Activation API
Activation API contains only 4 functions. Two for online activation and other two for offline activation when the computer has no access to the Internet. Activation API is intended to work in cooperation with Web License Manager, so a developer still should invoke licensing system API to use serial numbers obtained from WebLM.
VMProtectActivateLicense
The function passes the activation code to the server and returns a serial number for this specific computer. Otherwise, an error code is returned.
int VMProtectActivateLicense(const char *code, char *serial, int size);The code parameter holds the activation code obtained from Web License Manager during the license purchase process. The serial parameter specifies a memory block of the given size, where the serial number generated by WebLM is put to.
VMProtectDeactivateLicense
This function passes a serial number to the server for deactivation. Possible return codes are listed below.
int VMProtectDeactivateLicense(const char *serial);
The serial parameters contains the serial number (not the activation code) obtained from WebLM earlier during activation.
VMProtectGetOfflineActivationString
VMProtectGetOfflineDeactivationString
These two functions work similar to the previous two, except they do not try to connect to the WebLM server. Instead, they return a text block that a user should copy to a computer connected to the Internet, open the WebLM offline activation form and paste the text there.
int VMProtectGetOfflineActivationString(const char *code, char *buf, int size);
int VMProtectGetOfflineDeactivationString(const char *serial, char *buf, int size);
The code and serial parameters are similar to those of the online version of these functions. The buf parameter should point to a buffer of 1000 bytes or more where the text block for the offline activation form will be copied to. Possible error codes are listed below.
Possible error codes
| Code | Value | Description |
|---|---|---|
| ACTIVATION_OK | 0 | Activation is successful. The serial number is put to the serial variable. |
| ACTIVATION_SMALL_BUFFER | 1 | The buffer is too small to hold the serial number. The minimum buffer size is calculated as: bits / 8 * 3 / 2 + N, where bits is the length of the RSA key in bits, and N is a “security constant” – additional bytes for possible line breaks and other special symbols. We recommend using at least 10. |
| ACTIVATION_NO_CONNECTION | 2 | The activation module couldn’t connect to Web License Manager. |
| ACTIVATION_BAD_REPLY | 3 | The activation server returned an unexpected result. This means some configuration issues on the server, wrong server URL or a hack attempt. |
| ACTIVATION_BANNED | 4 | This activation code is banned on the server by the software vendor via the WebLM interface (for example, if the key has leaked or pirated). Not to be confused with ACTIVATION_ALREADY_USED. |
| ACTIVATION_CORRUPTED | 5 | Something has gone completely wrong. The error is produced by the activation module self-check system and usually means a hacking attempt. If you’ve got this error, all further operations with serial numbers and activation are not safe. |
| ACTIVATION_BAD_CODE | 6 | The specified code is not found in the database of the activation server. Perhaps, a user made a mistake while entering the code, so we can ask him or her to check if everything all right. |
| ACTIVATION_ALREADY_USED | 7 | The activation counter for this code is depleted and all further activations are impossible. This doesn’t mean the code is bad or banned. The code is good, but it just can’t be activated any more. The user should contact the software vendor and purchase additional licenses or uninstall the software on other computer to increase the value of the activation counter on the server. |
| ACTIVATION_SERIAL_UNKNOWN | 8 | Activation error. The given serial number is not found in the database on the server. Therefore, deactivation is impossible. |
| ACTIVATION_EXPIRED | 9 | Activation error. Means the activation period of the code has expired. |
| ACTIVATION_NOT_AVAILABLE | 10 | This error means activation/deactivation is unavailable. |
Tips and tricks
Activation API is pretty simple, so you shouldn’t experience difficulties with it. Do not forget to offer a way to activate the program offline for users who have problems with the Internet. Also, don’t forget, the Activation API does not save the serial number it receives and does not pass it to the licensing module – this should be done by the developer. You don’t have to call Activation API on every launch of the application. You just need to call it once, get a serial number from WebLM, save it where appropriate and then use this saved copy.
Activation in Web License Manager
You can find the detailed Web License Manager description on our website, and here we merely provide minimum steps required to create an activation code for use with the Activation API.
