KEY - CodeMeter

No.11 | Spring 2006 

KEY n o t e 

CONTENT 

CeBIT HANOVER 

March 9-15 | 2006 

Hall 7 | Booth A21 

Page 2 | Jump-start with CodeMeter | 10 good reasons 

Page 4 | AxProtector | Automatic integration of CodeMeter 

Page 6 | CodeMeter Producer | Trouble-free programming of CM-Stick 

Page 8 | CodeMeter API Guide | Integration into the source code 

Page 10 | Secure integration with WibuKey 

Page 12 | CM Password Manager | New features 

Page 15 | CA Computer Associates available in the CM-Shop 

n o t e 

WIBU-Magazine 

Jump-start 

with CodeMeter 

More and more software vendors are 

deciding to switch their software protection 

to CodeMeter. There are many different 

reasons for this. Here you’ll find 

the top ten reasons: 

WIBU-SYSTEMS is a well 

known international company 

Over 3,500 customers worldwide, with 

more than one million hardware keys in 

the field, have made WIBU-SYSTEMS one 

of the top three vendors of hardware 

based software protection. WIBU-SYS- 

TEMS has subsidiaries and distributors all 

over the world. 

Stability and reliability 

WIBU-SYSTEMS is the first provider of 

hardware-based software protection, to 

be certified by ISO 9001:2000 – ever since 

1997. Our products fulfill all important 

international standards like CE, FCC, UL, 

ROHS, WEEE, VCCI or VDE. 

Continuous backwards 

compatibility since 1989 

Any software, which was protected with 

WibuKey version 1 in 1989, is running 

smoothly today with the latest type of 

hardware without any modification in 

the software. 

Today’s WibuKey customers can use 

CodeMeter and WibuKey simultaneously 

to protect a single executable. 

Please read on the next page

2 


E D I T O R I A L 

Dear Customers and Partners, 

Many decisions are based on price. 

But what is the true price? It’s not the 

cost of purchase, for sure. What has 

to be added and what is your returnon-investment? 

Cheap prices do not 

always make sense. The “It is wiser to 

be a miser” mentality is often selfdeception. 

We invest continuously in our 

products, e.g. ROHS conforming 

production and better software 

enabling you easier and more rapid 

implementation with higher level of 

security and first class support. Some 

of our latest developments include 

perfect software protection without 

source code modification for Win 64bit, 

Java, .NET or MacOS X Universal 

together with protection of PDF 

documents and multimedia content 

are some of our latest developments. 

Our products are constantly winning 

awards for concept, security, design 

and handling. Have a look and decide 

yourself! 

Hope this edition will provide you 

with a few new ideas for your 

applications. 

Sincerely yours 

Oliver Winzenried 

Easiest implementation 

with CodeMeter 

With AxProtector you can protect your 

unsecured application (Windows 32-bit, 

64-bit, MS .Net, Mac OS X) without any 

access to the source code automatically – 

at your fingertips. 

Additionally to the AxProtector the CM 

API-Guide supplies the automatic creation 

of flexible source code fragments (in 

C, C++, C#, VB6, VB.NET, Delphi and Java), 

ready to be integrated into the source 

code or your own application. 

Last but not least the CM-Producer is a 

full database solution to create and manage 

your licenses. 

Highest security with 

CodeMeter 

WIBU-SYSTEMS is so far the only supplier 

of hardware based software protection, 

which has proven the security of its protection 

method in three public hacker’s 

contests with more than 1000 hackers in 

the field. 

With 128-bit AES and 224-bit ECC Code- 

Meter is based on internationally accepted 

encryption standards. 

Application 

dynamic 

Jump-start with CodeMeter | 10 good reasons 

With AxProtector you can select the bestsuitable 

anti-debugging strategy for your 

purposes. The CM-Stick can be locked 

immediately during a detected attack. 

Don’t give a cracker a second chance! 

Since 1989 WIBU-SYSTEMS has implemented 

a flexible encryption system. 

When accessing the hardware, you can 

change the keys used during the execution 

of your software. 

One hardware type for all 

purposes 

With CodeMeter, CM-Stick is the only 

multipurpose hardware design. You can 

use the same hardware device at single 

workstations and for managing licenses 

in a network. 

Each CM-Stick has several features, 

including the ability to accommodate 

more than 1000 different counters for 

pay-per-use; a certificate-controlled clock 

for time-limited licenses and Feature 

Maps for securely protecting more than 

100,000 individual modules. You can combine 

all these features in any way. 

You exclusively decide with the programming 

of the CM-Stick how your software 

licenses will be managed. To make things 

simple, the protected executable is identical 

for all licensing variants. 

One CM-Stick can be used simultaneously 

by more than 500 totally independent 

licensors to protect more than 1500 applications. 

Extensive multi platform 

support 

CodeMeter is available for Windows, 

Linux and Mac OS and can be used in 

heterogeneous networks – for example a 

license server running on Linux and the 

client systems running on Windows and 

Mac OS. 

Flexible licensing of 


Windows Mac OS Linux 

Application 

static 

WibuCm32static.lib libwibucmmac.a 

WibuCm32.dll WibuCmNet.dll 

WibuCmmacX. 

framework 

CodeMeter Runtime Service 

You will already have noted the flexible 

application of CodeMeter. The product 

also has flexible licensing available: 

p You purchase CodeMeter like classic 

protection hardware (“dongle”). 

p You license CodeMeter as pay-per-use 

product: You get the CM-Stick up to 

50% cheaper but pay a small amount of 

fee to transfer (“program”) the license 

into the CM-Stick. 

