. Here is an example with
100 purchased and 50 overfl ow licenses.
You program 100 Licenses with Product Code
1 and 50 Licenses with Product Code 2 into
a single CmStick. In Product Code 2 you also
create a Unit Counter option with a very high
number (for example 16 million).
Now your software, will at fi rst, allocate licenses
from Product Code 1. When this is successful,
4

KNOW-HOW
your software is running in Normal Mode. If all
100 licenses are in use, the software tries to
allocate Product Code 2 and it is now running in
“Overfl ow Mode”. You can optionally ”cripple”
your software artifi cially or display a message
box “Please order more licenses!”; then reduce
the Unit Counter one time per start or every
running minute – just use your creativity to
defi ne the Overfl ow Mode.
Product Code = 1
License Qty = 100
Product Code = 2
License Qty = 50
Unit Counter = 16.000.000
And you do not have to give up the high security
offered by AxProtector: Simply create the
protection envelope for Product Code 1 and
select the NoUserLimit mode.
Leasing Licenes
To limit the available time on a license, add an
Expiration Time option. Here the CmStick has
much higher security than CodeMeterAct because
it can check the time against the pseudo
real-time clock in the CmStick, which can also be
further validated with a certifi ed time server.
The same mechanism can also be used to create
a time-limited demonstration version. It is easy
to extend a license lease or a demonstration
version automatically:
Prepare a license online with Cm-
Talk: You can activate the new license
in your eCommerce solution, ready to be
transferred to your customer.
Then, via the Field Activation Service:
You create, after receiving payment,
an update fi le for your customer and add
this to the next software update, may be
done on a CD or by an Internet download.
Licenses at the Terminal Server
Do you want to avoid license violations at the
terminal server? CodeMeter does this automatically
for you: Each session will be tracked as
a separate PC, including all modes. The same
mechanism also prohibits license violations
when in the multi user mode of Windows XP
or Windows Vista.
Limiting Licenses on Virtual PCs
Comparable to the Expiration Time, the Code-
Meter hardware has a much higher security
on a virtual PC than a software-based license
solution: Only one virtual machine can physically
address the CmStick directly. All other virtual
machines need to address their licenses via
TCP/IP – if there are enough available for a
multi-user solution.
Licensing Different Program
Modules
Do you have different program modules which
you want to control individually? No problem
with CodeMeter: For each of these modules
you assign a unique Product Code and you
can handle more than 1000 different modules
at the same time, each with individual license
options like Expiration Time or Network License
Control.
Version Management
Do you want your customers be able to use
the current as well as preceding versions of
your software; but not both at same time? For
this scenario simply use the Feature Map: Each
bit in the Feature Map represents for a specifi c
version which can be individually activated or
deactivated. With a Network Quantity of 1, the
user can only start one of the activated versions
at a time. And in a network environment, you
128 64 32 16 8 4 2 1
. . . 0 0 0 0 1 1 1 0
Version 4
Version 1
Version 2
Version 3
Binary
Calculus
14
can use similar version management to control
more than one license.
Specially Attached Licenses
Sometimes a software developer needs to bind
a dongle to a PC, a machine or a specifi c user. In
this case you could write a custom ID into the
Protected Data option of the Product Item.
Standby Licenses
Is your solution mission critical? Then implement
CodeMeter with a Cold-Standby or Hot-Standby
“Emergency Dongle” providing your customer
with an “always available” security solution:
Hot-Standby
Similar to “Overfl ow Licenses” a Product Item
will be created with a high Unit Counter value.
Unlike Overfl ow Licenses, the two different
Product Items are created in two different
CmSticks.
The end user attaches the CmStick without
Unit Counter to the standard license server.
Then he or she attaches the CmStick with the
Unit Counter to the backup license server. The
server search list controls the order that license
servers are searched, ensuring that the standard
license server is found fi rst, and then the
backup server.
License Server
Product Code = 1
License Qty = 100
Backup Server
Product Code = 1
License Qty = 100
Unit Counter = 16.000.000
Cold-Standby
You provide your customer with a second (Emergency)
CmStick containing a Usage Period option
of a couple of days. With fi rst usage, this
period will begin the countdown: The license is
available immediately and is locked automatically
after expiration.
License Server
Product Code = 1
License Qty = 100
Backup CmStick
Product Code = 1
License Qty = 100
Usage Period = 10 Days
The license can be used temporarily but not
permanently as a full second copy. Also the time
of the Usage Period is checked by the pseudo
real-time clock in the CmStick. The emergency
CmStick can be replaced or converted as your
business policies dictate.
5

P R O D U C T
CodeMeter Field Activation
Static license models are history – today flexibility is important. And this is one of the strengths of CodeMeter
using Field Activation Service and CmTalk protocol: Updating, adding or removing licenses without replacing
the dongle – no problem.
