BlitzKey - Shareware activation key system


John J.(Posted 2005) [#1]
BlitzKey is a simple activation key system designed to be used in your shareware games and applications. The user can enter their user ID and activation key (provided by you), and the BlitzKey DLL validates it. To generate keys for your customers, BlitzKey also supplies a function to generate valid activation keys for a specific ID.

BlitzKey is free to download (dll + documentation) HERE.
The C++ source to BlitzKey is available on request only (since I don't want any hacker to have free access to the key generation algorithm).

____ Revision History ____________________________
1.20 - Added data encryption to secure DLL data transfer
1.10 - Added CRC check to validate BlitzKey DLL file
1.00 - Initial release

Using BlitzKey is simple, just call the VerifyCode() or GenerateCode() function depending on your needs. Example:
ActivationCode$ = GenerateCode("Customer Name", "[SECRET KEY CODE TO MAKE THE CODE UNIQUE TO YOUR APPLICATION]")

... ... ...


ok = VerifyCode("Customer Name", ActivationCode$, "[SECRET KEY CODE TO MAKE THE CODE UNIQUE TO YOUR APPLICATION]")

If Not ok Then Print "INVALID REGISTRATION CODE!!!" ...
...
...



fredborg(Posted 2005) [#2]
It would be very simple to replace the dll with another one that returned true regardless of the key code, wouldn't it?

Unless of course the dll is embedded in the .exe file somehow.


John J.(Posted 2005) [#3]
Oops - didn't think of that.
I guess this is useless then. :(


John J.(Posted 2005) [#4]
The only possibility I can think of to make this "secure" would be either to embed the dll in the exe like you said, or validate the dll, possibly with a file size check and checksum check, but even that probably could be faked.


RifRaf(Posted 2005) [#5]
The only true solution I found was to have users run a registration program which generates an ID based on their PC setup, and send that back to me. I then add their code into the program and recompile. Every customer's ID stays in the application. It allows registered users to pass copies between each other, but nobody else could use it.

One improvement would be to have the registration program upload the ID to FTP or email it, but some people freak out when things attempt to access the net.


slenkar(Posted 2005) [#6]
hey john this is perfect to prevent casual piracy,
most game players don't know how to create DLLs anyway


Ross C(Posted 2005) [#7]
For encryption, why don't you use the entered serial code to decrypt the contents? You couldn't really break that unless you did it by brute force. Each individual copy would have to have its own unique key though, and you'd have to somehow lock the file to the one computer.


Beaker(Posted 2005) [#8]
I agree with Slenkar, and you can embed the DLL into the exe using Molebox or similar which will make it more secure.

You are also right that using a checksum will help.


TartanTangerine (was Indiepath)(Posted 2005) [#9]
Do what we do in IndieNet, encrypt the communications with the dll.


Sledge(Posted 2005) [#10]

> I agree with Slenkar, and you can embed the DLL into the exe using Molebox or similar



This is what I was thinking also - it's far from useless, JJ.


big10p(Posted 2005) [#11]
Yeah, I guess you could just do a CRC check on the dll to verify it. I think there's some CRC code in the archives.


Anatoly(Posted 2005) [#12]
2 RifRaf
What if I get a new PC then?
And yes, some people really freak out when programs try to access the net - I do!


Grey Alien(Posted 2005) [#13]
I think it could be useful to me as it will prevent casual piracy plus I'll CRC check the .dll, or perhaps use molebox. Thanks.

Actually I wrote a key system for some commercial software 4 years ago in Delphi. I made sure that the key was in Hex with uppercase letters and was made from five 6-character blocks separated by a dash. This way there could be no ambiguity about the letters being typed in such as I and 1 and O and 0. Also the blocks of six worked well when reading them out, in fact 4 chars would probably have been better.

What level of encryption is yours comparable with i.e. 40bit or 128bit etc? or is that not applicable?


John J.(Posted 2005) [#14]
I guess with a CRC check, BlitzKey will be hacker-proof enough for most applications.

The codes generated with this are absolutely un-decryptable. The only problem would occur when the hacker uses the DLL to generate a valid code (only possible if the hacker found the code key you use to generate codes) or like fredborg said, replace the DLL.

I'll probably add in an include file to BlitzKey to CRC check the DLL for you.

Also, I have a question for someone who knows more about this than me: in this code, is it possible for the "SECRET KEY" to be stolen by a hacker?
ActivationCode$ = GenerateCode("Customer Name", "[SECRET KEY]")

I'm not sure if data would be safe this way, since maybe a hacker could check what's in a register or stack (or however function arguments are passed).


Rimmsy(Posted 2005) [#15]
Anyway to get this badboy to work with bmx?


John J.(Posted 2005) [#16]
I don't know anything about creating BlitzMax DLLs (there's nothing on the specs page about it). The code could be ported to BlitzMax, though.


Grey Alien(Posted 2005) [#17]
You can always store the key in your blitz app in an encrypted form (only simple needed like a char shift) then decrypt it as it's passed to the .dll. Then no one can scan the .exe for the key, yay!


John J.(Posted 2005) [#18]
Thanks for the suggestion grey! I just uploaded a new version (1.20 of BlitzKey). The new version of BlitzKey does a CRC check on the DLL before a DLL function is called (it will halt the application with a runtime error if invalid). Also, secret key codes are encrypted like Grey Alien suggested.

The new version is available at the same location as the original file (HERE)


Grey Alien(Posted 2005) [#19]
wow, cool thanks. I'll download it!


slenkar(Posted 2005) [#20]
john thanks,

Just to clarify,
I make a game that is feature limited if the DLL doesn't return true.
If the DLL returns true then the game is bought and all features are unlocked,
This means no separate download of demo and game, just one download of the game that will inactivate if the DLL doesn't return true.
correct?


Grey Alien(Posted 2005) [#21]
Slenkar: Sounds right to me.


John J.(Posted 2005) [#22]
Slenkar: Yes. That's the way "unlockable" shareware programs work. You would normally have some sort of "Register" button somewhere in your app that brings the user to some registration UI that requests a user ID (or serial number) and activation code. Then the DLL securely verifies the serial number to see if it is correct for the given user ID.

Also, there's usually a "Buy" button where the user is directed to your website's purchase page where you might have it set up to e-mail purchasers correct registration codes. The purchase system could be done manually, where you manually e-mail each customer their keys (you generate them with the GenerateCode() DLL function), or you could embed the generation function in a PHP script (or however you want to automate it). That's why I'll send anyone the code if they want it.
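The generate/verify pair from post #1, laid out in the key format Grey Alien describes in post #13, sketched in Python as it might sit in the server-side script mentioned above. This is an added example, not BlitzKey's code: BlitzKey's algorithm is not published, so HMAC-SHA256 stands in for it, and `generate_code`, `verify_code` and the sample secret are assumptions.

```python
import hashlib
import hmac

BLOCKS, BLOCK_LEN = 5, 6        # five 6-character hex blocks (post #13)
HEX_LEN = BLOCKS * BLOCK_LEN    # 30 hex digits = 120 bits of the MAC


def _normalise_id(user_id: str) -> bytes:
    # Collapse whitespace and case so "john  smith " matches "John Smith".
    return " ".join(user_id.split()).casefold().encode("utf-8")


def generate_code(user_id: str, secret: bytes) -> str:
    """Return an activation code bound to user_id under the application secret."""
    digest = hmac.new(secret, _normalise_id(user_id), hashlib.sha256).hexdigest()
    body = digest[:HEX_LEN].upper()
    return "-".join(body[i:i + BLOCK_LEN] for i in range(0, HEX_LEN, BLOCK_LEN))


def _canonical(code: str) -> str:
    # Accept what people actually type: lowercase, spaces, missing dashes.
    # Hex never contains O, I or L, so they can only be mistyped 0, 1, 1.
    cleaned = code.upper().replace("-", "").replace(" ", "")
    return cleaned.translate(str.maketrans("OIL", "011"))


def verify_code(user_id: str, code: str, secret: bytes) -> bool:
    """Recompute the code for user_id and compare it with the one supplied."""
    expected = _canonical(generate_code(user_id, secret))
    supplied = _canonical(code)
    # Constant-time comparison: no hint about how many characters matched.
    return hmac.compare_digest(expected.encode(), supplied.encode())


if __name__ == "__main__":
    # Constructed secret for the demo. Offline verification needs this same
    # value inside the shipped program, which is the exposure asked about
    # in post #14.
    app_secret = b"constructed-app-secret"
    code = generate_code("Customer Name", app_secret)
    print(code)
    print(verify_code("Customer Name", code, app_secret))
    print(verify_code("Someone Else", code, app_secret))
```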


Beaker(Posted 2005) [#23]
Now that you have put a CRC check in the DLL, will that mean it won't work with the DLL embedded in the EXE?


Techlord(Posted 2005) [#24]
I'm distributing my software online and using an online authentication system as well. The users are notified that online authentication is required.


Grey Alien(Posted 2005) [#25]
John J.: Actually you seem to have misinterpreted what I said about storing the key in your app in an encrypted version, although what you've done is cool anyway. What I meant was, if you have to pass the key into a function, that key must be a const in your program somewhere and thus if you viewed the .exe in a HEX editor you could find it! Unless ... you actually generate the key via code somehow, then it could only be worked out by someone who had the source, especially now that you have encrypted the transfer to the dll.

Also I am very interested in having an automatic function to generate the keys online and send them back to the purchaser but I don't have a clue how to do this in PHP or CGI or whatever, looks like I need to do some reading up!


Snarkbait(Posted 2005) [#26]
It could still be hacked with a step-debugger & trace, BUT so can any other registration key system (hence all the keygens readily available for most software out there). The addition of online authentication makes this more safe.


slenkar(Posted 2005) [#27]
This is cool thanks john I was implementing my own system before which was too difficult to keep track of


John J.(Posted 2005) [#28]
Grey Alien: I think I understood what you meant. The problem is that I can't really make a "generic" key generator that will work securely for everyone. I guess that will have to be up to the user.

As snarkbait said, mostly any registration key system can be hacked with enough effort, so this simply provides a moderate security level for most uses. The only way to have complete security would be to upload the registration data to a server for authentication. But then... a hacker could possibly steal correct registrations being uploaded. I guess nothing's completely secure.

Beaker: I'm not sure exactly how programs like MoleBox embed files. If the file is accessible to the program as if it was really a single file, it should work. You could always disable the CRC check (just change ValidateDLL() to return True all the time before you compile).


Jay Kyburz(Posted 2005) [#29]
Thanks John,

I think this is a great system. Plenty secure enough for me.

Do you have an OS X version? Do DLLs work on OS X? Does it need to be recompiled? Do you use any Windows specific calls?

I would be happy to see if I can get this working for you.


jfk EO-11110(Posted 2005) [#30]
BTW, if you are using a standard checksum check (32-bit) this could be faked easily. When you use an individual check it may be safer. E.g.: read every 100th int from the dll, add them all together and AND it with, say, 29 bits, so you get a 29-bit checksum of frequently controlled data. A cracker would have to disassemble and understand this routine to create a checksum-corrected dummy dll.

And yes, maybe the CRC won't work when the dll is packed with Molebox. So you should make the CRC Check an option. Molebox has its own encryption, CRC Check and compression.

With a Molebox encrypted EXE it will also be virtually impossible to read out the secret key, at least with a hex editor. Of course, with a debugger that scans the memory it still can be done. Some Apps even crash a number of known debuggers to prevent such spy actions.

I think the goal is to make sure the App won't appear on warez and crackz lists. A simple solution would be (as soon as it becomes necessary due to some degree of popularity) to release a number of serial numbers/codes for your App in the warez scene, so none will feel like there's a need to crack it. Those serials should then work for some time, after a couple of weeks they would crash the app by default. Well, just an idea.
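The sampled checksum described in the first paragraph of the post above, next to a whole-file SHA-256, as an added example (not code from the thread or from BlitzKey). The little-endian word order, the function names and the constructed 40,000-byte stand-in for the DLL are assumptions; it measures how much of the file each check actually covers.

```python
import hashlib
import struct

STRIDE = 100            # "every 100th int"
MASK = (1 << 29) - 1    # "AND it with, say, 29 bits"


def sampled_checksum(data: bytes, stride: int = STRIDE) -> int:
    """Sum every stride-th little-endian 32-bit word, kept to 29 bits."""
    total = 0
    for idx in range(0, len(data) // 4, stride):
        (word,) = struct.unpack_from("<I", data, idx * 4)
        total = (total + word) & MASK
    return total


def coverage(data: bytes, stride: int = STRIDE) -> float:
    """Fraction of the file's bytes that can influence sampled_checksum()."""
    if not data:
        return 0.0
    sampled_words = len(range(0, len(data) // 4, stride))
    return sampled_words * 4 / len(data)


def full_digest(data: bytes) -> str:
    """Whole-file SHA-256: every byte influences the result."""
    return hashlib.sha256(data).hexdigest()


def detects(original: bytes, candidate: bytes) -> tuple:
    """Return (sampled check notices a change, full digest notices a change)."""
    return (sampled_checksum(original) != sampled_checksum(candidate),
            full_digest(original) != full_digest(candidate))


def make_sample(size: int = 40_000) -> bytes:
    # Constructed stand-in for a DLL image; not a real file.
    return bytes((i * 37 + 11) % 256 for i in range(size))


if __name__ == "__main__":
    image = make_sample()
    print(f"bytes covered by the sampled check: {coverage(image):.0%}")

    outside = bytearray(image)
    outside[4] ^= 0xFF          # word 1: not one of the sampled words
    print("change outside the sample:", detects(image, bytes(outside)))

    inside = bytearray(image)
    inside[0] ^= 0xFF           # word 0: one of the sampled words
    print("change inside the sample: ", detects(image, bytes(inside)))
```

With a stride of 100 words the sampled check reads 1% of the file, so it is best treated as a supplement to a whole-file digest rather than a replacement for one.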


Jay Kyburz(Posted 2005) [#31]
That's a really bad idea.

Here is my idea.

When a player launches your game you should http:post the serial number to your website. Make a note of the incoming IP address.

If you find a particular serial is being used a lot, add it to a list of banned keys.

If the key used to load the game is on the banned list simply ask the player to register and provide them with a web address.

If the user is not connected to the net at start up, let them play this session. (perhaps mark the key as UNVERIFIED internally)


RifRaf(Posted 2005) [#32]
@Anatoly

If you get a new PC you have to email support with a new registration code and explain why you want another one. Not a big deal. Milkshape uses (or at least used to use when I bought it) the same method.


Grey Alien(Posted 2005) [#33]
Yeah thanks John, I might just build in the encrypted/calculated key in the .exe myself. Cheerz.


TartanTangerine (was Indiepath)(Posted 2005) [#34]
Or purchase Software Passport Pro and be done with it.


Grey Alien(Posted 2005) [#35]
Tim. So you're up then, I got woken up at 6:30 after going to bed at 1:30. I feel like the world's encrypted today. Yeah I could purchase something like that, if I could justify the costs, not sure if I should invest in it for my "first" game or try to build up funds for tools like that for the next game.


Jay Kyburz(Posted 2005) [#36]
I would use armadillo but no mac support


Damien Sturdy(Posted 2005) [#37]

> That's a really bad idea.



It's actually done though.
Plus, any invalid code? How about redirecting to a website that states "Illegal copy has been reported."? Would scare a few people.

Then, say, after a week, the code simply doesn't work, runtime error "Illegal Copy", followed by you releasing a ton more "fake" codes.

Another thing:

Share several thousand fake, unusable codes using p2p. Some warez sites probably don't check the info they receive, so the codes will make their way there, making working codes hard to find.

Another (evil) thing:

Distribute a home-made-virus version of your app using p2p :P (lol)


regaa(Posted 2005) [#38]
LOTR - BFME has a very nice "secure" system. If ANYTHING in the game was changed (file size / name of any file in a file list the game contains), then shortly after the game begins you blow up, and you lose. When you update the game, the list also gets an update. This is the securest anti-copy technique I've ever seen.


big10p(Posted 2005) [#39]
I'd just be happy to use John's system myself, I think. After all, all games - even AAA titles - seem to end up being cracked, no matter how tough the security.

If you start using really aggressive security methods, it seems to end up putting legitimate end users (your customers) through hassle. Maybe enough hassle to put them off buying your game in the first place. Maybe they'll decide to download a pirate/cracked version instead.

Anyone that goes to the trouble of cracking a game to play it then F*&# 'em. :)

There have been thieves since the dawn of man and there always will be.


Damien Sturdy(Posted 2005) [#40]
Yeah, big10p.. My original post was going to say:

"I wouldn't even use anti-cracking schemes - since I value my customers and know first hand what it's like having to reinsert CDs all the while.

So what if someone cracks the game? :) at least for that one crack download, two customers successfully paid and got the game working with minimal hassle."


But I decided to post some crap instead.


Sledge(Posted 2005) [#41]

> When a player launches your game you should http:post the serial number to your website. Make a note of the incoming IP address.

> If you get a new PC you have to email support with a new registration code and explain why you want another one. Not a big deal. Milkshape uses (or at least used to use when I bought it) the same method.



It's a big hassle when a significant number of programs that you own demand this nonsense (which users of hacked copies don't have to put up with). Do you actually WANT people to use pirated versions of your software, because it sure sounds like it?

My take would be to have them enter their key then have the program store it somewhere other than the game's directory (maybe, but not necessarily the registry). This is not to "hide" the key, by the way, it's to make sure your user can distribute the game folder without accidentally distributing the key with it, so the demo can propagate (let's face it, people don't always share the installer as asked).

You already know that users will be dissuaded from distributing their key deliberately because their name is tied to it (yes?) - that alone will stop casual piracy, anything more serious is a lost cause anyway and not something your honest customers should have to suffer for.


John J.(Posted 2005) [#42]
I don't like requesting new keys every time I get a new computer or re-format, etc. This makes the customer feel uncomfortable. That's why I like the registration ID/key system.

I think Jay Kyburz's idea is actually a good one. If a key is used over maybe 15 times, ban it. This works well and doesn't inconvenience the customer unless he re-installs 15 times or installs it on 15 computers - at this point I'm sure requesting a new key won't be too much of an inconvenience. But BlitzKey isn't really a web-based registration system, so I don't think I'll be supporting this, not with BlitzKey, anyway. Although internet authentication like this is more hacker-proof, it also inconveniences the customer if they don't have internet access on that particular computer.

I'll probably add an option to disable the CRC check soon, so it can be used with molebox or some other packer. I'll also consider adding a safer checksum-type DLL validation.


> I wouldn't even use anti-cracking schemes - since I value my customers and know first hand what it's like having to reinsert CDs all the while.


I also hate always re-inserting CDs all the time. I don't know how many games I have installed that I haven't played in ages because I don't want to go dig through my CDs to find the game CD. Anti-cracking schemes should be used, but designed NOT to inconvenience the customer in any way.

Jay Kyburz: I'd like to get BlitzKey working for Macs, too, but I know absolutely nothing about programming in C on Macs. I don't think Macs have DLL files, although there's probably some equivalent. BlitzKey uses only standard C function includes, like the string functions (actually just strlen() is used I think). I'll send BlitzKey's code to anyone who has the knowledge to compile this for Mac if they want, and I'll make the Mac "dll" (or whatever) official (giving credit to who compiled it for Mac, of course :) ).


> So what if someone cracks the game?


It's impossible to stop crackers completely, but it's good to try, to a reasonable extent. Of course you should try not to inconvenience the customer in any way, but still keep reasonable security, unlike this system:
Please enter name: ______
Do you swear by your life that you legitimately purchased this software? (yes/no)
Ok then. But if you're stealing, I'll tell your mommy.

:)
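Jay Kyburz's launch check from post #31 with the 15-use limit from the post above, as an added Python example (not part of BlitzKey). Counting a "use" as a distinct source IP, the class and function names, and the sample serial and addresses are assumptions.

```python
from collections import defaultdict

MAX_USES = 15   # "used over maybe 15 times" (post #42)


class SerialRegistry:
    """Server side: remembers which source IPs each issued serial was seen from."""

    def __init__(self, issued, max_uses=MAX_USES):
        self.issued = set(issued)
        self.max_uses = max_uses
        self.seen = defaultdict(set)    # serial -> set of source IPs
        self.banned = set()

    def check_in(self, serial: str, source_ip: str) -> str:
        if serial not in self.issued:
            return "UNKNOWN"
        if serial in self.banned:
            return "BANNED"
        # A set, so relaunching from the same address is not a new use.
        self.seen[serial].add(source_ip)
        if len(self.seen[serial]) > self.max_uses:
            self.banned.add(serial)
            return "BANNED"
        return "OK"


def startup_decision(registry, serial, source_ip, online=True) -> str:
    """What the game does at launch, following the steps in post #31."""
    if not online:
        # No connection: allow this session, remember it was not checked.
        return "PLAY_UNVERIFIED"
    status = registry.check_in(serial, source_ip)
    return "PLAY" if status == "OK" else "ASK_TO_REGISTER"


if __name__ == "__main__":
    # Constructed serial and documentation-range addresses.
    registry = SerialRegistry({"SAMPLE-SERIAL-0001"})
    for host in range(1, 18):
        ip = f"203.0.113.{host}"
        print(ip, startup_decision(registry, "SAMPLE-SERIAL-0001", ip))
    print("offline:", startup_decision(registry, "SAMPLE-SERIAL-0001", "", online=False))
```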


Grey Alien(Posted 2005) [#43]
lol, I'm gonna use that method, except say that they'll be reincarnated as a dung beetle (which may be an improvement)


John J.(Posted 2005) [#44]
Yes, but make sure you don't get too secure. Saying they'll be re-incarnated as a dung beetle might be a little too much work. So what if someone cracks the game?

JK :)


slenkar(Posted 2005) [#45]
How do you let the game know that it has ALREADY been registered,
without having the user type in the key every time?
Also, what's to stop people from giving their code to their friends?


John J.(Posted 2005) [#46]

> How do you let the game know that it has ALREADY been registered,
> without having the user type in the key every time?
> Also, what's to stop people from giving their code to their friends?


You would need to have some way to save the registered state, possibly with a hidden and encrypted binary file.

A code could be re-used with this system, as with most non-internet based registration systems, if the friend installs it with the same ID and key exactly.


slenkar(Posted 2005) [#47]
ok thanks just wondered, there is a way to tell if the code is being used on the same PC, but that would stop people installing it on multiple PCs that they own


regaa(Posted 2005) [#48]
> Please enter name: ______
> Do you swear by your life that you legitimately purchased this software? (yes/no)
> Ok then. But if you're stealing, I'll tell your mommy.

Loool, this one should stop cracking 100%. Just imagine how many software pirates fear their mom. :)


gosse(Posted 2005) [#49]
You guys really worry too much about piracy.

edit:
Not slagging the lib here, what it does is entirely enough for some security.


jfk EO-11110(Posted 2005) [#50]
I agree with Jay to some degree. Although most firewalls will tell the user when an app tries to connect to the web, and if this happens during a registration process with a serial number taken from a warez site, it's likely the user will block web access. If you want to be able to have a frequently updated list of banned serials inside the app, you probably need to use some nasty tricks:

If your App or game allows the user to save data that is meant to be published on the internet, e.g. savegames, exported stuff, screenshots etc., then hide the user's registration code in an encrypted way inside the files. Obviously the encryption has to be absolutely bulletproof here.
Additionally the Game/app should feature frequent Software Updates that are absolutely vital, so most users will download and install them. The Update Installer also transports an updated list of the banned serials, so running pirated copies can be recognized past registration.

My initial idea (providing some fake serials in the warez scene to make them think there's no need to upload cracks and real serials) is meant as something that will not be understood. The software will run ok for a while, so people will think everything is ok. After some time there's a bug and it won't run anymore. Probably there's some special error message, so when a user is asking a question like "Hi, I am using SoftThingy 2.0 but I have this errormessage ERROR 177AE - Abort, can somebody help me?" then you know the guy is using a pirated copy. Other than that I would not tell the guy that you know what's going on.

But hey, of course, this makes sense only when you have to take care not to lose millions of $. For us indie developers, most of us with a pretty small cashflow, John's solution is more than good enough.