First, enter Web License Manager (you can use the demo on our website) and create a product. Then export the product as a VMProtect project to be able to configure licensing and activation. After the project is set up, all check are added to the code of your app and the executable is protected, click the “Add New Code” link on the left panel in WebLM:
Select the product you need from the upper drop-down list and fill in the rest of form with the data you want to put into the serial number. Click the “Save” button. You should see the activation code you can use to debug Activation API.
You can study rich capabilities of Web License Manager (such as integration to e-commerce providers and automatic activation code generation) in the online user manual.
Configuring activation in VMProtect
For the Activation API to work, the WebLM URL is required, so you should specify it in the project settings in VMProtect. To do this, open VMProtect and switch to the options section:
Enter the address to the “Activation Server” field. The address should look as: http://yourserver/weblm_path. This is the first place to check if you face problems with online activation.
Activation system
What is it?
Activation is a two-stage process of registering an application. On the first step (usually, directly after the purchase) a user receives an activation code that usually looks like XXXX-YYYY-ZZZZ. On the second stage, the customer enters the code to the application, the application connects to the server of the developer via the Internet, the server checks the activation code and returns a serial number to the application tied to the given activation code and usually locked to user’s hardware.
Such approach allows the developer to control license usage by customers, prevent licenses from leaking and offers additional possibilities, for example, making demo licenses or offering reliable trial periods.
Why do I need it?
The activation system gives a software developer a lot of possibilities, for instance:
- Short serial numbers – long serial numbers are great, except they are long. User may make a typo while entering them, e-mail client break those keys or replace some symbols. At the same time, long serial numbers can hold a sufficient volume of additional information. Activation codes can resolve all issues of long serial numbers while taking the most benefit from their advantages.
- Installation control – all activations are available to the developer online in real-time. Each activation can be monitored, analyzed, blocked. The developer can provide support to users and so on.
- Trial periods – you can create time-limited serial numbers by using product “modes”.
- Subscriptions – subscriptions are similar to trial periods, but are offered for a fee. You can sell the right to use the program for a specified time to a user, just like antiviruses do. Simply sell activation codes for each service year.
What do I need?
VMProtect Ultimate has several functions for relatively easy implementation of both online and offline activation. You will also need Web License Manager installed on your server. Finally, you should configure the protection project in VMProtect, to make the activation module know the URL of the WebLM server.
Serial number encryption algorithms
The security of a key in the licensing system is based on asymmetric cryptography algorithms. The current version implements the RSA algorithm with the key length from 1024 to 16384 bits. Future versions are planned to implement other algorithms based on ECC as well as symmetric+asymmetric combined cryptography.
The algorithm used is unique for each product. Keys made with one algorithm cannot be used with another one, this means changing algorithms after at least one license is created is not allowed. The protection module in the protected program “knows” which algorithm the serial number is encrypted with and will not accept keys made with other algorithms or with the same algorithm but different parameters (say, different key length).
RSA Algorithm
A serial number is encrypted with the RSA algorithm as follows:
- Adding random data to the beginning of the serial number – the method is based on RFC2313, but the implementation is slightly different. The following bytes are added to the beginning of the key: 00 02 NN…NN 00, where NN..NN are from 8 to 16 random non-zero bytes. The number of bytes is random, but the system takes into account the length of the key and its maximum capacity.
- Adding random data to the end of the serial number – the total number of bytes in a serial number must be equal to the number of bits in keys of the algorithm divided by 8. The serial number is appended with the corresponding number of bytes holding random data. As a result, the following serial number format is produced: 00 02 NN..NN 00 DD..DD MM..MM, where NN is a set of random non-zero bytes, DD is the original serial number, MM is a set of random bytes (including zeros). The summary length of the sequence should be equal to the number of bits in keys of the algorithm divided by 8
- Encryption goes using a typical procedure implemented in many libraries to process big numbers. The PHP generator contains all the required information.
- Packing – the set of bytes obtained after encryption is encoded to base-64 — this is a serial number that goes to a customer.
Serial number format
Serial number structure
The serial number consists of blocks. Each block starts from an identifier byte that indicates contents of the block and possibly its length. The last block always has the 255 identifier that contains a checksum of the serial number except the last block.
Depending on the type of the block, it can have constant or variable length. In the latter case, the length is specified in the byte following the block identifier. The exact format of each block is described below.
