MOONLIGHT SONATA

Protecting UACD ! -Some Insight

204 posts in this topic

Here's my stream of thought about protecting an unattended Windows XP CD.

Unfortunately, very little could be done about protecting an unattended CD, just because no unique marker could be attached to a UACD that can distinguish between two different installation CDs as well as two different installation environments. Martin Zugec posted an original but self-limited method of protecting a UACD by using MAC address checking of the installed LAN card. A brilliant implementation of the idea, but to be appreciated with its limitation of the mandatory availability of a LAN card for genuine success which, in reality, may not be the case in many cases.

I have one suggestion about some modifications to be implemented in Martin's method. Here it is:

1. Instead of the LAN card and MAC address, we may think about the system BIOS version as the unique identifier of the installation environment and the machine. Windows XP stores in the registry, in different places, a lot of information about the system BIOS including version, date etc.

While the date can be a marker, for sure, it is not going to be the ultimate solution, because it can be the same on two machines.

2. What XP, in my limited idea, spares from storing in the registry is the system BIOS build time, which is displayed either on entering BIOS setup or on the mere wake-up logo screen of the system BIOS display during boot-up.

In my opinion, this build time is crucial if any separate hardware-independent protection is to be imagined.

3. What we basically need is a program which, if run from CMDLINE.txt before runoncex.cmd, automatically detects the system BIOS version+date+time, then cross-checks with a file on the CD for accuracy of information. For the next part I owe it to Martin for his unique mind - if the cross-check is successful then silently proceed with installation, but if it fails then silently delete NTLDR and restart the machine. Although, here's a suggestion from me - as NTLDR can be restored from at least the Recovery Console, it is better to delete both NTLDR and boot.ini.

If there is any ignorance on my part, please let me know. Give your piece of mind, please - anybody.

EDIT by Martin Zugec (with Moonlight Sonata's permission)

AnalyzeUA.vbs:

Option Explicit
'On Error Resume Next

' WMI enumeration flags, declared before the queries that use them
Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20

Dim objWMIService : Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2")
Dim colItemsBios : Set colItemsBios = objWMIService.ExecQuery("SELECT * FROM Win32_BIOS", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)
Dim colItemsBaseBoard : Set colItemsBaseBoard = objWMIService.ExecQuery("SELECT * FROM Win32_BaseBoard", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)
Dim strItemBios, strItemBaseBoard, strAllowedValue
Dim objItemBios, objItemBaseBoard

' Build the identifier exactly as ProtectUA.vbs compares it (BIOS release date followed by
' the baseboard product, trimmed and lower-cased) and show it so it can be copied into
' arrayAllowedHosts of ProtectUA.vbs
For Each objItemBios In colItemsBios
  For Each objItemBaseBoard In colItemsBaseBoard
    strItemBios = Trim(LCase(objItemBios.ReleaseDate))
    strItemBaseBoard = Trim(LCase(objItemBaseBoard.Product))
    strAllowedValue = InputBox("BIOS Release identificator", "BIOS Release", strItemBios & strItemBaseBoard)
  Next
Next

Set objWMIService = Nothing
Set colItemsBios = Nothing
Set colItemsBaseBoard = Nothing
Set objItemBios = Nothing
Set objItemBaseBoard = Nothing

ProtectUA.vbs:

Option Explicit

Dim objWMIService, arrayBIOS, objBIOS, strAllowedHost, strYouAreWelcome
Dim strOperatingSystem, colOperatingSystems
Dim objFSO, objShell, strSystemDrive
Dim objBaseboard, arrayBaseBoard, strComputerHost, strPassword

Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20
Const wmiRestartForce = 4

' Password of the archive that holds the rest of the unattended payload
strPassword = "Passw0rd"

' Allowed machines: Win32_BIOS.ReleaseDate (CIM DATETIME) followed by Win32_BaseBoard.Product,
' as displayed by AnalyzeUA.vbs. WMI reports fields it cannot determine as "*".
Dim arrayAllowedHosts(1)
arrayAllowedHosts(0) = "20030716000000.000000+0000x1078"
arrayAllowedHosts(1) = "20030814******.******+***virtual machine"

Set objShell = CreateObject("Wscript.Shell")
' Created up front: the original only created it in the failure branch, so the
' cleanup at the end failed with "Object required" on an allowed machine
Set objFSO = CreateObject("Scripting.FileSystemObject")

Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2")
Set arrayBIOS = objWMIService.ExecQuery("SELECT * FROM Win32_BIOS", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)
Set arrayBaseBoard = objWMIService.ExecQuery("SELECT * FROM Win32_BaseBoard", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)

' Compare the trimmed, lower-cased identifier of this machine against every allowed entry
strYouAreWelcome = 0
For Each objBIOS In arrayBIOS
  For Each objBaseboard In arrayBaseBoard
    strComputerHost = objBIOS.ReleaseDate & objBaseboard.Product
    For Each strAllowedHost In arrayAllowedHosts
      If Trim(LCase(strComputerHost)) = Trim(LCase(strAllowedHost)) Then strYouAreWelcome = 1
    Next
  Next
Next

If strYouAreWelcome <> 1 Then
  ' Unknown machine: remove the boot loader and force a reboot so setup cannot continue
  Set colOperatingSystems = GetObject("winmgmts:{(Shutdown)}//./root/cimv2").ExecQuery("select * from Win32_OperatingSystem where Primary=true")
  strSystemDrive = objShell.ExpandEnvironmentStrings("%SystemDrive%")
  objFSO.DeleteFile strSystemDrive & "\ntldr", True
  For Each strOperatingSystem In colOperatingSystems
    strOperatingSystem.Reboot()
  Next
Else
  ' Known machine: unpack the password-protected payload (hidden window, wait until finished).
  ' The archive name here must match the one deleted below.
  objShell.Run "C:\PKUNZIP -e -d -s" & strPassword & " C:\CzecMate.zip C:\", 0, True
End If

' Remove the protection files themselves from the installed system
objFSO.DeleteFile "C:\ProtectUA.zip", True
objFSO.DeleteFile "C:\Pkunzip.exe", True


Do you have a link to Martin's original post?

At first I didn't really understand what you meant by "protecting" a UACD. Now I understand.

I'll throw in my two cents on this subject. Personally, I think the most important thing to "protect" in your UACD is the CDKey that is almost certainly embedded in it. If someone gets hold of your UACD you have a lot more to worry about than them using it to install "Uncle Joe's" computer.

At my work we have a Volume License agreement with Microsoft and thus we have one of those VLP CDKeys that hackers just love to get. This CDKey is directly traceable to my company and ultimately to myself. I have nightmares of one day googling my CDKey and getting 100s of hits.

So I ALWAYS encrypt my CDKey in my WINNT.SIF and UNATTEND.TXT answer files. This only works in WinXP and 2K3 as far as I know. I use the following batch file to encrypt my CDKeys:

@ECHO OFF
TITLE WindowsXP SP1 UNATTEND.TXT CDKeyGen
COLOR 74
MODE CON COLS=60 LINES=30
CLS
ECHO [Last Edited on 11-03-2003]

ECHO   *** Defining Variables
SET WORKDIR=%~dp0

ECHO.
ECHO This will refresh the encrypted CDKey on the
ECHO UNATTEND.TXT file used for the XP Build.
ECHO Note: This script must be run under WinXP
PAUSE

ECHO *** Reality Check
if not exist "%WORKDIR%UNATTEND.TXT" goto ERR1
if not exist "%WORKDIR%I386\WINNT32.EXE" goto ERR2
ECHO   - passed

ECHO *** Updating ProductKey entry in
ECHO     %WORKDIR%UNATTEND.TXT with Corporate Volume License
ECHO     The encrypted key will be valid for *30* days.
"%WORKDIR%I386\WINNT32.EXE" /ENCRYPT:"FJDTR-YFLO83-EWHG3-LPXW5-TE65T:30" /UNATTEND:"%WORKDIR%UNATTEND.TXT"
ECHO.
ECHO *** Complete!
ECHO     The results of this operation shown below:
TYPE "%WINDIR%\WINNT32.LOG"
PAUSE
goto END

:ERR1
ECHO !!! ERROR !!!
ECHO %WORKDIR%UNATTEND.TXT was not found.
ECHO Please make sure this file is in the same
ECHO directory as this script before executing.
PAUSE
goto END

:ERR2
ECHO !!! ERROR !!!
ECHO %WORKDIR%I386\WINNT32.EXE was not found.
ECHO Please make sure the I386 structure is OK.
PAUSE
goto END

:END
ECHO *** End of script

And no, that's not my real CDKey in the script. That would have been really dumb :)


Actually, what I do is when I'm done installing, I run an xcopy command at the end that copies the entire CD minus the $OEM$ folder... I have a txt file with the exclusion for the txt file itself and the $OEM$ folder... I'll prolly add winnt.sif to that list also... so that way nobody can copy my CD structure in its entirety or have my unattended settings. This is only useful if I physically install the CD myself.

Edited by evilvoice

@Nois3

This is great thanks :thumbup

I do have a question now

ECHO     The encrypted key will be valid for *30* days.

Could you please explain this? Does this mean that after 30 days your Windows stops functioning, and you need to reapply your serial?

EDIT:

or does this mean that in 30 days your CD won't accept the code?

Edited by erik_demon

@Nois3 and @evilvoice

Thanks for your contribution. Great.

What I had in mind when I started this topic was the unavoidable situation where any of our forum members has to concede his UACD to someone close enough to ask for it and someone generous enough to give it to some other without even thinking about how much effort from the side of the original builder has been put into it. Such a scenario is neither unthinkable nor unavoidable. Just imagine if such unfortunate things happen, what is the solution? We, all forum members, are men and do men cry?

I forgot to mention Martin's post. Here's the link to the first page:

http://www.msfn.org/board/index.php?showtopic=47383&st=0

Edited by MOONLIGHT SONATA

Erik,

The line in the script below determines how long the encrypted CDKey is valid:

"%WORKDIR%I386\WINNT32.EXE" /ENCRYPT:"FJDTR-YFLO83-EWHG3-LPXW5-TE65T:30" /UNATTEND:"%WORKDIR%

I have it set to 30 days in the above example. But you can change it anywhere from 1 day to a couple of months (I believe). It does have limits however, I forgot what they were.

When you run the batch file, Windows uses the current system time as a start date. So make sure your clock is correct. When you use your UACD Windows will check the PC's time (CMOS clock) during installation. If it's past the specified number of days Windows will give an error during installation and prompt for the CDKey. So you have to make sure the CMOS clock is set correctly on the PCs being built.

Obviously, you can easily get around this time limitation by setting the CMOS date to something that falls within the specified time period. But very few people will realize this. And the real goal here is not to have your CDKey in plain text on your UACD.


@Nois3

Please forgive me for being confused. I would definitely like to use your script, but I need to know some stuff.

1. When does one run this batch? Should it be on the physical CD itself, and run during Windows setup? If so, doesn't that mean that someone can just look in the batch file to get the CD key? Or do you run it in the Windows environment before even creating the CD?

2. I removed winnt32.exe, along with all of the other files that are required to do an install from within the Windows environment. If I *only* copy over winnt32.exe, will that work okay?

3. Is this essentially putting an expiration date on your CD? Does this mean that if I make a CD today, then 30 days from now, one won't be able to install Windows? Or does this mean that if one installs Windows XP, it will be active for 30 days?

Thanks in advance. :)


@Nois3

Why are you absorbed in limiting security to setting some expiry date, and why is the CDKey under the scanner so much? Your CDKey in Winnt.sif can always be encrypted, and if during CD preparation you, using UltraISO, hide $OEM$, your Install folder and particularly winnt.sif in the i386 folder, then how will an intruder ever get his eye into it?

It is better to think about implementing BIOS version+date+time for killing unauthorised use of the CD in conjunction with what I said about the UltraISO method.

-Thanks.


Droopy,

1. You run this batch file before you burn your CDROM. In my batch file I call the WINNT.SIF file UNATTEND.TXT - but it's the same thing. I should have simplified the batch before posting it, but I just copied and pasted what I already had (and put in a fake CDKey).

2. Yes, if you copy over winnt32.exe it should work OK.

3. Yes, it essentially puts an expiration date on your CD. Exactly. It also encrypts the ProductKey entry in your WINNT.SIF file. This way, if you lend your UACD out, the borrower can't just open \I386\WINNT.SIF in Notepad and steal your CDKey.

Moonlight,

Encrypting your CDKey on your UACD is the primary purpose here. The CDKey expiration "feature" is built in to the encryption, you must have an expiration date.

I was unaware that UltraISO could "hide" files and directories. I'm curious how it does it. Does it simply set the hidden file attribute? If so, I was unaware that the CDFS (redbook) specification even had that feature. Even so, if you set explorer to show "hidden" files can't you see them?

I was unaware that UltraISO could "hide" files and directories. I'm curious how it does it. Does it simply set the hidden file attribute? If so, I was unaware that the CDFS (redbook) specification even had that feature. Even so, if you set explorer to show "hidden" files can't you see them?

The files and folders are completely hidden, even in DOS. AFAIK, the only program that can read them is EasyBoot.


I'm beginning to think this is a marvelous tool for any UA enthusiast concerned for security; as mentioned, many countless hours spent debugging our creations to give it all away to just anyone... Thanks for a solid contribution.


2Moonlight Sonata: I can easily access information about the BIOS date, so I will rewrite the script for you. However I got some problems in my company I need to solve first, so excuse me for (hope so) a few days


Ok, I found a little time, so here you go:

Option Explicit

Dim objWMIService, arrayBIOS, objBIOSNumber, strAllowedHost, arrayAllowedHosts, strYouAreWelcome
Dim strOperatingSystem, colOperatingSystems
Dim objFSO, objShell, strSystemDrive

Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20
Const wmiRestartForce = 4

' BIOS release dates (Win32_BIOS.ReleaseDate, CIM DATETIME format) of the machines allowed to install
arrayAllowedHosts = Array("20030716000000.000000+000")

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("Wscript.Shell")

Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2")
Set arrayBIOS = objWMIService.ExecQuery("SELECT * FROM Win32_BIOS", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)

' Case-insensitive comparison of this machine's BIOS release date with every allowed entry
strYouAreWelcome = 0
For Each objBIOSNumber In arrayBIOS
  For Each strAllowedHost In arrayAllowedHosts
    If LCase(objBIOSNumber.ReleaseDate) = LCase(strAllowedHost) Then strYouAreWelcome = 1
  Next
Next

If strYouAreWelcome <> 1 Then
  ' Unknown machine: remove NTLDR and force a reboot so the installation cannot continue
  Set colOperatingSystems = GetObject("winmgmts:{(Shutdown)}//./root/cimv2").ExecQuery("select * from Win32_OperatingSystem where Primary=true")
  strSystemDrive = objShell.ExpandEnvironmentStrings("%SystemDrive%")
  objFSO.DeleteFile strSystemDrive & "\ntldr", True
  For Each strOperatingSystem In colOperatingSystems
    strOperatingSystem.Reboot()
  Next
End If

This script will show you the release code for your PC:

On Error Resume Next

Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20

Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2")
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_BIOS", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)
  For Each objItem In colItems
     strTemp = InputBox ("BIOS Release identificator","BIOS Release",objItem.ReleaseDate)
  Next


Thanks Martin Zugec.

Thank you for your help. Now I am in office so I can't check your script here. I will check later in my house.


Glad I could help. However be careful, I didn't have time to test it, so it maybe won't work as expected


2Martin Zugec

I implemented your script, it works flawlessly as I expected, and even before I applied it I firmly believed that whatever you post here will work for sure. That's why I badly expected you to come forward with the code. I don't wear a hat so I can't say "hats off to you", and since I already commissioned my heart in favour of your brain (seeing your MAC magic work), the only thing that I can give you now is my head. Behead me Martin!

For some serious input, I come with another post very shortly. Not now! It is the Day of Deliverance, sir, pardon me.

2MSFN

Thanks for providing me a platform from where I got the chance to Net-Meeting someone like Martin who in spite of work pressure came with a code in office time for the whole UACD builder community. English adjectives become useless and speechless in times when silence is the only way to say something!

2ALL UACD Builders

Watch Martin's code here. It, with some further modifications, if possible, can provide the ultimate solution towards protecting UACD from any sharing nightmare. If the logic behind using such a method is realized properly, any forum member can only extract benefit from Martin's code. My position is very clear. I have no objection to giving my UACD to ALL PC USERS ALL OVER THE WORLD, but I want to make one PC user's copy his personal one. I am not jealous, rather generous to play the perfect host to any guest asking attention about my UACD. I want to be Santa Claus, but it's only me. Regarding my UACD project, I am the MONARCH of ALL I SURVEY! Period.


@MARTIN ZUGEC

In the 1st code, you use,

arrayAllowedHosts = array("20030716000000.000000+000")

Here, what is the meaning of 000000.000000+000?

Now your BIOS build date and mine missed by only 6 days. So near yet so far! That's why I wish you could include the BIOS build time inside the code. This can make the protection rock-solid. Is it impossible to implement?

Waiting for your kind response.

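As an added illustration (not code from the thread or from Martin's scripts), the Python below shows the layout of the string behind the 000000.000000+000 question and the effect of pairing it with the baseboard Product as ProtectUA.vbs does. Win32_BIOS.ReleaseDate is a CIM DATETIME (date, time, microseconds, UTC offset in minutes, with "*" where WMI cannot determine a field); the host values used here are constructed samples.

```python
"""Added example (not code from the thread): the CIM DATETIME layout behind
Win32_BIOS.ReleaseDate and the allow-list match that ProtectUA.vbs performs.
Host values below are constructed; only the string layout is real:
yyyymmddHHMMSS.mmmmmm(+|-)UTC, with '*' in fields WMI cannot determine."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# yyyymmdd  HHMMSS  .  microseconds  sign  offset-from-UTC in minutes
_CIM_RE = re.compile(
    r"^(?P<date>[0-9*]{8})(?P<time>[0-9*]{6})\.(?P<micro>[0-9*]{6})"
    r"(?P<sign>[+-])(?P<utc>[0-9*]{3})$"
)


@dataclass(frozen=True)
class CimDateTime:
    date: str                   # yyyymmdd (may still contain '*')
    time: Optional[str]         # HHMMSS, or None when WMI reported '******'
    utc_minutes: Optional[int]  # offset from UTC in minutes, None if unknown


def parse_cim_datetime(value: str) -> CimDateTime:
    """Split a CIM DATETIME string into its fields, keeping '*' unknowns."""
    m = _CIM_RE.match(value.strip())
    if m is None:
        raise ValueError(f"not a CIM DATETIME: {value!r}")
    time = None if "*" in m["time"] else m["time"]
    if "*" in m["utc"]:
        utc = None
    else:
        utc = int(m["utc"]) * (1 if m["sign"] == "+" else -1)
    return CimDateTime(m["date"], time, utc)


def fingerprint(release_date: str, baseboard_product: str) -> str:
    """Normalise like ProtectUA.vbs: Trim(LCase(ReleaseDate & Product))."""
    return (release_date + baseboard_product).strip().lower()


def date_only_check(release_date: str, allowed_dates: Iterable[str]) -> bool:
    """The first revision of the script compared ReleaseDate alone."""
    return any(release_date.lower() == d.lower() for d in allowed_dates)


def is_allowed(release_date: str, product: str, allowed: Iterable[str]) -> bool:
    """Exact match of the composite identifier against the allow-list."""
    fp = fingerprint(release_date, product)
    return any(fp == entry.strip().lower() for entry in allowed)


# Constructed hosts: two different boards flashed with a BIOS that carries the
# same release date. SMBIOS records only a date for the BIOS release, so the
# HHMMSS part is always 000000 and never distinguishes machines; the baseboard
# Product string is what tells HOST_A and HOST_B apart.
SAME_DATE = "20030716000000.000000+000"
HOST_A = (SAME_DATE, "x1078")
HOST_B = (SAME_DATE, "k7n2")
ALLOWED = [fingerprint(*HOST_A)]

if __name__ == "__main__":
    print(parse_cim_datetime("20030814******.******+***"))
    print("date only :", date_only_check(HOST_B[0], [SAME_DATE]))  # True (collision)
    print("composite :", is_allowed(*HOST_B, ALLOWED))              # False
```

Because SMBIOS carries no time of day for the BIOS release, the "build time" asked for above is not available through Win32_BIOS.ReleaseDate; the extra distinguishing data has to come from another field, which is why ProtectUA.vbs appends Win32_BaseBoard.Product.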

2Moonlight: Hmmm, try to run this script - what is the output?

On Error Resume Next

Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20

Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2")
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_BIOS", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)
 For Each objItem In colItems
    strTemp = InputBox ("BIOS Release identificator","BIOS Release",objItem.SerialNumber)
 Next

I am not sure if this will work on every PC; it should be the serial number (unique)


2Martin

The BIOS Release identificator box shows nothing on my computer. It is showing the cursor only.

What information will it actually show? A unique serial no? What's a serial no?

The script is not working for me; try to modify it.


I was afraid of it :(

In that case try this:

On Error Resume Next

Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20

Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2")
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_BaseBoard", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)
For Each objItem In colItems
   strTemp = InputBox ("BIOS Release identificator","BIOS Release",objItem.SerialNumber)
Next

What can you see?


@Nois3

I've read about hiding files in a CDFS. I thought I had found it in flyakite's guide to creating a multiboot disc, but I've searched throughout all of his pages and I can't find anything on it. I really wish I could remember. It was pretty interesting. I never got a chance to test it, however. Come to think of it, I'm nearly positive I read about it on one of the following sites: UBCD, Bart's PE, or CDShell. You can google them if you're interested. Or I'll do it tomorrow. I must be headin' to bed right now.

Thanks for the info on your batch file. I think I'll go ahead and use it. :)

edit: Heh, I didn't realize that this thread was on page 3 already.

edit2: If UltraISO hides ALL files, then I'm guessing that it just makes the ISO UDF. That can be read from within Windows if the user has Roxio Easy CD Creator. The method that I saw allowed you to choose particular files to hide.

Edited by Dumpy Dooby

In UltraISO you can select which files or folders to hide.

This is a test.iso with one folder set to hidden.
This is the view of the CD when read from within Windows.

@urie

That folder doesn't show up in windows even if "View Hidden Folders" is ticked? What about "Operating system files"?

Is that folder still accessible from other programs? I'm thinking of XPlode or WIHU or WPI.


@Martin

Even this code shows nothing in the BIOS release identificator box. Again only the cursor.

By Serial Number, what do you mean? Interpret and elaborate for stupid fellows like me.

waiting....

