Re: Securing my app with serial number



Hi Andrew,

Here's (approximately) how I do it, with some pseudo-code.

The app has two passwords hard-coded into it, we'll call them A and B.
When the program is installed, it generates a string:

Right(CDriveSerialNo() & "|" & Rnd(1) & "12345678901234567890", 20)

It then encrypts that string with password A, converts it to a hex
string, and stores it in the registry as a challenge code. When the
user wants to register, the software displays that code, which has to
be sent to me.

I then de-hex and decrypt the string, re-encrypt with password B and
re-hex, and send that string as an unlock code to the user. The
program stores that string in the registry as well. At any time, it
can de-hex and decrypt the strings with the appropriate passwords and
compare; if the strings match, the program is registered.

I can also insert some extra data into the beginning of the unlock code
prior to re-encrypting it, which the program can use as flags on what
features to unlock:

If DecryptedChallenge = Right(DecryptedUnlock, 20) Then
    Registered = True
    UnlockFlags = Left(DecryptedUnlock, Len(DecryptedUnlock) - 20)
End If

If the user later contacts me saying they need to reinstall the
software, they have to tell me why. I keep their last keycode on file
so I can determine the drive serial number, which gives me at least a
little information to verify their story and determine whether this is
a legitimate reinstallation or not.

This isn't the most secure method in the world, but it works for me. I
have a small userbase of technically-challenged people, and little
demand for this application outside a tiny niche.

One obvious step in improving the security of this is to obfuscate the
hard-coded passwords A and B, so they do not appear in plain text in
your program when viewed in a hex editor.

Beyond that, there are many methods to foil a cracker, and many methods
crackers have to foil you. Google is your friend for techniques, as
well as commercial protection packages that implement these techniques
for you. I'm afraid I don't have links/names handy, or experience with
any of these packages.

Hope this helps!

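The challenge/unlock scheme described in the post, modelled end to end in Python as an added example (this is not the poster's code; the two passwords, the drive serial, the key-derivation salt and the SHA-256 counter-mode toy cipher with an HMAC tag are all constructed stand-ins for whatever the real VB program uses). One assumption about the install string: the example pads from the left so that the drive serial and random value are retained inside the 20 characters, which is my reading of the intent, since a 20-character filler placed on the right is all that Right(..., 20) would keep. The HMAC tag is also an addition: it makes a truncated, mistyped or edited code fail cleanly instead of decrypting to garbage.

```python
"""Model of the challenge/unlock registration scheme described in the post.

Constructed demonstration: passwords, serial, salt and cipher are stand-ins.
"""
import hashlib
import hmac
import os
from typing import Tuple

# Hypothetical hard-coded passwords A and B. In the real product they ship
# inside the binary, which is why the post recommends obfuscating them.
PASSWORD_A = b"constructed-password-A"
PASSWORD_B = b"constructed-password-B"

CHALLENGE_LEN = 20
PADDING = "12345678901234567890"   # filler string from the post
NONCE_LEN = 8
TAG_LEN = 16


def make_challenge_string(drive_serial: str, rnd: float) -> str:
    """Build the 20-character install string from serial, random value and filler.

    Assumption: the filler pads on the left so the serial and random value
    survive the Right(..., 20) cut; if serial|rnd exceeds 20 characters the
    leading characters of the serial are dropped.
    """
    body = f"{drive_serial}|{rnd:.7f}"
    return (PADDING + body)[-CHALLENGE_LEN:]


def _derive_key(password: bytes) -> bytes:
    # Fixed salt: vendor and client must derive identical keys from A and B.
    return hashlib.pbkdf2_hmac("sha256", password, b"demo-license-salt", 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy SHA-256 counter-mode keystream standing in for the post's cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(password: bytes, plaintext: str) -> bytes:
    """Return nonce || ciphertext || HMAC tag."""
    key = _derive_key(password)
    nonce = os.urandom(NONCE_LEN)
    data = plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def decrypt(password: bytes, blob: bytes) -> str:
    """Inverse of encrypt; raises ValueError on a truncated or tampered blob
    or on the wrong password (the tag does not verify)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    key = _derive_key(password)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch")
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return plain.decode("utf-8")


def client_install(drive_serial: str, rnd: float) -> str:
    """Install time: encrypt the challenge string with A and hex it (the registry value)."""
    return encrypt(PASSWORD_A, make_challenge_string(drive_serial, rnd)).hex()


def vendor_issue_unlock(challenge_hex: str, flags: str = "") -> str:
    """Vendor side: de-hex, decrypt with A, prepend feature flags, re-encrypt with B, re-hex."""
    challenge = decrypt(PASSWORD_A, bytes.fromhex(challenge_hex))
    return encrypt(PASSWORD_B, flags + challenge).hex()


def client_check_registration(challenge_hex: str, unlock_hex: str) -> Tuple[bool, str]:
    """Client side: the If/Then block from the post. Returns (registered, flags)."""
    try:
        decrypted_challenge = decrypt(PASSWORD_A, bytes.fromhex(challenge_hex))
        decrypted_unlock = decrypt(PASSWORD_B, bytes.fromhex(unlock_hex))
    except ValueError:            # bad hex, truncated blob, tampered or foreign code
        return False, ""
    if decrypted_challenge == decrypted_unlock[-CHALLENGE_LEN:]:
        return True, decrypted_unlock[:-CHALLENGE_LEN]
    return False, ""


if __name__ == "__main__":
    challenge = client_install("1A2B-3C4D", 0.7055475)   # constructed serial
    unlock = vendor_issue_unlock(challenge, "PRO")
    print(client_check_registration(challenge, unlock))   # (True, 'PRO')
```

The client check compares the two decrypted strings, so both A and B necessarily ship inside the program; the scheme's strength is bounded by how well those two constants are hidden, which is exactly the limit the post acknowledges and the reason its obfuscation advice matters. Keeping the vendor's copy of each issued challenge, as the post describes, is what lets a reinstall request be checked against the serial that was originally enrolled.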


