Get License Keys For Software

Serial keys for software programs, more accurately called product keys or installation keys, are needed before you can install almost any popular software program.

License keys are the defacto-standard as an anti-piracy measure. To be honest, this strikes me as (in)Security Through Obscurity, although I really have no idea how license keys are generated.What is a good (secure) example of license key generation? How to generate and validate a software license key? Ask Question. To get access to all the features the user has to pay a license fee and receive a key. That key will then be entered into the application to 'unlock' the full version. @Pacerier There are many things license keys protect software companies from. Modifying the exe is not.

  1. Jul 20, 2018  Recover / Find License Keys for Installed Software on Computer: Nearly all software has a product key and remembering these can be difficult at the best of times, but what happens when you have to.
  2. Jul 05, 2017  NirSoft’s ProduKey lets you view product keys for Windows, Microsoft Office, and many other software programs. It can show the keys from the current computer, or you can use it to view the keys stored on a broken computer’s hard drive. How to Recover Keys From a Working Computer.

Serial keys or key codes are often required during the first part of a program's installation or sometimes after using a program for a certain period of time.

So what do you do when you can't find that special installation code but you need to install the program again?

Where Can I Find Serial Keys and Installation Codes for My Software?

Without a doubt, a key finder program — a special kind of software tool — is the best way to go if you're lost a serial key for one of your software programs, so long as it's still installed or recently was.

Product key finder programs are software tools that automatically search your computer for the serial keys stored in the Windows Registry or elsewhere on your computer.

For example, when you installed your operating system and other software, the product keys used during their installations were stored, probably encrypted, inside a specific registry key.

See our article on free product key finder software programs for a ranked and reviewed collection of these very handy tools, all of which are free to download, install, and use.

Now, you could manually look in the registry for the serials and install keys yourself, but they can be very hard to find. Not only that, the stored keys are usually encrypted, making what you dig up there completely useless anyway.

Most product key finder programs were originally designed to find the serial numbers and key codes for operating systems like Windows 10, 8, 7, Vista, etc., but many of them find serials and keys for many other programs, too, like office suites, video games, and more.

What If the Program I'm Missing the Serial Key for Isn't Installed Anymore?

Even if you think, or know, the program you've lost the key for isn't installed on your computer anymore, you should still try one of the higher-rated product key finder tools in our list.

Sometimes,a program will leave the registry keys that contain that program's serial key in the registry even after it's uninstalled, which is why this is worth a try. This isn't usually the case when the program was removed with a dedicated software uninstaller, but it's still worth a try.

If that doesn't work, you're left with digging around for the box the software came in, the email that accompanied the download, etc.

What If I Still Can't Find the Installation Code I'm After?

Unfortunately, at this point, your only legal option is to buy a new copy of the program.

In your search for help with lost serial keys, you've probably come across software cracking tools, keygen programs or maybe even lists of free key codes, there for the taking.

It's very important to realize that none of those resources are legal ways of obtaining installation keys or any other unique code designed to protect programs from being pirated.

The only legal way of installing software is by using a valid installation code obtained through a legal purchase of the software program.

Active1 year, 2 months ago

License keys are the defacto-standard as an anti-piracy measure. To be honest, this strikes me as (in)Security Through Obscurity, although I really have no idea how license keys are generated. What is a good (secure) example of license key generation? What cryptographic primitive (if any) are they using? Is it a message digest? If so, what data would they be hashing? What methods do developers employ to make it difficult for crackers to build their own key generators? How are key generators made?

rookrook
48.8k31 gold badges141 silver badges225 bronze badges

9 Answers

For old-school CD keys, it was just a matter of making up an algorithm for which CD keys (which could be any string) are easy to generate and easy to verify, but the ratio of valid-CD-keys to invalid-CD-keys is so small that randomly guessing CD keys is unlikely to get you a valid one.

INCORRECT WAY TO DO IT:

Starcraft and Half-life both used the same checksum, where the 13th digit verified the first 12. Thus, you could enter anything for the first 12 digits, and guess the 13th (there's only 10 possibilities), leading to the infamous 1234-56789-1234

The algorithm for verifying is public, and looks something like this:

CORRECT WAY TO DO IT

Windows XP takes quite a bit of information, encrypts it, and puts the letter/number encoding on a sticker. This allowed MS to both verify your key and obtain the product-type (Home, Professional, etc.) at the same time. Additionally, it requires online activation.
The full algorithm is rather complex, but outlined nicely in this (completely legal!) paper, published in Germany.

Of course, no matter what you do, unless you are offering an online service (like World of Warcraft), any type of copy protection is just a stall: unfortunately, if it's any game worth value, someone will break (or at least circumvent) the CD-key algorithm, and all other copyright protections.

