Axprotector
IxProtector Windows
.NET Assembly: AxProtector .NET; IxProtector .NET; .NET commandline
Mac OS X Application or Dylib: AxProtector Mac OS X; IxProtector Mac OS X; Windows commandline; Commandline available for Mac OS X (runs on Mac OS X operating systems)
Java Application (Archive Format *.jar, Webarchive Format *.war): AxProtector Java; Windows commandline; Commandline available for Java (runs on Windows, Mac OS X, Linux, and Solaris operating systems)
Linux Application or Shared Object: AxProtector Linux; IxProtector Linux; Windows commandline; Commandline available for Linux (runs on Linux operating systems)
Files your protected application uses: AxProtector File Encryption; Windows commandline
Table 2: AxProtector – Applications to be protected, Project Types, and Encryption Tools
AxProtector:
• supports the encryption of all existing CodeMeter® license options (Product Item Options). Thus all necessary license
information is integrated into the encryption, for example, network licenses, or license checks at runtime.
• features functions to identify debugger use: in the case a debugger is detected, a CmContainer can be locked.
• provides the feature of "on-demand-decryption", i.e. parts of the protected application (source code and resources) are
decrypted only when accessed. This "on demand decryption" effectively protects against memory dumping and the
extraction of unprotected versions.
• offers the use of freely customizable user message dialogs including the creation of individual texts for purchasing
options or errors and also the embedding of company logos.
Structure and Navigation
You access AxProtector by using CodeMeterStartCenter or, alternatively, by the "Start | All Programs | AxProtector"
system menu item.
Export Wbc file Selecting this menu item exports the protection settings into a *.wbc file you are free to name and save.
Later you may use this file in the AxProtector commandline tool.
This menu item is active only after the project has passed all necessary checks.
Exit Select the "File | Exit" menu item to close AxProtector. Alternatively, close the AxProtector by the "x"
control or the <ALT+F4> key combination. Before exiting AxProtector you are prompted to save the
changes you have made to a project.
Options menu
Element Description
Language AxProtector provides different language versions of the graphical interface. Select from eight
different language settings: Chinese, German, English, Spanish, French, Japanese, Dutch, and
Portuguese.
? menu
Element Description
Content Select this menu item to open the AxProtector online help.
About Select this menu item to open a window holding AxProtector version information.
Navigation Window
For every project type, the navigation window displays the single protection steps in a tree view. The navigation allows
you to access each single step.
Input Window
For each protection step, the input window provides for specifying protection options using corresponding fields and
controls. You navigate through the single steps by using the "Next >" or "< Back" buttons at the bottom of each window.
This symbol informs you that you have set additional protection options using the "Advanced" button.
With a double-click on the and symbols you will automatically access the protection step to which the
information relates.
.NET Assembly
Other
File encryption
AxProtector Tab
This tab offers you the selection of the following project types:
Windows Application or DLL
.NET Assembly
Licensing Systems
After you select the file to be protected, the "Licensing systems" page displays in the input window. This is where you
can select which protection schemes will be used. Depending on your requirements, you can select one or all of the
check boxes (CmDongle and/or CmActLicense, WibuKey).
If you are switching from WibuKey to CodeMeter®, please activate both licensing systems.
In this way, you are able to ship updates and upgrades to existing customers who already have a WibuBox without
the need to replace the hardware. New end-users will be the ones to receive a CmDongle or a CmActLicense
together with the protected application.
For CmDongle and CmActLicense the following settings are available:
Element Description
Firm Code Specify the Firm Code to be used for encrypting the software.
The Firm Code 10 used in the figure above is the CmDongle evaluation Firm Code found in the
CodeMeter® Software Development Kit (SDK). In real life you would not use a Firm Code of 10,
since this would be insecure. The test Firm Code for CmActLicense is 5010.
As a registered licensor, you will be issued your own unique Firm Code(s).
Commandline option see here.
Product Code Enter the Product Code which defines the encryption of a specific product. You can freely choose this
identifier, e.g. for a separate module of a software application, or for a single application.
Commandline option see here.
Feature Code Enter the Feature Code which defines, for example, the encryption of different software versions.
By default, a Feature Code of 0 is set. This deactivates the use of the Product Item Option Feature
Map. Enter a 32-bit value to use the option.
Using the "…" button you may enter the feature map value in hexadecimal, decimal or binary format.
WibuKey
For setting WibuKey options, see the separate "WibuKey Developer Guide".
License Handling
This input window lets you define whether the protected application is to search for existing licenses locally in the
CmContainer, on the network or both. Moreover, you can define the license allocation (access) mode.
Subsystems
Here you can define in which subsystem (local or network) the protected application is to search for matching license(s)
(commandline options see here).
Element Description
Local This setting determines if the protected application searches exclusively for licenses located on the same PC or
allocated to the same VM.
Network This setting determines that the license of the protected applications is to be sought in the network, i.e. only PCs are
accessed where CodeMeter License Server runs and is activated as network server.
On selecting both subsystems at the same time, the license is first sought locally and then subsequently on
the network.
License Options
In this group you define how started instances of the protected applications perform together with the allocation of
licenses (commandline options see here).
Element Description
Normal user limit Here each started instance allocates a single license. It does not make a difference if the CmContainer was
found locally, or on a network.
Station Share Here multiple instances can be started on a single PC but allocate only a single license.
You use this setting, for example, when you want to provide the end-user with the option of starting
the application several times. On a terminal server each session allocates a license. In virtual
machines each machine allocates a license.
WibuKey Compatibility Mode Here each started instance in the network allocates a license (normal user limit) but the local access is
unlimited (no user limit).
This allocation option exists only because of compatibility issues with WibuKey. Wibu-Systems
recommends the setting 'normal user limit' and 'station share'.
Exclusive Mode Here a protected application can be started only once on a PC.
No user limit Here any number of instances of the protected application can be started locally or in a network, and no
additional licenses are allocated. Allocated licenses in this mode can be re-used.
Linger Time
Element Description
Ignore Linger Time Activate this option to ignore a programmed LingerTime.
This license option allows you to define an allocation time of the license after the license of a protected application
has been released or the protected application has been closed.
Runtime Settings
This input window lets you define the application's runtime settings, e.g. license checks for CmContainer, issue warnings,
etc.
Runtime Check
In this group you define whether and how often the protected application checks the license at runtime.
Element Description
Activate Runtime Check Activates or deactivates the check at runtime of the protected application.
Commandline options see here.
Period Defines the period between two checks. You specify this time interval in the format: hours: minutes:
seconds.
Max. Allowed Ignores Defines how often the end-user is able to ignore a failed check.
If the connection to a CmContainer should fail or the license cannot be accessed, you can assign a
reasonable number of “ignores” allowing the end-user to continue working without a license access.
Activate Plug-out Check (only CmDongle) This option closes the protected application when the CmDongle is removed while the application is running.
Immediately, an error message is issued. This option is valid for CmDongle only.
Commandline option see here.
Unit Counter Decrement
Decrementing a Unit Counter can serve to establish the validity of licenses in a CmContainer. This group allows you to
define this behavior (commandline option see here).
Element Description
Decrement by Defines the value by which the Unit Counter is decremented. This option causes a decrement of the counter
when the protected application starts.
If the "Also at Runtime Check" option is activated and the specifications are set as shown in the figure above
every 30 seconds (see the defined period) a set Unit Counter is decremented by a value of 1.
Also at Runtime Check Decrements the Unit Counter also at runtime of the protected application.
This option works only when the "Also at Runtime Check" option in the "Runtime Check" group is
activated.
Thresholds
In this group you define when a message is issued to give information on the validity of a license.
Element Description
Unit Counter If the Unit Counter falls below the defined threshold, a warning message is issued.
Commandline option see here.
Expiration Time (days) If the Expiration Time is reached within the defined threshold (in days), a warning message is
issued.
Commandline option see here.
Unit Counter
Defines the handling of a Unit Counter set in a license (commandline option see here).
Element Description
Standard Decrements at runtime and/or start time an existing Unit Counter entry in a license by the value defined on the
previous page.
If the Unit Counter reaches 0 (zero) the encrypted application does not start.
Required A Unit Counter entry <> 0 in a license is required. Without such an entry the encrypted application does not start at
all.
Ignore An existing Unit Counter entry in the license is ignored. The application does not decrement the Unit Counter. The
application will start with a Unit Counter entry set to 0.
Expiration Time
Defines the handling of an Expiration Time set in a license (commandline option see here).
Element Description
Standard Checks for an existing Expiration Time entry in a license. However, the application also starts if no Expiration Time
entry exists, or the current date precedes the Expiration Time.
Required An Expiration Time entry in a license is required. Without such an entry the encrypted application does not start.
Ignore An existing Expiration Time entry in a license is ignored, even if the current date exceeds the Expiration Time.
Activation Time
Defines the handling of an Activation Time set in a license (commandline option see here).
Element Description
Standard Checks for an existing Activation Time entry in a license. However, the application also starts when no Activation
Time exists, or the certified time is later than the Activation Time.
Required An Activation Time entry in a license is required. Without such an entry the encrypted application does not start.
Please note that in that case, an Internet connection for getting the certified time is also required.
Ignore An existing Activation Time entry in a license is ignored, even if the current date precedes the Activation Time.
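The Standard, Required and Ignore settings for Unit Counter, Expiration Time and Activation Time can be read as one start decision. The following is an added example, not Wibu-Systems code: `LicenseEntries`, `start_decision` and the sample data are hypothetical, and it assumes that Standard accepts a license with no Unit Counter entry and that Required applies the same expiry and activation checks as Standard.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class LicenseEntries:
    """Constructed stand-in for one license; None means the entry is absent."""
    unit_counter: Optional[int] = None
    expiration: Optional[datetime] = None
    activation: Optional[datetime] = None

def start_decision(lic, modes, now, certified_time):
    """Return (allowed, reason); modes maps each entry to 'standard', 'required' or 'ignore'."""
    mode = modes["unit_counter"]
    if mode != "ignore":
        if lic.unit_counter is None:
            if mode == "required":            # Required fails closed on a missing entry
                return False, "Unit Counter entry required"
        elif lic.unit_counter == 0:
            return False, "Unit Counter is 0"

    mode = modes["expiration"]
    if mode != "ignore":
        if lic.expiration is None:
            if mode == "required":
                return False, "Expiration Time entry required"
        elif now >= lic.expiration:           # starts only while now precedes expiry
            return False, "Expiration Time reached"

    mode = modes["activation"]
    if mode != "ignore":
        if lic.activation is None:
            if mode == "required":
                return False, "Activation Time entry required"
        elif certified_time <= lic.activation:  # certified time must be later
            return False, "Activation Time not reached"

    return True, "license entries accepted"

def all_modes(mode):
    """Use the same handling mode for all three entries."""
    return {"unit_counter": mode, "expiration": mode, "activation": mode}

# Constructed sample data.
NOW = datetime(2024, 6, 1, 12, 0)
NO_ENTRIES = LicenseEntries()
EXPIRED = LicenseEntries(unit_counter=5, expiration=datetime(2024, 1, 1),
                         activation=datetime(2023, 1, 1))
EMPTY_COUNTER = LicenseEntries(unit_counter=0)

if __name__ == "__main__":
    samples = [("no entries", NO_ENTRIES), ("expired", EXPIRED),
               ("empty counter", EMPTY_COUNTER)]
    for name, lic in samples:
        for mode in ("standard", "required", "ignore"):
            print(f"{name:14}{mode:10}", start_decision(lic, all_modes(mode), NOW, NOW))
```

In this model a license without any entries starts under Standard and Ignore but not under Required, and an expired license starts only under Ignore.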
Maintenance Period
Defines the handling of a Maintenance Period saved to the license. Then the use of a license is limited to software
versions which have been created, i.e. released, within this Maintenance Period. The Release Date is stored in the
protected application and at runtime a check is executed whether the date is within the defined period (commandline
option see here).
The option is available only if you activated the checkbox Release Date on the page "Licensing systems".
Check Certified Time This option checks to see if the Certified Time is older than the 'Maximum Certified Time Age' you defined
here. If the 'Maximum Certified Time Age' is exceeded, the application will not start.
Maximum Certified Time Age (hours) If you select the option "Check", you are able to define here the Maximum Certified Time Age in hours.
The age is calculated by the difference between the running System Time and the Certified Time.
Period without time checking (hours) Specifies the period (in hours) when no check of the Certified Time certificate is performed.
If this period is not reached, a check is not performed. If the age of the Certified Time certificate lies between
this period and the 'Maximum Certified Time Age', an attempt to update the Certified Time certificate is
performed. If this is not successful, however, the application continues running until the 'Maximum
Certified Time Age' is reached. Only then is an update of the Certified Time certificate
required.
System Time
In this area you define settings for additional protection preventing license manipulation by faked PC Time setting
(commandline option see here).
Element Description
Encryption Time check This option saves the time when the encryption takes place (PC Time) in the protected application. Then
the application runs on the user PC only when the CmContainer System Time is newer than the
encryption time.
Requires at least CodeMeter® 4.10.
CmContainer / PC System Time check If activated, these options define a time corridor in which a difference between CmContainer System
Time and PC Time is allowed. If the PC Time does not fall into this defined time corridor, the protected
application will not run on the user PC.
Minutes to be allowed older States in minutes how much the PC Time is allowed to be older than the CmContainer System Time.
Minutes to be allowed younger States in minutes how much PC Time is allowed to be younger than the CmContainer System Time.
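The Certified Time age bands and the System Time checks described above can be modelled as two small decision functions. This is an added example, not Wibu-Systems code: the function names, the `try_update` callable and the sample timestamps are hypothetical, "older" is read as the PC clock being behind the CmContainer System Time, and a successful update after the maximum age is assumed to let the application run.

```python
from datetime import datetime, timedelta

def certified_time_check(system_time, certified_time, no_check_hours,
                         max_age_hours, try_update):
    """Return (may_run, action) for the three age bands of the Certified Time.

    try_update is a hypothetical callable that attempts to refresh the
    Certified Time certificate and returns True on success.
    """
    age = system_time - certified_time
    if age < timedelta(hours=no_check_hours):
        return True, "no check"                      # period without time checking
    if age <= timedelta(hours=max_age_hours):
        if try_update():                             # update attempted, not enforced
            return True, "updated"
        return True, "update failed, maximum age not reached"
    if try_update():                                 # beyond maximum age: update required
        return True, "updated"
    return False, "maximum age exceeded, update required"

def system_time_check(pc_time, container_time, encryption_time,
                      older_minutes, younger_minutes):
    """Encryption Time check plus the CmContainer / PC System Time corridor."""
    if container_time <= encryption_time:
        return False, "CmContainer System Time not newer than encryption time"
    drift = pc_time - container_time                 # negative: PC clock is behind
    if drift < -timedelta(minutes=older_minutes):
        return False, "PC Time too old"
    if drift > timedelta(minutes=younger_minutes):
        return False, "PC Time too young"
    return True, "inside corridor"

# Constructed sample timestamps.
CONTAINER = datetime(2024, 6, 1, 12, 0)
ENCRYPTED = datetime(2024, 1, 15, 9, 0)

if __name__ == "__main__":
    offline = lambda: False                          # update server unreachable
    for hours in (2, 48, 100):
        cert = CONTAINER - timedelta(hours=hours)
        print(hours, certified_time_check(CONTAINER, cert, 24, 72, offline))
    # PC clock set back 30 days against a 60-minute corridor.
    print(system_time_check(CONTAINER - timedelta(days=30), CONTAINER,
                            ENCRYPTED, 60, 60))
```

With the update unreachable, the application keeps running at a certificate age of 48 hours and stops at 100 hours, and a PC clock set back by 30 days falls outside the corridor.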
Advanced options
This group allows you to set further options.
Element Description
Add control and about menu Adds the "About" and "Control" menu items to your application (commandline option see here).
Terminate host application When no valid license is found, in the case of protected DLL application files the calling *.exe is
terminated (commandline option see here).
Create mobile application [not yet implemented]
Security Options
This input window lets you select from different mechanisms and methods for protecting your application. You are able to
scale the degree of security for yourself, for example, how intensive the search for debugger is to be, or whether a
CmContainer is locked.
If the options you set here turn out to be incompatible with your protected application, you are also able to
separately deactivate single security options.
Advanced Protection Schemes
The advanced protection schemes deeply intervene into your application. In some cases, this may mean that some single
mechanisms will not work due to compatibility reasons (commandline options see here).
Element Description
Resource Encryption Also encrypts the resources of your protected application. After the start of your application, the
resources are located in the PC memory and are decrypted "on demand".
Static Code Modification Your software is modified in a way so that it is protected against debugging, dumps and reverse
engineering. These modifications are added to your application when encrypted.
Extended Static Modification This option adds extended multi-nested security mechanisms to the static code modification.
Dynamic Code Modification The source code of the application to be protected is modified dynamically at runtime of the application.
The options "Static Code Modification" and "Extended Static Modification" conflict with an activated option
"Activate Automatic File Encryption" on page "Advanced Options".
Anti-Debug Schemes
Debugger programs serve an honest role in searching for errors and finding bugs. But they may also be used by hackers
to analyze software. In this group you determine how to react to debugger programs (commandline options see here).
Element Description
Basic Debugger Check Checks if a debugger is attached to your application. If a debugger is found, your application will not be
started or will be exited.
Kernel Debugger Check Additionally checks for Kernel debugger programs, such as, SoftICE. If a debugger is found, your
application will not be started.
The next two mechanisms comprise methods for detecting specific debugger programs and tools.
Advanced Debugger Check Checks in an advanced search for debugger programs which may run parallel to your application, also
cracker tools, such as, ImpREC, are detected. If a debugger is found, your application will not be started.
IDE Debugger Check Checks for all debugger programs. With this option, debugger programs are not allowed at all, i.e. even
within developer environments, e.g. Visual Studio, Delphi. If a debugger is found, your application will not
be started.
Generic Debugger Detection Adds a mechanism to the application preventing the attachment of a debugger program to the application
at runtime.
Virtual Machine Detection Detects if the application is to be started on a virtual machine, and prevents this.
Activates license access lock This option locks the license access to the used Firm Item in a CmContainer as soon as a debugger
program is detected.
If this option is activated, the settings you defined in the dialog opened by the
"Configuration" button are applied.
Configuration If the option "Activates license access lock" is activated, you are able to define further settings in the dialog
which opens by clicking the "Configuration" button:
Depending on the Firmware used, this dialog allows you to define separate locking scenarios.
Locking Scenario Description
immediate locking is performed starting with Firmware Version 1.14 as soon as a debugger is
detected.
prepared locking is performed by checking the Firm Access Counter (FAC). The Firm Access
Counter is located at the Firm Item level of a CmContainer. This counter allows you to
control whether a Firm Item can be used for encryption and decryption operations.
By default, the FAC is deactivated and has a value of 65535 (0xFFFF). A software
vendor is able to program it to any other value. On detecting a debugger the FAC is
decremented by a value of 1.
If the FAC reaches a value of 0, the Firm Item is locked.
The owner / end-user of the locked Firm Items must contact the software vendor for
unlocking codes. This can be done by remote programming.
This input window lets you define the messages displayed if errors occur. You define whether a user message DLL with a
separate error display is used, or whether you use default error message windows.
Error Messages
Figure 5: AxProtector – UserMsgUs.ini
File name (without Language Extension)
Enter the file name without specifying path and language file extension.
The UserMsgDll is copied from the directory
This input window lets you set further options for the encryption using IxProtector and for the project type file encryption.
This menu item lets you manage license lists. You need these to protect using IxProtector via the Software Protection
API (WUPI).
License lists consist of a unique identifier (ID), a Description, and hold specifications on Items and Item Details.
This menu item also allows you to create License Lists. Please proceed as follows:
1. Click the "Add" button.
2. Assign in the area License List an Id and complete the field Description.
Element Description
Id This ID uniquely identifies a license list and serves for referencing.
By default, an ID of 0 is initially set by the selection of the licensing system. After that, you are able
to add license list entries with IDs starting from 1.
Description Here you will describe a license list with text.
3. Define the license by completing the fields in the License item details group.