
GorillaPaws

macrumors 6502a
Oct 26, 2003
932
8
Richmond, VA
Thanks, but AquaticPrime is really easy to crack. Any other tip please?

If you're getting cracked then that means your app is generating enough buzz to interest the crackers. That would mean you're making a lot of money, and things are going well, which is a good thing. There are strategies to take after your app has been cracked, but as long as the crackers don't have the ability to generate valid serial numbers then you should be OK.

Almost every article/post/email/etc. that I've read on this subject suggests that you're better off not trying to out-do the crackers because they enjoy playing this game; meanwhile, every hour you dedicate to your protection scheme is one less you've spent improving your product (which will undoubtedly be a better return on your time).
 

chown33

Moderator
Staff member
Aug 9, 2009
10,755
8,445
A sea of green
Unfortunately, 0. I would like to be able to write an algorithm myself.

This doesn't add up. You have no experience in writing license-enforcement code, yet you hope to develop such code and have it be uncrackable.

I suggest that you start by getting the source to AquaticPrime, analyzing how and why it's crackable, then figuring out how to remedy that for AquaticPrime. If you can't do that, then it's almost certain you won't be able to develop your own code from scratch and have it be uncrackable.

If it were an easy problem to solve, then someone would have solved it, and AquaticPrime would be uncrackable (or at least a lot stronger than it is). The fact that AquaticPrime remains crackable suggests it's not easy to solve, or that the solution may be worth more to the solver than the zero you're willing to pay.
 

fernandovalente

macrumors 6502
Original poster
Well, this is now exactly what I'm looking for. I would like to be able to generate serial numbers, not files that will validate my apps. Any other tip? I read about seeding a random number, then converting it to letters. Any tip on how I can do that?

Thanks in advance
 

skunkworker

macrumors regular
Sep 9, 2007
182
20
Well, one option I have seen in password databases is to use a SHA-1 hash of different values combined with some salts.
For example:

name: John Smith
organization: Smith Enterprises
email: johnsmith@example.com

hash(name + organization + email + salt) and then turn that into hexadecimal or whatever.
Now you have some way of verifying the different information.

Although this is a very simple one and could be easily cracked, it's a simple way of doing it.
 

GorillaPaws

macrumors 6502a
Oct 26, 2003
932
8
Richmond, VA
Well, one option I have seen in password databases is to use a SHA-1 hash of different values combined with some salts.
For example:

name: John Smith
organization: Smith Enterprises
email: johnsmith@example.com

hash(name + organization + email + salt) and then turn that into hexadecimal or whatever.
Now you have some way of verifying the different information.

Although this is a very simple one and could be easily cracked, it's a simple way of doing it.

I could be entirely wrong about this, but I believe the reason why these types of authentication schemes aren't used as much is because they are crackable in a way that would allow the cracker the ability to issue perfectly valid serial numbers. Once this happens you have no way to verify real licenses from fake ones and you're totally screwed. As I understand it, the Aquatic Prime-style approach is designed to prevent this worst-case scenario.

Well, this is now exactly what I'm looking for. I would like to be able to generate serial numbers, not files that will validate my apps.

Now you say you can just maintain a database of customer records to cross check against? Well this is going to totally screw over your paying users, because of things like: is this registered to "The English Department", "Mr. Doe" the current chair of the English department, "Ms. Smith" the former chair of the English department, or "Mrs. Robinson" the former "Ms. Smith" recently married to "Mr. Robinson"? You get the idea. This is the kind of implementation nonsense that really ticks off your paying customers (especially Mac users who have zero tolerance for this kind of thing) and will almost certainly cost you more money in sales than trying to lock down your serials.

Look, if you write an app that's even halfway decent it's almost certainly going to get cracked. The reason for this is because crackers enjoy the challenge of trying to solve the puzzle you've created for them--it's a game that they enjoy playing. The more difficult you make it, the more enticing and fun it becomes for them. The most important thing to remember is that these people weren't going to buy your software in the first place. I doubt there's a cracker alive that's said to himself "well I can't crack this app so I guess I'll have to buy it now".

Re-read chown33's comments.
 

fernandovalente

macrumors 6502
Original poster
I could be entirely wrong about this, but I believe the reason why these types of authentication schemes aren't used as much is because they are crackable in a way that would allow the cracker the ability to issue perfectly valid serial numbers. Once this happens you have no way to verify real licenses from fake ones and you're totally screwed. As I understand it, the Aquatic Prime-style approach is designed to prevent this worst-case scenario.



Now you say you can just maintain a database of customer records to cross check against? Well this is going to totally screw over your paying users, because of things like: is this registered to "The English Department", "Mr. Doe" the current chair of the English department, "Ms. Smith" the former chair of the English department, or "Mrs. Robinson" the former "Ms. Smith" recently married to "Mr. Robinson"? You get the idea. This is the kind of implementation nonsense that really ticks off your paying customers (especially Mac users who have zero tolerance for this kind of thing) and will almost certainly cost you more money in sales than trying to lock down your serials.

Look, if you write an app that's even halfway decent it's almost certainly going to get cracked. The reason for this is because crackers enjoy the challenge of trying to solve the puzzle you've created for them--it's a game that they enjoy playing. The more difficult you make it, the more enticing and fun it becomes for them. The most important thing to remember is that these people weren't going to buy your software in the first place. I doubt there's a cracker alive that's said to himself "well I can't crack this app so I guess I'll have to buy it now".

Re-read chown33's comments.

That's true. :(

But I need to generate and validate serials to be able to sell it. OK, it doesn't need to be generated depending on the person's name. I just need to generate numbers and validate them. For example:

123A-234ADF-FSADS3-OWIEU23-DSAS93828-H
 

MrFusion

macrumors 6502a
Jun 8, 2005
613
0
West-Europe
That's true. :(

But I need to generate and validate serials to be able to sell it.

Why? You can sell software without serial numbers. Do you really think a serial number will stop or prevent someone from using your software without paying? If someone wants to pay for your software, they will pay, and if they don't then all the code in the world is not going to change it.
Microsoft uses codes, validation schemes and phone home routines and Windows is still widely pirated.

People will pay you if they think your software is worth paying for, not because there is some required serial.

As others have said in this thread, time and effort spent on serial codes is time and effort wasted on making your software better. And in the end, it is the quality of the software that determines whether you get paid or not.
 

GorillaPaws

macrumors 6502a
Oct 26, 2003
932
8
Richmond, VA
But I need to generate and validate serials to be able to sell it. OK, it doesn't need to be generated depending on the person's name. I just need to generate numbers and validate them. For example:

123A-234ADF-FSADS3-OWIEU23-DSAS93828-H

One of the smarter strategies I've read about is that the public serial key should include their name and email in the actual key; this makes them less likely to publish it for others to use and makes it easier to type in. Note that this is different than maintaining a database of user info to cross/check. I don't really know enough about how exactly RSA works to implement this, but here's a link to the Wikipedia entry.

Unlike MrFusion, I do think having a serial authentication scheme is a good idea. It keeps honest people honest, and if it's done in a way that's focused on minimizing the pain/burden to the paying customer at every opportunity then I think it's an acceptable measure to help protect your investment. It's also an accepted practice in the industry, so you won't stand out negatively by doing this--only if you go about doing it in a way that unduly burdens your paying customers.
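
Added example (not part of any post in this thread, and not AquaticPrime's code): a side-by-side of the salted-hash serial described earlier and a license that signs the customer's name and email, to show why only the second keeps issuing ability out of the shipped app. The salt value, the toy RSA key and all function names are constructed for illustration.

```python
import hashlib

# Scheme A: hash(name + organization + email + salt), as described in the thread.
SHIPPED_SALT = b"constructed-salt"  # assumption: embedded in the app to re-check serials

def hash_serial(name, org, email, salt=SHIPPED_SALT):
    data = "\x1f".join((name, org, email)).encode() + salt  # \x1f keeps fields distinct
    return hashlib.sha1(data).hexdigest()[:20].upper()

def hash_verify(name, org, email, serial):
    # Verifying means recomputing, so the verifier holds everything needed to issue.
    return hash_serial(name, org, email) == serial

# Scheme B: license signed with a private key; the app ships only the public key.
# Textbook RSA without padding and a constructed toy key (two Mersenne primes,
# trivially factorable). A real product would use a vetted library and padded signatures.
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537                  # public key, embedded in the app
_D = pow(E, -1, (_P - 1) * (_Q - 1))   # private key, stays with the vendor

def _digest(name, email):
    h = hashlib.sha256("\x1f".join((name, email)).encode()).digest()
    return int.from_bytes(h, "big")

def vendor_sign(name, email):
    # Runs only on the vendor's side; the license text carries name, email and this value.
    return format(pow(_digest(name, email), _D, N), "x")

def app_verify(name, email, license_hex):
    # Uses N and E only, so nothing in the app can produce a new valid license.
    try:
        sig = int(license_hex, 16)
    except ValueError:
        return False
    return 0 < sig < N and pow(sig, E, N) == _digest(name, email)

def demo():
    # Scheme A: the shipped function and salt accept a serial made from those same parts.
    a = hash_verify("Jane Roe", "", "jane@example.com",
                    hash_serial("Jane Roe", "", "jane@example.com"))
    lic = vendor_sign("John Smith", "johnsmith@example.com")
    b_owner = app_verify("John Smith", "johnsmith@example.com", lic)
    b_other = app_verify("Jane Roe", "jane@example.com", lic)  # bound to the buyer's identity
    return a, b_owner, b_other

if __name__ == "__main__":
    print(demo())
```

Neither scheme stops someone from patching the check out of the binary; the signed form only addresses the worst case raised above, where forged licenses become indistinguishable from real ones.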
 

xStep

macrumors 68020
Jan 28, 2003
2,031
143
Less lost in L.A.
As was mentioned in this thread already, you can spend too much time trying to protect your software. Your goal should be to simply keep the honest people honest with the minimal impact on their use of your software.

To listen to some experienced developers on this subject, subscribe to "The MDN Show" podcast on iTunes and download the following.

MacSB (006): Licences and Serials, May 23, 2008

MacSB (009): Customer Privacy, Sept 12, 2008
 