Mass storage device driver USB storage device driver USB storage device driver 

CM-Stick 

Application 

.Net 

Application 

dynamic 

Application 

static 

Application 

dynamic 

libwibucmlin.so 

CM-Stick CM-Stick 

Application 

static 

libwibucmlin.a 

knowhow 

32.000 Modules 

p You can reuse any existing CM-Stick at 

user site by the small pay-per-use fee. 

Complete reprogramming 

of a CM-Stick via file transfer 

or Internet 

1.000 Products 

Any CM-Stick, which is already at user site, 

can be reprogrammed by transferring a 

file or via the CM-Talk Internet protocol. 

This also includes storing totally new 

licenses or updating a single workstation 

license to a multi-user network license. 

It is guaranteed that the data for such a 

programming operation can be used only 

for one specific CM-Stick and even then 

only once! 

Possibly the best solution is to integrate 

CodeMeter into your current online shopping 

solution. An option for such an integration 

is to use the existing infrastructure 

of www.codemeter.com without any 

initial cost. 

CodeMeter is available for Windows, Linux 

and Mac OS 

1.000 Expiration Date 

1.000 Network Counter 

1.000 Pay-Per-Use Counter 

1.000 Activation Date 

Readily accepted by your 

customer 

CodeMeter uses the Mass Storage Driver, 

which is already provided by the operating 

system. In practice your user just plugs 

the CM-Stick into the PC; it will be detected 

automatically without installation of 

any additional driver and can be immediately 

used. 

Beyond this simple installation, CM-Stick 

provides users with a neat password management 

tool and an ability to encrypt 

data on the hard disk via a virtual drive. 

Optionally, a CM-Stick is available with 

additional Flash memory – up to 2 GByte. 

Due the possibility of sharing licenses 

from different licensors on one CM-Stick, 

a customer needs only one CM-Stick for 

all his or her licensed applications. 

Please read on the next pages: 

p Automatic integration with AxProtector 

p API Integration with the CodeMeter 

API-Guide 

p Programming of CM-Sticks with the 

CM-Producer 

No.11 | 2006 

3

KEY 

n o t e product 

How memory dumping 

works 

The cracker analyses the software 

(typically automatically using tools) 

to find the OEP of a software. At this 

location, the execution of the software 

will be interrupted and the 

content of the RAM will be written 

back to the hard disk (dumped). 

Another tool then reconstructs the 

IAT (Import Address Table) in this 

memory dump. As result, the software 

can be executed without 

checking for a dongle. 

In practice, an experienced cracker 

can complete such a dongle remove 

in less than 15 minutes. 

4 

PE Header Link to new OEP 

Code section 

Data section 

Resource section 

Security section 

PE Header Link reconstruction to OEP 

Code section 

Data section 

Resource section 

Security section 

OEP 

OEP 

Security code 

Anatomy of a wrapper 

Dumping und reconstruction 

IAT 

IAT redirect 

IAT 

(reconstrution) 

April 4 | 2006 | Wien 

April 6 | 2006 | Graz 

You will find further dates and more 

information on www.wibu.com 

IAT 

Operating 

System 

Operating 

System 

AxProtector | Automatic inte gration of CodeMeter 

The AxProtector is a powerful tool, which 

automatically protects your ready-to-execute 

application for CodeMeter without 

requiring any source code access. 

AxProtector encrypts the code of your 

software and adds the AxEngine. This 

decrypts the code after starting in the 

RAM and continues the execution at the 

Original Entry Point (OEP). 

Security against memory 

dumping 

Frequently we have to answer following 

question: “Is it not possible to bypass the 

CM-Stick access by a memory dump?” 

No, this is not possible! The AxProtector is 

supplied with the security options 

Resource Encryption, Static Modification 

and Dynamic Modification which are 

three methods against memory dumping. 

Additionally AxProtector makes it difficult 

for the tools used by crackers to find the 

OEP. This is done by complex but configurable 

debugging detection methods. 

The AxProtector checks if your software 

was started within a debugging process 

and terminates it in such an environment. 

You can decide to lock the CM-Stick. 

Don’t be worried about this option, as 

you always can unlock again via Remote 

Access. By additional integration of the 

CM-API (and encryption of single code 

areas in your application) you can further 

increase the security level against memory 

dumping. 

Compatibility with WibuKey 

As a WibuKey customer you can protect 

an executable file, which will automatically 

accept either WibuKey or CodeMeter 

as hardware protection. 

Just select the desired hardware variant 

or select both! 

Supported platforms 

The AxProtector is available on following 

platforms: 

p Windows 32-bit 

p Windows 64-bit 

p .Net 1.1 and 2.0 

p Mac OS X (Power 

PC, Intel and 

Universal Binaries) 

p Java 

Further platforms – for example Linux – 

are under development. 

Error messages – 

as you want them 

In the previous KEYnote we wrote about 

CmUserMsgXx.dll which gives you the 

ability to customize your own error messages. 

This interface also offers other 

advantages: 

p Try Before You Buy 

In AxProtector you set the threshold value 

of the Expiration Date to the end of the 

test period plus one day (default is 100). 

Then you show in your warning message 

how many days the user has until the 

evaluation expires. 

p Demo versions 

Your application is protected with Ax- 

Protector. When the matching AxProtector 

is not available, CmUserMsg.dll will 

be called. However, this does not show its 

own dialog but starts the demo version 

instead of the full version. 

p Server in the background 

If your application is a service, displaying 

a message box (or another dialog box) is 

difficult. Again CmUserMsg.dll shows its 

power: You can handle the error, write it 

into a log file or send the error “to home” 

and have full control of how you handle 

the error (retry, terminate etc.) 

First steps with the 

AxProtector 

After selecting the project type you will 

see the file selection dialog. Just choose 

the file which you want to protect. The 

destination file is created by default – 

with your freedom to change this. 