REAL CORRECT WAY TO DO IT:

For online-services, life is a bit simpler, since even with the binary file you need to authenticate with their servers to make any use of it (eg. have a WoW account). The CD-key algorithm for World of Warcraft - used, for instance, when buying playtime cards - probably looks something like this:

  1. Generate a very large cryptographically-secure random number.
  2. Store it in our database and print it on the card.
    Then, when someone enters a playtime-card number, check if it's in the database, and if it is, associate that number with the current user so it can never be used again.

For online services, there is no reason not to use the above scheme; using anything else can lead to problems.

BlueRaja - Danny PflughoeftBlueRaja - Danny Pflughoeft
61.4k21 gold badges157 silver badges247 bronze badges

When I originally wrote this answer it was under an assumption that the question was regarding 'offline' validation of licence keys. Most of the other answers address online verification, which is significantly easier to handle (most of the logic can be done server side).

With offline verification the most difficult thing is ensuring that you can generate a huge number of unique licence keys, and still maintain a strong algorithm that isnt easily compromised (such as a simple check digit)

I'm not very well versed in mathematics, but it struck me that one way to do this is to use a mathematical function that plots a graph

The plotted line can have (if you use a fine enough frequency) thousands of unique points, so you can generate keys by picking random points on that graph and encoding the values in some way

As an example, we'll plot this graph, pick four points and encode into a string as '0,-500;100,-300;200,-100;100,600'

We'll encrypt the string with a known and fixed key (horribly weak, but it serves a purpose), then convert the resulting bytes through Base32 to generate the final key

The application can then reverse this process (base32 to real number, decrypt, decode the points) and then check each of those points is on our secret graph.

Its a fairly small amount of code which would allow for a huge number of unique and valid keys to be generated

It is however very much security by obscurity. Anyone taking the time to disassemble the code would be able to find the graphing function and encryption keys, then mock up a key generator, but its probably quite useful for slowing down casual piracy.

PaulGPaulG
12.2k7 gold badges44 silver badges70 bronze badges

Check tis article on Partial Key Verification which covers the following requirements:

  • License keys must be easy enough to type in.

  • We must be able to blacklist (revoke) a license key in the case of chargebacks or purchases with stolen credit cards.

  • No “phoning home” to test keys. Although this practice is becoming more and more prevalent, I still do not appreciate it as a user, so will not ask my users to put up with it.

  • It should not be possible for a cracker to disassemble our released application and produce a working “keygen” from it. This means that our application will not fully test a key for verification. Only some of the key is to be tested. Further, each release of the application should test a different portion of the key, so that a phony key based on an earlier release will not work on a later release of our software.

  • Important: it should not be possible for a legitimate user to accidentally type in an invalid key that will appear to work but fail on a future version due to a typographical error.

The SurricanThe Surrican
20.7k21 gold badges100 silver badges154 bronze badges

I've not got any experience with what people actually do to generate CD keys, but (assuming you're not wanting to go down the road of online activation) here are a few ways one could make a key:

  • Require that the number be divisible by (say) 17. Trivial to guess, if you have access to many keys, but the majority of potential strings will be invalid. Similar would be requiring that the checksum of the key match a known value.

  • Require that the first half of the key, when concatenated with a known value, hashes down to the second half of the key. Better, but the program still contains all the information needed to generate keys as well as to validate them.

  • Generate keys by encrypting (with a private key) a known value + nonce. This can be verified by decrypting using the corresponding public key and verifying the known value. The program now has enough information to verify the key without being able to generate keys.

These are still all open to attack: the program is still there and can be patched to bypass the check. Cleverer might be to encrypt part of the program using the known value from my third method, rather than storing the value in the program. That way you'd have to find a copy of the key before you could decrypt the program, but it's still vulnerable to being copied once decrypted and to having one person take their legit copy and use it to enable everyone else to access the software.

Andrew AylettAndrew Aylett
32.7k4 gold badges60 silver badges92 bronze badges

CD-Keys aren't much of a security for any non-networked stuff, so technically they don't need to be securely generated. If you're on .net, you can almost go with Guid.NewGuid().

Their main use nowadays is for the Multiplayer component, where a server can verify the CD Key. For that, it's unimportant how securely it was generated as it boils down to 'Lookup whatever is passed in and check if someone else is already using it'.

