
Protecting UACD ! -Some Insight



Here's my stream of thought about protecting an unattended Windows XP CD.

Unfortunately, very little could be done about protecting an unattended CD, just because no unique marker could be attached to a UACD that can distinguish between two different installation CDs as well as two different installation environments. Martin Zugec posted an original but self-limited method of protecting a UACD by using MAC address checking of the installed LAN card. A brilliant implementation of the idea, but to be appreciated with its limitation of the mandatory availability of a LAN card for genuine success, which, in reality, may not be the case in many cases.

I have one suggestion about some modifications to be implemented in Martin's method. Here it is:

1. Instead of a LAN card and MAC address, we may think about the system BIOS version as the unique identifier of the installation environment and the machine. Windows XP stores in the registry, in different places, a lot of information about the system BIOS, including version, date, etc.

While the date can be a marker, for sure, it is not going to be the ultimate solution, because it can be the same in two machines.

2. What XP, in my limited idea, spares from storing in the registry is the system BIOS build time, which is displayed either on entering BIOS setup or on the mere wake-up logo screen of the system BIOS display during boot-up.

In my opinion, this build time is crucial if any separate hardware-independent protection is to be imagined.

3. What we basically need is a program which, if run from CMDLINES.TXT before runoncex.cmd, automatically detects the system BIOS version+date+time, then cross-checks it with a file on the CD for accuracy of the information. For the next part I owe it to Martin for his unique mind: if the cross-check is successful, then silently proceed with installation, but if it fails, then silently delete NTLDR and restart the machine. Although, here's a suggestion from me: as NTLDR can be restored from at least the Recovery Console, it is better to delete both NTLDR and boot.ini.

If there is any ignorance on my part, please let me know. Give your piece of mind, please, anybody.

EDIT by Martin Zugec (with Moonlight Sonata's permission)

AnalyzeUA.vbs:

Option Explicit
'On Error Resume Next

' WMI enumeration flags, declared before their first use
Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20

Dim objWMIService : Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2")
Dim colItemsBios : Set colItemsBios = objWMIService.ExecQuery("SELECT * FROM Win32_BIOS", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)
Dim colItemsBaseBoard : Set colItemsBaseBoard = objWMIService.ExecQuery("SELECT * FROM Win32_BaseBoard", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)
Dim strItemBios, strItemBaseBoard, strAllowedValue
Dim objItemBios, objItemBaseBoard

' Show "BIOS release date & baseboard product" in an InputBox so the value can be
' copied into arrayAllowedHosts in ProtectUA.vbs. Both WMI classes normally return
' a single instance; a forward-only collection cannot be enumerated twice.
For Each objItemBios In colItemsBios
  For Each objItemBaseBoard In colItemsBaseBoard
    strItemBios = Trim(LCase(objItemBios.ReleaseDate))
    strItemBaseBoard = Trim(LCase(objItemBaseBoard.Product))
    strAllowedValue = InputBox("BIOS Release identificator", "BIOS Release", strItemBios & strItemBaseBoard)
  Next
Next

Set objWMIService = Nothing
Set colItemsBios = Nothing
Set colItemsBaseBoard = Nothing
Set objItemBios = Nothing
Set objItemBaseBoard = Nothing

ProtectUA.vbs:

Option Explicit

Dim objWMIService, arrayBIOS, objBIOS, strAllowedHost, strYouAreWelcome
Dim strOperatingSystem, colOperatingSystems
Dim objFSO, objShell, strSystemDrive
Dim objBaseboard, arrayBaseBoard, strComputerHost, strPassword

Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20
Const wmiRestartForce = 4

' Password of the zip archive holding the real payload
strPassword = "Passw0rd"

' Allowed machines: Win32_BIOS.ReleaseDate & Win32_BaseBoard.Product, as shown by AnalyzeUA.vbs.
' WMI returns '*' for date fields the firmware does not report, hence the second entry.
Dim arrayAllowedHosts(1)
arrayAllowedHosts(0) = "20030716000000.000000+0000x1078"
arrayAllowedHosts(1) = "20030814******.******+***virtual machine"

Set objShell = CreateObject("Wscript.Shell")
' Created up front: it is needed in both branches and in the clean-up after the If
Set objFSO = CreateObject("Scripting.FileSystemObject")

Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2")
Set arrayBIOS = objWMIService.ExecQuery("SELECT * FROM Win32_BIOS", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)
Set arrayBaseBoard = objWMIService.ExecQuery("SELECT * FROM Win32_BaseBoard", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)

' Build this machine's identifier and compare it, case-insensitively, with every allowed entry
For Each objBIOS In arrayBIOS
  For Each objBaseboard In arrayBaseBoard
    strComputerHost = objBIOS.ReleaseDate & objBaseboard.Product
    For Each strAllowedHost In arrayAllowedHosts
      If Trim(LCase(strComputerHost)) = Trim(LCase(strAllowedHost)) Then strYouAreWelcome = 1
    Next
  Next
Next

If strYouAreWelcome <> 1 Then
  ' Unknown machine: remove NTLDR and force a reboot, leaving the installation unbootable
  Set colOperatingSystems = GetObject("winmgmts:{(Shutdown)}//./root/cimv2").ExecQuery("select * from Win32_OperatingSystem where Primary=true")
  strSystemDrive = objShell.ExpandEnvironmentStrings("%SystemDrive%")
  objFSO.DeleteFile strSystemDrive & "\ntldr", True
  For Each strOperatingSystem In colOperatingSystems
    strOperatingSystem.Reboot()
  Next
Else
  ' Known machine: unpack the password-protected payload and carry on
  objShell.Run "C:\PKUNZIP -e -d -s" & strPassword & " C:\CzecMate.zip C:\", 0, True
End If

' Clean up the archive and the unzip tool in either case
objFSO.DeleteFile "C:\ProtectUA.zip", True
objFSO.DeleteFile "C:\Pkunzip.exe", True



Do you have a link to Martin's original post?

At first I didn't really understand what you meant by "protecting" a UACD. Now I understand.

I'll throw in my two cents on this subject. Personally, I think the most important thing to "protect" in your UACD is the CDKey that is almost certainly embedded in it. If someone gets hold of your UACD you have a lot more to worry about than them using it to install "Uncle Joe's" computer.

At my work we have a Volume License agreement with Microsoft, and thus we have one of those VLP CDKeys that hackers just love to get. This CDKey is directly traceable to my company and ultimately to myself. I have nightmares of one day googling my CDKey and getting hundreds of hits.

So I ALWAYS encrypt my CDKey in my WINNT.SIF and UNATTEND.TXT answer files. This only works in WinXP and 2K3 as far as I know. I use the following batch file to encrypt my CDKeys:

@ECHO OFF
TITLE WindowsXP SP1 UNATTEND.TXT CDKeyGen
COLOR 74
MODE CON COLS=60 LINES=30
CLS
ECHO [Last Edited on 11-03-2003]

ECHO   *** Defining Variables
SET WORKDIR=%~dp0

ECHO.
ECHO This will refresh the encrypted CDKey on the
ECHO UNATTEND.TXT file used for the XP Build.
ECHO Note: This script must be run under WinXP
PAUSE

ECHO *** Reality Check
if not exist "%WORKDIR%UNATTEND.TXT" goto ERR1
if not exist "%WORKDIR%I386\WINNT32.EXE" goto ERR2
ECHO   - passed

ECHO *** Updating ProductKey entry in
ECHO     %WORKDIR%UNATTEND.TXT with Corporate Volume License
ECHO     The encrypted key will be valid for *30* days.
"%WORKDIR%I386\WINNT32.EXE" /ENCRYPT:"FJDTR-YFLO83-EWHG3-LPXW5-TE65T:30" /UNATTEND:"%WORKDIR%UNATTEND.TXT"
ECHO.
ECHO *** Complete!
ECHO     The results of this operation shown below:
TYPE "%WINDIR%\WINNT32.LOG"
PAUSE
goto END

:ERR1
ECHO !!! ERROR !!!
ECHO %WORKDIR%UNATTEND.TXT was not found.
ECHO Please make sure this file is in the same
ECHO directory as this script before executing.
PAUSE
goto END

:ERR2
ECHO !!! ERROR !!!
ECHO %WORKDIR%I386\WINNT32.EXE was not found.
ECHO Please make sure the I386 structure is OK.
PAUSE
goto END

:END
ECHO *** End of script

And no, that's not my real CDKey in the script. That would have been really dumb :)


Actually, what I do is, when I'm done installing, I run an xcopy command at the end that copies the entire CD minus the $OEM$ folder... I have a txt file with the exclusions for the txt file itself and the $OEM$ folder... I'll probably add winnt.sif to that list also... so that way nobody can copy my CD structure in its entirety or have my unattended settings. This is only useful if I physically install the CD myself.

Edited by evilvoice

@Nois3

This is great thanks :thumbup

I do have a question now

ECHO     The encrypted key will be valid for *30* days.

Could you please explain this? Does this mean that after 30 days your Windows stops functioning and you need to reapply your serial?

EDIT:

or does this mean that in 30 days your CD won't accept the code?

Edited by erik_demon

@Nois3 and @evilvoice

Thanks for your contribution. Great.

What I had in mind when I started this topic was the unavoidable situation where any of our forum members has to concede his UACD to someone close enough to ask for it, and someone generous enough to give it to some other without even thinking about how much effort from the side of the original builder has been put into it. Such a scenario is neither unthinkable nor unavoidable. Just imagine if such unfortunate things happen; what is the solution? We, all forum members, are men, and do men cry?

I forgot to mention Martin's post. Here's the link to the first page:

http://www.msfn.org/board/index.php?showtopic=47383&st=0

Edited by MOONLIGHT SONATA

Erik,

The line in the script below determines how long the encrypted CDKey is valid:

"%WORKDIR%I386\WINNT32.EXE" /ENCRYPT:"FJDTR-YFLO83-EWHG3-LPXW5-TE65T:30" /UNATTEND:"%WORKDIR%

I have it set to 30 days in the above example. But you can change it to anywhere from 1 day to a couple of months (I believe). It does have limits, however; I forgot what they were.

When you run the batch file, Windows uses the current system time as the start date. So make sure your clock is correct. When you use your UACD, Windows will check the PC's time (CMOS clock) during installation. If it's past the specified number of days, Windows will give an error during installation and prompt for the CDKey. So you have to make sure the CMOS clock is set correctly on the PCs being built.

Obviously, you can easily get around this time limitation by setting the CMOS date to something that falls within the specified time period. But very few people will realize this. And the real goal here is not to have your CDKey in plain text on your UACD.


@Nois3

Please forgive me for being confused. I would definitely like to use your script, but I need to know some stuff.

1. When does one run this batch? Should it be on the physical CD itself, and run during Windows setup? If so, doesn't that mean that someone can just look in the batch file to get the CD key? Or do you run it in the Windows environment before even creating the CD?

2. I removed winnt32.exe, along with all of the other files that are required to do an install from within the Windows environment. If I *only* copy over winnt32.exe, will that work okay?

3. Is this essentially putting an expiration date on your CD? Does this mean that if I make a CD today, then 30 days from now, one won't be able to install Windows? Or does this mean that if one installs Windows XP, it will be active for 30 days?

Thanks in advance. :)


@Nois3

Why are you absorbed in limiting security to setting some expiry date, and why is the CDKey under the scanner so much? Your CDKey in winnt.sif can always be encrypted, and if during CD preparation you, using UltraISO, hide $OEM$, your Install folder and, particularly, winnt.sif in the i386 folder, then how will an intruder ever get his eye into it?

It is better to think about implementing BIOS version+date+time for killing unauthorised use of the CD, in conjunction with what I said about the UltraISO method.

-Thanks.


Droopy,

1. You run this batch file before you burn your CD-ROM. In my batch file I call the WINNT.SIF file UNATTEND.TXT, but it's the same thing. I should have simplified the batch before posting it, but I just copied and pasted what I already had (and put in a fake CDKey).

2. Yes, if you copy over winnt32.exe it should work OK.

3. Yes, it essentially puts an expiration date on your CD. Exactly. It also encrypts the ProductKey entry in your WINNT.SIF file. This way, if you lend your UACD out, the borrower can't just open \I386\WINNT.SIF in Notepad and steal your CDKey.

Moonlight,

Encrypting your CDKey on your UACD is the primary purpose here. The CDKey expiration "feature" is built in to the encryption; you must have an expiration date.

I was unaware that UltraISO could "hide" files and directories. I'm curious how it does it. Does it simply set the hidden file attribute? If so, I was unaware that the CDFS (redbook) specification even had that feature. Even so, if you set explorer to show "hidden" files can't you see them?


I was unaware that UltraISO could "hide" files and directories. I'm curious how it does it. Does it simply set the hidden file attribute? If so, I was unaware that the CDFS (redbook) specification even had that feature. Even so, if you set explorer to show "hidden" files can't you see them?

The files and folders are completely hidden, even in DOS. AFAIK, the only program that can read them is EasyBoot.


Ok, I found little time, so here you go:

Option Explicit

Dim objWMIService, arrayBIOS, objBIOSNumber, strMAC, strAllowedHost, arrayAllowedHosts, strYouAreWelcome
Dim strOperatingSystem, colOperatingSystems
Dim objFSO, objShell, strSystemDrive

Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20
Const wmiRestartForce = 4

' Allowed BIOS release dates (Win32_BIOS.ReleaseDate, WMI CIM_DATETIME format)
arrayAllowedHosts = array("20030716000000.000000+000")

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("Wscript.Shell")

Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2")
Set arrayBIOS = objWMIService.ExecQuery("SELECT * FROM Win32_BIOS", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)

' Compare this machine's BIOS release date, case-insensitively, with every allowed value
For Each objBIOSNumber In arrayBIOS
  For Each strAllowedHost In arrayAllowedHosts
    If LCase(objBIOSNumber.ReleaseDate) = LCase(strAllowedHost) Then strYouAreWelcome = 1
  Next
Next

' No match: remove NTLDR from the system drive and force a reboot
If strYouAreWelcome <> 1 Then
  Set colOperatingSystems = GetObject("winmgmts:{(Shutdown)}//./root/cimv2").ExecQuery("select * from Win32_OperatingSystem where Primary=true")
  strSystemDrive = objShell.ExpandEnvironmentStrings("%SystemDrive%")
  objFSO.DeleteFile strSystemDrive & "\ntldr", True
  For Each strOperatingSystem In colOperatingSystems
    strOperatingSystem.Reboot()
  Next
End If

This script will show you the release code for the PC:

Option Explicit
On Error Resume Next

Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20

Dim objWMIService, colItems, objItem, strTemp

Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2")
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_BIOS", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)

' Display the BIOS release date in an InputBox so it can be copied into arrayAllowedHosts
For Each objItem In colItems
  strTemp = InputBox("BIOS Release identificator", "BIOS Release", objItem.ReleaseDate)
Next
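The allow-list comparison that ProtectUA.vbs above and the script in this post perform, re-implemented in Python as an added example (not code from the thread or from Martin's scripts) so it can be exercised offline. The function names and the CIM_DATETIME regex are mine; the allow list is the pair of entries from ProtectUA.vbs, and the live values fed to it are constructed. It adds one check the scripts lack: an allow-list entry whose date part is not a well-formed WMI CIM_DATETIME can never match a live value, so with the fail-closed design every machine would be locked out.

```python
import re

# Shape of a WMI CIM_DATETIME: yyyymmddHHMMSS.mmmmmm+UUU, always 25 characters.
# WMI substitutes '*' for fields the firmware does not report, which is why the
# thread's second allowed host reads "20030814******.******+***".
CIM_DATETIME = re.compile(
    r"^(?:\d{4}|\*{4})(?:\d{2}|\*{2}){5}\.(?:\d{6}|\*{6})[+-](?:\d{3}|\*{3})$"
)

# Allow list taken from ProtectUA.vbs: ReleaseDate & Product per machine.
ALLOWED_HOSTS = [
    "20030716000000.000000+0000x1078",
    "20030814******.******+***virtual machine",
]


def fingerprint(release_date: str, product: str) -> str:
    """Same value the VBScript compares: ReleaseDate & Product, trimmed, lower-cased."""
    return (release_date + product).strip().lower()


def is_allowed(release_date: str, product: str, allowed) -> bool:
    """Literal, case-insensitive equality against the allow list, as in the scripts."""
    fp = fingerprint(release_date, product)
    return any(fp == entry.strip().lower() for entry in allowed)


def check_allow_list(allowed):
    """Return entries whose first 25 characters are not a well-formed CIM_DATETIME.

    A mistyped entry can never equal a live WMI value, so the fail-closed check
    would reject every machine; catch that before the CD is burned.
    """
    return [entry for entry in allowed if not CIM_DATETIME.match(entry.strip()[:25])]


if __name__ == "__main__":
    # Constructed live values, in the form Win32_BIOS.ReleaseDate and
    # Win32_BaseBoard.Product return them
    for date, product in [("20030716000000.000000+000", "0x1078"),
                          ("20030716000000.000000+000", "0x1079")]:
        verdict = "install" if is_allowed(date, product, ALLOWED_HOSTS) else "reject"
        print(date, product, "->", verdict)
    print("malformed entries:", check_allow_list(ALLOWED_HOSTS))
```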