In the next window you choose the protection 

hardware type. You can protect 

your application with CodeMeter, with 

WibuKey or with both (only one type 

must be available at user site). 

The Firm Code is assigned by WIBU-SYS- 

TEMS: Only you have the permission to 

program CM-Sticks or WIBU-BOXes with 

your individual Firm Code. For this you 

need a master key, the Firm Security Box 

(FSB). 

You can freely choose the Product Code 

respectively the User Code. Most of our 

customers assign one code per product or 

module. 

With CodeMeter you have the option of 

protecting specific modules of your application 

via the 32-bit Feature Map. For this 

the Feature Code in AxProtector should 

be set to 0 and each individual protected 

module has a specific power-of-2 value (1, 

2, 4, 8 etc.). 

We recommend choosing Firm Code 10 

and Product Code 13 for a first test. This 

license item is already stored in the CM- 

Stick shipped in the CodeMeter SDK. 

All other settings you can set on default 

for a first test. 

Go then to the summary page of the 

AxProtector, verify that the FSB master 

key of the SDK is plugged and click 

Create: Now you have protected your first 

software with CodeMeter! For further 

settings, for example network and security 

options please refer to the Developer’s 

Guide. 

AxProtector also supports the non-interactive 

(batch) encryption of your software 

(for example in a make file). For this we 

have an additional command line tool. 

The corresponding command line options 

of a specific dialog setting can be easily 

found in the AxProtector itself. 

You can also find the output of the 

encryption in the same dialog. You can 

easily check whether your application was 

correctly encrypted with the set options 

or viewing the issued warnings. 

No.11 | 2006 

5

6 


Your CodeMeter protected software only 

can be started when the matching license 

item is stored in a connected CM-Stick. In 

our example this is Firm Code 10 with 

Product Code 13. This item is already 

stored in the CM-Stick of the SDK. 

You have several choices when programming 

your own license items into a CM- 

Stick. You can modify existing items or 

add them with additional options using 

any of the methods below: 

p Manual programming via CmBoxPgm, 

p With a web shop via CM-Talk 

p Using the CodeMeter-API out of your 

application source code 

p Easily and efficiently with the CM- 

Producer 

In all these cases you will need a Master 

CM-Stick, the Firm Security Box (FSB). The 

FSB contains your Firm Code and guarantees, 

that only you can program a license 

based on your Firm Code, into a CM-Stick. 

The CM-Stick of the SDK is also by default 

a FSB for the Test Firm Code 10. 

CM-Producer | Trouble-free programming of CM-Sticks 

Process orientation 

The CM-Producer is process orientated: 

p Defining the product and the module 

by product management and software 

development. 

p Definition of sales packages by product 

management or sales department. 

p Definition of order templates by the 

sales department. 

p Order management and correspondent 

CM-Stick programming by the sales 

department. 

Definition of products 

The Products are your atoms, the smallest 

units within your software licensing. 

These atoms are defined by: 

p Firm Code: This is assigned by WIBU- 

SYSTEMS to you. Only you with your 

unique FSB can program CM-Sticks with 

your Firm Code. 

p Product Code: A 32-bit value, which can 

be freely assigned by you. 

p Feature Map: Another 32-bit value, 

which can be assigned by you. Such a 

map will be analyzed by their binary 

bits – for example a Feature Map of 9 

includes automatically Feature Codes 0, 

1 and 8 but not 2 or 4. 

Products are mapped directly with Firm 

Code, Product Code and Feature Code to 

protected applications – maybe by the 

setting of AxProtector or by the parameters 

used when calling the CodeMeter 

API. 

Definition of packages 

Packages are used to map the defined 

products into your business and sales 

model. Several products can be combined 

and license options can be assigned so 

these products. 

Usage Units can be used for pay-per-use 

models. If a Unit Counter is available in 

the CM-Stick, it is reduced automatically 

by 1 each time a software product starts, 

which had been protected by AxProtector 

with the appropriate option set. (see 

advanced license settings in AxProtector). 

You can also reduce a Unit Counter by the 

CodeMeter-API explicitly. 

CM-Producer lets you define whether a 

Unit Counter is set to a fixed new value or 

a delta value is added to an existing Unit 

Counter. It is also possible to convert a 

pay-per-use license into an unlimited full 

version just by deleting the Unit Counter 

in the CM-Stick by the CM-Producer. 

Activation and Expiration Time defines 

the time frame of a valid license. This is 

useful for creating demonstration, renting 

or leasing licenses. 

For example, CM-Producer allows you to 

set such times to fixed dates, add a delta 

to an existing time, or just delete such 

dates for an unlimited-time license 

access. 

The Network Counter defines the maximum 

of simultaneously available licenses 

in a network from any workstation 

(floating licenses). 

By setting the Network Counter to 0, the 

license can be used only locally at that PC 

were the CM-Stick is plugged. The 

default value is 1. Such a license can not 

only be used locally but alternatively also 

in the local network from another PC. 

The Product Item Text gives your license a 

specific name. This text is not securityrelated 

and may be changed later by the 

user too. 

Furthermore you can decide whether 

available license items should be deleted: 

p Don’t delete: a possibly available item 

with matching Firm Code, Product 

Code and Feature Map will be modified. 

Please note that the checking of 

the Feature Map interprets this as a 

bitmap. 

p Delete Product Item: a possibly available 

license item will be deleted. 

p Delete Firm Item: All License items with 

this Firm Code will be deleted. 

Each product in a package can be individually 

configured. 

Order templates 

In the next step you define your order 

templates. You can also summarize several 

packages to a single order template. 

Orders 

From an order template it’s easy to create 

your order. Just click at Execute. 

