Intel® Fortran Compiler

mapfileandchecksum

acar
Beginner
1,242 Views
I understand that I can perform a checksum on my application and compare it with the value created at link.
I've tried using mapfileandchecksum in my application but the function is not found. I see that there is no imagehlp.mod file for me to use so I've tried adding imagehlp.lib into the additional dependencies of my project. That does not work either.
Is there any experience of using this function available within the community?
Thanks in advance for your assistance.
ACAR.
0 Kudos
10 Replies
Steven_L_Intel1
Employee
You need more than just adding the library - you need an interface with the correct declaration of the routine and its arguments. I have attached an imagehlp.mod which declares just this routine (I'll add more to it later). I tested it and it worked.

I would ask what you expect this routine to do for you - why are you calling it?
0 Kudos
acar
Beginner
I was hoping to provide a first defense (although not foolproof) against allowing my application to run if it has been tampered with. I was hoping that this routine might do this for me?
0 Kudos
Steven_L_Intel1
Employee
Anyone who intentionally tries to tamper with your executable is smart enough to update the header checksum. That is really just a minimal defense against file corruption. Adding a digital signature to your EXE would be much better, but I suppose you'd need a way to ensure that the exe is still properly signed by you, as I think it would be easy to replace the file with a tampered copy lacking the signature. Windows will refuse to activate a signed image that doesn't hash out correctly. However, obtaining a digital signature certificate for applications can be expensive, depending on what your needs are, and needs periodic renewal.

What sort of application do you have that this is a concern? There may be a better way to deal with this.
0 Kudos
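An added example, not posted by anyone in this thread: the header checksum discussed above, recomputed in Python with the commonly documented PE checksum algorithm (assumed here to match what MapFileAndCheckSum reports as its header and computed values). The image is a constructed header skeleton and all function names are hypothetical; because the sum is unkeyed it detects damage, not deliberate modification.

```python
import struct

def checksum_offset(image: bytes) -> int:
    """File offset of OptionalHeader.CheckSum (same place in PE32 and PE32+)."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    off = e_lfanew + 4 + 20 + 64  # PE signature + COFF header + field offset
    if off + 4 > len(image):
        raise ValueError("truncated optional header")
    return off

def pe_checksums(image: bytes) -> tuple[int, int]:
    """Return (header_sum, computed_sum) for the image."""
    off = checksum_offset(image)
    (header_sum,) = struct.unpack_from("<I", image, off)
    buf = bytearray(image)
    buf[off:off + 4] = b"\0\0\0\0"  # the stored field is summed as zero
    if len(buf) % 2:
        buf.append(0)  # pad an odd-length file to a whole 16-bit word
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    return header_sum, (total + len(image)) & 0xFFFFFFFF

def stamp(image: bytes) -> bytes:
    """Store the computed sum in the header, as the linker does at build time."""
    off = checksum_offset(image)
    return image[:off] + struct.pack("<I", pe_checksums(image)[1]) + image[off + 4:]

def constructed_image() -> bytes:
    """Constructed header skeleton plus filler; not a loadable program."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94  # PE32 magic, rest zeroed
    return stamp(dos + b"PE\0\0" + coff + opt + b"constructed payload " * 16)

def is_intact(image: bytes) -> bool:
    """True when the stored header sum equals the recomputed sum."""
    header_sum, computed = pe_checksums(image)
    return header_sum == computed

if __name__ == "__main__":
    good = constructed_image()
    flipped = bytearray(good); flipped[-5] ^= 0x01  # one damaged bit
    print(is_intact(good), is_intact(bytes(flipped)), is_intact(good[:-1]))
```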
acar
Beginner
Hi Steve, many thanks for that, it works fine and the function returned with two identical checksums. I then thought I'd check that it picks up a tamper so I converted the exe of my application to a dat file and deleted a single 'character' towards the end of the file. I converted it back into an exe and it failed to run with the complaint 'This program cannot be run in DOS mode' - which I note is at the top of the executable. So I guess that this form of editing has already corrupted the file - I noticed that opening and closing it changed the file size. So I tried editing with notepad++ and again removed a single character. I then ran the tampered executable and got an error message that the executable is not a valid Win32 application. So I guess (?) that somehow Windows is already checking the checksum and rejecting the file?
0 Kudos
acar
Beginner
I was aware of that danger i.e. tamper and then update the header checksum. It is an engineering application which I'd like to protect. I'm just acutely aware that there are cracked versions of extremely expensive proprietary software out in cyberspace and I want to do all I can to avoid this. If you can point me to a minimum cost or cost free approach then I'd be really pleased.
0 Kudos
Steven_L_Intel1
Employee
Yes, Windows checks the checksum and will give an error if the checksum fails to match.

If you are looking for a "minimum cost or cost free approach", then your software can't be worth very much in terms of potential revenue lost to piracy. The more you stand to lose, and the greater you believe the risk of piracy, the more it is reasonable to spend on antipiracy features. If you don't charge very much for your application, then I don't recommend spending a lot of time, effort or money worrying about piracy. I'll note that we protect our compilers with FLEXlm licensing, which we pay for, but I see serial numbers for our products all over the web. These serial numbers are of limited use, but they're out there. We put just enough effort into licensing to keep honest customers honest and to deter casual piracy.
0 Kudos
acar
Beginner
It's not the value of the software per se, rather it is a cautious attitude and a desire not to be ripped off. If you see software vendors out there using FLEXlm and the like (which are expensive options particularly for a small start-up like us) and you see also that their products have been cracked (and some of these products are leased out at a cost in the tens of thousands of pounds per annum) then it naturally makes one wonder if it is worth spending much if anything on a proprietary license manager. As such I am exploring alternative routes. I do agree though that one needs to rely, to a certain degree, on mutual honesty between licensor and licensee but it would be a pity to see one's effort used freely by the inhabitants of Lower Djapoopoo Land simply because you had failed adequately to protect your application.

It seems to me also that many of the features that commercial license managers use will be standard Windows functions, e.g. checksum, certificates etc. Clearly they will also have their own secret recipes but my impression is that what they are really selling is a management system that wraps around some basic functionality most of which is widely available elsewhere and often free-of-charge.

As a Fortran programmer, one of the main issues I face is implementing Windows functions written in C/C++. I'm getting better but it is still a time-consuming and frustrating business because I don't have the necessary background to those languages. This is possibly where Intel could help by providing interfaces to these functions for the Fortran programmer. I realise that there often is a solution out there but it would be nice to find it as standard in the IVF help system. It would also be of value to have a recommended approach to protecting applications written in Intel's Fortran system.

Okay, so there seems no need to use mapfileandchecksum as it is already being done when Windows runs the application. Except, however, if the software is cracked successfully then the original checksum would have been changed. So what I need to do is to perform checksum prior to release and incorporate that value in the application?
Thanks for your continued interest.
ACAR.
P.S. A further thought and justification for my exploration: Through my research, vendors of commercial license management systems do not have the foresight yet to cater, in their sales model, for start-up companies with potentially small but high cost unit sales. The cost to a start-up for a commercial license manager simply swamps the other costs. In developing my product I have managed to keep costs down to a sensible level. Even providers of essential solution routines have been happy to let us develop with their software and to negotiate on the sales model they would accept in remuneration.
0 Kudos
Steven_L_Intel1
Employee
If what you are concerned about is modifying the code to disable license checks, you can digitally sign the executable and check that the signature is still valid for your company. As I noted earlier, this can be expensive. Whatever license enforcement model you choose, you can make it hard for the "cracker" by not using plaintext for keys and doing some periodic verification that the license code path and data has not been corrupted. Use of computed checksums for data can help with this.

There are inexpensive license managers out there. You'll want to think first about how a user authenticates the license - is it just a serial number? Is there some sort of "activation" check that ensures a serial number is not reused? I still think that you have to balance the effort and cost of implementation of a license scheme against the predicted losses from piracy.
0 Kudos
Steven_L_Intel1
Employee
By the way, I Googled "inexpensive license managers" and found several likely-looking hits. I did not investigate further.
0 Kudos
acar
Beginner
I clearly need to contemplate further on this! Thanks for all your thoughts Steve.
0 Kudos