In many scenarios it is necessary to modify the
software licenses in a CmStick, after it has been
shipped to the user: Options, features, modules
or a complete second product, purchased at a
later date will need to be activated. Or maybe
you will need to assign more pay-per-use units,
or extend the demo deactivation time limit or
convert a demo version into a full version. Here
are some examples:
Distributor
T
SOAP Protocol
CmTalk
via Internet
File Exchange
CmStick
Write It Again
The CodeMeter Field Activation Service (CmFAS)
is based on a simple but secure exchange of
fi les: The licensor does not need to provide a
CmTalk web service on the issuing website;
which can be diffi cult if it was outsourced to
a provider.
The license update or activation starts with the
Remote Activation Context fi le (RAC fi le): It contains
all of the information about the targeted
CmStick and the software license. The licensor
creates a Remote Activation Update fi le (RAU)
by using both the contents of the RAC fi le and
update parameters. It is easy to create this fi le;
use the CmBoxPgm command line tool or use
CmProducer, a simple GUI application.
When your customer receives the RAU fi le (usually
by email) he then transfers the contents
of this fi le via the CodeMeter Control Center
or the Windows File Manager to the attached
CmStick.
A Tool for All Situations:
CmProducer
With CmProducer, you can interactively update
your licenses with all parameters. You combine
all license parameters to packages. This
is especially a big advantage for developers
who only occasionally use the update feature
and are not very familiar with the CmBoxPgm
command line options.
More importantly, CmProducer can also be used
to program the CmSticks in your offi ce, before
they are shipped to your customer.
On the Fast Track
But the fastest and most convenient way for
your user is to update a license via a web
service. This allows your customer to update
a CmStick from anywhere in the world and
without any signifi cant delay. For this, WIBU-
SYSTEMS provides two products: An all-in-one
solution named CmTalk which is a complete
web shop solution or CodeMeter Shelf which is
a simple website which can be easily accessed
from existing eShop implementations.
Both products use the CmTalk communication
protocol, which is based on standard SOAP communications
and can be used to directly modify
the license contents of the CmStick at the user
site, without any manual exchange of fi les.
One powerful feature of CmTalk is the ability to
transfer secure licenses into the CmStick when
your customer buys your product. All of the
fl exible price and quantity options are in the
background – invisible and without hassles for
the user. Even allow your customers to return
the product if they are not satisfi ed. Secure
in the knowledge that they are not using the
program anyway, by simply deleting the license
in the CmStick.
A HIP Alternative
Another alternative to CmTalk would be to
use CmFAS with HIP, the new CodeMeter high
level API. (For HIP details, see page 7 in this
KEYnote.) On your user’s site, HIP can be used
to create the RAC fi le. On the licensor’s site, it
can be called out of a license server to create
an RAU fi le, based on the contents of the RAC
fi le. The exchange of these fi les can be easily
integrated into a customer-dependent web
service solution.
6

KNOW-HOW
HIP - High Level Programming
Again and again our customers have asked for an easy method to program CmSticks or to create Field Activation
Update files: The command line is too difficult for the sales team and the CmProducer does not provide for all
possible scenarios of a security concept. Now we have the answer: HIP (High Level Programming)
After all security concerns are resolved and
you fi nally know how great the protection with
CodeMeter is, your task is to program the license
items into the CmStick. The sales team also
might need a simple tool for activating the
parameters for a specifi c customer. Even after
shipping the CmStick, it should be possible to
easily update using Field Activation. And you
might want to track all programmed licenses
in your CRM/ERP system.
Fast Results
The new HIP API gives you access to all these
possibilities and more. It is an object-orientated
API which allows you keep your CmStick under
control. With just a couple of function calls,
you can increase a Unit Counter (see example
below) or modify the Expiration Time if your
customer makes his lease payment.
A Language Talent
The High Level Programming API is available
for many programming languages. We used
support tools to create suitable interfaces, for
example, for Delphi, Visual Basic, .NET, Java and
Pearl. So you can comfortably use the language
of your choice without the hassle of learning
external code calls.
// Initialisation
cmhip::ProgrammingEngine &progEngine(this->Engine);
progEngine.Initialize({Access Parameters});
// FSB and License available?
progEngine.Security()
->CanUpdateProductItem(ulFirmCode);
// Select the CmBox
const CmBoxTable *pCmBoxTable
= progEngine.TargetBoxes();
CmProductItemProgrammer *pCmPiProg
= progEngine.ProductItemProgrammer();
const CmBox *pCmBox = pCmBoxTable->At(nBoxIndex);
// Parameters
ProductItemParamSet pipars(ulProductCode);
pipars.SetRelativeUnitCounter(100);
// Programming
pCmPiProg->Update(usMaskCode, ulSerialCode, ulFirmCode,
pipars, false);
Distance – No Problem
Similar to CmProducer, HIP can access local
CmSticks or dongles which were already shipped
to the customer. You will not see a big
difference: You can use HIP for your simple
programming tasks as well as any highly complex
operations.
