Advanced Installer allows you to easily add a serial number protection for your package. There are two types of serial validation each having it's advantages and disadvantages: Predefined List and Algorithm Verified. In terms of protection the two methods are about as hard to break.
Important - please note:
- The Advanced Installer's serial validation DLL is offered as a convenience. It should be replaced with your own, stronger and more secure, validation method.
- The validation done at install time is not the best method of serial protection. The recommended method is the validation done by the application itself, after it has been installed.
Predefined List of Serials
In this case each package will have one or more predefined valid passwords.
- When releasing a new version of the product you can add or delete certain serials without changing the rest.
- The list is fixed, so for a released version you cannot change the list, if, for example, the client list grows and you need to add more serials.
Algorithm Verified Serials
In this case the package will check whether that the serials pass a certain algorithm verification. The algorithm uses a special value, called a seed, to identify a group of equivalent serials. Changing the seed invalidates the current group of serials. The seed length and form depend on the length and form of the template.
- You can generate a practically unlimited number of serials. More exactly, this number is limited only by the number of combinations of digits and letters that verify the template you have chosen.
- If a serial has been compromised you cannot delete it in the next release. For that you would need to change the seed value, thus rendering all other serials invalid.
While the algorithm itself is reasonably hard to crack, the MSI it is not a secure environment. This means that somebody that tampers with the MSI, using nothing but a specialized editor, like Orca, could rather easily remove the protection.
A possible solution to improve this would be to use the bootstrapping feature in Advanced Installer to mask the MSI. However, this is not a definitive solution since an attacker could spy on the program activities and extract the MSI.
- Serial Number Validation DLL
Example and sample code for developing a DLL for serial number validation.