Block format
| ID | Name | Size (byte) | Description | Example |
|---|---|---|---|---|
| 0x01 | Version | 1 | The block contains a version of the serial number, 1-byte sized. The version must be 1. | 01 01 |
| 0x02 | User name | 1 + N | The block contains a UTF-8 encoded user name. Before the user name, there is 1 byte holding the length of the name. Therefore, the total length of a user name must not exceed 255 bytes. No trailing 0 is required. | 02 04 4A 5F 48 4E |
| 0x03 | 1 + N | The block contains a UTF-8 encoded e-mail of the user. Before the e-mail there is 1 byte holding the length. Therefore, the total length of an e-mail must not exceed 255 bytes. No trailing 0 is required. | 03 07 61 40 62 2E 63 6F 6D | |
| 0x04 | Hardware identifier | 1 + N | The block contains hardware identifier as returned by the VMProtectGetCurrentHWID() function. The function returns a base-64 string. A decoded version of the string is put to the serial number. The length of the data block must be a multiple of 4. There is a length byte before the data block. The maximum block length is 32 bytes. | 04 08 E1 E2 E3 E4 A1 A2 A3 A4 |
| 0x05 | License expiration date | 4 | The block contains serial number expiration date Date format is described below. | 05 01 0A 07 DA |
| 0x06 | Maximum operation time | 1 | the block contains 1 byte holding the time in minutes the program can operate. Therefore, the maximum time can be 255 minutes. | 06 05 |
| 0x07 | Product code | 8 | The block contains a product code – 8 bytes created by VMProtect and exported with product parameters. These data are exported in the base-64 encoding and must be decoded to a byte array before putting to a serial number. The size of the array must be exactly 8 bytes. This block is obligatory! Without it, the protected program will not work correctly. | 07 01 02 03 04 05 06 07 08 |
| 0x08 | User data | 1 + N | The block contains up to 255 bytes of custom user data. The license system doesn’t analyze these data and will return them when the VMProtectGetSerialNumberData() function is called. Before the data block, there is a byte holding the size of the user data. | 08 05 01 02 03 04 05 |
| 0x09 | Maximum build date | 4 | The block contains the maximum build date of the application. The format is described below. | 09 01 0A 07 DA |
| 0xFF | Checksum | 4 | The block contains the serial number checksum. The block is located before the last one, and the checksum is calculated for all previous blocks. The checksum calculation mechanism is described below. | FF 01 02 03 04 |
Date storage format
Dates are stored in a serial number as a double word – 0xYYYYMMDD. The high order word contains the year, and the lower order word holds the day and the month. Bytes follow the Little Endian representation – from lower to higher. If there is a pointer to the first byte of the record, the date can be read or written with the following code:
byte *pDate = 0xNNNNNN; // date address
*(DWORD *)pDate = (2010 << 16) | (10 << 8) | 1; // October 1, 2010
DWORD dwExp = *(DWORD *)pDate;Checksum calculation
The checksum of the serial number is calculated using the SHA-1 hashing algorithm. The result is five 32-bit words. The first word is used as a checksum for the serial number. Please note: the word is Little Endian (from lower to higher). The string representation of SHA-1 hash the Big Endian is used – numbers go from the higher byte to the lower one, so if the SHA-1 hash is generated by a string function (like in PHP), the first four bytes of the hash must be reversed.
Additional information
Block with numbers other than those specified above are ignored by the licensing system. New blocks may be added in newer versions. We do not recommend creating your own blocks using non-occupied identifiers! Firstly, this could render the key non-functional with newer version of the licensing system. Secondly, the protected program cannot read the values of theses blocks anyway. To store additional information in a key, use the User Data field instead. It was meant exactly for this purpose.
A serial number doesn’t have SALT, a random information intended to provide variability of keys based on the same input data. This task is imposed to the encryption algorithm. If you need differences on the serial number level, for example, when selling a series of keys to an organization, you can add individual indices to the user name field (“Company” LLC, key 1 of 10) or insert this information to the User Data field in any appropriate format.
UNIX-version
Description
The UNIX-version of the key generator is a PHP file that contains all necessary information for serial number generation. The file is located in %Examples%\Keygen\PHP. Below we describe the key points of using such a generator.