That being said, you may want to use an algorhithm to achieve two goals:

  • Have a checksum of some sort. That allows your Installer to display 'Key doesn't seem valid' message, solely to detect typos (Adding such a check in the installer actually means that writing a Key Generator is trivial as the hacker has all the code he needs. Not having the check and solely relying on server-side validation disables that check, at the risk of annoying your legal customers who don't understand why the server doesn't accept their CD Key as they aren't aware of the typo)
  • Work with a limited subset of characters. Trying to type in a CD Key and guessing 'Is this an 8 or a B? a 1 or an I? a Q or an O or a 0?' - by using a subset of non-ambigous chars/digits you eliminate that confusion.

That being said, you still want a large distribution and some randomness to avoid a pirate simply guessing a valid key (that's valid in your database but still in a box on a store shelf) and screwing over a legitimate customer who happens to buy that box.

Michael StumMichael Stum
121k103 gold badges369 silver badges511 bronze badges

How To Find Software Licenses

If you aren't particularly concerned with the length of the key, a pretty tried and true method is the use of public and private key encryption.

Essentially have some kind of nonce and a fixed signature.

For example:0001-123456789

Where 0001 is your nonce and 123456789 is your fixed signature.

Then encrypt this using your private key to get your CD key which is something like:ABCDEF9876543210

Then distribute the public key with your application. The public key can be used to decrypt the CD key 'ABCDEF9876543210', which you then verify the fixed signature portion of.

Free Software License Keys

This then prevents someone from guessing what the CD key is for the nonce 0002 because they don't have the private key.

The only major down side is that your CD keys will be quite long when using private / public keys 1024-bit in size. You also need to choose a nonce long enough so you aren't encrypting a trivial amount of information.

The up side is that this method will work without 'activation' and you can use things like an email address or licensee name as the nonce.

userxuserx
3,2081 gold badge17 silver badges30 bronze badges

The key system must have several properties:

  • very few keys must be valid
  • valid keys must not be derivable even given everything the user has.
  • a valid key on one system is not a valid key on another.
  • others

One solution that should give you these would be to use a public key signing scheme. Start with a 'system hash' (say grab the macs on any NICs, sorted, and the CPU-ID info, plus some other stuff, concatenate it all together and take an MD5 of the result (you really don't want to be handling personally identifiable information if you don't have to)) append the CD's serial number and refuse to boot unless some registry key (or some datafile) has a valid signature for the blob. The user activates the program by shipping the blob to you and you ship back the signature.

Potential issues include that you are offering to sign practically anything so you need to assume someone will run a chosen plain text and/or chosen ciphertext attacks. That can be mitigated by checking the serial number provided and refusing to handle request from invalid ones as well as refusing to handle more than a given number of queries from a given s/n in an interval (say 2 per year)

I should point out a few things: First, a skilled and determined attacker will be able to bypass any and all security in the parts that they have unrestricted access to (i.e. everything on the CD), the best you can do on that account is make it harder to get illegitimate access than it is to get legitimate access. Second, I'm no expert so there could be serious flaws in this proposed scheme.

BCSBCS
34.4k57 gold badges167 silver badges266 bronze badges

There are also DRM behaviors that incorporate multiple steps to the process. One of the most well known examples is one of Adobe's methods for verifying an installation of their Creative Suite. The traditional CD Key method discussed here is used, then Adobe's support line is called. The CD key is given to the Adobe representative and they give back an activation number to be used by the user.

However, despite being broken up into steps, this falls prey to the same methods of cracking used for the normal process. The process used to create an activation key that is checked against the original CD key was quickly discovered, and generators that incorporate both of the keys were made.

However, this method still exists as a way for users with no internet connection to verify the product. Going forward, it's easy to see how these methods would be eliminated as internet access becomes ubiquitous.

SeanSean

All of the CD only copy protection algorithms inconvience honest users while providing no protection against piracy whatsoever.

The 'pirate' only need to have access to one legitimate cd and its access code, he can then make n copies and distribute them.

It does not matter how cryptographically secure you make the code, you need to supply this with the CD in plain text or an legitimate user cannot activite the software.

Most secure schemes involve either the user providing the software supplier with some details of the machine which will run the software (cpu serial numbers, mac addresses, Ip address etc.), or, require online access to register the software on the suppliers website and in return receive an activitation token. The first option requires a lot of manual administration and is only worth it for very high value software, the, second option can be spoofed and is absolutly infuriating if you have limited network access or you are stuck behind a firewall.

On the whole its much easier to establish a trust relationship with your customers!

James AndersonJames Anderson
24.9k6 gold badges41 silver badges71 bronze badges

protected by CommunityAug 15 '14 at 19:13

Thank you for your interest in this question. Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count).
Would you like to answer one of these unanswered questions instead?

Not the answer you're looking for? Browse other questions tagged securitycryptographylicense-key or ask your own question.