The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

Serial Numbers/Registration Keys

I have a product complete minus a round of beta testing, except for a Serial Number/Reg Key system. Does anyone have any good places to start researching algorithms and methods for this?

Thanks.
Soon so very soon
Monday, August 15, 2005
 
 
Aaron F Stanton
Monday, August 15, 2005
 
 
You can also use http://www.plimus.com to process your credit cards.  It is compatible with Armadillo keys in the previous post.

They process the credit cards and also send out the reg keys to the users.
Nick Koranda
Monday, August 15, 2005
 
 
If you really want to roll your own, and are building something with the .net framework, then Open License is available at
http://www.spextreme.com/osp/open_license/
Peter
Monday, August 15, 2005
 
 
Be sure to put the registration key somewhere separate from the CD, like on a little throwaway card, so that when the customer can't find it, he has to buy another copy of the software.
Kyralessa
Monday, August 15, 2005
 
 
Thanks for the info. The Silicon Realms stuff looks good, though not for this project.  It looks to be much more than I need at the moment.

Sigh.  No .net needed, though I'm thinking I might look into adding it just to use this.

I was looking for a little more theory if it is out there.

Kyralessa, even better: since there is no physical media, the only copy of the key they will have is email.  Of course I'm sure I'll get around to setting up a way for the user to request their key again if they lose it.
Soon so very soon
Monday, August 15, 2005
 
 
Sigh.

Another case of Not Invented Here.

Look, I understand you want to roll your own, and that's commendable.  However, it's probably outside your core competence.  It is their core competence.

How much is your time worth per hour?  Let's say that because you're a startup, you're paying yourself a lousy $15/hr.  What you're telling me is that in 20 hours total, half a week, you can write something at least as good as their Professional Edition, or in 10 hours total you can do their Basic Edition.  This includes the support and continual free updates that they provide.  If you are paying yourself more per hour than that, you're telling me that you can do it even faster.

This isn't a programming decision.  It's a business decision.

Seriously.  If you can do at least as well as they have in such a small amount of time, you should consider making a software protection product.

Sure, augment their stuff with a little bit of code of your own, but really take a moment and rationally look at what I'm telling you here.
Aaron F Stanton
Monday, August 15, 2005
 
 
Aaron,

I haven't decided what I'm going to do yet.  It definitely looks like a great product and if some cash that I'm hoping for comes in I'll probably go with the basic edition.  I must admit that the pricing looked remarkably good.

As far as learning some of the theory I just find it an interesting project to play with.  I have a full time job paying the bills, so I have the time to play with this a bit.  Learning stuff like this is why I'm in this business at all.

I do appreciate your advice.
Soon very soon
Tuesday, August 16, 2005
 
 
Ok...As long as it's something you're doing for learning, that's different.  I can well appreciate the joys of an intellectual challenge.  Sorry.

You might want to look up elliptical curve cryptography.  I don't remember exactly why, just that I heard it can be effective if properly implemented.  May not even be relevant, but should at least be interesting.
Aaron F Stanton
Tuesday, August 16, 2005
 
 
This link was in a recent email from codeproject:
http://www.codeproject.com/dotnet/LicenseKeyGeneration.asp
Peter
Tuesday, August 16, 2005
 
 
The only hitch is that while NIH is bad, AlreadyCracked makes InventedElsewhere a bad plan.

Also, generating unique keys is pretty easy (public key encryption is your friend, and there's plenty of suitable libraries already available so complete NIH isn't necessary) but writing code that can't be easily patched by a halfway decent hacker is hard - and a perfect key generator system InventedElsewhere is irrelevant if changing one byte in the executable converts if( keyValid() ) {...} into if( !keyValid() ) {...} thus making only invalid keys let the application work.  ;)

And the educational value is important - even with a system invented elsewhere that's usable, it's virtually certain that using it effectively will require more than just a few API calls, so knowing what doesn't work will be important.

Tuesday, August 16, 2005
 
 
If you want to get an idea of how folks break serial schemes and registration schemes, google FRAVIA. The person who used that nickname used to host a lot of pages about reverse engineering. His site, like a lot of others, was taken down in early 2000 during a very large FBI/worldwide operation that shut down most of the visible hacking sites. There are a lot of mirrors of the stuff he wrote from 95-99.

Careful reading of it will show you that you can't stop crackers, you can only slow them down. What you can do as a side effect of trying to keep the crackers out is to piss off all your legitimate customers (the ones who pay your bills).

The only time I've used dongles was for beta software that was being written for a client. I painted sets of dongles: blue, green, red, pink. Each beta version would use a different color dongle. When the software went into production, the dongle-code was removed. This way, version control of the beta product could ensure that when version 0.8 came out, no one could be using versions 0.6 or 0.7 since those dongles were gathered up. When the software was the released version, it would work anywhere, but the beta version would need a dongle to work. It was moderately expensive, but it was the only way of resolving version control in that environment (where folks would share floppies as much as they did). Yes, they had a *lot* of problems when email viruses became popular.

It is sad to say that the most helpful resources for debugging your own installshield scripts are almost always cracker sites. On second thought, I think everyone who's made non-trivial installshield packages would say something similar.

Our advice is to "avoid rolling your own protection code." Since you appear determined to do-it-yourself, about all we can do is point you at places where you can learn *why* we are giving you the particular advice we are. It *will* be an expensive lesson for you, but you are determined to go through with it. Good luck.
Peter
Tuesday, August 16, 2005
 
 
Personally, I kinda feel that this whole issue is a hiding-to-nothing - if someone wants to hack-off your product, they will, one way or another. My products use a stupidly-simple key, and yer, there are probably a few people using them with a hacked-off key who might otherwise have bought, but most of them wouldn't have bought anyway, so it is no big deal.

Anyways, copied keys are more of a problem than cracked ones, and addressing that issue (without really annoying your honest customers) is even harder.

One other point - having a widely cracked'n'hacked key system doesn't seem to have done WinZip any harm.
Syd Egan
Wednesday, August 17, 2005
 
 
Your best defence is to keep improving your product and changing the key.

Here's some practical advice on how to set up a simple key system. Read it all - it's not too complicated.

http://membres.lycos.fr/pc1/pc1.html

Google "encrypted dll" for reverse engineering forums; some of the effort these kids put in to busting your locks will make your hair stand up.

And search this board. It's been discussed before.
trollop
Wednesday, August 17, 2005
 
 
Thanks for all the info everyone.  Syd: I am kind of on your line of thinking on this one.  I just want to keep the nearly honest honest.  As for sharing of keys, I think I've got something to deal with the old guilt by displaying company name (which is encrypted in a license file) in the title bar trick.

I almost want a Reg Key just so the software looks professional as everyone expects an installer to ask.
Soon very soon
Wednesday, August 17, 2005
 
 
THAT'S the spirit :-) Munge the client and organisation names together with a licence serial number into the issued key.

+1 on marking the app and all reports / files with the client's name.
trollop
Wednesday, August 17, 2005
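
The scheme suggested in the post above, folding the client name, organisation and licence serial number into the issued key, shown as an added example (not code from the thread or from any product named in it). It uses a truncated HMAC, which is symmetric, so whatever checks the key must hold the same secret; the secret, field layout and function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import unicodedata

# Constructed demo secret (assumption); a real one is random and kept private.
VENDOR_SECRET = b"constructed-demo-secret-not-for-production"
TAG_BYTES = 10  # 80-bit truncated MAC keeps the key short enough to type


def _canonical(text: str) -> bytes:
    """Normalise so 'ACME  Ltd ' and 'acme ltd' bind to the same key."""
    text = unicodedata.normalize("NFKC", text)
    return " ".join(text.split()).casefold().encode("utf-8")


def _tag(name: str, org: str, serial: int) -> bytes:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(
        len(part).to_bytes(2, "big") + part
        for part in (_canonical(name), _canonical(org), serial.to_bytes(4, "big"))
    )
    return hmac.new(VENDOR_SECRET, msg, hashlib.sha256).digest()[:TAG_BYTES]


def issue_key(name: str, org: str, serial: int) -> str:
    """Vendor side: key = base32(serial || tag), printed in groups of five."""
    raw = serial.to_bytes(4, "big") + _tag(name, org, serial)
    text = base64.b32encode(raw).decode("ascii").rstrip("=")
    return "-".join(text[i:i + 5] for i in range(0, len(text), 5))


def verify_key(name: str, org: str, key: str):
    """Return the serial if the key was issued to this name/org, else None."""
    text = key.replace("-", "").replace(" ", "").upper()
    text += "=" * (-len(text) % 8)  # restore the padding stripped at issue
    try:
        raw = base64.b32decode(text)
    except (ValueError, TypeError):
        return None
    if len(raw) != 4 + TAG_BYTES:
        return None
    serial = int.from_bytes(raw[:4], "big")
    if not hmac.compare_digest(raw[4:], _tag(name, org, serial)):
        return None
    return serial
```

Because the key only verifies against the name and organisation it was issued to, a shared key carries the original licensee's identity with it, and the embedded serial lets the vendor look up which issued licence it was.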
 
 
Make it as easy as possible for them to give them their money.  Remove all possible obstacles.
Aaron F Stanton
Thursday, August 18, 2005
 
 
"to give them their money."

should be

"to give you their money."
Aaron F Stanton
Thursday, August 18, 2005
 
 

This topic is archived. No further replies will be accepted.
