Home » Support » User Manual » The Software Licensing System » Serial number generators

Serial number generators

Why do I need standalone generator?

Besides VMProtect, serial numbers using standalone generators. They are usually web-based and used to generate serial number by request from payment processing service. Customer pays money to service, service calls serial number generator, it generates serial number and sends it back to service and finally service sends it to the customer. Vendor receives notification and import serial number to the database.

How does it work

The licensing system based on asymmetric algorithms, so standalone serial number generator needs a products private key to generate licenses. You should export the key using “Export Key Pair” button from the product properties window.

Standalone generator usually called by HTTP-query. PHP-based generator can be called directly, DLL-based generator needs some environment to run. But both work the same way:

  • Get information about customer from payment processing service
  • Add some vendor and product-specific data
  • Pack data to a serial number
  • Encrypt serial number using the products algorithm
  • Send serial number to payment processing service

Do you provide working generators?

Yes, the licensing system is bundled with to serial number generators: DLL-based and .Net-based for Windows and PHP-based for UNIX.

Can I make my own generator?

Yes, you can. See the serial number format specifications here and encryption algorithm details here.

Is it safe?

Usually – yes. But here are some recommendations:

  • Use HTTPS protocol – if your payment processing service allow to query generator by HTTPS and your hoster allows to reply by HTTPS, it is better to use HTTPS. In that case data will be encrypted while exchange and nobody will be able to catch them.
  • Hide the generator – make sure that it is hard to find out URL for the generator. For example it is better to use www.site.com/abc123.php for generator instead of www.site.com/keygen.php. Make sure that there is no external links to the generator, that it doesn’t listed in robots.txt and other system files. You may even put generator to another site that doesn’t related to your product. The less is known about generator – the better.
  • Make sure that generator is called by payment processing service – before starting serial number generation it is recommended to check that serial number generator is called by payment processing service and not a hacker. Usually such services have list of IP addresses that they may use to call generators. Add checks that will compare caller’s IP with the list, provided by service. If the caller IP is not listed – just return nothing. Or return error 404. Do not return errors like “Serial number cannot be generated” or “Bad IP address”. This will give hacker too much information. And always send yourself e-mail with details of such attempts.
  • Check input parameters – payment processing services allows to define a number of parameters that will be passed to the generator. Do not use default names like “user” and “e-mail”, use “sx43a” and “a094d” instead. Check parameters on the generators side. Do not reply to queries with incorrect parameters set. With missed parameters or with additional parameters. And do not forget to notify yourself by e-mail about such attempts. Attach caller IP, list of input parameters and other information.
  • Add a “password” – you may put some additional parameters to the query with random values. Check those parameters and values on the generators side and do not reply on query without such parameters.