Additionally you can specify, who has created 

the order and for which customer 

(user) the CM-Stick was programmed 

(order number and name). 

CM-Producer permits local CM-Stick programming 

as well as the remote programming 

via CM-FAS. Just select the 

desired option Direct or Remote. 

After a successful programming the 

green light of the CM-Stick is on, while 

the programming the red light is on. 

To execute a CM-FAS programming you 

need a context file, which your customer 

product 

TIP FSB in the network 

To program a CM-Stick or to protect 

your software with AxProtector you 

will need your FSB. This can be either 

plugged at your local PC or any PC in 

the network. 

On both PC (the server with the 

plugged FSB and the client with the 

CM-Stick to be programmed) the 

CmFirm.wbc file with your Firm Code 

must be stored in the runtime\bin 

folder. Please restart CodeMeter.exe 

after copying this file to the two 

locations. 

Activate via CodeMeter-WebAdmin 

the CodeMeter-Server at your server 

system. To avoid the use of the FSB 

from other PCs in the network, you 

can define via the Codemeter- 

WebAdmin which client PCs have 

access rights to the server with the 

FSB. 

(user) has sent to you – just select then 

the desired file in the CM-Producer. If a 

context file or a local PC contains several 

CM-Sticks, you have to choose a specific 

CM-Stick via its serial number. 

Then the created CM-FAS update file can 

be just sent to the customer per email. 

Order history 

In the order history you will find all executed 

orders with the chosen options. 

No.11 | 2006 

7

8 


Customer example 

Visual FoxPro (Extract) 

In this example the WibuCm32.dll is 

called directly from Visual FoxPro. 

Declaration 

Declare Long CmAccess IN 

"WibuCm32.dll"; Long FlCtrl, 

String @stCmAccess 

Declare Long CmRelease IN 

"WibuCm32.dll"; Long hcmse 

Declare Long CmGetLastErrorCode 

IN "WibuCm32.dll" 

Call (Firm Code 0, Product Code 0, 

Feature Map 0) 

stCmAccess = Repli(Chr(0), 176) 

flCtrl = CM_ACCESS_LOCAL 

hCmAccess = CmAccess(flCtrl, 

stCmAccess) 

iError = CmGetLastErrorCode() 

IF (hCmAccess 0) 

CmRelease(hCmAccess) 

ENDIF 

Many thanks to Mr. Walter Nix for 

providing this example! 

CodeMeter API-Guide | Integ ration into the source code 

AxProtector lets you protect your software 

easily and securely. However, if you 

want to further enforce this security or if 

you plan protect different parts of one 

single executable with different licenses 

(modular protection) then you have to 

use the Codemeter-API. 

The CodeMeter-API is identical for all CM- 

Stick variants and operating systems. It is 

available for following programming languages: 

p C, C++, C# 

p VB 6, VB.Net 

p Delphi 

p Java 

Is your favorite programming language 

missing? Please speak with our support 

team for an individual solution. 

The CM API-Guide 

The CM API-Guide gives you the ability to 

create the desired CM-API calls in your 

favorite programming language and also 

to test such calls. 

The CM API-Guide creates source code 

fragments, which you just transfer with 

Copy and Paste into to the source code of 

your application. 

Basic API Calls 

p CmAccess 

To access a CM-Stick you start with the 

CmAccess call: Here you specify via Firm 

Code, Product Code and Feature Map 

which license item you want to access. 

You can also setup the access options 

here. 

p CmRelease 

The handle, which was created and 

returned from CmAccess, can be released 

with a CmRelease call. 

p CmGetLastErrorCode 

CmGetLastErrorCode can be used to check 

any error which was returned from 

CmAccess or CmRelease. 

With these three commands you have 

implemented a very simple check of the 

CM-Stick. 

Of course, the security of such a simple 

checking is very restricted: The software 

protection is reduced to a simple Jump- 

Zero or JumpNotZero assembler instruction. 

A cracker only needs to modify the 

single byte of this instruction in the executable 

and the protection is dead. That’s 

why we always recommend the use of 

additional encryption. 

Basic API Call: CmCrypt 

The CmCrypt function is a powerful interface 

to encrypt or decrypt data within 

your application. 

To use CmCrypt, you need a handle which 

was previously returned by CmAccess to 

address a specific license item (Firm Code 

and Product Code). 

The actual used key for an encryption or 

decryption is calculated by a hash function 

from different parameters. These are: 

CM-Stick internal constants, your Firm 

Key, Firm Code and Product Code, the 

Feature Code and options which defines 

functions like reducing a Unit Counter or 

checking the Expiration Date . 

You can define additional parameters 

yourself: 

The Encryption Code, which you can also 

freely change while your program is running. 

Instead of the fixed Firm Key you 

can also get additional keys from Secret 

Data or Hidden Data items. 

Hidden Data items can be written into the 

CM-Stick with your FSB (also remote). This 

data can also read back from your application 

with a secret password. 

Secret Data items can be written into the 

CM-Stick with your FSB (also remote). 

However this data can never be read 

back, not even from WIBU-SYSTEMS. 

The Firm Key is your own secret key which 

you receive with your FSB. You can use 

the initial Firm Key or define your own 

(secret) Firm Key. Such an individual Firm 

Key should never be changed after the 

first delivery of licenses using this key. 

Otherwise encrypted data for this Firm 

Key can no longer be decrypted by the old 

Firm Key. You should save your Firm Key 

in a safe location. Alternatively you can 

use the initial Firm Key. This is cryptographically 

created and known only by 

you and WIBU-SYSTEMS. Firm Key, secret 

data items or Hidden Data items are programmed 

as part of a license into a CM- 

Stick. 

