- My understanding of Delphi is very limited: in fact I’ve never seen any Delphi code before, and the port is entirely based on searching the Language Reference and a bit of common sense.
- As a translation to a different language, mine is a pretty literal one. I’ve also avoided ES5 / ES6 features on purpose: I wanted the code to run on the Photoshop ExtendScript interpreter (which is very unfortunately stuck on ES3).
Brandon Staggs’ original Introduction
Most micro-ISVs [Independent Software Vendors] use a serial number/registration code system to allow end users to unlock or activate their purchase. The problem most of us have run into is that a few days or weeks after our software is released, someone has developed a keygen, a crack, or has leaked a serial number across the internet. There are several possible solutions to this problem. You could license a system like Armadillo/Software Passport or ASProtect, or you could distribute a separate full version as a download for your paying customers. Each option has advantages and disadvantages. What I am going to show you is a way to keep “rolling your own” license key system while making working cracks harder for crackers to produce, and working keygens a thing of the past.

Aside: If you think it’s crazy to post this publicly where crackers can see it, don’t worry about that. I’m not posting anything they haven’t seen before. The entire point of partial key verification is that your code never includes enough information to reverse engineer a key generation algorithm. Also, I offer no warranty of any kind — this is for your information only!

Now, on with things. Our license key system must meet some basic requirements.
- License keys must be easy enough to type in.
- We must be able to blacklist (revoke) a license key in the case of chargebacks or purchases with stolen credit cards.
- No “phoning home” to test keys. Although this practice is becoming more and more prevalent, I still do not appreciate it as a user, so will not ask my users to put up with it.
- It should not be possible for a cracker to disassemble our released application and produce a working “keygen” from it. This means that our application will not fully test a key for verification. Only some of the key is to be tested. Further, each release of the application should test a different portion of the key, so that a phony key based on an earlier release will not work on a later release of our software.
- Important: it should not be possible for a legitimate user to accidentally type in an invalid key that will appear to work but fail on a future version due to a typographical error.
The solution is called a Partial Key Verification System because your software never tests the full key. Since your application does not include the code to test every portion of the key, it is impossible for a cracker to build a working valid key generator just by disassembling your executable code.

This system is not a way to prevent cracks entirely. It will still be possible for a cracker to edit your executable to jump over verification code. But such cracks only work on one specific release, and I’ll suggest a couple of tricks to make their job harder to complete successfully. […]

[Quoted with permission]
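The requirements listed in the quoted introduction, as an added sketch in ES3-style JavaScript. It is neither Brandon Staggs' code nor this port: the key layout, the mixing function, the checksum, the parameter triples and every function name are constructed for illustration.

```javascript
// Added illustration; key layout, constants and function names are all hypothetical.
// Key = 8 hex digits of seed + four 2-digit key bytes + 4-digit checksum, grouped by 4.
var VENDOR_PARAMS = [[24, 3, 200], [10, 0, 56], [1, 2, 91], [7, 1, 100]]; // never shipped in full
var RELEASE_1 = { index: 0, params: [24, 3, 200] }; // release 1 ships only this triple
var RELEASE_2 = { index: 1, params: [10, 0, 56] };  // release 2 tests a different byte

function hex(n, width) {
  var s = (n >>> 0).toString(16).toUpperCase();
  while (s.length < width) { s = "0" + s; }
  return s;
}
// Toy mixing function: derives one key byte from the seed and one parameter triple.
function keyByte(seed, p) {
  return ((seed >>> (p[0] % 25)) ^ (seed >>> (p[1] % 3)) ^ p[2]) & 0xFF;
}
// Fletcher-style 16-bit checksum over the key body, so typos fail in every release.
function checksum(body) {
  var a = 0x56, b = 0xAF, i;
  for (i = 0; i < body.length; i++) {
    a = (a + body.charCodeAt(i)) % 255;
    b = (b + a) % 255;
  }
  return hex((b << 8) | a, 4);
}
// Appends the checksum and groups the 20 digits as XXXX-XXXX-XXXX-XXXX-XXXX.
function seal(body) { return (body + checksum(body)).match(/.{4}/g).join("-"); }
// Vendor side only: computes every key byte.
function makeKey(seed) {
  var body = hex(seed, 8), i;
  for (i = 0; i < VENDOR_PARAMS.length; i++) { body += hex(keyByte(seed, VENDOR_PARAMS[i]), 2); }
  return seal(body);
}
// Shipped side: checksum, blacklist, then ONE key byte (release.index).
function checkKey(key, release, blacklist) {
  var raw = String(key).replace(/-/g, "").toUpperCase(), i;
  if (!/^[0-9A-F]{20}$/.test(raw)) { return "INVALID"; }
  if (checksum(raw.slice(0, 16)) !== raw.slice(16)) { return "INVALID"; } // typo guard
  for (i = 0; i < blacklist.length; i++) {
    if (raw.slice(0, 8) === blacklist[i]) { return "BLACKLISTED"; } // revoked seed
  }
  var seed = parseInt(raw.slice(0, 8), 16);
  var got = parseInt(raw.substr(8 + 2 * release.index, 2), 16);
  return got === keyByte(seed, release.params) ? "GOOD" : "PHONY";
}
// Test fixture: a key built from what a single release contains (one byte right, rest zero).
function keyKnowingOnly(seed, release) {
  var bytes = ["00", "00", "00", "00"];
  bytes[release.index] = hex(keyByte(seed, release.params), 2);
  return seal(hex(seed, 8) + bytes.join(""));
}
```

A key from `keyKnowingOnly(seed, RELEASE_1)` is accepted by `RELEASE_1` and rejected as `"PHONY"` by `RELEASE_2`, while a vendor key from `makeKey` passes both.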
- Brandon Staggs: Implementing Partial Serial Number Verification System.
- Patrick McKenzie: Everything You Need To Know About Registration Systems.
- Allan Odgaard [TextMate developer]: OpenSSL for License Keys.
- Chris Thornton: Keygens, Protection, Encryption Panel Software Protection Methods slides.
- The Business of Software community.
- GitHub’s JS encryption-related repos: crypto-js, forge, jsencrypt (RSA), base32-js.
- YouTube: RSA Encryption Algorithm.
- Dan Vanderkam: Arbitrary precision Hex <-> Dec converter.
- MDN: Bitwise Operators.
- Delphi Basics Reference Language.
- JS Minifier (use “Conservative” then strip newlines - aggressive minifiers will break ExtendScript code, see this article)
Hope this helps! Thanks for reading and if you feel dandy there’s always that yellow “Donate” button in the top-left corner :-)
I would like to thank Brandon Staggs for the kind permission of quoting his original article - pay a visit to his blog and the StudyLamp Software LLC website.