Are you HIP?
This new API, used to program CmSticks, will
make you very happy – just try it. Please contact
our technical support team to get the most
current version.
7

00012
00012
Share Your Key -
Share Your Costs
A license server with many different dongles, each with its own kernel driver – this is a system administrator’s
nightmare. Additionally, the license server may not be available on the desired platform, so the system administrator
must run a second license server on Windows just for one software package. These problems and others
cause a company with lots of software needs from many different vendors to follow the rule “if possible, always
buy software without dongles” – an understandable situation.
CodeMeter License Management
But does this mean that you must send an
unprotected copy of your software to such a
”software without dongles” customer? The
answer is no, CodeMeter provides you with
the perfect solution:
No kernel driver required
One CmStick to protect software from
many different providers
More than 1, 000 different products in
one CmStick
License Server available for the usual
platforms (Windows, Linux, Mac OS, and
Solaris)
Just use CodeMeter with a standard license
management system: The administrator simply
needs one CmStick at his or her license server.
You, as the software provider, can transfer your
license via Field Activation into the CmStick
Firm Code 100.002
Product Code: 1
Options
Firm Code 100.004
9
12
6
0 0 0 1 2
Product Code: 1
Options
3
0 0 0 1 8
(see article on page 6). You can program your
licenses quickly and cheaply into a “shared”
dongle either manually through an exchange of
fi les or automatically over the Internet.
Separated Areas
Is it dangerous if several software providers
share a CmStick? Is it possible that someone
else might delete our license or more importantly
add our license without our knowledge?
Again there is a clear and short answer: “No,
this is not possible”. CodeMeter was designed
to prevent one company from tampering with
another company’s CodeMeter licenses.
Each software provider receives his own Firm
Code. With your own Firm Code you can create
a license container in the CmStick. After that you
can store the actual licenses in this container.
Only you, with your Firm Code can create, modify
or delete such licenses in your container (Firm
Item). This is protected by sophisticated and
8

P R O D U C T
unique cryptographic methods; only you have
the key to unlock this container.
Overview for the Provider
Each license has visible and invisible parts. In
the visible parts of the license container you
can write your company name (and for each
product, the product name).
Using the CodeMeter WebAdmin tool, even
the users can see which licenses are stored
in their CmSticks. But the security and the encrypted
license is found only in the invisible or
hidden part.
“locked” or not. And you can check the locking
list frequently to see that lost CmSticks are also
really defi ned as lost – even if they unexpectedly
appear again.
Not only for Enterprise
Customers
The shared use of a CmStick is not only interesting
for enterprise companies utilizing a
license server. But is also useful for the typical
single-PC user: He or she has the safety of
license backup and also the benefi t of license
“portability” without the need to contact the
software developer’s help desk every time they
install the protected application on another
software product, can transfer and activate their
licenses in a CmStick which is already used to
protect the core software at the user’s site.
The whole order process can be implemented
many ways: via the online shop of a provider, via
a branch portal, the portal of a WIBU-SYSTEMS
co-op partner or via the CodeMeter portal which
is provided by WIBU-SYSTEMS.
Complete Protection Solution
Not only can software be protected against
piracy with CodeMeter. The protection is also
available for documents (PDF) and additional
data.
Without
CodeMeter
With
CodeMeter
Loss of the CmSticks
What happens if several providers share a
CmStick and the users destroys or loses this
stick?
For this we supply a technical framework;
however, each software provider must defi ne
the actual license conditions directly with their
customers.
The technical framework allows a user to create
a signed license backup. This backup will
preserve a certifi ed time, all vendor license
information including the states of any licensing
parameters or usage counters which were in the
CmStick at the moment of backup. If the user
or vendor reports a specifi c CmStick as lost or
stolen to WIBU-SYSTEMS, we will add it to a
public “locking list”. CmSticks on the “locking”
list will be deactivated the next time they communicate
with a certifi ed time server. Finally
you, as the software provider, defi ne which
licenses should be restored to a new CmStick
– also if the old CmStick should be defi ned as
computer or change operating systems, etc.
Simply attaching the existing CmStick at the
new PC is enough to move the license!
Last but not least a single user can use the Firm
Item with Firm Code 0, in the user area to store
passwords or keys, possibly for an encryption
of the hard disk.
By sharing an existing CmStick, you do not have
to pay for the CmStick hardware: You are only
paying a small license fee to program the Firm
Items and your program’s parameters into a
shared CmStick. This means that CodeMeter is
also attractive for software having a value far
below the cost of a CmStick. As a result, the
user can manage all protected software licenses,
including those for low-cost software or even
digital documents in a single CmStick.
Industrial Branch Solutions
In some industries, CodeMeter is already an
established Standard. Providers of additional
modules, usually third party plug-ins, to the core
Think about electronic manuals, provided with
your software, pictures or graphics which can
be browsed with your software, or fi nally the
data of the user who uses your software. If your
software, for example, creates production data
or creates intellectual property, then each of
your customers can protect his data individually
with the CmStick and can also defi ne, which
employee, partner or even customer, can access
the protected data.