Typically the Firm Key is used as basis of 

an encryption. Due to the dependency of 

the actual used key from the Product 

Code by hash you will have for every different 

Product Code another encryption. 

It is recommended that you encrypt and 

decrypt the data with random-based 

encryption codes during the execution of 

your program (RED) and to store encrypted 

data with fixed encryption code (RID) 

into your source code. Mix RED and RID as 

much as possible! See also secure encryption 

with WibuKey on the next page. 

Runtime check 

knowhow 

You have got with CmAccess a handle to a 

license. Now you want to check at frequent 

time intervals whether the handle 

is still valid. For this you call a CM-API 

function with this handle and check the 

return value. In the case of an error call 

CmGetLastError too. 

For highest security implement an encryption 

with CmCrypt. At time critical locations 

the CmGetInfo call can be used 

instead. This API function returns information 

about the accessed CM-Stick. If 

the CM-Stick was unplugged, an error is 

returned. 

March 

August 

Complete function blocks 

In addition to the basic API calls you can 

find in the CM API-Guide complete function 

blocks. Such function blocks demonstrate 

the reading and writing of data 

into the CM-Stick, the implementation of 

several encryption variants and the 

addressing of the CM-Stick LEDs. 

History list 

CeBIT 2006, Hanover, 

Germany | March 9 - 15 | 2006 

Hall 7 | Booth A 21 

www.cebit.de 

GAMES CONVENTION 

DEVELOPER CONFERENCE, Leipzig 

Germany | August 21 - 23 | 2006 

www.gcdc.de 

You can also execute CM-API calls interactively. 

You can find in the history list all 

executed commands and the corresponding 

source code. 

TRADE SHOWS 

Lectures CeBIT Forum | H5 B48 

PC-Security for business and users 

March 12th | 15:20 - 15:40 

March 15th | 10:15 - 10:35 

No.11 | 2006 

9


The WibuKey hardware has demonstrated 

in three seperate Hacker’s Contest its 

powerful security. However, you can still 

sometimes find on the Internet available 

cracks of software which were protected 

with WibuKey. 

Such cracks attack the weakest location in 

the complete package – the interface 

between your software and our hardware. 

The following tips will provide you 

with hints, ideas and concepts on how 

you can significantly reduce this potential 

for weakness. 

With the selection code WibuKey supplies 

a powerful tool for modifying the encryption 

during your protected program runs. 

Take advantage of this! 

Encryption strategies 

Random Encryption Decryption 

Encrypt data at runtime with a random 

selection code. Decrypt it again if you 

need this data. Possibly use a checksum 

to validate the decrypted information but 

use it directly without further comparison. 

Instead of data you can also encrypt and 

decrypt a random number of sequences. 

Required Information Decryption 

Encrypt constants or tables while developing 

a software product and store these as 

binary sequence into the source of the 

program. Decrypt this data whenever you 

need it in your software at runtime using 

a fixed selection code, which is also stored 

in the source code. Encrypt the data after 

the use again. 

p Tip 1 

Use encryption. Mix RED and RID sequences 

in your application. 

p Tip 2 

Use code instead of data (AXAN, available 

for C/C++/Delphi under Windows). 

10 

Secure integration of WibuKey News 

p Tip 3 

Store for the same data different RID 

sequences with different encryption 

codes. 

p Tip 4 

Don’t show any error messages directly 

after the failure of an encryption. 

Otherwise a cracker can easily find via 

two or three jumps back the relevant 

location in the source code. 

p Tip 5 

Integrate the encryption and decryption 

at different locations into your software. 

If possible, duplicate the source code and 

insert small modifications. Use this for 

locations which are both frequently called 

and also rarely called. 

AxProtector 

In addition to the use of encryption methods 

in the WibuKey-API, the software for 

Windows and Mac OS X can be protected 

with the AxProtector. 

The AxProtector supplies extensive anti 

debugging methods and the ability to 

lock the hardware as result of a cracker 

attack. This can be achieved by setting a 

Limit Counter to 0. You program into the 

WibuBox your Firm Code with the desired 

User Code. Additionally you set the limit 

counter to the number of permitted 

cracker attacks (for example 1). With each 

detecting of a cracker attack by the 

AxEngine this counter will be decreased 

by 1. After the counter has reached 0, no 

more encryption is possible and your software 

cannot be started any more. Now 

the cracker has to wait until you (if ever) 

reactivate the WibuBox by a remote programming 

update. 

If you want to also use a Limit Counter for 

pay-per-use, then use a second entry with 

another user code for this operation. This 

Limit Counter is then reduced by explicitly 

calling the WibuKey-API. 

Static versus dynamic 

Another weak point is the wkwin32.dll. 

This link library provides the WibuKey-API 

functions for you. 

To avoid a crack replacing this library, you 

can also use a static driver, providing the 

same API for MS Visual C. The disadvantage 

is that you loose the flexibility of the 

DLL-API, for example the support of 

future WibuKey hardware variants. To 

support this, you have to recompile your 

software again. 

For all other programming languages, 

which do not support static link libraries, 

you can check the validity of the 

wkwin32.dll. Load the library module 

dynamically via LoadLibrary and read 

back the entry point addresses via 

GetProcAddress. Compare these addresses 

with those which you stored previously 

into your protected application. Also, 

here you have to update your software to 

future versions of the wkwin32.dll. 

Win one 

Software Development Kit 

CodeMeter and WIBU-BOX 

together in one CardBus card 

The new CodeMeter card is coming! As a 

CardBus card, it combines the functionality 

of a WIBU-BOX/+ and a CM-Stick/M 

with a Flash Disk and it can be used for all 

current notebooks. It is even possible if 

the present PCMCIA cards don’t work. 

