My version of a robust License key system (example code)

[Morthawt]

This is an example of a generator and checker program for license keys. It makes all alphabetic keys (6 groups of 5 letters). What is different about this is I paid attention to some documentation on the technology of how "good" serial keys work.

In order to generate a key, you load the generator and type in some customers private and personal info like their name and the date/time of purchase or something, or a customer ID and their name or what ever. So, it uses this unique information and hashes it. Cryptographic process' are done to each character of that initial seed data to create the majority of the key. Then the seed value and the remaining key parts are salt hashed and the first 4 characters of that hash are placed at the end of the code. Then it is broken up into sections using a "-" symbol, eg:

IKCFG-HFSIO-HYBYH-OADHJ-INGVC-DDOBB

The benefit of a system like this is that you don't need to include any license keys with the product, or have lists of anything to check against. The product on the users end checks only certain aspects of the key (so hackers would not be able to make a global hacked keygen for all future versions because you can just alter which sections of the key a new program check and then everyones old keys still work and the keygen fails) and both checks the hash of the seed and key sections to make sure the checksum matches up with the end of the key AND if someone figured that out and made a random key and made a valid checksum thinking that would be enough, the software realises this and warns you that it was a fabricated key.

Currently all the checker does is notify with message boxes but I can now use this template in the future to make a good and solid serial key protection on something.

You will never prevent everything in the world though, I am sure if hackers can crack actually "programmed" software that they could crack autoit in a trivial amount of time and just remove protections depending on how much time you put into obfuscating your code. That being said I think this is pretty cool, secure and convenient since the codes are checked in isolation on the client's PC for validity without needing lists of codes disguised on their computer or anything. It all adds to the security.

Checker just checks and lets you know the status of the key, the generator will copy the individuals code to clipboard after you type in the "customers" details for seed information and click the button. Just paste it in a notepad and you have it then for testing the checker. For each unique "product" you would want all new random values on both the checker and generator where the hash salt is eg $ks[3] = 'NUB%F$Wt6j9' They must be the same on both generator and checker and unique to each program, same with the 'Test program v1.000' string which is salt for the over all checksum part of the code.

Any way, if you want to have a look, here are the files, I welcome any feedback on this design.

Serial Code GeneratorF Final Working!V3.au3

Serial Code CheckerFWorking!V3.au3

[careca]

Good job!

[Morthawt]

Thanks

I am experimenting with other formats for the code such as base64. I made a converter for base64 but its only ascii so I am trying to now make a unicode base64 but its very difficult!

Edited October 30, 2012 by Morthawt

[twitchyliquid64]

How does the end-user application know if it's a valid key or not?

What's to stop an attack from attacking the elements of the key that are checked (and based on obvious information)?

What hash function are you using? Some are really easy to break

[dany]

I am sure if hackers can crack actually "programmed" software that they could crack autoit in a trivial amount of time and just remove protections depending on how much time you put into obfuscating your code.

Exactly, they simply extract the validation function from your code one way or another. Considering this method is pretty much symmetric, they'll have the generate function as well or atleast be able to reverse-engineer it with little effort. Obfuscation certainly helps but when the program is called Photoshop or something other famous they'll eventually figure it out anyway.

I like the idea that only certain aspects are checked and that they can be changed per version but once cracked the cracker knows every valid Case, or in this case guess them easily as they're identical (copypasta). Besides, when it comes to security you don't want to discard information like that because the more bits that need to be valid the better.

Also, hardcoding your salts raw like that makes them kinda redundant.

With that being said and considering it's for AutoIt, I think it's a simple and creative approach and possibly enough for small, cheap programs, especially when combined with obfuscation.

It can be improved or expanded upon very easily too. For instance the start position in each StringMid could also be variable and the bits you're discarding from all the SHA1 hashes can also be put to use (like splitting and summing all bytes together maybe?).

In the Checker some Cases are commented out but you could also pick the Cases at runtime and avoid looping from 1 to 10 because that's really easy to guess. Use the returned bits from _Crypt_HashData($keypart & 'Test program v1.000', $CALG_SHA1) and build or validate the rest of the key from there.

Or even better, make each Case a truly unique (mathematical) procedure.

; Here's a snippet of code:
Global $bHash, $iFlagA, $iFlagB
$bHash = _Crypt_HashData('test key', $CALG_SHA1)
$iFlagA = BitAND(Dec(StringMid($bHash, 3, 2)), 1)
$iFlagB = BitAND(Dec(StringMid($bHash, 5, 2)), 1)
; You now have two flags, set either to 1 or 0, that can be used to further differentiate the resulting serial key.
; You can use them to pick different hashing functions for each Case or maybe reverse the initial seed before using it, etc.

In short, still lots of possibilities to make the whole more complex and secure.

