How do they use a serial number?

Posted: Thu Oct 30, 2008 5:52 pm
by Rook Zimbabwe
OK, we have all pretty much installed software that used a serial number.

How do they do it?

How can there be multiple good serial numbers for a piece of software (ie: Windows) that will register the product?

Is it some form of math? :?

Re: How do they use a serial number?

Posted: Thu Oct 30, 2008 5:57 pm
by milan1612
Rook Zimbabwe wrote:Is it some form of math? :?
Yep, and there are various ways to achieve that, a very simple example would be
that every single serial number has a specific cross sum. Of course that's very
easy to crack but you get the idea... :P

Posted: Thu Oct 30, 2008 7:32 pm
by thefool
That's why keygens work. They literally generate the key.

Re: How do they use a serial number?

Posted: Thu Oct 30, 2008 7:46 pm
by ts-soft
milan1612 wrote:a very simple example would be that every single serial number has a specific cross sum.
Like 7 on old ms products :mrgreen:

Posted: Thu Oct 30, 2008 8:11 pm
by Kale
Keygens for a product are able to be produced because the author has put the decrypting routine inside the exe so crackers are able to find them and duplicate them. The trick is to not do this.

In software where I have implemented a serial number system I have done this:

1. Create a program to generate 1000 random serial numbers all with the same amount of chars and save these to a text file. Also have this program create a PB include file creating an array holding MD5 hashes of all the numbers.
2. Include the file into your program.
3. In your app, create a nice registration box asking for a serial number.
4. When your program is running and somebody enters a serial into your nice reg box, MD5 hash it and compare it to the hashes stored in your included array.
5. If there's a match, you know it's genuine and you can enable whatever functionality you have.
6. Store the MD5 hash of the serial in a file or in registry so they don't have to enter it again and check for the existence of this hash on start up of your app.

Of course when someone buys your app give them a serial number from the text file that was generated. Many sites allow you to do this automatically when someone buys a piece of software. Shareit for example.

That is the simplest form of app security I could come up with and has actually served me well. This form can still be cracked by a competent cracker but it stops casual copying. If you ever feel like any serials are doing the rounds on any various warez site just run your serial generating program again and recompile your app and it now has 1000 new serials and the old ones won't work with your newly compiled exe.

To be honest I don't sell a lot of software so 1000 serials is a huge limit for me. If you expected to shift more than that you will need a more robust system.

Serial Generator

Code:

;Return a random number in a specified range
Procedure RandomFromRange(Maximum.l, Minimum.l)
	ProcedureReturn Maximum - Random(Maximum - Minimum)
EndProcedure


CreateFile(1, "Serial Numbers.txt")
	For x = 1 To 1000
		For y = 1 To 4
			Serial.s + Chr(RandomFromRange(90, 65))
		Next y
		Serial + "-"
		For y = 1 To 4
			Serial.s + Chr(RandomFromRange(90, 65))
		Next y
		Serial + "-"
		For y = 1 To 4
			Serial.s + Chr(RandomFromRange(90, 65))
		Next y
		Serial + "-"
		For y = 1 To 4
			Serial.s + Chr(RandomFromRange(90, 65))
		Next y
		WriteStringN(1, Serial)
		Serial = ""
	Next x
CloseFile(1)

Convert to hashes

Code:

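x.l = 0 ;index of the next array slot to write
ReadFile(1, "Serial Numbers.txt") ;serial list produced by the generator above
	CreateFile(2, "Serial MD5s.pbi") ;include file that gets compiled into the app
		WriteStringN(2, "Dim ValidCodes.s(999)")
		Repeat
			String.s = ReadString(1)
			
			;emit one line per serial: ValidCodes(x) = "<MD5 hex digest of the serial>"
			WriteStringN(2, "ValidCodes("+Str(x)+") = " + Chr(34) + MD5Fingerprint(@String, Len(String)) + Chr(34))
			x+1
		Until Loc(1) = Lof(1) ;stop once the read position reaches the end of the file
	CloseFile(2)
CloseFile(1)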

Posted: Thu Oct 30, 2008 9:27 pm
by milan1612
Okay, I put together a little serial number system based on the cross sum
criteria I mentioned above. As I use random digits it could well be that my procedure
creates the same serial number twice, my code does not guarantee unique serials!

Code:

EnableExplicit

Procedure.s CreateSN(CrossSum.l)
  Protected Dim Fields.s(4), i.l, j.l, Temp.s, Digit.l, Cross.l
  While Cross <> CrossSum
    Cross = 0
    For i = 0 To 4
      For j = 0 To 4
        Digit = Random(9)
        Temp + Str(Digit)
        Cross + Digit
      Next
      Fields(i) = Temp
      Temp = ""
    Next
  Wend
  ProcedureReturn Fields(0)+"-"+Fields(1)+"-"+Fields(2)+"-"+Fields(3)+"-"+Fields(4)
EndProcedure

Procedure CheckSN(SN.s, CrossSum.l)
  Protected *C.Character = @SN, Cross.l
  While *C\c
    Select *C\c
      Case '-' ;do nothing
      Case '0' To '9'
        Cross + Val(Chr(*C\c))
      Default
        ProcedureReturn 0
    EndSelect
    *C + SizeOf(Character)
  Wend
  If Cross = CrossSum
    ProcedureReturn 1
  EndIf
EndProcedure


;You can freely choose your desired "magic" cross sum - but it should be between ~100 to ~200!
Define t, sn.s
For t = 1 To 50
  sn = CreateSN(140)
  Debug sn
  Debug CheckSN(sn, 140)
  Debug ""
Next
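
Added example, not part of any post in this thread: a Python calculation of how often a randomly typed serial passes the cross-sum check above (25 digits, magic sum 140) compared with Kale's list of 1000 issued serials of 16 letters. The function names are made up for this illustration.

```python
from fractions import Fraction


def count_digit_strings(n_digits, target_sum):
    """Number of n-digit strings (digits 0-9) whose digits add up to target_sum."""
    if target_sum < 0 or target_sum > 9 * n_digits:
        return 0
    # ways[s] = how many strings built so far have digit sum s
    ways = [1] + [0] * (9 * n_digits)
    for _ in range(n_digits):
        nxt = [0] * len(ways)
        for s, w in enumerate(ways):
            if w:
                for d in range(10):
                    nxt[s + d] += w
        ways = nxt
    return ways[target_sum]


def cross_sum_acceptance(n_digits=25, magic_sum=140):
    """Chance that a uniformly random digit string passes a CheckSN-style test."""
    return Fraction(count_digit_strings(n_digits, magic_sum), 10 ** n_digits)


def hash_list_acceptance(valid_serials=1000, alphabet=26, length=16):
    """Chance that a random serial is one of the issued ones in a hash list."""
    return Fraction(valid_serials, alphabet ** length)


def expected_guesses(acceptance):
    """Average number of random tries before one is accepted."""
    return float(1 / acceptance)


if __name__ == "__main__":
    cs, hl = cross_sum_acceptance(), hash_list_acceptance()
    print(f"cross sum 140: about 1 in {expected_guesses(cs):,.0f} random strings pass")
    print(f"hash list:     about 1 in {expected_guesses(hl):.2e} random serials pass")
```

The cross-sum check accepts a few random inputs in every thousand, while the hash list accepts only the serials that were actually issued.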

Posted: Fri Oct 31, 2008 12:13 am
by PB
> If there's a match, you know it's genuine

But this is where the crackers "crack" your app; they just code out the check
so that any serial works without being tested. You should therefore check the
integrity of the exe to ensure it hasn't been modified, but even that isn't safe
from being cracked too.

Bottom line: anything that is checked, can be altered NOT to be checked. :(

So in the end, what you have is either a keygen in the wild, or a crack in the
wild. It all depends which one you prefer. I suppose a keygen is better as it
can be made useless with updates to your app, as you mentioned. But that
still won't stop someone distributing X version of your app with Y keygen.

Posted: Fri Oct 31, 2008 12:20 am
by Tipperton
ts-soft wrote:Like 7 on old ms products :mrgreen:
Yup, the old MS CD-Keys that looked like this: 123-1234567 only needed the last seven digits to add up to a multiple of seven (7, 14, 21, 28, etc.) for it to work. FWIW: The first three numbers were used to determine the region it was supposed to be sold in.
Kale wrote:If you ever feel like any serials are doing the rounds on any various warez site just run your serial generating program again and recompile your app and it now has 1000 new serials and the old ones won't work with your newly compiled exe.
A better approach here would be to find the serial number that's being passed around and replace its hash in the array with a new one.

That way the serial being passed around won't work any more but all the others will for all your other customers, otherwise you'd have to issue a new serial number to all your customers. Ugh!
PB wrote:I suppose a keygen is better as it can be made useless with updates to your app, as you mentioned. But that still won't stop someone distributing X version of your app with Y keygen.
A crack is actually better. They are usually distributed as a patch (especially if the original file is large) which can easily be defeated by rearranging some of the functions in your source code and re-releasing.

Keygens are only easy to defeat if you know about them.

You don't have to know about a crack to defeat it, simply releasing a new version takes care of them.
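
Added example, not from any poster: a Python version of Kale's embedded hash table with Tipperton's fix of overwriting only the leaked serial's slot. It swaps in SHA-256 and the `secrets` generator for the MD5 and `Random()` calls in the posted PureBasic, and all function names are hypothetical.

```python
import hashlib
import secrets
import string


def new_serial(groups=4, group_len=4):
    """Random serial shaped like Kale's: four groups of four letters A-Z."""
    return "-".join(
        "".join(secrets.choice(string.ascii_uppercase) for _ in range(group_len))
        for _ in range(groups)
    )


def digest(serial):
    # Normalise what the user typed, then hash; only digests ship in the app.
    return hashlib.sha256(serial.strip().upper().encode("utf-8")).hexdigest()


def build_release(count=1000):
    """Vendor side: the issued serials (kept private) and the table to embed."""
    issued = set()
    while len(issued) < count:
        issued.add(new_serial())
    issued = sorted(issued)
    return issued, [digest(s) for s in issued]


def is_valid(entered, table):
    """App side: accept only serials whose digest is in the embedded table."""
    return digest(entered) in table


def replace_leaked(leaked, table):
    """Overwrite the leaked serial's slot with the digest of a fresh serial."""
    slot = table.index(digest(leaked))  # ValueError if it was never issued
    fresh = new_serial()
    while digest(fresh) in table:
        fresh = new_serial()
    table[slot] = digest(fresh)
    return fresh


if __name__ == "__main__":
    issued, table = build_release(5)
    fresh = replace_leaked(issued[0], table)
    print(is_valid(issued[0], table), is_valid(issued[1], table), is_valid(fresh, table))
```

Only builds compiled with the updated table reject the leaked serial; copies of the earlier build still accept it.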

Posted: Fri Oct 31, 2008 1:13 am
by Kale
PB wrote:> If there's a match, you know it's genuine But this is where the crackers "crack" your app; they just code out the check so that any serial works without being tested.
Yes, that's why I said 'This form can still be cracked by a competent cracker', they just NOP out the check. All protection will and can be cracked, I just make sure no casual copying takes place and that's ok for me.

Posted: Fri Oct 31, 2008 4:43 am
by Rook Zimbabwe
All of you... thanks! Especially Kale and milan1612.

I use a simple string in my program of about 104 characters (no 0's) and take the user name and email, add them together (maybe I reverse them or include a special character in 1-2 or 3 set places and make sure the total number of characters is 16 or 20) then run along the string to create the code... looping over if I go off the end...

This generates a unique serial that I can determine simply by reading registration info... and if the game is passed around it will not work unless the registration info is included so I will know who the customer was and what his email was.

If I sell by paypal I will have that recorded.

I will drop some code here as soon as I finish my current project! :D