Optionally in Software
In 2008, CodeMeterAct, a complete softwarebased
license management system will be
available. The functions are identical to the
existing CodeMeter system. The administrator
could use CodeMeterAct instead of a dongle
to manage licenses. But you as our customer
can decide which protection variant (WibuKey,
CodeMeter or CodeMeterAct) you will provide
to your customers individually.
9

KNOW-HOW
WUPI - Wibu Universal
Protection Interface
Individual software protection is difficult to implement, requires a lot of security knowledge and after two years,
the security quality is probably obsolete. With WUPI this nightmare vanishes. You simply specify the general
framework of what you want to protect and our IxProtector solves the rest. And with the next update of our
protection application you bring to your application the newest security level.
To bring individual copy protection to a high
security level, you need updated knowledge
about hacker technology and attack methods.
Acquiring this knowledge and implementing suitable
protection methods in your own software
updated, varied and enhanced, based on our
latest security knowledge. You simply download
the latest version of our tools before you release
your software – that is all.
calling external functions. And this is supported
by nearly every language: The settings, which
licenses are required and which protection parameters
are set, are all stored in an external
control fi le.
WupiDecryptCode
WupiCheckDebugger
WupiCheckLicense
WupiDecreaseUnitCounter
WUPI - Wibu Universal Protection Interface
WibuKey
CodeMeter
CodeMeterAct
is time-consuming and very expensive. And in a
few short years, your home-grown solution is
obsolete and the time has to be invested again.
And – let’s be honest – most software providers
cannot afford to go through this cycle time after
time; hoping instead that no one will crack the
current version. But when the fi rst copies of the
just released software package appear on the
hacker’s websites, the pressure to create another
security solution is enormous.
Always the most current
security tools
In the future, you can relax after a new release,
because you will be sure that your application
is protected with the very latest in anti-piracy
technology. Just trust in our security expertise
and use WUPI, the new universal API for all
WIBU-SYSTEMS copy protection products. You
simply provide your security framework and
the IxProtector adds, at the desired locations in
your program execution, several security checks.
In future WUPI versions these checks will be
Safe for the Future
WUPI supports all of WIBU-SYSTEMS’ copy
protection systems; this includes WibuKey, CodeMeter
and in the future CodeMeterAct. Using
WUPI will bring a permanent enhancement of
the security, independent of which of our products
you use. Any extension, for example from
CodeMeter to CodeMeterAct, will be realized
with few modifi cations. You can use several protection
technologies at the same time – possibly
you know this already from AxProtector.
Versatile
Possibly you are now thinking: This is only for
C++, and me with my good old Visual Basic, I’m
left out. Far from it! You should be able to work
with your favorite language and still receive a
high level of security. That’s why WIBU-SYSTEMS
developed beyond a fi rst, pointer-based WUPI
variant, which only works with pointer-based
languages like C/C++ and Delphi, a second
variant, which is index-based. For this, the language
should support the loading of DLLs and
Lean but Powerful
WUPI has only twelve simple API functions.
Examine just one and WUPI shows its full power:
Just call WupiCheckLicense() and automatically
a referenced license will be searched, allocated
and used for encryption. And if you want to do
something what WUPI has not provided, for
example the reading of data entries (WibuKey)
or data options (CodeMeter), just call WupiGet-
Handle() to return the entry’s handle and then
continue using the normal, classic API.
WUPI – the API of the Future
Please use WUPI for your next project or for your
next version release – it will be worth doing. And
here is an offer which you should not turn down:
Just download the latest AxProtector package.
The new WUPI tool is already integrated. Or
contact our technical support team.
10

BILLBOARD
Briefly Presented
CodeMeter
– Ready for Windows CE
Verband Deutscher Maschinen- und Anlagenbau
e.V. (VDMA), the German association of mechanical
and plant manufacturing companies,
published a new study concluding that 60%
of this German industry will be the target of
counterfeiting complete machines. On the other
hand, manufacturer of devices, machines and
plants support standard operating systems for
the software in their products. And the part of
the functionality which is realized in software
is getting larger and larger.
The CodeMeter System is now available for
Windows Embedded CE 5.0 and 6.0 on Intel
x86 and ARM processors. Other processors can
be supported in a short time on demand. If a
developer specializes in embedded programs,
he can use CodeMeter in the ARM environment
via the Microsoft ARM device emulator, even
without having the fi nal hardware available.