This Old FAQ is old but still well worth the read. Tips, do's and don'ts, some interesting strategies and a few pointers from crackers themselves as well.

[MrVietA2]

Can you give me a exam for type like : xxxx-xxxx-xxxx-xxxx ?

Edited November 2, 2012 by MrVietA2

[Morthawt]

The code would need modifying accordingly but you could generate a 4 group of 4 characters, sure.

How does the end-user application know if it's a valid key or not?

What's to stop an attack from attacking the elements of the key that are checked (and based on obvious information)?

What hash function are you using? Some are really easy to break

That goes for any product. The reason hackers are able to make a key generator for someones's product is because they do exactly that I would assume. They find the parts which are being checked and make valid keys for that version of the product. Then the company realises there are keygens out there and alter which parts of the key sections are checked and now everyones old illegal codes stop working, same with the old key generator. That means the hacker group has to be aware of the new version and find the time to make a whole new keygen from scratch, which benefits companies because I am sure that if someone is desperate enough for the software that they will feel obligated to buy it if they cannot find working key generators anywhere. Either way it is a good thing to be doing partial key checks.

As for the hash, as you can see in the source code I am using SHA1 because thats currently the best autoit has to offer

Edited November 2, 2012 by Morthawt

[Wovenn]

I've been looking for something exactly like this to implement into my latest project! Great Work man!

Now I must ask you, is there anyway I can test this scripts with my project, how can I implement these scripts with my project so that it will open my program once the user has a valid key?

Thanks in advance!

Okay, I've figured it out, sorry for that. But I've got another question.

Would it be possible to make these keys only good for say, 1-3 days, a week, a month?

Edited January 22, 2013 by Wovenn

[Stacker]

Hi Morthawt

On 10/28/2012 at 3:43 AM, Morthawt said:

This is an example of a generator and checker program for license keys. It makes all alphabetic keys (6 groups of 5 letters). What is different about this is I paid attention to some documentation on the technology of how "good" serial keys work.

 

In order to generate a key, you load the generator and type in some customers private and personal info like their name and the date/time of purchase or something, or a customer ID and their name or what ever. So, it uses this unique information and hashes it. Cryptographic process' are done to each character of that initial seed data to create the majority of the key. Then the seed value and the remaining key parts are salt hashed and the first 4 characters of that hash are placed at the end of the code. Then it is broken up into sections using a "-" symbol, eg:

 

IKCFG-HFSIO-HYBYH-OADHJ-INGVC-DDOBB

 

The benefit of a system like this is that you don't need to include any license keys with the product, or have lists of anything to check against. The product on the users end checks only certain aspects of the key (so hackers would not be able to make a global hacked keygen for all future versions because you can just alter which sections of the key a new program check and then everyones old keys still work and the keygen fails) and both checks the hash of the seed and key sections to make sure the checksum matches up with the end of the key AND if someone figured that out and made a random key and made a valid checksum thinking that would be enough, the software realises this and warns you that it was a fabricated key.

 

Currently all the checker does is notify with message boxes but I can now use this template in the future to make a good and solid serial key protection on something.

 

You will never prevent everything in the world though, I am sure if hackers can crack actually "programmed" software that they could crack autoit in a trivial amount of time and just remove protections depending on how much time you put into obfuscating your code. That being said I think this is pretty cool, secure and convenient since the codes are checked in isolation on the client's PC for validity without needing lists of codes disguised on their computer or anything. It all adds to the security.

 

Checker just checks and lets you know the status of the key, the generator will copy the individuals code to clipboard after you type in the "customers" details for seed information and click the button. Just paste it in a notepad and you have it then for testing the checker. For each unique "product" you would want all new random values on both the checker and generator where the hash salt is eg $ks[3] = 'NUB%F$Wt6j9' They must be the same on both generator and checker and unique to each program, same with the 'Test program v1.000' string which is salt for the over all checksum part of the code.

 

Any way, if you want to have a look, here are the files, I welcome any feedback on this design.

Serial Code GeneratorF Final Working!V3.au3

Serial Code CheckerFWorking!V3.au3

Hi, i know this topic is old but i hope someone responds.

I can't understand how key is unique.
i explain.The serial code generator generate key with customer/details etc but all keys generated with different customer/details work with serial code checker.
how can I do so that the key functions only for a specific installation.
My idea is:
user need to compile form (name,company etc) then retrive Hardware ID.
this information is generate "pre-key"
User send this information to me and i generate the key

This key need to work only for that software.

other suggestions are welcome

thanks

 

[youtuber]

If StringMid(_Crypt_HashData($keypart & 'Test program v1.000', $CALG_SHA1), 3, 4) = StringMid($enteredkey, 27, 4) Then

    MsgBox(0, 'Success!', 'This key is a valid and authentic key!')

EndIf

How do I add it regedit and how do I compare it?