Software protection by USB-memory-stick

Posted by GuenterP 
GuenterP
Software protection by USB-memory-stick
August 06, 2008 11:44AM
'USB memory stick' is a protected trade name of SONY
'USB mass storage device' is the non-protected but rather ambiguous acronym
------------------------------------------------------------------------

After having some troubles using the Rockey2 USB-dongle [www.ftsafe.com] in a stored procedure on a Windows Vista 64 system (the DLL can't be registered), I started to think - once again - about software protection. Licensed users should be able to execute THEIR program on any computer they want. Any binding of software to the hardware implies that users would have to call and have to re-enter a new license key. The questions are: what happens after hours and on weekends and can the user fake a situation of a defective computer only to get a second license cheap.

Only a portable hardware key can get those things straight.

So, I found out that nearly every USB-memory-stick has a unique serial number (for Vendor & revision) burnt into it. So, no one can replace it with a stick of the same serial#. Beware: This is NOT the volume serial number of the formatted USB-drive! Leaves the 'problem' of how to retrieve the hardware-serial# of a USB memory stick ..

As it turned out, it is no problem at all, because the WinDev 11+12 USB functions deliver this serial# without a need to resort to Windows API calls !!

Look at the program example of the USBListDevice(..) command. The variable sDevice holds a long string which in fact are some concatenated infos, all parts separated by a '&' character. Near the end you'll find the hardware serial number of the memory stick!

PC Soft has extracted 5 parts of this string - but not the serial# - as USBProperties. However, we can extract the serial# from the unique USB-device identifier (sDevice)!

sDevice:
USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MINI&REV_0.1\SNDK3EE594080EB00406&0

Serial#:
SNDK3EE594080EB00406

If you want to check whether the serial# is correct or not and/or dig a bit more into USB characteristics, you can use NirSoft's freeware utility USBDeview: [www.nirsoft.net]

Idea for a software protection mechanism:
We will put an encrypted file onto the dongle that contains textual customer information, features of the software and the serial number and vendor name of the USB memory stick. The software just has to read / decrypt the information contained in that file and check whether the actual hardware serial# of the memory stick equals the serial# retrieved from the encrypted file. License changes can be distributed as an attachment file to an e-mail and copied to the memory stick. No interruption of customer's use of the software will take place.

Advantage 1: Even small numbers of software can be protected. Just buy 5 USB memory sticks for a small project ..

Advantage 2: Independence from a certain dongle maker and their more or less complex schemes of contacting their dongles.

Advantage 3: It's way cheaper to buy a standard USB memory stick than to buy a dongle. Cheap dongles come in minimum quantities of at least 100. USB memory sticks with 64 MB storage start at 3,- Euros - you can even have them with custom logo (and your program's name on it!) e.g.: [www.tlntradecompany.com]






Edited 1 time(s). Last edit at 08/06/2008 11:55AM by GuenterP.
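
The check described in the post above, as an added example in Python (not code from the thread and not WinDev's API): it pulls the serial# out of the sDevice string and accepts a licence file only if it is intact and names that serial#. The JSON layout, the HMAC tag (a stand-in for the post's encrypted file and checksums), DEMO_KEY, the function names and the customer data are assumptions made for illustration.

```python
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key"   # constructed; see the note in check_licence
SAMPLE_ID = r"USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MINI&REV_0.1\SNDK3EE594080EB00406&0"


def parse_device_id(device_id):
    """Split a USBSTOR identifier into vendor, product, revision and serial."""
    parts = device_id.split("\\")
    if len(parts) != 3 or parts[0].upper() != "USBSTOR":
        raise ValueError("not a USBSTOR device identifier")
    fields = {}
    for token in parts[1].split("&"):
        name, sep, value = token.partition("_")
        if sep:
            fields[name.upper()] = value
    instance = parts[2]
    # When a stick reports no serial number, Windows generates the instance ID
    # itself and its second character is '&'. Such an ID is not a hardware serial.
    if len(instance) > 1 and instance[1] == "&":
        serial = None
    else:
        serial = instance.rsplit("&", 1)[0] or None   # drop the trailing "&0"
    return {"vendor": fields.get("VEN"), "product": fields.get("PROD"),
            "revision": fields.get("REV"), "serial": serial}


def make_licence(customer, seats, serial, key=DEMO_KEY):
    """Vendor side: serialise the licence and append an integrity tag."""
    body = json.dumps({"customer": customer, "seats": seats, "serial": serial},
                      sort_keys=True).encode()
    return body + b"\n" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def check_licence(blob, device_id, key=DEMO_KEY):
    """Return the licence fields if the file is intact and bound to this stick."""
    body, _, tag = blob.rpartition(b"\n")
    # A key shipped inside the program can be extracted from it; verifying a
    # public-key signature instead keeps the signing secret with the vendor.
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None                       # file edited, truncated or re-tagged
    licence = json.loads(body)
    serial = parse_device_id(device_id)["serial"]
    if serial is None or serial != licence["serial"]:
        return None                       # file copied to a different stick
    return licence


if __name__ == "__main__":
    blob = make_licence("Constructed Customer Ltd", 5, "SNDK3EE594080EB00406")
    print(check_licence(blob, SAMPLE_ID))
```
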
PETER ZHOU
Re: Software protection by USB-memory-stick
August 06, 2008 12:42PM
Hi GuenterP,

Thank you for this info !

Regards,

PETER ZHOU

Toddy Utomo
Re: Software protection by USB-memory-stick
August 06, 2008 05:35PM
Hi Guenter

Are you sure that no one can replace USB memory stick serial#?

Great idea :spos:
Thanks for sharing

Best Regards
Toddy
GuenterP
Re: Software protection by USB-memory-stick
August 06, 2008 08:25PM
Yes, I'm sure. It's burnt into the memory stick and it's NOT the volume serial number of the formatting process. Kind regards, Guenter
Gianni Spano
Re: Software protection by USB-memory-stick
August 06, 2008 11:52PM
Hi Guenter

Great! It is a good idea..but only for small number of clients.

What about an installation for 10/15 clients? Do I have to buy 10/15 usb mem-stick?
Probably yes.

I agree with you when you say that a customer can format/change a hard disk, but the usb mem-stick still contains the necessary information to restart using the application.

Yes...it is a cheap solution...my congratulations for this good idea.

Gianni
GuenterP
Re: Software protection by USB-memory-stick
August 07, 2008 12:13AM
Hi Gianni,

my additional trick is to put the dongle / usb-stick on the hf c/s server computer only and let it control access to the database by use of a stored procedure. Each workstation looks for the number of logged-in workstations by HListUser(...) i.e. counting the users. So, only a single usb-stick per network has to be used. This is fine for remote access over the web and for mobile computers too. No one has to fear a lost dongle.

usb-sticks (3 - 8 Euros) are cheap compared to regular dongles (~ 25 - 40 Euros) like the aladdin-dongle that's used by PC Soft. Regular dongles do need drivers which sometimes fail to work properly. A usb stick doesn't need any unusual drivers. If a single piece of your application is stolen, how many usb sticks can you buy for that? My experience is that unprotected software will be 'distributed' by your customers in one or another way. It even hurts when you find that your customer uses your software on five computers instead of just a single one.

However, inventory of dongles can easily become expensive while usb sticks can be bought in small batches - if you don't choose to have your logo on them. Minimum quantities are 50 - 100 for that purpose.

Kind regards,
Guenter
Al
Re: Software protection by USB-memory-stick
August 07, 2008 01:59AM
Hello Guenter

I think it's a great idea, very innovative.

One thing to keep in mind running it on a server. Because the device is actually a drive and some boards can boot from a USB drive, you may run into some opposition from sysadmins, because your usb stick may interfere with the startup.
We have a couple of sites where they run backup hard disks connected by USB and these have to be unplugged before the servers will reboot, which makes remote reboots impossible, because the servers try and boot from the usb drives.

Regards
Al
KenKnight
Re: Software protection by USB-memory-stick
August 07, 2008 04:04AM
Kudos GuenterP... Truly outstanding idea!

Cheers!
Ken
Peter Raines
Re: Software protection by USB-memory-stick
August 07, 2008 06:44AM
Of course it's not difficult for someone to create a virtual USB driver which will give your app the serial number required, or simply to debug your exe to bypass the serial number check. As far as security goes, HASP HL dongles are still a far better option. But for a cheap and cheerful security measure, the USB mass storage device is a good idea.

-Peter
GuenterP
Re: Software protection by USB-memory-stick
August 07, 2008 08:23AM
Quote
Al
Hello Guenter

I think it's a great idea, very innovative.

One thing to keep in mind running it on a server. Because the device is actually a drive and some boards can boot from a USB drive, you may run into some opposition from sysadmins, because your usb stick may interfere with the startup.
We have a couple of sites where they run backup hard disks connected by USB and these have to be unplugged before the servers will reboot, which makes remote reboots impossible, because the servers try and boot from the usb drives.

Regards
Al

Hi Al,

yes, the memory stick will force Windows to generate a drive number and this could interfere with the boot sequence. However, the boot-sequence is to be defined in the BIOS of the motherboard of that computer. If 'USB-device' is the first to boot (which could be put as such in the BIOS for debugging purposes) we'd be bad off. So, a warning to our customers will be in order.

I'll take care of that in my help system for the program - we usually don't see our customers. There are hundreds of them, mostly with single workstations up to about 10 computers in small networks maximum and we have to give enough info to the consultant who does the real work there.

Thank you for pointing us to a potential cause of disaster!

Kind regards,
Guenter
GuenterP
Re: Software protection by USB-memory-stick
August 07, 2008 09:08AM
Quote
Peter Raines
Of course it's not difficult for someone to create a virtual USB driver which will give your app the serial number required, or simply to debug your exe to bypass the serial number check. As far as security goes, HASP HL dongles are still a far better option. But for a cheap and cheerful security measure, the USB mass storage device is a good idea.

-Peter

Hi Peter,

of course, the thing is vulnerable - like any protection device is. For dongles there are some companies like [www.endlessvisions.com] plus a lot of hackers like [www.woodmann.com] who specialize in removing dongle protection. Usually, dongles don't have lots of information on them. A serial number, some feature bits and that's it.

Replacing the USB driver is a nice idea but the contents of the memory stick has to be there too - otherwise the software itself or the encrypted file have to be changed. The encrypted file contains textual customer information, the serial# of the memory stick, features like licensed seats and three checksums for all and parts of the information with weird algorithms. There is no real limitation of license data you can put onto the memory stick - this is the difference between a dongle and a memory stick.

As I see it, a hacker would try to crack the encrypted file on the memory stick first. Since RC516 on a previously compressed text is not a simple to be cracked encryption method, he'd concentrate to find the unencrypted data somewhere in memory, which is not a hard job to do. So, he'd know what's in the file soon - but the real hack is to change the serial number of the memory stick plus the textual customer identification in the file, re-calculate the checksums and re-encrypt the data into a new file. I'm using three checksums with different algorithms - this calls for decoding and understanding parts of the software.

Debugging a WinDev-program is much more of a challenge for a hacker than you'd expect. Long ago, we tried that to find out how hackers could decode our WinDev software or how they could apply changes in order to bypass protection mechanisms. Since a WinDev program is represented in memory in p-code and not in x86 machine code, the hacker would have a good time in learning and decoding the representation of WinDev p-code first. There is no published standard available. Buying a copy of WinDev is recommended - something hackers do hate. They don't buy software, they steal it. Without studying the p-code, he'd find a rat's nest of calls to functions and procedures without knowing why it is done and what is done. Identifying the pieces of code which check for compliance of the memory stick is real hard work.

I don't say: it can't be done. But it would be hard work and who pays for that?

Kind regards,
Guenter
Peter Raines
Re: Software protection by USB-memory-stick
August 08, 2008 01:04AM
Sounds reasonable Guenter, well done.
Aelfassi
Re: Software protection by USB-memory-stick
August 08, 2008 07:20AM
Thank you very much Guenter for this suggestion, It is really a good alternative for dongles and I would add another advantage: Put the whole software installation on this USB instead of handing out the CD we can hand out the USB with the installation, documentation and also the Protection.

Once again it is a great Suggestion.
Aelfassi.
tunidev
Re: Software protection by USB-memory-stick
November 07, 2008 09:13PM
Hi
I like to know if there is a method to do this in windev 10?
Thanks
Jimbo
Re: Software protection by USB-memory-stick
November 07, 2008 10:48PM
No sorry, you'd need the USB-commands of WD11 or WD12. Warning! USBFind(..) still doesn't work with the USBDrive parameter ! Kind regards, Guenter
Milton
Re: Software protection by USB-memory-stick
November 08, 2008 01:38AM
Hi Tunidev,

I have to disagree on WD10 since I am using it with WD10 applications. Here is my code -

//Set variables
sDevices is string = USBFind(USBPropertyManufacturer," ")
gSerialNumber is string
gProceed is boolean

I have a table called "Unlock" in which I store all the USB device serial numbers for my application - these can be encrypted as required. To get the serial numbers I use the free utility suggested by Guenter from [www.nirsoft.net]

The person has to first logon with a valid username and password and if this is okay then I run the following code which also checks if the person is on our Citrix Network in which case they do not need the hardware lock as they are running the centralised application rather than the one on their standalone workstation -

//Check for valid hardware lock
HOpen(Unlock,"",hORead)
HReadFirst(Unlock,UnlockID)
WHILE NOT HOut(Unlock)
    //Is the serial number of this record among the connected USB devices?
    IF Position(sDevices,Unlock.SerialNumber)<>0 THEN
        gSerialNumber=Unlock.SerialNumber
        gProceed=True
    END
    //Advance exactly once per pass so that no record is skipped
    HReadNext(Unlock,UnlockID)
END

//Proceed or show message
IF gProceed=False AND fDirectoryExist("H:\TSProfile")=False THEN
Iconize(Menu)
Error("YOU MUST HAVE A VALID HARDWARE LOCK TO RUN THIS PROGRAM - PLEASE INSERT YOUR HARDWARE LOCK AND TRY AGAIN ")
Close(Menu)
END

I hope this helps but if you need further info please ask.

Milton
tunidev
Re: Software protection by USB-memory-stick
November 09, 2008 12:46AM
@milton
Thank you it's a great point to start protecting my software