Re: Securing my app with serial number



Hi Andrew,

Here's (approximately) how I do it, with some pseudo-code.

The app has two passwords hard-coded into it, we'll call them A and B.
When the program is installed, it generates a string:

Left(CDriveSerialNo() & "|" & Rnd(1) & "12345678901234567890", 20)
' Left, not Right: the string ends with exactly 20 fixed digits, so
' Right(..., 20) would return only that padding and drop the serial and
' random value. Left keeps serial|random and pads it out to 20 chars.

It then encrypts that string with password A, converts it to a hex
string, and stores it in the registry as a challenge code. When the
user wants to register, the software displays that code, which has to
be sent to me.

I then de-hex and decrypt the string, re-encrypt with password B and
re-hex, and send that string as an unlock code to the user. The
program stores that string in the registry as well. At any time, it
can de-hex and decrypt the strings with the appropriate passwords and
compare; if the strings match, the program is registered.

I can also insert some extra data at the beginning of the unlock code
prior to re-encrypting it, which the program can use as flags for which
features to unlock:

If DecryptedChallenge = Right(DecryptedUnlock, 20) Then
    Registered = True
    ' everything before the 20-char challenge is the flag data
    UnlockFlags = Left(DecryptedUnlock, Len(DecryptedUnlock) - 20)
End If

If the user later contacts me saying they need to reinstall the
software, they have to tell me why. I keep their last keycode on file
so I can determine the drive serial number, which gives me at least a
little information to verify their story and determine whether this is
a legitimate reinstallation or not.

This isn't the most secure method in the world, but it works for me. I
have a small userbase of technically-challenged people, and little
demand for this application outside a tiny niche.

One obvious step in improving the security of this is to obfuscate the
hard-coded passwords A and B, so they do not appear in plain-text in
your program when viewed in a hex editor.

Beyond that, there are many methods to foil a cracker, and many methods
crackers have to foil you. Google is your friend for techniques, as
well as commercial protection packages that implement these techniques
for you. I'm afraid I don't have links/names handy, or experience with
any of these packages.

Hope this helps!
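The challenge/unlock exchange described in the post above, worked end to end, as an added example that is not the poster's code. The post names no cipher, so this uses an HMAC-SHA256 keystream in counter mode (a standard-library stand-in) with a 12-byte nonce prepended to each ciphertext; KEY_A and KEY_B are hypothetical values for the two hard-coded passwords, and the drive serial and flag strings are constructed sample input. The challenge keeps the first 20 characters of serial|random|padding, so the serial survives for the vendor to look up later.

```python
"""Challenge / unlock-code scheme: client and vendor sides (added example).

Assumptions, none of which come from the post:
  - KEY_A / KEY_B are hypothetical stand-ins for the hard-coded passwords.
  - Cipher: HMAC-SHA256 keystream in counter mode, nonce || ciphertext.
  - The challenge is Left(serial & "|" & rnd & padding, 20).
"""
import hashlib
import hmac
import os
import secrets

KEY_A = b"hypothetical-password-A"   # hard-coded in the shipped program
KEY_B = b"hypothetical-password-B"   # also hard-coded in the shipped program
NONCE_LEN = 12
PAD = "12345678901234567890"
CHAL_LEN = 20


def _keystream(key, nonce, length):
    """Concatenate HMAC(key, nonce || counter) blocks up to `length` bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext, nonce=None):
    """Return nonce || (plaintext XOR keystream); nonce=None draws a fresh one."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key, blob):
    """Inverse of encrypt(): split off the nonce and XOR the keystream back."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# --- client side: runs inside the installed program -----------------------

def make_challenge(drive_serial, rnd=None):
    """serial|random padded with fixed digits and cut to 20 characters."""
    if rnd is None:
        rnd = secrets.randbelow(10**7) / 10**7
    return (f"{drive_serial}|{rnd}" + PAD)[:CHAL_LEN]


def challenge_code(drive_serial, rnd=None, nonce=None):
    """Hex of the challenge encrypted under A; stored in the registry, sent to vendor."""
    return encrypt(KEY_A, make_challenge(drive_serial, rnd).encode(), nonce).hex()


def check_registration(challenge_hex, unlock_hex):
    """(registered, flags): decrypt both strings and compare the last 20 bytes."""
    try:
        dc = decrypt(KEY_A, bytes.fromhex(challenge_hex))
        du = decrypt(KEY_B, bytes.fromhex(unlock_hex))
    except ValueError:              # not valid hex: treat as unregistered
        return False, ""
    if len(du) < CHAL_LEN or du[-CHAL_LEN:] != dc:
        return False, ""
    # everything before the 20-byte challenge is the vendor's flag data
    return True, du[:-CHAL_LEN].decode("ascii", errors="replace")


# --- vendor side ----------------------------------------------------------

def unlock_code(challenge_hex, flags="", nonce=None):
    """De-hex, decrypt with A, prepend flags, re-encrypt with B, re-hex."""
    plain = decrypt(KEY_A, bytes.fromhex(challenge_hex))
    return encrypt(KEY_B, flags.encode() + plain, nonce).hex()


def serial_from_challenge(challenge_hex):
    """What the vendor can recover from a keycode kept on file (text before '|')."""
    plain = decrypt(KEY_A, bytes.fromhex(challenge_hex)).decode("ascii", errors="replace")
    return plain.split("|", 1)[0]


if __name__ == "__main__":
    ch = challenge_code("1C8B-2A3F", rnd=0.5)          # constructed sample serial
    unlock = unlock_code(ch, flags="PRO")
    print(check_registration(ch, unlock))               # (True, 'PRO')
    print(serial_from_challenge(ch))                    # 1C8B-2A3F
```

The check is a plaintext comparison after decrypting under two keys, so nothing in it depends on the vendor holding something the client does not: `unlock_code()` only needs KEY_A and KEY_B, and both are in the shipped binary. That is exactly why the post recommends obfuscating A and B; anyone who pulls them out of the executable can run the vendor half of this script and issue their own unlock codes with any flags they like.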
