8 replies to this topic

[Tolito]

How do these work, exactly? I have done my research and I remain baffled. I could, of course, hard-code thousands of keys as one source has mentioned, but that is very ineffective. How do I know which keys have already been used? Am I supposed to distribute each copy only able to work with a single key? Will I need to make some odd verification system that checks to see if the first digit and the last digit add together to be the square root of the seventh digit, which at the same time is the sum of digits two and eight, and so on? Also, if I sale copies directly from my site and I am paid via PayPal, how would this work? How would PayPal be able to send them a unique Product Key and so on?

Tying all of this together is very confusing for me. Any suggestions and examples on what to do would be greatly appreciated. Thank you!

[Neometron]

I'm far from qualified to answer this, but I want to have first crack at guessing.
I could imagine a system very similar to PKI where there is a public/private key. There would be a database at some game company's HQ containing a private product key for each public key distributed with the packaging or downloaded apon purchase online. The game itself may have a hard coded string of characters and using the public key to encrypt that string. Then the encrypted string would be sent over the internet back to HQ in order to be decrypted using the private key. If the hard coded string matches after using the private key, then the public key is good. This is just a guess and I may be completely wrong.

[Tolito]

Thank you for taking a crack at it. This seems like a bit of work if you ask me, especially with connecting to the Internet. I am thinking about having a system built into the game that checks to see if the key entered matches a certain format (like the one I mentioned with the first and last digits being multiplied and such). I suppose that would work, but now I am wondering just how to get PayPal to send someone who purchases a product key, and if each product key should be unique.

Should each product key be unique if this system is used? What are the benefits? Risks? How would thousands of unique product keys be kept up with?

[Neometron]

Here is some more guessing ;)

For PayPal I think they have an 'auto return' feature for business websites. For instance you have a website where a person buys a game and proceeded to PayPal’s website. They pay up and PayPal returns back to a predefined page at your website. At that point your own website issue the product key if payment is received; not PayPal.

The system I was describing was for each unique product/public key there is a corresponding unique private key. So 10k product keys = 10k private keys. All keys are stored in a locally stored database.

I suppose instead of doing it that way, there could be a system where there is only one private and public key pair.

• You keep the private key, and the public key is hardcoded into software.
• Have a unique plaintext string that gets embedded into each game disk.
• Take that unique text string and encrypt it using the private key you kept.
• The encrypted output ‘is’ the Product Key and is placed on the packaging.
• A person buys your game.
• The person enters the Product Key
• The Product Key is decrypted using the hardcoded public key.
• If the plaintext message received from the Product Key is the same as the plaintext message stored on disk, then the Product Key is good.

However I could see a few flaws with this right off the bat:

• A hacker could replace the public key with their own and the plaintext message on disk gets encrypted with their own private key.
• Each game disk is different due to the unique plaintext string which results in multiple iso images.
• One Product Key cannot be used with other disks.

[Tolito]

Quite an idea! What makes it necessary for each product key to be unique, though? What are the benefits of this, if each copy of the game is exactly the same and there are not any differences from one disk to another? I will need to contact PayPal for more information regarding their services for selling products this way. Thank you for the support. B-)

[SimonForsman]

Just make it easy for yourself, use online activation of the keys, that way you can just generate them randomly when you print the discs/boxes or sell an online copy, store them in a database and set the date and a hardware hash for the last activation of it, allow uses to activate their game on X machines per month/year/whatever and it will be good enough. (its easy enough to remove the key check entierly and restricting activations will keep people from sharing their key (a shared key would quickly stop working)

alternativly you can use a fairly simple system such as the one you described in your first post and just let the game client verify the key. (that won't prevent key sharing though).

Unless you have a genuine online component to the game however it will be fairly easy for a hacker to simply remove the keycheck entierly from your game and then distribute the modified version. (If you have a online component you can just have the client send a hashed or encrypted serial key to you when he tries to play online and just refuse the connection if another player is playing with the same key (all you gotta do is keep track of which keys have been sold/shipped and which ones are used by currently online players)

Getting the keys out to the users is simple, paypal will send a message to a web address of your choice when a sale is made (with the purchasers contact details) so you can generate the keys and send them out via email when you get the purchase confirmation from paypal. (This is fairly easy to do with for example php or python)

Edited by SimonForsman, 27 July 2012 - 01:02 PM.

[Tolito]

The same rule applies here, though. A hacker can remove the thing that checks for online activation keys and distribute the modification for all. There are also programs that allow people to intercept the program's connection with the Internet and pass along a positive value to the program instead so it thinks it has received a message from the server saying the key is valid. You still have a good concept nevertheless.

I think the fairly simple system I described will work for me. Hackers will make the game not require a product key no matter how much work is put into the system. I just want to set up a key system that will lead to an honest individual making a purchase (A.K.A. they would only try guessing (if even that) and not go on torrent sites or anything of the sort).

If I made PayPal do this, would it redirect the user to the page at all? How would I make the page only work if the traffic comes directly from PayPal? I will try Googling for this information. Thank you very much for the packed-with-detail answer!

[SimonForsman]

The same rule applies here, though. A hacker can remove the thing that checks for online activation keys and distribute the modification for all. There are also programs that allow people to intercept the program's connection with the Internet and pass along a positive value to the program instead so it thinks it has received a message from the server saying the key is valid. You still have a good concept nevertheless.

I think the fairly simple system I described will work for me. Hackers will make the game not require a product key no matter how much work is put into the system. I just want to set up a key system that will lead to an honest individual making a purchase (A.K.A. they would only try guessing (if even that) and not go on torrent sites or anything of the sort).

If I made PayPal do this, would it redirect the user to the page at all? How would I make the page only work if the traffic comes directly from PayPal? I will try Googling for this information. Thank you very much for the packed-with-detail answer!

Paypal doesn't redirect the user, it contacts your server on its own

Basically when your web script recives a POST containing the transaction data it should make a connection to paypals server to verify that the submitted details are accurate and then process the data it got.

Here is a PHP code example.
https://www.x.com/de...e-sample/216623

If paypal gives you the verified result you just have to check the data (item number, payment amount, etc) , generate a key (or grab the next unsold key from your database if you got pre-generated keys) and send it out via email to the buyer.
Check: http://email.about.c...hentication.htm
to see how to send an email through a php script.

Edited by SimonForsman, 28 July 2012 - 12:16 PM.

[Tolito]

Thanks for the links! I was hoping PayPal contacted my server on its own. I contacted PayPal regarding this and they were wanting me to make the user be redirected and all, so maybe someone on the forums will understand what I mean.

What I would like it to do is send buyer information to a page on my website, which uses this data when generating a product key (it will not always be unique, but it will be pretty close to being unique each time). It prints the product key and a one-time download link to the page. I want PayPal to email this to the user once the payment goes through, unless it is not possible to cancel PayPal transactions. If I do not have to worry about them canceling the transaction and getting the product without payment, the information could be emailed to them as soon as they pay for it. I need some feedback on this concept, though. What do you think?

Thank you for taking the time to share all of this information.