“As a new Windows Embedded Partner WIBU-
SYSTEMS supports building the International
market for embedded products by engagement
and know-how” said Manjo Rami, Senior Marketing
Manager of the
Windows Embedded
Business Group of
Microsoft Corp. “By
supporting Windows
Embedded CE, CodeMeter will gain a lead because
of fl exibility, security and reliability.“
“According to a study from BITKOM and Roland
Berger (a well-known German consultant company),
the embedded market is one of the largest
areas for potential growth. By using embedded
Picture: Protection for Embedded Systems (e.g ZSK)
racy. The value of a machine will be determined
more and more by the implemented Embedded
Software.”, explained Oliver Winzenried, CEO
and co-founder of WIBU-SYSTEMS AG. “Today,
more than 30% of our customers are already
in the industrial area. With enhanced solutions
in the Embedded Area, we will support these
customers even better”.
Expanding in China
In the middle of July, Wibu-Systems (Shanghai)
Co. Ltd., a wholly owned subsidiary of WIBU-
SYSTEMS, AG, moved to new offi ces located
in Shanghai’s Yangpu district, close to Fudan
and Tongji Universities, both known for their
academic excellence. The new offi ce has more
than triple the space of the former facility and
will allow for consolidating sales, support, and
operations and provide larger inventories for
“just-in-time” deliveries. The increasing demand
for sophisticated software protection solutions
to meet the needs of both Chinese companies
and International companies with offi ces in
Picture: WIBU-SYSTEMS Offi ce in Shanghai
China was one of the reasons Wibu-Systems
needed to expand. Another reason was the
desire to provide a powerful center of antipiracy
excellence.
Oliver Winzenried, C.E.O. of Wibu-Systems AG,
explained, “In addition to the high quality of
our security solutions, our customers also rely
on us for competent consultation regarding
the complex nature of the different protection
concepts. That is why qualifi ed employees are
an important part of our growth policy. Another
element of our expansion strategy is to locate
close to colleges and universities. Not only do
we have a resource that can help us understand
local requirements and restrictions, but we also
have a ready pool of well qualifi ed potential employees.
Therefore, the location of our new offi ce
is perfect and it provides us with plenty of space
operating systems like Windows Embedded CE,
manufacturers of industrial plant controls and
machines can protect their products against pifor
additional personnel and inventory.“
“Shanghai is one of the biggest economic centers
in China, as well as an important technology
site for IT”, explained Hailiang Li, Managing
Director of Wibu-Systems (Shanghai) Co. Ltd.
“For this reason many national and International
companies are often located in Shanghai. The
Study: Protection against Piracy in
Machine Industry
By supporting Windows CE, we have a first
solution available for Embedded Systems.
We are conducting a study and we want to
hear from you about your individual requirements
for protecting against piracy. Please
download the questionnaire file and complete
the form online (www.wibu.com).
As thank you, you will receive a copy of the
results of the study.
protection of intellectual property as well as
license management of software and other
digital content are important requirements for
many of these companies. We now have on staff
an employee who will concentrate all his efforts
in meeting these important requirements.”
CeBIT asia 2007
At CeBIT Asia 2007, WIBU-SYS-
TEMS will again have a booth
presenting its solutions in the
Shanghai New International Expo
Centre. As an added bonus attendees of the PTC
and CeMAT shows will also be able to attend
CeBIT. WIBU-SYSTEMS will again organize its
popular workshop “IT security and protection
of software, documents, media and access”.
Prof. Cao Zhaomin from the Jiaotong University,
specializing in information security, will be the
keynote speaker. In addition to speeches from
WIBU-SYSTEMS, we will also have a presentation
from Jörg Heil, CEO of Hartung Consult
in Shanghai, about information security in the
SAP world.
11

Hacker´s Contest 2007
How important is software protection?
Isn’t it possible that every
protection scheme can be cracked?
These are typical questions from
nearly every software producer;
because implementing a software
protection system requires a lot of
effort and some expense.
Every Third License
is a Pirated Copy
The newest software piracy study, published in
August 2007 by the Business Software Alliance
(BSA) and IDC, showed the average worldwide
piracy rate, unchanged from last year, to be
36%. The USA is low with 22%, but leads in
the absolute fi nancial damage with 7.3 billion
US-$, in front of China and France. Germany is
number 7 on the absolute damage list and is
part of the European piracy average of 36%.
This means: One pirated copy for every two
legitimate licenses. In established markets like
the European Community and the USA, the
most damage comes from under-licensing – for
example, fi ve licenses are legally purchased but
twenty are illegally used. In the new growing
economies, Eastern Europe and Asia, nearly all
licenses in use are pirated, or “self-proclaimed”
dealers sell pirated copies, sometimes without
the knowledge of the customers, for example
when an illegal online dealer implements
his own activation schema for Original Adobe
software.
How Safe Can Software
Protection be?
No protection system can be 100% safe. But
we keep trying. In the past, WIBU-SYSTEMS
arranged competitions to check the security
quality of our products. In these previous competitions,
a protected program was published
and it was shown that its protection could not
be cracked and made to run without a suitable
license in the WibuBox. This is a serious praxisrelevant
test for software producers who want
to publish a protected software product for free
download on their website.