There are no additional drivers necessary 

because it will be recognised as a USB hub 

including both functions. Now there is a 

highest level of flexibility and a guaranteed 

future. 

Your feedback is important 

Dear readers. Now you have been 

reading the eleventh issue of our 

KEYnote magazine and now we would 

like to ask for your feedback. Just fill 

out our survey and you can win one 

CodeMeter Software Development Kit 

with CM-Stick/M. Please visit our 

homepage www.wibu.com/keynote. 

It will take you just five minutes. 

CodeMeter 2.20b 

There are many improvements and extensions 

for the CodeMeter software. The 

AxProtector protects applications without 

changes to the source code for 32-bit 

Windows and 64-bit Windows, Java, .NET 

and Mac OS X Universal. These are 

Macintosh computers with PPC or Intel 

processor. To ease individual integration, 

the CM API-Guide generates the source 

code for the most important applications 

in C, C++, C#, Java, Delphi, VB6 and 

VB.NET. The CM-Producer makes delivery 

of your CM-Sticks a walk-over! First you 

have to define your products, then your 

sales department can easily create licenses, 

even for CM-Sticks that have been 

delivered to your customers. All actions 

will be stored in a data base so that you 

always have an overview. A new 

Developer’s Guide helps you understanding 

and integrating CodeMeter. You can 

read more about the tools and the integration 

with CodeMeter in this issue of 

the KEYnote magazine. 

Soon all WIBU-BOXes will be 

available with a „+“ 

For two years now, WIBU-BOXes have 

been available with an additional 

memory of 16 kByte. It is helpful for storing 

extensive configuration data or 

license data in addition to the Firm 

Code/User Code that is required for secure 

protection. Because of the big demand 

we have decided to deliver all WIBU- 

BOXes with a “+” in the future and to 

reduce the prices. While stock lasts, the 

versions without “+” can be ordered. The 

OEM version will be unchanged. The version 

with the “+” are 100% backward 

compatible and are another example of 

the way we continue to improve our 

products. It is not necessary to change 

your applications – just the WibuKey drivers 

version 4.0 (available since autumn 

2003) or higher have to be used. 

Mac OS X Universal Support 

In good time for the availability of the 

new Apple Macintosh computers with 

Intel CPU, WibuKey and CodeMeter will 

support them. Our automatic encryption 

even supports Mac OS X Universal Binaries 

running on PPC and Intel and of course it 

protects both executable code resources. 

news 

SmartShelter PDF Media 

Since February 2006 our new Smart- 

Shelter PDF plug-in for the free Adobe 

Acrobat Reader is available – free of 

charge and officially licensed by Adobe. 

Create and protect your documents with 

Adobe Acrobat. You can just choose the 

protection type CodeMeter Security via 

document options. The protected document 

can be read with both Adobe 

Acrobat and the free reader if our plug-in 

is in the directory and a CM-Stick with the 

right license is connected. 

Furthermore in February we are starting 

the first projects with a media player. Now 

you can easily protect videos and sounds 

with CodeMeter. Are you interested in it? 

Ask for your Development Kit. 

Design Award 2006 in the 

Federal Republic of Germany 

The CM-Stick/M was awarded 

with the iF Design Award in 

Hanover and Shanghai and 

now it has been nominated 

for the German design prize. 

This is a sign for the compatibility 

of function, aesthetics 

and manageability. Special thanks goes to 

our designer “Design Team Quer” in 

Gelnhausen (Germany) and the employees 

involved. 

WEEE registration 

WIBU-SYSTEMS is enrolled in 

the German electronic waste 

register EAR via WEEE-Reg.- 

No. DE 90465365. 

It includes all CM-Sticks and 

WIBU-BOXes. 

No.11 | 2006 11


SIIA Codie Awards 2006 Finalist 

Best security software 

At SIIA Codie Awards 2005, Code- 

Meter has been selected as finalist 

in the category “Best Digital Rights 

Management Solution: Software” 

by an international jury and now at 

the SIIA Codie Awards 2006 in the 

category “Best Security Software”. 

It shows that with CodeMeter there 

is a product with benefits for both 

the vendors of software and digital 

content by a unique solution providing 

the highest level of security 

and flexibility. Users get a superior 

DRM systems and additional PC 

security functions such as secure 

login and file encryption and a 

mobile password manager. 

SIIA Codie Award 2005 Finalist 

Best Digital Rights Management 

Solution: Software 

iF Product Design Award 

2005 CeBIT 

iF Design Award 

China CeBIT asia 2004 

CM Password Manager 2.20 | New features 

Every user should get assistance through 

the CM Password Manager while trying 

to manage his or her passwords and 

taking advantage of the new security 

features. 

The new version 2.20 memorizes new 

passwords using the Internet Explorer, 

Firefox, Mozilla and Netscape running 

under Windows. This helpful tool for 

password management recognizes the 

various fields required for access to 

Internet pages. 

Calling an Internet page typically requires 

mandatory entry of a user name and a 

password. This causes the password manager 

to check for the required field data 

stored on the CM-Stick and initiates the 

transfer and the insertion of the data 

available. If data is not present, the software 

asks the user for input and memorizes 

the required data. In addition fields 

and marked control fields of a template 

will be stored together with any state 

information coming from selected fields 

or check boxes. 

Also, multiple accounts can be setup for a 

single web page, i.e. if you have multiple 

Convenient and mobile 

access control 

You are using various user accounts? 

The CM Password Manager stores many 

different passwords and data in your CM- 

Stick. You can make use of them on any 

PC very conveniently while maintaining 

your mobility. 

e-mail accounts using one provider. You 

choose your account before you enter 

your data. Learning forms on websites is 

another new feature. Changes in a website 

form will be updated automatically in 

your CM-Stick 

All access data is encrypted inside a 

SmartCard chip as an essential security 

component of the CM-Stick. Data would 

be kept safe and available as if they are 

memorized by someone’s excellent brain. 

