I've just seen this post about how to prevent crackers from breaking a software serial number protection by reverse engineering the serial checking code (found via 47 Hats).
If you are writing software you should take a look, it's very interesting, the main concept is to break the serial number verification code into several independent parts and include just one of them in the software, replacing the included part between versions or any time a cracker releases a keygen or serial number.
So by never including the complete algorithm in your program you are denying the crackers access to it and by switching the included parts of the algorithm you can break the partial solutions the crackers produce.
The other option for "strong serial numbers" is to use public-key cryptography.
While public key cryptography will theoretically give you stronger protection it has one serious limitation – in order to keep the serial number short enough for the user to type into the program you have to use a very small encryption key (otherwise your serial number can be several hundreds or even thousands of characters long).
A public key cryptography based system with such a small encryption key can be broken by brute force – by just trying all possible combinations until the cracker finds the correct encryption key.
For yaTimer I used a public-key based system, I'm assuming a time tracking tool will not attacked the kind of cracker that understands cryptography and knows about this weakness and how to exploit it.
I'm going to seriously consider the partial verification approach for my next product.
posted @ Tuesday, July 31, 2007 4:30 PM