How does software keygen work?
I have seen them plenty of times, with many different types of software, but the one thing I have always wondered is how software keygens know what key to generate. I know the basic principle of it: the keygen looks somewhere in the software installation files and creates a key that matches some encrypted file which allows the program to work. But I wanted to know how they do that, and how to prevent it. This is really a multiple part question.
How does the key-system work?
How do programmers usually create software that works based on a key. I am an intermediate programmer, but I never learned much of the security/anti-piracy aspect of it. How do they create and/or recognize the keys to allow the software to start working?
Where does it usually look to find this "encrypted file"?
Is it in a physical file on the computer, or an off-site database that it calls? What do the companies do to encrypt that file?
I would emagine that the key must be stored in more than just plaintext, what do they do to keep it encrypted?
What method is the keygen using to create the key?
I have played around a little with some password-cracker software such as "cain & able" and I have noticed, that with some of the password-cracking methods, such as brute-force and dictionary, it gives me ETAs in years, however keygens seem to create keys instantly. Are they using different methods entirely?
What measures can companies take to prevent the use of keygens in pirated software?I am starting to write my own software to be distributed, I was wondering what existing, relatively easy methods can I use to prevent
One of them was discussed in stackoverflow:
Assuming you don't want to do a special build for each user, then: Generate yourself a secret key for the product Take the user's name
Concatenate the user's name and the secret key and hash with (for example) SHA1
Unpack the SHA1 hash as an alphanumeric string. This is the individual user's "Product Key"
Within the program, do the same hash, and compare with the product key. If equal, OK.
Note: every key scheme can be cracked. That's why a lot of tools use online validation.
- Where does it usually look to find this "encrypted file"?
- There usually is no encrypted file when using the previous method. There might be other methods to generate keys with another algorithm, but they never store all keys in the program.
- What do the companies do to encrypt that file?
- Well if you are referring to storing the key the user typed in your system, then sometimes it's saved plaintext in a config file. Sometimes they use symmetric (like AES) encryption with a hardcoded key to encrypt this file.
- What method is the software keygen using to create the key?
- Because there are people that can figure out the scheme the program uses and just implement it in their own keygen.
- What measures can companies take to prevent the use of keygens in pirated software?
Online activation, but the harder you make it for the customer to use the software the less likely you will buy it. In the end there isn't a single piece of software that is piracy-proof. If there was, companies like Adobe and Microsoft would be hiring you instantly.