1092Participants
Partial
Solutions
8
In our Hacker’s Contest for 2007, we went
one step further and the participants in the
competition received not only the protected
application, but also a CmStick with the appropriate
license. 1,092 contestants from 27
countries entered the contest and had up to
six weeks to remove the copy protection and
claim the attractive prize of 32,768 Euro (or
US-$ 40,000). No one succeeded.
12

E V E N T S
Why did Not One of the 1092
Contestants Succeed?
Although the challenge was theoretically solvable,
not one of the contestants could fully
remove the protection. Most of the contestants
fell in the trap of trying to by-pass the intruder
detection and had their license locked in the Cm-
Stick. This resulted in further brute-force attacks
to the encryption. The chance of breaking the
128-bit AES encryption was slim to none. Other
contestants failed to jump other hurdles. But
we did receive some excellent partial solutions
and we awarded those contestants with 500 to
2000 Euro each. Hackers or Crackers go down
different paths than developers and the partial
solutions were important input for us. These
partial winners discovered some weaknesses
in our system which we not seen before. And
the discovery of these weaknesses allowed us
to strengthen our overall security.
The partial solutions included creating memory
dumps and also the attempt to replace the
CmStick with record-playback simulation within
the communication of the protected application
with the CodeMeter runtime. One of these
attacks is described in detail in the renowned
Germany computer magazine “c’t”, 21/2007,
describing the tools used, like IDAPro, ImpRec,
OllyDebug and NetCat. But, this attack did not
provide a completely successful solution to the
Hacker’s Contest: A second function also had
to be decrypted – its license item was already
in the CmStick, but not activated by a single bit.
Since the contest we have added enhancement
to the CodeMeter Runtime Kit – the attack of
the “c’t” is now no longer possible.
Attacking Methods
Attacking Methods and why they don’t work
with CodeMeter:
Memory Dumping: CodeMeter uses
“On Demand Decryption“, this means
there is no time after running the complete
program when code and resources are
completely decrypted in the main memory
of the PC.
Dummy Driver: By using complex
encryption, a simulation of the encryption
by dummy drivers is prohibited, because
there is no limit to the number of answers
for calling a function.
Cracking Tools: Most of the usual
cracking tools will be detected by the
protected application and this detection
1092 Contestants from 27 Countries
Germany 33%
Rest 14%
can be used to lock the license in the
hardware (CmStick), avoiding any further
attacks.
Record-/Playback Driver: The use of
randomly varied encryptions and changing
of the Encryption Code avoids a successful
use of recording and playback for a longer
time range.
Emulation of the CmSticks: The use
of strong encryption (AES) and the use of
secure hardware – a smart-card controller,
make a complete emulation of the hardware
nearly impossible.
Patching of some bytes: With CodeMeter,
protected applications are no longer
using single checkpoints. But large areas
of code and data are encrypted and such
patching is impossible, especially when
the automatic protection offered by AxProtector
is used.
Competition Program
As an example, we show the competition
program below, after the start, loading and
decryption with the correct CmStick, in the
memory of the PC: The green areas are still
encrypted. The resource data areas are always
encrypted and are only partially decrypted on
demand. The IAT (Import Address Table), which
is the connection to the called operating system
remains encrypted as well as the individual
functions – with two in the hacker’s contest. It
is easy to understand that a memory dump will
be not successful.
India 2% Spain 2%
Ukraina 2%
PE Header
Code Section
Data Section
China 18%
France 3%
Bangladesh 3%
Poland 2%
OEP
Resource Section
The Netherlands 4%
Hungary 4%
Link to new OEP
IAT
IAT redirect
Security Section
Security Code IAT
USA 10%
Operating
System
The Bottom Line
We accept that no security system is 100%
secure. But a high level of security can be
reached by:
Secure Hardware: The CmStick provides for
secure key storage and strong encryption
in a smart-card chip. The CodeMeter
System includes a crack detection, which
can lock the license key.
Secure Integration Technology: The code
and resources of the protected application
will never be completely decrypted in the
main memory of the PC. Variable encryption,
anti-debugging and obfuscation
technology as well as tools to individually
integrate the source code increase the
security level again.
The “simple to use” tools from WIBU-SYSTEMS
like AxProtector for automatic protection and
the IxProtector to individually integrate the
source code provide a maximum of protection.
These are some of the main advantages of our
solution… in addition to the high fl exibility of
CodeMeter.
13

CASE STUDY
Easy to Switch to CodeMeter
A system for software protection and license management is not changed daily. After a decision is made, it
should be the solution for a long time..
Good Reasons
A system for software protection and license
management is not changed daily. After a decision
is made, it should be the solution for a
long time.
Customers who changed to WIBU-SYSTEMS
have given us the following reasons for doing
so:
Weak Security: In many cases the customer
had found a hack of his software
on the Internet, but their old solution
provider did not come with new protection
schemas.