Data therefore can be carried conveniently 

in your pocket or on a bunch of keys. 

Protection against phishing 

As the CM Password Manager checks for 

the exact URL or domain before fill in of 

access data, phishing attacks have no 

chance, even if your browser shows a 

counterfeited URL. Protection is assured, 

since Internet pages are either entered 

manually or are filled in automatically 

one time with the right address. 

In addition it can be made obligatory to 

select HTTPS for ensuring a higher level of 

security. 

Auto-Fill of web forms 

Upon detection of a form on a web page 

the password manger fills in the required 

data. The relevant access data will only be 

decrypted at the time of the data transfer. 

You can leave your computer unattended 

for a longer time without risking that 

unauthorized persons might get access to 

your accounts. The CM Password Manger 

allows you to determine that each automated 

fill in requires the input of your 

personal password. The same applies for 

accessing any data managed by the CM 

Password Manager. 

Identification of web pages 

Most of the URLs for web pages contain 

session IDs. On each visit of such a page a 

unique ID will be generated. Some of the 

password managers available can memorize 

the pages, but are unable to recognize 

them upon a next visit, since the 

stored session ID does not correspond to 

the one encountered. 

The contrary is the case with the CM 

Password Manager. You can determine on 

your own, whether a web page shall be 

identified by domain, by sub-domain or 

by the complete information of the URL. 

The portable Firefox 1.5 

The portable Firefox 1.5 is optimized for 

USB-Sticks and portable drives. It offers 

full browser capability and in addition 

supports themes and extensions. WIBU- 

SYSTEMS has developed a special plug-in 

for the portable Firefox to cooperate with 

the CM Password Manager. The plug-in is 

pre-installed and may be used together 

with CM Password Manager immediately. 

Having this stored in your CM-Stick/M, 

you can use it on any PC without need to 

install anything on this PC. 

Additional news 

There is a new category iTAN to store the 

new more secure indexed TAN-lists from 

many banks with upto 100 TAN numbers 

per list. You can check the quality of passwords 

or even generate good ones. The 

new utility dialog allows a secure deleting 

of all password data from your CM-Stick 

as well as writing to and reading from a 

file. Furthermore a new online help function 

offers useful hints. 

The CM Password Manager supports 

Windows, Linux and Mac OS X. 

Furthermore CM-Stick provides capabilities 

for personal security such as data 

product 

Easy to handle editing 

web forms 

encryption and data protection by access 

control. In addition there are options for 

advantageously purchasing software and 

the usage of a large flash storage capacity 

of up to 2 gigabytes. 

The CM-Stick or CM-Stick/M is a perfect 

gift for every PC user, for you, for your 

customer or your friends. 

www.codemeter.de 

12 No.11 | 2006 13


The new CodeMeter Development Kit 

comes with two universal sample applications 

that cover the most common 

protection and licensing schemes. 

The CodeMeter Development Kit comes 

with sample applications in multiple programming 

languages. The current release 

covers the programming languages C++, 

C#, VB6, VB.NET, Delphi and Java. 

Additionally the CodeMeter API-Guide is 

a perfect tool to assist you with the 

CodeMeter-API. The CodeMeter .NET 

framework can be used with all .NET languages, 

so the samples implemented in 

C# or VB.NET can be adapted easily. 

CmDemo | A universal sample 

The CmDemo sample application is a universal 

project that demonstrates the 

implementation of the most common API 

functions. CmDemo is implemented in 

almost all of the programming languages 

that are supported by the CodeMeter 

Development Kit. 

For a better clarity the API functions are 

used in self-contained subroutines that 

are accessed by thematically tabbed 

pages: 

p Basics 

This tab page demonstrates the accessing 

and reading of entries, as well as the 

encryption feature. So this section contains 

the code that is needed in most of 

all CodeMeter implementations. 

p Managing 

This tab pages demonstrates the listing of 

complete CM-Sticks, the reading of CM- 

Stick related information like runtime version, 

hardware version etc. The accessing 

of the LEDs is demonstrated as well as the 

network access and the error handling. 

p Programming 

Here the programming and deleting of 

different entry types is demonstrated. The 

code in this section can, for example, be 

used to develop your own programming 

tools. 

14 

p Remote Update 

This tab page demonstrates the CM-Field 

Activation Service (CM-FAS) feature, 

which allows you to re-program a CM- 

Stick from remote without shipping the 

CM-Stick itself. 

The event that corresponds to pushing 

the Run MyCode button executes code 

that can be entered in a separate subroutine 

to evaluate your own code fragments. 

CmCalculator | Modular 

protection and pay-per-use 

The CmCalculator example demonstrates 

the possibility of modular software protection 

combined with pay-per-use 

modality. The idea behind this is to send 

the user a protected application. In order 

to be able to use this program the user 

needs to have a predefined entry in his 

CM-Stick. For different modules he needs 

different additional entries; here in this 

sample this is implemented by the 

Feature Code of the license entry. 

Each mathematical operation of the 

CmCalculator decreases the tick counter, 

controlled by a Unit Counter, by a defined 

value. Different mathematical functions 

have different decrement values to implement 

pay-per-use with different costs for 

the multiple modules. 

p Basic functions will decrease the Unit 

Counter each time by one. 

p Power functions will decrease the Unit 

Counter each time by two. 

p Angle functions will decrease the Unit 

Counter each time by five. 

p Memory functions will not decrease the 

Unit Counter; this module is for free. 

p Factorial functions will decrease the 

Unit Counter each time by ten. 