Configuring the generator
In the beginning of the PHP file, the setup code is located:
//////////////////////////////////////////////////////////////////////////////////////////////
// The following lines should be generated by VMProtect License Manager
$exported_algorithm = "RSA";
$exported_bits = 2048;
$exported_private = "PJvj4kEpoQMIpYK+9wEt......xKeiSZgzdiln8Q==";
$exported_modulus = "rOlny/3QgZb/VmGr3CmY......I6ESAUmtQ+RBqQ==";
$exported_product_code = "oLQdGUn8kVk=";
//////////////////////////////////////////////////////////////////////////////////////////////This code is automatically generated by VMProtect (see Exporting product parameters) and is unique for each particular product. It is crucial to copy it accurately, as otherwise the generator will work incorrectly.
Contents of a key
Then, the generator specifies the contents of a serial number The contents are specified in an array, with all possible parameters of the key listed below. However, in real applications, some of them may be omitted:
$params = array(
user_name => "John Doe", // UTF-8!
email => "john@doe.com",
hwid => "vHGMdMRvGCPjWcCQ", // Exactly as returned by VMProtectGetCurrentHWID
expire_date => array(year => 2009, month => 10, day => 1),
maxbuild_date => array(year => 2009, month => 10, day => 1),
time_limit => 10,
user_data => base64_decode("CGCvRvMWcPHGdMjQ"), // string of bytes
);
Successful key generation handler function
Below you can see a simplest function called upon successful generation of a serial number. The only parameter sent to it is a serial number string. The function must pass the serial number to the caller (an e-commerce agent), usually with the echo command. The string is preliminarily split to sub-strings 75 symbols each, for convenience. Also, this function could send the generated serial number by e-mail to the developer or add it to a database.
function OnSerialGenerated($serial)
{
$serial = wordwrap($serial, 75, "\n", true);
echo $serial;
}
Key generator error handler function
The final part of the code that needs our attention is a function called when something goes wrong. This function receives a string with the error message, and when it finishes, the die() function is called. The handler function must do two things: instead of a key, return to an e-commerce agent a message saying the key will be sent manually. And send to the developer an exhaustive information about the error to fix it and generate the key manually.
function OnSerialGenerationFailed($details)
{
echo "You will receive serial number in the next 24 hours"; // message to the customer
// mail("support@vendor.com", "Houston, we have a problem", $details); // message to vendor
}
There are several possible causes of mistakes: incorrect parameters of the algorithms, incorrect parameters of the key, a too long user name or e-mail, or a too long serial number that doesn’t fit to the number of bits specified in the algorithm. That is why the OnSerialGenerationFailed function must send a detailed information about the issue to the developer, so he could generate a serial number and send it to the customer.
Other things to consider
Examples hold a simplified version of the key generator. It doesn’t take into account recommendations to develop web generators. It does not check the IP address of the caller and does not analyze input parameters. Please pay attention to this when developing your own generator based on this one.
A user name and an e-mail must be passed as UTF-8 strings. Make sure your e-commerce agent sends these data in the UTF-8 encoding, or transcode the information if this is not so. Wrong encoding won’t lead to an incorrect serial number generated, but the registration name displayed for such a serial number can be different from the real user’s name, so he or she may be surprised to see it in the “About” window of the application
Asymmetric encryption is a complex mathematical process. If it is implemented using pure PHP without any third-party libraries, serial number generation can take dozens of seconds. The generator uses gmp_powm, bi_powmod, bcpowod functions whenever they are available. If serial number generation take too long on your hosting, we recommend to ask the hosting provider to enable these functions. For example, the gmp_powm function works ten of times faster than bcpowmod.
.Net-version
Description
The .Net-version of the key generator is a build containing all that is required to generate serial numbers. Source codes are in %Examples%\Keygen\Net as two projects: KeyGen (the key generator itself) and Usage (an example of use of the key generator).
The key generator is supplied in source codes for quick building under a given version of the .Net Framework, however we strongly do not recommend to apply any changes to the code. In future versions of VMProtect some new possibilities may be added to the generator, and that may lead to repeated modification of the code. Also, this may lead to errors that are very difficult to locate. If you found errors in the original code of the generator or would like to suggest improvements, please contact the support team.