Missing Features: Our new customers
especially like the license management
features of CodeMeter. The ability to offer
their customers various ways to purchase
their software has opened new sales
channels. And all of these different distribution
methods can be handled by one
license management tool: CodeMeter.
Outdated Technology: Any software
protection has a viable quality level for
a short period of time, and then hacker
tools and methods catch up. Like a virus
scanner, a software protection system
needs permanent enhancement, and
WIBU-SYSTEMS outshines the competition
in staying one step ahead of the hacker
community.
Continuity at WIBU-SYSTEMS
But of all the reasons to switch, continuity is
the one that will save you the most money in
the long run. And continuity is a major goal
at WIBU-SYSTEMS. Our products have always
been backwards as well as forwards compatible
and now you can see that we offer continuity
between our product lines as well. Whether
you have decided for WibuKey, CodeMeter or
CodeMeterAct – or when you decide – you
cannot make a wrong decision.
No matter which of our products you choose,
you can integrate a mix of our products and
three basic technologies without trouble. By
strictly separating the basic system and solution,
any enhancement in the automatic protection
of AxProtector and WUPI (Wibu Universal Protection
Interface), our unique API, will be within
reach of all our customers.
Steps if you Change
You may have a few, many or very many customers.
But, the principle steps and the open
questions are always similar:
What must I change in my software to
support CodeMeter?
How will I program my dongles in the
future?
How should I change the installed base?
Completely in a big bang or step by step?
Integration into Software
In many cases, the integration into the software
is the easiest point. Naturally it depends which
system you had before.
Using a Wrapper
In this case you simply replace the previous
wrapper with AxProtector. You can use the graphic
user interface or the command line tool
in an automatic build process – in both cases
our support experts can help you in the fi ne
tuning of the AxProtector options, targeting
your special application.
Login, Logout, Crypt
If you use an API with functions like xxLogin,
xxCrypt and xxLogout. Then the CodeMeter API
provides you with similar functions:
API (former) Cm API
xxLogin CmAccess
xxCrypt CmCrypt
xxLogout CmRelease
With CmAccess you specify the Firm Code and
Product Code which you want to use – parameters,
which defi ne your license.
In contrast to your previous dongle, you can also
modify the key for the encryption and decryption
during execution. Use this feature to increase
the security against hacking.
Writing and Reading Data: Are you used to
writing data into your previous dongle during
runtime and reading it back later? This is also
possible with CodeMeter, we even provide you
with several access rights.
14

CASE STUDY
However such a technology does not increase
the security of the protected application. Instead
of writing data, our customers use the following
methods:
During the development process, data is
encrypted and then stored into the source
text.
This data is decrypted during the runtime
and then used.
This even permits you to change the key to
decrypt the data during runtime. By such
changes, the same location in your software
sends different sequences to the CmStick, which
inhibits a crack by simulation with a recordplayback
attack.
Reading License Information
Today, do you write a license number into the
dongle and read it back during runtime? Then,
depending on this number, do you activate specifi
c modules or control the number of licenses
in the network?
This is also possible with CodeMeter. But with
your current dongle, you have more effort and
less security. Such features are supported directly
by CodeMeter and permanently enhanced. A
radical “break away from the past” change to
CodeMeter is in the long run always cheaper
than creating your own license schema to a
“I just write an ID” dongle. Keep your license
schema simple and secure and use the knowledge
we learned from more than 50 migrations
to CodeMeter, alone, in Germany, in the last
six months.
Programming the Dongles
Again, CodeMeter provides you with full fl exibility:
With CmProducer you have a simple but
powerful data base application to program
the CmSticks. A programming API and command
line tools extend the CmProducer – it
will be always easy and effi cient to integrate
the programming of the CmSticks into your
own operations.
Exchange Legacy Dongles
in the Field
Our experience shows that a complete exchange
of all existing dongles in the fi eld with Cm-
Sticks can be a sensible solution. This is the
favorite decision for customers who switched
to CodeMeter for security reasons and at the
same time released a new main version of
their software.
Other customers decided to go the smooth
“step by step” route and protect the current
version with CodeMeter, but will continue to
support their existing customers who already
have the previous dongle. The problem is that
the old solution is the weak link in the whole
security chain – therefore the support for the
old dongle should end with one of the next
version releases.
Sometimes even the user – your customer
– wants you change to CodeMeter. Why?
CodeMeter is attractive for a lot of users because
the CmStick can come bundled with a
Personal Security Suite of applications that will
make the user’s computer life more secure, for
example: The CodeMeter Password Manager.
In this case, the user buys his or her CmStick
and you simply provide the license, which can
be transferred for a small fee into this CmStick.
Optionally the Password manager can also be
adapted to your Corporate Design.
