7.2 Command Line Encryption
7.2.4 List of WKCRYPT Options
7.2.4.2 Options for Software Encryption
/1
This option selects encryption algorithm 1, which is compatible with WIBU-BOX version 1 or higher. For WIBU-BOXes of version 3 and 4, use algorithm 2, which allows more security and additional functions.
/2
This option selects encryption algorithm 2, which is only compatible with WIBU-BOX versions 3 and 4. Algorithm 2 has the following advantages:
- Much more secure than algorithm 1, because it uses the FEAL algorithm.
- Permits 32 bit Selection Codes.
- Supports, via bits 31 and 30, the touching of WIBU-BOX Limit Counters and the Network user limits.
- Secure information transfer between the client and a WkLAN server.
- Supports the test for an Expiration Date.
- Supports enhanced and more secure indirect encryption algorithms.
The version of a WIBU-BOX is listed in the WIBU-BOX contents of the /L command. The old silver WIBU-BOX always had version 1; the newer turquoise-colored WIBU-BOX has version 3 or 4.
/3
This option selects encryption algorithm 3, which is only compatible with WIBU-BOX version 5. Algorithm 3 has the following advantages:
- Much more secure than algorithm 1, because it uses the FEAL algorithm.
- Permits 32 bit Selection Codes.
- Supports, via bits 31 and 30, the touching of WIBU-BOX Limit Counters and the Network user limits.
- Supports the test for an Expiration Date.
The version of a WIBU-BOX is listed in the WIBU-BOX contents of the /L command. The old silver WIBU-BOX always had version 1, the newer turquoise-colored WIBU-BOX has version 3 or 4, and the WIBU-BOX/R has version 5.
/CA /CAD /CAG [l] /CAI /CAL /CAR [Time] /CAS[p] /CAT /CAU [A] /CAV /CAX [A] /CLC [S|R] /CLN [S|R]
The /CA option encrypts all subsequently specified files. With each execution, the encrypted files automatically decrypt themselves ("crypt automatic"). The option remains valid until a different encryption variant is selected via the /C option. It presently ignores the specifications selected by /S and /SI. An internal Selection Code depends on the Firm Code and User Code.
The option /CAD defines that the DOS part of Windows or OS/2 programs is encrypted. Normally this DOS section only receives a short code part which, when called under DOS, informs the user that the program requires Windows or OS/2. There are OS/2 Dual-Mode applications, which run on both DOS and OS/2, and so-called OS/2 BIND applications, which run on DOS with a simplified OS/2 environment. For such programs, it is advisable to protect the DOS
Chapter 7 Encrypting Programs
The option /CAG[l] adds an anti-debug checker to the automatically encrypted program. There are two levels of anti-debugging control. The first level (l=0) checks whether the protected application is started or runs in the context of a debugger. If the Runtime Check (see /CAR) is activated, the check is also performed during the runtime of the application. If a debugger is detected, the application is terminated without any feedback! The second level (l=5) checks whether a kernel debugger is installed on the current machine. If an installed kernel debugger is detected, the application will not be started. The second level also includes the first level.
Example: WKCRYPT /4 /F10 /U13 /CAR120,2GX WinMine.exe
encrypts the WinMine application with algorithm 4 and exclusive access to Firm Code 10 and User Code 13, automatically with a runtime check every 2 minutes, 2 retries and an anti-debugging control.
The default use is the protection of the complete program with the /CA option. When the /CAL ("limited") option is specified, the program protection is reduced to the interrogation whether the WIBU-BOX is available. It primarily serves to deactivate the default complete encryption.
The option /CAI defines that the root of programs with overlays can be expanded, since the applied overlay technique automatically searches for the new overlay location in the encrypted program. This is, for example, possible with the Microsoft Linker overlay technique, version 3.0, but not with Phoenix PLINK, Borland VROOM and a number of others. Should the technique allow the /CAI option, it should be employed. It offers the following advantages:
- The program is called faster and is shorter.
- Programs which are self-modifying, and which file the modified data at the file end, may run with fewer problems.
When the /CAL or /CR function is used to encrypt a number of program file sections for programs with overlays, the /CAI option must be specified. Otherwise, the WIBU-KEY overlay loader will not be able to find the partly encrypted program file root and subsequently aborts with the error message "WIBU-KEY Loader Error". Because only few overlay processes function after setting the /CAI option, the use of the WIBU-KEY is somewhat confined in this sector. The use of the Microsoft Overlay Linker (version 3.65, 5.0x, or 5.10) for DOS is straightforward. The option /CAI in connection with overlays and the option /CR or /CAL can be omitted when the following message is printed:
Root module in destination file reduced by xxx bytes
The technique will then function with other overlay processes.
Note: One can provoke the shortening via packing by specifying dummy ranges in the non-encrypted root module which consist of identical data (e.g. a larger field containing 0-bytes). Such ranges can be shortened by the WIBU-KEY packing algorithm.
The option /CAR permits a runtime check of an automatically encrypted Windows program. In addition to the check in the start phase of the program, the WIBU-BOX is checked during the execution of the program. In the argument of the option, the time interval for checking the WIBU-BOX can be specified. The time can be specified as a single value in seconds. It is also possible to specify a value in minutes and seconds, or in hours, minutes and seconds. Successive numbers must be separated with colons. The default value of the checking interval is 300 seconds (five minutes). The runtime check of the WIBU-BOX is only implemented for Windows programs.
Example: /CAR time specifications
/CAR85000 specification in seconds
/CAR1416:40 specification in minutes and seconds
/CAR23:36:40 specification in hours, minutes and seconds
Another argument for the /CAR option specifies the number of consecutive ignore dialog boxes. It is separated from the first value by a comma. The ignore dialog box appears if a proper WIBU-BOX is not found by a runtime check. By pressing Ignore, the user can continue the application for 10 more seconds. This time can, for example, be used to store application data. The default value allows such a dialog to be ignored three times. This means that without a proper WIBU-BOX the user can continue to work with an application for up to 30 seconds.
Example: Setting an Ignore Value
/CAR30,10 sets the time interval to 30 seconds; it is possible to ignore the dialog box 10 times or 300 seconds
/CAR30,0 in this case it is not possible to ignore the dialog box
/CAR,10000 with 10000 retry possibilities the program use is unlimited
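The /CAR argument grammar above (seconds, minutes:seconds or hours:minutes:seconds, an optional ignore count after a comma, either part omissible), as an added Python example that is not part of the manual or of WKCRYPT; the function names are assumed, and the defaults are the 300 seconds and three ignores stated above.

```python
# Defaults stated in the manual for the /CAR option.
DEFAULT_INTERVAL = 300   # seconds between runtime checks (five minutes)
DEFAULT_IGNORES = 3      # times the "ignore" dialog box may be pressed

def parse_car(arg):
    """Parse the text after '/CAR' and return (interval_seconds, ignores).

    The time part is 'S', 'M:S' or 'H:M:S'; the manual's own example
    1416:40 shows that minutes need not stay below 60.  The optional
    second part, after a comma, is the number of ignore dialog boxes.
    Either part may be omitted, as in '/CAR,10000' or a bare '/CAR'.
    """
    time_part, _, ignore_part = arg.partition(",")
    if time_part == "":
        interval = DEFAULT_INTERVAL
    else:
        fields = time_part.split(":")
        if len(fields) > 3 or not all(f.isdigit() for f in fields):
            raise ValueError(f"bad /CAR time specification: {time_part!r}")
        interval = 0
        for f in fields:        # each colon steps down one unit: h -> m -> s
            interval = interval * 60 + int(f)
    if ignore_part == "":
        ignores = DEFAULT_IGNORES
    elif ignore_part.isdigit():
        ignores = int(ignore_part)
    else:
        raise ValueError(f"bad /CAR ignore count: {ignore_part!r}")
    return interval, ignores

def to_hms(seconds):
    """Render an interval in the manual's 'hours:minutes:seconds' form."""
    h, rest = divmod(seconds, 3600)
    m, s = divmod(rest, 60)
    return f"{h}:{m}:{s}"
```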
The option /CAS [p] reduces the size of the code to be encrypted to the percentage specified in p=[0%…100%]. If this option isn't specified, the code will be encrypted 100%. This option should be used for very large programs, since the encryption can take a long time due to the large amount of data. Setting this option /CAS [p] improves the performance when starting the program. For small programs (1 MB), this option isn't required.
The option /CAU sets a specific user identification to access a WkLAN/WkNet server slot. The /CAUA option sets a specific user with auto-cancel of the previous network user. Please see Chapter 10.5.2 for more details.
The option /CAV activates the virus checker. It establishes with every start
of an automatically encrypted program whether the program is infected. This is accomplished by checking specific critical program locations for
changes. The disadvantage of the /CAV option is the reduction of the speed
at the program start. Should the virus checker locate a virus, the program execution is automatically stopped and a warning displayed on the monitor.
WKCRYPT /F10 /U13 /CA TEST.EXE
automatic encryption of the program TEST.EXE.
WKCRYPT /F10 /U13 /CAI OVLDEMO.EXE
encrypts the program OVLDEMO.EXE with overlays; the program root is expanded, as this is admissible with the overlay procedure.
WKCRYPT /F10 /U13 /CAV /CAD OS2DEMO.EXE
encrypts the DOS section of the OS/2 program OS2DEMO.EXE; the virus check is activated.
WKCRYPT /F10 /U13 /CAVD OS2DEMO.EXE
illustrates how a number of /CA options may be combined.
Example: Automatic Encryption of Program Ranges
WKCRYPT /F10 /U13 /CAI /CR48 /V CHAINBAS.EXE
starts the encryption at byte 48. This specification is necessary if Microsoft PDS-BASIC program chaining (version 7.1) is used in the program. If overlays are used, they must be shifted via the option /CAI.
WKCRYPT /F10 /U13 /CAI /CR512 /V DOSX.EXE
starts the encryption at byte 512. This specification is necessary if the program has been developed with the Phar Lap DOS Extender (version 4.0 or higher). In this case you should not use the option /CAI.
With the /CAT option the automatic checking of an Expiration Date is
enabled. The check happens at the start of the application and during the runtime in the specified interval.
The option /CAX sets the exclusive mode to access a local entry and/or a WkLAN cluster. The /CAXA option sets the exclusive mode with auto-cancel. Please see Chapter 10.5.2 for more details.
Note: The runtime check of the WIBU-BOX is only implemented for Windows programs.
/CH:HeaderAddress
With this option, the address of the AXAN header structure is specified. Typically, this address is specified as symbol name which is read from the MAP file by WKCRYPT.
AXAN is a variant of the Explicit Encryption technique which specifies all encrypted ranges as areas in the source code of a C, C++, Borland Pascal or Borland Delphi file. WKCRYPT analyzes these ranges in the compiled and linked executable file and encrypts the code or the data of the specified ranges compatibly with the decryption within the program code.
For more information about AXAN see the WIBU-SYSTEMS Programmer's Guide and the AXAN examples on the CD-ROM.
Example: AXAN Encryption Method
WKCRYPT /F10 /U13 /V /CH:_wkbaxhSample TEST.EXE
encrypts the TEST.EXE program by the AXAN Explicit Encryption method, which is started at address wkbaxhSample.
/CLC [S|R]
The /CLC option controls the use of the Limit Counter during Automatic Encryption. If an S follows, the Limit Counter is reduced by one in the start phase of the program. This feature permits controlling the maximum number of program starts. If an R follows, the Limit Counter is also reduced during the execution phase of the program. During each runtime check, the counter is reduced by one. This feature permits controlling the maximum execution time of a program.
The /CLC option is only supported with encryption algorithm 2. Currently the Limit Counter cannot be used in combination with the Automatic Encryption of DOS programs.
Example: Limit Counter
WKCRYPT /F10 /U13 /CAR /CLCSR TEST.EXE
/CLN [S|R]
The /CLN option is similar to the /CLC option, but touches the network User Limit Counter.
The /CLNSR option restricts the number of users within a network, but counts a single workstation as one license, even if the protected program has been started several times.
/CR:Address[+OffsetSystemNumber]:LengthSystemNumber
/CR:StartAddress[+OffsetSystemNumber],EndAddress[+OffsetSystemNumber]
This option specifies an encryption range within the subsequently specified files. The ranges can be either directly or indirectly encrypted with the specified Firm Code and User Code. The current Selection Code is used to select the encryption algorithm variant. If only one address is specified, the file is encrypted from this address to the end. Two specifications serve to confine a range: one can either specify the length of the required range or the address which designates the byte following the range. Addresses can be given with offsets, the value of which may be either added to or subtracted from the address value.
A number of /CR options can be specified in succession. Sorting the start addresses is not necessary. The specified ranges should not overlap; otherwise the range with the smallest address will be shortened. The specified /CR option refers to the list of file groups specified below. When a number of file lists is entered in a number of lines within a command file, each file list must be preceded by its own /CR options.
For programs, the actual address within the code is to be specified. With COM files, this is the byte position within the file plus 256 (100h). With EXE files, the variable length of the EXE header must be taken into account. Moreover, when the code of an EXE file happens to be stored relatively, it begins at the relative address 0.
The option /CR may be used to automatically encrypt a number of program sections. In such cases, one often leaves the initial section of the program unchanged. The program is then automatically encrypted from this address to the program end, or to the end of the root in the case of programs with overlays. The address specifications always refer to the actual program code. In the case of a direct address determination, the length of the EXE header is to be added (e.g. determined via a file dump).
The Automatic Encryption by WKCRYPT is realized in a fashion that allows the relocation addresses of non-encrypted ranges to remain in the header of the EXE program. Furthermore, the position of the data in non-encrypted ranges is not changed with respect to the start of the protected program file, compared with the original program. The packing of the Automatic Encryption begins at the start of the last encrypted range, which must extend to the end of the file. Non-encrypted regions will not be packed.
Addresses, offsets and length specifications may be octal or hexadecimal. Another possibility is the use of symbols instead of numeric values. These are the names which are also used within the source codes, and which will be located within the MAP-file created by the linker. A symbolic address has the following format:
[SegmentName!]SymbolName
The segment name must be specified when the symbol used is defined in a number of segments, which is not usually the case. The defined segment names may be extracted from the compiler description. Due to the fact that the MAP file is a text file, one can easily determine the segment name by analyzing it. The segment name is separated from the actual symbol name by an exclamation mark. No blank may exist between the names.
The addresses in the vicinity of symbols can also be designated with the aid of offsets. These offsets may be either positive or negative; in the latter case, a minus character follows the address. No blanks may exist between addresses and offsets. Offsets or lengths may not be specified via symbols. They must be fixed numbers.
When reading, WKCRYPT differentiates between capital and lower case letters. The names in the argument of /CR must be identical to those in the MAP file. Please note that with the linker, one can usually specify whether names are to be automatically converted to capitals or not. Moreover, one should know that the Microsoft C compiler and products compatible with it set an underline (_) in front of variable and function names.
C++ compilers normally export their function names in the "decorated name" form. WKCRYPT removes this decoration automatically for the Microsoft C++ compiler and compatible products. That is why the original function name, prefixed with the underline character, may be specified in the argument of the /CR option.
In each of the subsequently specified files, the symbols are sought in the MAP file and evaluated. Hence, the same symbol can possess a completely different address in a different file.
Should any difficulty arise regarding the addresses of specified ranges, simply select the /V option. This will display a list of the currently used
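The /CR range syntax, symbolic addresses with offsets, the case-sensitive MAP lookup, the COM/EXE address rule and the overlap rule described above, as an added Python example rather than WKCRYPT's own code. It assumes an 'h'/'o' suffix for hexadecimal/octal numbers and a constructed MAP excerpt, since the manual specifies neither.

```python
import re
# Constructed MAP excerpt keyed "Segment!Symbol" (not a real linker MAP file); names are
# case-sensitive and carry the Microsoft C compiler's leading underline.
SAMPLE_MAP = {"_TEXT!_main": 0x0010, "_TEXT!_check_box": 0x0100,
              "_DATA!_table": 0x0800, "FAR_DATA!_table": 0x0C00}  # _table: two segments
# Decimal by default; 'h' suffix = hexadecimal, 'o' suffix = octal (suffix notation assumed).
NUMBER = re.compile(r"^(?:(\d+)|([0-9A-Fa-f]+)[hH]|([0-7]+)[oO])$")

def parse_number(text):
    m = NUMBER.match(text)
    if not m:
        raise ValueError(f"not a number: {text!r}")
    dec, hexa, octa = m.groups()
    return int(dec) if dec else int(hexa, 16) if hexa else int(octa, 8)

def resolve_address(term, symbols):
    """'Address[+Offset]'/'Address[-Offset]'; Address is a number or a case-sensitive '[Segment!]Symbol'."""
    m = re.match(r"^([^+\-]+)(?:([+-])([^+\-]+))?$", term)
    if not m:
        raise ValueError(f"bad address term: {term!r}")
    base, sign, off = m.groups()
    if NUMBER.match(base):
        addr = parse_number(base)
    else:
        hits = [v for k, v in symbols.items()
                if k == base or ("!" not in base and k.split("!", 1)[1] == base)]
        if len(hits) != 1:  # undefined, or defined in more than one segment
            raise ValueError(f"symbol {base!r} unknown or ambiguous; use Segment!Symbol")
        addr = hits[0]
    return addr + parse_number(off) * (1 if sign == "+" else -1) if sign else addr

def parse_cr(option, symbols, code_end):
    """'/CR...' -> half-open (start, end): 'A:Length', 'A,B' (B is the byte after the range) or 'A' to code_end."""
    spec = re.sub(r"^/CR:?", "", option, flags=re.I)
    if "," in spec:
        a, b = spec.split(",", 1)
        start, end = resolve_address(a, symbols), resolve_address(b, symbols)
    elif ":" in spec:
        a, n = spec.split(":", 1)
        start = resolve_address(a, symbols)
        end = start + parse_number(n)
    else:
        start, end = resolve_address(spec, symbols), code_end
    if not 0 <= start < end <= code_end:
        raise ValueError(f"range {start:#x}-{end:#x} is empty or outside the code")
    return start, end

def to_file_ranges(ranges, header_len):
    """Shorten the lower of two overlapping ranges, then shift code addresses to file offsets
    (header_len = EXE header length; pass -256 for COM files, where address = file position + 256)."""
    fixed = []
    for start, end in sorted(ranges):
        if fixed and start < fixed[-1][1]:
            fixed[-1] = (fixed[-1][0], start)
        fixed.append((start, end))
    return [(s + header_len, e + header_len) for s, e in fixed]
```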
This option specifies which subsystem will be used for the Automatic Encryption. The following flags may be used:
- K to select the local (kernel) subsystem
- L to select the WkLAN subsystem
- N to select the WkNet subsystem (currently not supported)
The default setting is /CSLK to search first on the local computer and then
on the local network. The end user can change the search order for the
subsystems with the Control Panel Applet. It is not possible to add a
subsystem that has not been specified with the /CS option.
Note: The selection of subsystems is only supported for Windows programs.
/CVn.nn
With this option, the minimum driver version for the automatic option is specified. Valid values for n.nn are: 2.50 (default), 2.51, 2.53, 3.00.
/CX
With this option, the subsequently specified files are interpreted as programs. The program code or data ranges are encrypted on the byte level ("crypt execute"). These ranges can then be explicitly decrypted. The option remains valid until a different encryption variant is activated.
The option /CX expects a pattern in the executable file, which WKCRYPT replaces by the Firm Code and User Code specified with the /F and /U options. Should this pattern not be found, the warning WK4002 will be issued. In this event the following causes are possible:
- The program has already been encrypted via the option /CX and the pattern has already been substituted by a valid Firm Code and User Code. The program has been encrypted twice and probably contains errors.
- The program has not been linked with the WIBU-KEY driver, which always stores the Firm Code and User Code pattern in an application. This can therefore indicate an incorrectly linked program.
With the option /CX, no encryption ranges are set by default. When no /CR option is specified, WKCRYPT will only search for the Firm Code and User Code pattern in the program file. Using the /CX option, WKCRYPT recognizes relocation addresses within the code of executables. Because such information cannot be encrypted, an encryption sequence is stopped at the first detected relocation address, and the warning WK4001 will be printed. To guarantee that the decryption of this range is compatible