What are they for?
Apart from VMProtect, other software can also generate serial numbers. This is necessary to automate the delivery of serial numbers. A customer purchases a product, an e-commerce agent sends an HTTP request to the vendor’s website, the generator runs on the server, and produces a serial number based on the customer’s data. The serial number is then sent to both the customer and the vendor. The vendor then manually adds the serial to VMProtect using the import license dialog.
How it works
The VMProtect licensing system is based on asymmetric algorithms, which is why a secret product key is required to generate a serial number. You can export this key in the project properties window and pass it to the generator in any suitable way.
The generator is called by the e-commerce agent using an HTTP request. A PHP generator can be called directly, while a DLL-based generator is called indirectly, but the principle remains the same:
- Receive user data from the e-commerce agent
- Add all required information specified by the vendor
- Generate a serial number
- Encrypt it using one of the algorithms
- Send the result to the e-commerce agent
Are there any existing generators?
The licensing system comes with three ready-to-use serial number generators: DLL version, .NET version, and PHP version.
Can I make my own generator?
Yes, you can. The serial number format is described here, and serial number encryption algorithms are described here.
Is it safe?
In general, yes, it is safe. However, you should follow these recommendations:
- Use HTTPS – if your e-commerce provider can send HTTPS requests and your hosting provider supports them, you should prefer HTTPS over HTTP, so that all data is encrypted in transit and the generated serial number cannot be read by anyone intercepting the traffic.
- “Hide” your generator – ensure that the generator cannot be discovered accidentally. Using a predictable address such as www.site.com/keygen.php is a bad idea. A less obvious URL such as www.site.com/abc123.php is preferable. Do not place direct links to the generator anywhere, do not list it in website directories, and do not include it in files such as robots.txt. The less is known about the generator’s location, the better. Optionally, you can host the generator on a separate server.
- Verify that only the e-commerce agent calls the generator – the application processing requests should check the caller’s IP address. E-commerce providers usually publish the IP ranges they use for requests. Use this information to validate incoming requests. If the IP address is outside the allowed range, do not return a meaningful error. Either return nothing or respond with a simple 404. Do not provide any clues about the failure reason.
- Validate input parameters – the e-commerce provider’s control panel usually allows you to define the parameters required for license generation (for example: user name, e-mail address, purchase date, and order ID). Ensure all required parameters are present and correctly formatted. Do not respond to invalid requests. Instead, notify yourself (for example, via email) when an invalid request is received so the issue can be investigated.
- Add a “password” parameter – include an additional secret parameter in the request sent by the e-commerce agent. It should have a non-obvious name and value. Verify this parameter on the server side. If the value is incorrect or missing, do not generate a serial number.
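The checks recommended above (caller IP, secret parameter, input validation, no meaningful error) can be combined into one gate that runs before any serial number is generated. This is an added example, not code from VMProtect or its bundled generators; the IP ranges, the parameter names (`q7`, `name`, `email`, `order_id`), the field limits and the `KEYGEN_SECRET` environment variable are all assumptions chosen for illustration.

```php
<?php
// Added example; every name and value below is a constructed placeholder.
const ALLOWED_CIDRS = ['203.0.113.0/24', '2001:db8:10::/48']; // provider's published ranges
const SECRET_PARAM  = 'q7';                                   // non-obvious parameter name
// True if $ip lies inside $cidr (IPv4 or IPv6).
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) return false;
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if (strlen($ipBin) !== strlen($netBin)) return false;     // IPv4 vs IPv6 mismatch
    $bytes = intdiv((int) $bits, 8);
    $rem   = (int) $bits % 8;
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) return false;
    if ($rem === 0) return true;
    $mask = (0xFF << (8 - $rem)) & 0xFF;                      // leftover prefix bits
    return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

// Returns the validated fields, or null if the request must be ignored.
function gate_request(string $remoteIp, array $params, string $secret): ?array
{
    $fromAgent = false;
    foreach (ALLOWED_CIDRS as $cidr) {
        $fromAgent = $fromAgent || ip_in_cidr($remoteIp, $cidr);
    }
    $given = $params[SECRET_PARAM] ?? '';
    if (!$fromAgent || !is_string($given) || !hash_equals($secret, $given)) return null;
    $name  = $params['name'] ?? '';
    $email = $params['email'] ?? '';
    $order = $params['order_id'] ?? '';
    $valid = is_string($name) && $name !== '' && strlen($name) <= 255
        && is_string($email) && filter_var($email, FILTER_VALIDATE_EMAIL) !== false
        && is_string($order) && preg_match('/^[A-Za-z0-9-]{1,64}$/', $order) === 1;
    if (!$valid) {
        error_log("keygen: malformed request from allowed caller $remoteIp"); // stand-in for an e-mail alert
        return null;
    }
    return ['name' => $name, 'email' => $email, 'order_id' => $order];
}
$secret = getenv('KEYGEN_SECRET');            // shared "password", kept out of the source
$fields = (is_string($secret) && $secret !== '')
    ? gate_request($_SERVER['REMOTE_ADDR'] ?? '', $_POST, $secret) : null;
if ($fields === null) {
    http_response_code(404);                  // same empty reply for every failure
    exit;
}
// $fields can now be passed to the serial number generator.
```

If the generator sits behind a reverse proxy or CDN, `REMOTE_ADDR` is the proxy's address, so the caller's IP has to come from a header that your own proxy sets and overwrites, never from one the client can supply.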