Customer Endorsement
EverFocus ® Electronics AG
Emmerich am Rhein
Dipl.-Inf. (FH) Ingo Jansen
(R&D / IT Manager):
“EverFocus already had an
excellent experience with
WibuKey as our fi rst software
protection system. We switched to CodeMeter
because of its fl exibility and effi ciency, whereby
we could integrate network license models
just as simply as single-user license models
into our software. We also liked the remote
programming features of CodeMeter, which
allowed us to keep our customers happy and
have an effective worldwide license management
system at the same time. “
SOFiSTiK AG
Oberschleissheim
Dr.-Ing. Casimir Katz
(CTO Member of the Board):
“We decided, above all other considerations, to
switch our software protection to CodeMeter,
because of the substantial and sophisticated
license management features. We were impressed
by the automatic release of licenses
from crashed programs; also by the ability to
combine network licenses with an expiration
date; and especially by the ability to completely
re-program a dongle, already delivered
to a customer. The uniform appearance under
Windows and Linux, especially the support for
64-bit operating systems were also important
reasons for our decision.
The fact that all CodeMeter dongles are the
same, and that they are available from worldwide
distributors, makes it possible to save time
money when dealing customs. The extraordinary
high quality of WIBU-SYSTEMS’ support, before
and after we became a customer, together with
secure and fl exible remote programming, has
convinced us that we made the right decision
with CodeMeter.”
15

KNOW-HOW
Mobile Solutions
Standard Driver
If you want to use CodeMeter for software protection and as
a license management system, you do not need a proprietary
driver. CodeMeter utilizes the Mass Storage Driver, which is
a standard part of Windows.
Several Advantages for You
No installation problems
Availability also for newer Windows versions
Mobile delivery of your software on the CmStick
Security of the USB Driver
Usually security concerns arise if a standard driver is used
for security.
Mobile Shipment
If you (or more importantly,
your customers) would
like the convenience of
delivering your protected
software on a portable
“thumb drive”, simply
request a CmStick with
additional fl ash memory.
They can be ordered from
WIBU-SYSTEMS with 256
Mbytes, 1 GBytes and 2
GBytes (other memory
sizes on request).
Imprint
KEYnote
14th edition, Fall 2007
Publisher:
WIBU-SYSTEMS AG
Rueppurrer Strasse 52-54
76137 Karlsruhe, Germany
Tel. +49-721-93172-0
Fax +49-721-93172-22
info@wibu.com
www.wibu.com
Responsible For The
Contents:
Oliver Winzenried
Is it possible for a hacker to insert a filter driver?
Yes… he can do this, but he cannot interpret the data stream
because it is encrypted and the encryption is changed on
the fl y.
Is it possible for a hacker to crack the encryption?
With enough effort anything is possible. But it takes less
effort to crack a proprietary driver. That’s why we included
the polymorph encryption in CodeMeter: The data transferred
in the encrypted channel is modifi ed and varies. Hacking the
transfer channel is not enough to implement a successful
record-playback attack.
The Bottom Line
CodeMeter used with the USB standard USB driver is safer
than a proprietary dongle driver.
Protect your software with the AxProtector and simply
copy it to the CmStick.
Program the required license items into the CmStick.
Copy the CodeMeter runtime to the CmStick (Code-
Meter.exe and CodeMeterCC.exe).
Optionally, you can copy your own startup program
on the CmStick – it can check if the CodeMeter
Runtime has already started or starts it on demand
and terminates the runtime again after your software
has terminated.
Beyond protected software you can also deliver protected
documents on the CmStick. Again everything runs without
installation, directly from CmStick, including the Adobe
Reader.
Editors:
Rüdiger Kügler
Stephan Süptitz
Wolfgang Völker
Oliver Winzenried
John Poulson
Marcellus Buchheit
Design and Production
Manuel Künstler
Gunnar Petersohn
Letters are welcome at any
time. They are protected by
the press secret. Articles identifi
ed by name do not necessarily
refl ect the opinion of
the editors.
WIBU-SYSTEMS on Tour:
Cebit asia
October 10-13, 2007
Shanghai, China, Hall W5, Booth 5F51.
Embedded Systems Show
October 17-18, 2007
Birmingham, England, NEC, Hall 10.
SYSTEMS
October 23-26, 2007
Munich, Germany.
European Shareware Conference
November 3-4, 2007
Cologne, Germany.
Prio Conference
November 13-14, 2007
Baden-Baden, Germany.
WIBU-SYSTEMS USA Inc. -
Protection Days in Canada
December 4, 2007 - Toronto Area
December 5, 2007 - Toronto Area
December 7, 2007 - Montreal Area
Details see www.wibu.us/events
NAMM
January 17-20, 2008
Anaheim, California
WIBU, CodeMeter and Smart-
Shelter are international trademarks
of WIBU-SYSTEMS. All
other trademarks belong to
their respective holders.
© 2007 WIBU-SYSTEMS.
All rights reserved.
5060-002-02/20071001
SoftSummit
November 12-14, 2007
Santa Clara, California
MacWorld
January 15-18, 2008
San Francisco, California