For implementing the modular protection 

every module of the CmCalculator is represented 

by a bit in the Feature Code of 

the license entry of the CmCalculator. By 

re-programming the Feature Code, either 

directly, by CM-FAS or via CM-Talk, the 

modules can enabled or disabled. In the 

same way the tick counter can be reset to 

a new initial value. 

Antivirus solution combined with 

Digital Rights Management. 

CA and WIBU-SYSTEMS have started a 

strategical partnership in November. 

CA Computer Associates GmbH (CA), a 

German subsidiary of one of the worldwide 

leading companies for IT management 

software, and WIBU-SYSTEMS AG 

have been working together as partners 

since November. The aim is the creation of 

even more extensive levels of security for 

companies and users, combined with 

additional benefits such as password 

management and user friendliness. As a 

first product, CA provides the antivirus 

software eTrust Antivirus version 7.1 that 

is protected with CodeMeter (CM) of 

WIBU-SYSTEMS. The software can be purchased 

at a reduced rate via the shop 

www.codemeter.com by the users of the 

USB hardware CM-Stick. 

Birgit Bamberg, Channel Manager Indirect 

Sales at CA, explains: „Our customers 

are already aware of our security 

through our complete product portfolio. 

Therefore CodeMeter of WIBU-SYSTEMS 

is the perfect basis for our partnership. 

We can provide our customers with an 

optimal full service to eliminate dangers 

from the Internet with eTrust Antivirus. 

Now the users can use complex passwords 

via the CM Password Manager and so the 

level of security can be easily improved. 

We intend to offer other CA products 

CodeMeter-protected such as eTrust 

PestPatrol AntiSpyware via the online 

shop.“ 

And Oliver Winzenried, C.E.O. of WIBU- 

SYSTEMS, adds: “Since its appearance, the 

well-known email worm “I love you” in 

2000 has increased awareness of virus 

dangers for many users. Securing the PC 

at work and at home needs correct handling 

of passwords. Especially helpful for 

the user is that the CodeMeter version of 

eTrust Antivirus combines both. It is 

important that security can be used easily 

and comfortably.” 

eTrust Antivirus 

eTrust Antivirus achieves protection for 

companies in real time against the most 

important attack – Viruses. The powerful 

virus protection software sniffs viruses out 

automatically and eliminates them. It 

combines the advanced use of virus 

removal and signature updates. The soft- 

hotspot 

New CM sample applications CA available in the CM-Shop 

ware secures the communication through 

the protection of critical mail servers and 

the IT infrastructure, starting with servers 

and desktops up to wireless end devices. 

CM-Stick 

The CM-Stick is a mobile device, which 

allows the user to store passwords securely 

and always have them at hand. The 

device can be used everywhere to encrypt 

files, purchase software at a reduced rate 

and to lock or unlock the computer. 

The CM Password Manager is an extremely 

helpful facility: it administrates a variety 

of different passwords and fills in the 

access data of required web sites automatically. 

All this information is of course 

stored in the CM-Stick. Additionally the 

CM-Stick stores the correct web sites and 

they will be checked automatically. Consequently, 

the user is protected against 

phishing attacks and spying through keyboard 

entries via trojan horses. The CM- 

Stick will be especially useful for online 

banking users. A serially numbered TAN 

list helps with the execution of all transactions. 

The CM-Stick is available with a 

memory of 128 MByte up to 2 GByte. 

www.codemeter.de 

I M P R E S S U M 

KEYnote 11. Edition, Spring 2006 

Publisher: WIBU-SYSTEMS AG 

Rueppurrer Strasse 52-54 · D-76137 Karlsruhe 

Phone: +49-721-93172-0 · Telefax: +49-721-93172-22 

Email: info@wibu.com · www.wibu.com 

Responsible for the content: Oliver Winzenried 

Editors: Marcellus Buchheit · Norbert Geissler 

Rüdiger Kügler · Stefan Nikolaus · Elke Spiegelhalter 

Stephan Süptitz · Oliver Winzenried 

Letters are welcome at any time. They are protected by 

the secret of the editorial staff. Articles identified by 

name don’t absolutely reflect the opinion of the editors. 

No.11 | 2006 

15


No. 1 

in Software and 

Document Protection 

p Highest security 

p Vendor selectable secret and private key 

p Strong encryption algorithms with AES 128 bit and ECC 224 bit 

p Best-in-class tools for automatic protection (envelope, no source modification) 

for Win32, Win64, .NET, Java and MacOS X Universal (PPC, Intel) 

p Best flexibility 

p More than 1000 independent licenses can be protected by one CM-Stick 

p One versatile hardware key for all license models including floating network licenses 

p Multi platform support including Windows, Mac OS X and Linux 

p New distribution channels 

p License transfer by SOAP based CM-Talk or file based Field Activation Service in eShops 

p Multiple purpose, including protecting low cost software and content 

p Unique end user advantages 

p First and smallest dongle with up to 2 GByte Flash Disk 

p No drivers necessary – can be used without administrator rights 

p CM Password Manager, secure virtual drive and secure login 

Order your free Software Development Kit now! 

Phone 1-800-6-GO-WIBU | testkit@wibu.com 

2005 | Best Digital Rights Management 

Solution: Software 

2006 | Best Security Software 

The very highest quality by 

WIBU-SYSTEMS! 

More than 3000 application developers 

and creators of intellectual 

property trust in WIBU-SYSTEMS 

solutions since 1989. 

WIBU-SYSTEMS USA Inc. 

2429 NW 197th Street 

Shoreline, WA 98177, USA 

www.wibu.com 

Tel: 1-206-546-4891 

Fax: 1-206-237-2644

KEY - CodeMeter

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?