Using the generator
Take the code from the Usage project as a base, then add to your project a link to the VMProtect.KeyGen.dll build. After that you will be able to generate serial numbers in your application. To function properly, the generator must “know” which product you generate serial numbers for. To achieve this, in VMProtect open the “Project | Export key pair” dialog and select the “Parameters for KeyGen.Net” option. The text area below will contain text information you should copy and paste to your application as a string constant.
Here is an example code to call the generator:
try
{
string data = @""; // put the exported data here
Generator g = new Generator(data);
g.UserName = "John Doe";
g.EMail = "john@doe.com";
g.ExpirationDate = DateTime.Now.AddMonths(1);
g.MaxBuildDate = DateTime.Now.AddYears(1);
g.RunningTimeLimit = 15;
g.HardwareID = "AQIDBAgHBgU=";
g.UserData = new byte[] { 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 };
string serial = g.Generate();
Console.WriteLine("Serial number:\n{0}\n", serial);
}
catch (Exception ex)
{
Console.WriteLine("Error: {0}", ex);
} The string you copied from VMProtect should be placed to the data variable passed as a parameter to the serial number class constructor. In case of any problems occur while parsing the product data, the constructor throws an exception containing a description of the problem. If the constructor successfully finishes its work, the generator is ready to produce serial numbers.
A serial number can contain various information specified using the generator properties. The above example displays how to fill all and every field of a serial number. Certain fields have limitations. For example, the User Name and E-Mail cannot accept strings exceeding 255 symbols in the UTF-8 encoding. If incorrect data are supplied, properties throw exceptions containing a description of the problem.
When the generator setup is done, the Generate() method is invoked. This method generates a serial number. At this step, all data of the serial number are combined, the checksum is calculated and the data are encrypted. If the volume of data exceeds the allowed length, the method throws an exception.
If you need to generate multiple serial numbers, you can use the generator class several times in a row, without the need to create it from scratch. To clear any given property of the generator, simply assign a null value to it.
Windows-version
Description
Windows key generators are DLL-files for x86 and x64 platforms, a C language header file and an MSVC-compatible lib-file. Therefore, the library can be both linked statically and loaded dynamically.
All files of the generator are located in the %Examples%\Keygen\DLL folder. A test application generating serial numbers is also there.
Generator API
The generator exports just two functions: the first one generates a serial number, while the second one frees up memory allocated by the first one. Let’s start with the first and the main one:
VMProtectErrors __stdcall VMProtectGenerateSerialNumber(
VMProtectProductInfo * pProductInfo,
VMProtectSerialNumberInfo * pSerialInfo,
char ** pSerialNumber
);The first parameter is a pointer to the VMProtectProductInfo structure, which contents are uploaded to VMProtect (see Exporting product parameters). The structure contains product private key, the algorithm used and the identifier of the product. More details on filling this structure follow below.
The second parameter is a pointer to the VMProtectSerialNumberInfo structure, which contents are moved to the generated serial number. The structure holds all fields of a serial number and a bit mask that defines which fields should be written to the serial number.
struct VMProtectSerialNumberInfo
{
INT flags;
wchar_t * pUserName;
wchar_t * pEMail;
DWORD dwExpDate;
DWORD dwMaxBuildDate;
BYTE nRunningTimeLimit;
char * pHardwareID;
size_t nUserDataLength;
BYTE * pUserData;
};
The flags field contains bit flags from the VMProtectSerialNumberFlags set described before the structure:
- HAS_USER_NAME – put the user name from the pUserName variable into the serial number.
- HAS_EMAIL – put the e-mail from the pEMail variable into the serial number.
- HAS_EXP_DATE – the serial number will expire after the date specified in the dwExpDate variable.
- HAS_MAX_BUILD_DATE – the serial number will only work with version of the product built up to the date specified in the dwMaxBuildDate variable.
- HAS_TIME_LIMIT – the program stops working after the time specified in the nRunningTimeLimit variable expires (the time is specified in minutes and shouldn’t exceed 255).
- HAS_HARDWARE_ID – the program works only on hardware with the id specified in the pHardwareID variable.
