Serial number generators
What are they for?
Apart from VMProtect, other software can generate serial numbers too. This is necessary to automate sending serial numbers. A customer purchases the product, an e-commerce agent sends an HTTP query to the website of the vendor, the generator runs on the server and produces a serial number based on customer’s data. The serial number is sent to the customer and to the vendor. The vendor then adds the serial to VMProtect manually using the import license dialog.
How it works
The licensing system of VMProtect is based on asymmetric algorithms, that is why a secret product key is required to generate a serial number. You can export this key in the project properties window and pass it to the generator in any suitable way.
The generator is called by the e-commerce agent using an HTTP query. A PHP generator can be called directly, a DLL-based generator – indirectly, but the principle is the same:
- Receive user data from the e-commerce agent
- Add all required information specified by the vendor
- Generate a serial number
- Encrypt it with one of algorithms
- Send the result to the e-commerce agent
Are there any existing generators?
The licensing system comes with three ready to use serial number generators as DLL, for the .Net platform and on PHP.
Can I make my own generator?
Yes, you can. The format of the serial number is here, serial number encryption algorithms are described here.
Is it safe?
Generally, yes, this is safe. However, you should follow these recommendations:
- Use HTTPS – if your e-commerce provider can send HTTPS queries, and your web hosting provider can answer such requests – you should prefer this variant over the typical HTTP, because in this case all data are transmitted in the encrypted form and the generated serial number cannot be intercepted.
- “Hide” your generator – make sure no one can open the generator occasionally. The www.site.com/keygen.php address is a bad idea. While www.site.com/abc123.php is much better. Make sure you do not put any external links to the key generator, it isn’t listed in website directories, and don’t put it into any service file like robot.txt. The less is known about the location of the generator, the better. Optionally, you can even place the generator on another website.
- Make sure it is the e-commerce agent who calls the generator – the program processing queries from the agent should check the IP address of the caller. E-commerce providers usually publish the IP-range the use to query serial number generators. Find that list at your agent and add a check to the program. If IP address sending a query lies beyond the specified IP range, do not produce comprehensible error messages. Either do not return anything or produce a simple 404. Do not give any clues to why the query has failed.
- Check input parameters – product settings in the e-commerce agent’s control panel usually allow you to specify a query string the agent should make to receive a license. For instance, you want to receive user name, e-mail address, date of purchase and the order id. So make sure all these parameters are passed and all of them have the correct format. Do not produce any response to erroneous queries. Send a message to your own e-mail whenever an erroneous query to the generator is made. This should help to investigate the issue.
- Add a “password” specify an additional parameter in the query sent by the e-commerce agent, a password. It should have an non-obvious name and value. Check this parameter from the receiving side. If the value is wrong, or the parameter is not specified – do not generate a serial number.