
Runtime Environment for CodeMeter Protection Suite

A new native component has arrived to keep software even better protected with novel mechanisms. Learn all the benefits and how this module can safely link up with your protected applications.

Software technology never stops evolving. What is hot today will be old hat tomorrow. Long-suffering software developers will be familiar with this merciless aspect of their trade: They pick a programming language that is all the rage, only to have to rewrite their entire application in a different language or a completely new technology soon after, just to keep up with the newest trends and fads.

CodeMeter Protection Suite is always kept up to date and brimming with new functions and capabilities that equip software developers with top-flight protections for whatever novel environment or technology they are dealing with. One example of this concept is the all-new AxProtector Python, currently in its beta tests. Python scripts are enjoying record popularity at the moment and are a favorite for routine software development tasks. However, when these little helpers grow up and become valuable IP in their own right, software developers will want the best means to protect and license the fruit of their labor.

Protecting script languages?

Python is a script language that lives in source code form. Can Python code be protected? One option – a good enough choice for many situations – is to translate it into native code and to then encrypt the resulting binaries with AxProtector. But software developers usually need to produce their work in many different binary forms for different platforms to give their customers the freedom of choice. And they would have to trust their compilation tool to create native code that is not only correct, but also works as smoothly as they expect it to. In some cases, translating the code into native form makes certain use cases difficult or even completely impossible, such as the ability for customers to integrate protected functions into their own Python scripts. That’s more than enough reason to look for a new solution that could protect script languages like Python without the hassle of going through a third-party tool.

The greatest challenge lies in checking the licenses and decrypting the code in an environment that is safe from snooping and tampering – at first sight an impossible endeavor for scripts that the user can access in source code form. But a solution is available: A native component developed by Wibu-Systems that can handle all these operations far away from prying eyes: the new CodeMeter Protection Suite runtime component CPSRT (CodeMeter Protection Suite Runtime).

Native library

In a protected script, the contents of the functions in question are encrypted and stored alongside the means for handing the encrypted code over to the native CPSRT component. The component checks the required licenses, decrypts the functions, and sends them back to the interpreter, where they can be executed. The native component could also take over other jobs for the script language, e.g. conducting regular license checks or tracking debuggers.

The native component is itself protected by AxProtector to stop would-be attackers from tampering with it. Hardening its own protections is just as important as having the right safeguards for the communication between it and the protected application. That communication would seem an ideal target for attackers – simply listen in to find out everything you need to know, or even inject your own malicious instructions, as in the classic man-in-the-middle attack. This is why Wibu-Systems’ developers teamed up with the company’s security experts and came up with a foolproof communication system.

Encrypted communication

When loading the native component, an encrypted line of communication is started that uses certificates created for the protected application.

The two certificates, a copy protection key certificate and a protectee certificate, form links in a chain of signatures connecting the licensor’s private key certificate provided by Wibu-Systems to software developers back to Wibu-Systems’ very own root certificate.

The protected application – the protectee – can use the protectee certificate to authenticate itself to the native component and show that it has the right to access licenses and decrypt functions. Vice versa, the native component has a certificate signed by Wibu-Systems to identify itself to the protected application and prove its genuineness. With the trust ensured by this process, the two can work together to negotiate the communication key without any outside party ever getting near it.

The native component will also only execute the instructions (e.g. for decrypting code) for Firm Codes that the protected application has the right certificate for. It can also use these certificates to check the integrity of the protected application, stopping manipulated software in its tracks from its very first launch.


The certificate chain is based on the infrastructure first introduced for the Universal Firm Code (Firm Codes higher than 6.000.000), although this does not exclude software developers using older CodeMeter Firm Codes or even its predecessor WibuKey. They can also use the new native component with the same certificate infrastructure by going through their Firm Security Box (FSB). The required certificates will be rolled out automatically with the next update for all CodeMeter Firm Codes; developers who do not want to wait can update at any time and free of charge.

Should your FSB lack the certificate, you will be notified when you next try to encrypt an application, with detailed information about the next steps you should take.

The new native component is currently used by AxProtector .NET and AxProtector Python but will soon be rolled out to other AxProtector variants, bringing its additional capabilities to their protection mechanisms for even safer and more secure software.

Installation required

The native component needs to be available on the user’s computer. With AxProtector .NET, it is copied into the protected folder in which the encrypted assembly and the other required files are kept. Since the platform on which a .NET assembly is eventually executed cannot be known beforehand, the native component is included in versions for different platforms, as a CPSRT.dll file in several subfolders. Beginning with version 10.70a, the mechanism with which assemblies protected with AxProtector .NET look for the CPSRT.dll has been refined: It initially looks in the application’s folder and its subfolders and then in all other places named in the PATH variable.
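To confirm which copy a deployment would pick up under the lookup order just described (application folder, its subfolders, then PATH), the following added example models that order and reports other builds that are also reachable. It is not Wibu-Systems code; the order among subfolders, the `win-x64` folder name and the file contents are assumptions constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

DLL_NAME = "CPSRT.dll"

def lookup_order(app_dir, path_value, name=DLL_NAME):
    """List copies of `name` in the order described above: application
    folder, then its subfolders, then every directory named in PATH."""
    app_dir = Path(app_dir)
    hits = []
    if (app_dir / name).is_file():
        hits.append(("app", app_dir / name))
    # The article gives no order among subfolders; sorted order is an assumption.
    for p in sorted(app_dir.rglob(name)):
        if p.parent != app_dir and p.is_file():
            hits.append(("subfolder", p))
    seen = {p.resolve() for _, p in hits}
    for entry in filter(None, path_value.split(os.pathsep)):
        p = Path(entry) / name
        if p.is_file() and p.resolve() not in seen:
            seen.add(p.resolve())
            hits.append(("PATH", p))
    return hits

def audit(app_dir, path_value):
    """Return (copy that would be resolved or None, findings for the deployer)."""
    hits = lookup_order(app_dir, path_value)
    if not hits:
        return None, ["no CPSRT.dll reachable from the app folder or PATH"]
    origin, first = hits[0]
    ref = hashlib.sha256(first.read_bytes()).hexdigest()
    findings = [f"resolved from PATH, not the app folder: {first}"] if origin == "PATH" else []
    for where, p in hits[1:]:
        if hashlib.sha256(p.read_bytes()).hexdigest() != ref:
            findings.append(f"different build also reachable ({where}): {p}")
    return first, findings

def demo():
    """Constructed layout: one copy in a platform subfolder, another build on PATH."""
    with tempfile.TemporaryDirectory() as tmp:
        app, tools = Path(tmp, "app"), Path(tmp, "tools")
        (app / "win-x64").mkdir(parents=True)  # hypothetical subfolder name
        tools.mkdir()
        (app / "win-x64" / DLL_NAME).write_bytes(b"constructed build A")
        (tools / DLL_NAME).write_bytes(b"constructed build B")
        first, findings = audit(app, str(tools))
        return first.relative_to(tmp).as_posix(), len(findings)
```

On a real installation, call `audit(app_folder, os.environ["PATH"])` and compare the resolved copy with the one shipped alongside the protected assembly.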

The next CodeMeter version, 7.30, will include CPSRT.dll in its installers and install the latest version of the new component, avoiding the need to distribute it manually. As always, Wibu-Systems is committed to backward compatibility, so that any application protected with CodeMeter Protection Suite will continue to work perfectly with newer incarnations of CPSRT.dll.


KEYnote 41 – Edition Spring 2021