- HAS_USER_DATA – put custom user data of nUserDataLength length at the address of pUserData to the serial number.
The third parameter is a pointer to a pointer. The address of the generated serial number is written there. After generating the serial number, it should be copied, and the address must be passed to the second API function of the generator that will free memory taken by the serial number.
void __stdcall VMProtectFreeSerialNumberMemory(char * pSerialNumber);
The VMProtectGenerateSerialNumber function returns a VMProtectErrors value that either contains 0 if the serial number is successfully generated, or an error code. Possible error codes are:
- ALL_RIGHT – no errors, the serial number is generated.
- UNSUPPORTED_ALGORITHM – an incorrect key encryption algorithm is passed in the first parameter of the function.
- UNSUPPORTED_NUMBER_OF_BITS – an incorrect number of bits is passed in the first parameter of the function.
- USER_NAME_IS_TOO_LONG – the length of the UTF-8 encoded user name exceeded 255 byte.
- EMAIL_IS_TOO_LONG – the length of the UTF-8 encoded user e-mail exceeded 255 byte.
- USER_DATA_IS_TOO_LONG – the length of the user data exceeded 255 byte.
- HWID_HAS_BAD_SIZE – the hardware identifier has incorrect size.
- PRODUCT_CODE_HAS_BAD_SIZE – the identifier of the product passed in the first parameter of the function has incorrect size.
- SERIAL_NUMBER_TOO_LONG – the serial number is too long and can’t fit the number of bits specified in the algorithm.
- BAD_PRODUCT_INFO – the first parameter of the function is incorrect or NULL.
- BAD_SERIAL_NUMBER_INFO – the second parameter of the function is incorrect or NULL.
- BAD_SERIAL_NUMBER_CONTAINER – the third parameter of the function doesn’t point to memory to write the serial number address to.
- NOT_EMPTY_SERIAL_NUMBER_CONTAINER – the third parameter of the function doesn’t point to an empty memory cell, the cell must be NULL.
- BAD_PRIVATE_EXPONENT – the first parameter of the function contains an incorrect value of the private exponent.
- BAD_MODULUS – the first parameter of the function contains an incorrect value of modulus.
Errors can be of two categories: those caused by incorrect parameters or incorrect value of the first parameter, and all the rest. First category errors are rare and they indicate incorrect configuration of the structure. You should upload the product information again and check if the structure is filled correctly. An example of a proper filling of the structure can be found below.
Second category errors are caused by an attempt to put more data to the key than it can hold with its size. In this case we recommend to send a message to the e-commerce provider containing a text like “The key will be sent in 24 hours” instead of the actual serial number, and send all the required information to your own e-mail. In this case, the key is generated manually in VMProtect, some data are truncated to fit all crucial information to the maximum key size.
Example of usage
Below is a code example that calls the above functions and generates a serial number. Notice the block of code in the very beginning. The example will not work until you replace it with the one exported from VMProtect for your product:
//////////////////////////////////////////////////////////////////////////
// !!! this block should be generated by VMProtect !!! ///
//////////////////////////////////////////////////////////////////////////
VMProtectAlgorithms g_Algorithm = ALGORITHM_RSA;
size_t g_nBits = 0;
byte g_vModulus[1];
byte g_vPrivate[1];
byte g_vProductCode[1];
//////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////
int _tmain(int argc, _TCHAR* argv[])
{
VMProtectProductInfo pi;
pi.algorithm = g_Algorithm;
pi.nBits = g_nBits;
pi.nModulusSize = sizeof(g_vModulus);
pi.pModulus = g_vModulus;
pi.nPrivateSize = sizeof(g_vPrivate);
pi.pPrivate = g_vPrivate;
pi.nProductCodeSize = sizeof(g_vProductCode);
pi.pProductCode = g_vProductCode;
VMProtectSerialNumberInfo si = {0};
si.flags = HAS_USER_NAME | HAS_EMAIL;
si.pUserName = L"John Doe";
si.pEMail = L"john@doe.com";
char * pBuf = NULL;
VMProtectErrors res = VMProtectGenerateSerialNumber(&pi, &si, &pBuf);
if (res == ALL_RIGHT)
{
printf("Serial number:\n%s\n", pBuf);
VMProtectFreeSerialNumberMemory(pBuf);
}
else
{
printf("Error: %d\n", res);
}
return 0;
}
This is an example project for Microsoft Visual Studio from %Examples%\Keygen\DLL\Example. Below are the most interesting parts of the code with our comments.
First lines of the main function fill the VMProtectProductInfo structure with data, exported from VMProtect. This code is typical and it shouldn’t be changed to avoid errors. Then we create the VMProtectSerialNumberInfo structure and insert a bit combination of user name and e-mail to the flag field. In the next line, we put the user name and the password to the appropriate fields in the structure. Note, values are accepted in the UNICODE encoding. The key generator will transform them to UTF-8.
Then, we initialize a pointer variable where the address of the generated key will be stored, and call VMProtectGenerateSerialNumber, then analyze the return code. If there are no errors, the generated key goes out to console, and a call to free serial number memory function is made.
VMProtectSerialNumberInfo Structure
Some fields of the structure may needs some additional explanations. For example, dwExpDate and dwMaxBuildDate fields contain dates in the specific format: 0xYYYYMMDD, that is, the year is stored in the high wordб while the month and the day are in the respectively high and low bytes of the low word. To produce such a number, the following macros is used:MAKEDATE(y, m, d). You can call it like this: MAKEDATE(2010, 05, 12).
The pHardwareID field should contain a pointer to a string the VMProtectGetCurrentHWID method from the licensing SDK has returned.
Serial number generators
What are they for?
Apart from VMProtect, other software can generate serial numbers too. This is necessary to automate sending serial numbers. A customer purchases the product, an e-commerce agent sends an HTTP query to the website of the vendor, the generator runs on the server and produces a serial number based on customer’s data. The serial number is sent to the customer and to the vendor. The vendor then adds the serial to VMProtect manually using the import license dialog.
How it works
The licensing system of VMProtect is based on asymmetric algorithms, that is why a secret product key is required to generate a serial number. You can export this key in the project properties window and pass it to the generator in any suitable way.
The generator is called by the e-commerce agent using an HTTP query. A PHP generator can be called directly, a DLL-based generator – indirectly, but the principle is the same:
- Receive user data from the e-commerce agent
- Add all required information specified by the vendor
- Generate a serial number
- Encrypt it with one of algorithms
- Send the result to the e-commerce agent
Are there any existing generators?
The licensing system comes with three ready to use serial number generators as DLL, for the .Net platform and on PHP.
Can I make my own generator?
Yes, you can. The format of the serial number is here, serial number encryption algorithms are described here.
Is it safe?
Generally, yes, this is safe. However, you should follow these recommendations:
- Use HTTPS – if your e-commerce provider can send HTTPS queries, and your web hosting provider can answer such requests – you should prefer this variant over the typical HTTP, because in this case all data are transmitted in the encrypted form and the generated serial number cannot be intercepted.
- “Hide” your generator – make sure no one can open the generator occasionally. The www.site.com/keygen.php address is a bad idea. While www.site.com/abc123.php is much better. Make sure you do not put any external links to the key generator, it isn’t listed in website directories, and don’t put it into any service file like robot.txt. The less is known about the location of the generator, the better. Optionally, you can even place the generator on another website.
- Make sure it is the e-commerce agent who calls the generator – the program processing queries from the agent should check the IP address of the caller. E-commerce providers usually publish the IP-range the use to query serial number generators. Find that list at your agent and add a check to the program. If IP address sending a query lies beyond the specified IP range, do not produce comprehensible error messages. Either do not return anything or produce a simple 404. Do not give any clues to why the query has failed.
- Check input parameters – product settings in the e-commerce agent’s control panel usually allow you to specify a query string the agent should make to receive a license. For instance, you want to receive user name, e-mail address, date of purchase and the order id. So make sure all these parameters are passed and all of them have the correct format. Do not produce any response to erroneous queries. Send a message to your own e-mail whenever an erroneous query to the generator is made. This should help to investigate the issue.
- Add a “password” specify an additional parameter in the query sent by the e-commerce agent, a password. It should have an non-obvious name and value. Check this parameter from the receiving side. If the value is wrong, or the parameter is not specified – do not generate a serial number.