Volume Number: 13 (1997)
Issue Number: 2
Column Tag: Programming Techniques

Serial Killer

By Jamie McCornack

Easy and effective serial number management for electronic game distributors

This material isn't rocket science - it is just an easy way to do something that you need to do. The computer game business is a dog and pony show, and this is about how to deal with pony poop. I am offering no glamour here, but I might save you a couple of day's work.

Games need serial numbers more than any other software. They also need individual serial numbers for individual customers because

• People play games for fun, and paying for things isn't much fun. Given a choice, the average game player will say, "It's only a game," and never think twice about ethics. These people would never go to their Porsche dealer and take off with a red one, saying, "It's only a Porsche," even though Porsches are supposed to be fun too.

• People will respond positively to paying for games if they are reminded gently and given the opportunity to pay at their own pace. Ambrosia recently bought a company, Humm-V, from voluntary contributions - folks who were willing to send in $15 to $20 for a serial number.

• The reward for having a serial number need not be big, but there must be some reward. Ambrosia (to use the most successful example in the Mac electronic distribution world) offers contests and the like to registered users. However, the main reward is that the game stops asking for a serial number every time you play it. While the reward need not be big, it needs to be immediate. So, the game itself needs to respond to serial number input.

• Having a single serial number hard-wired into your program doesn't work. It will immediately find its way onto the Internet, and the folks who "crack" your program will think that they belong in the next William Gibson novel.

The glossy box people do not have this problem as much, since they publish mostly on CD-ROM which costs peanuts to reproduce, but much more to copy. To copy protect a CD-ROM, all you have to do is insist that the CD be present (or some 200meg file on the CD) before the program runs. At the current state of the art, your CD costs you under a buck to produce, and a copy costs the freelance pirates about $10 - so, they might as well buy an original.

However, if distributing games on floppies, compilation CDs, or via modem, the economies of scale work against you.

A floppy loaded with your data and labeled costs more to produce than a blank floppy (purchased in boxes of 20) costs a potential pirate. Imagine what the book business would be like if books cost publishers six cents a page to print, and every person in the country had a nickel-per-page copy machine at home.

Compilation CD's (One Thousand Great Games for $19.95) are an effective way spread around demos and shareware games. However, the buyer has my game (and 999 other games), the distributor has $19.95, and I have nothing. Now I need to encourage the buyer to spend a little more. Electronic distribution is the same scenario, except the buyer receives a bill from AOL at the end of the month, and I still have nothing.

Well, not quite nothing. What I have is a marketing opportunity. The opportunity to sell something - an end to the "please register" reminder, a game enhancement, and early access to my next game. The easiest and most effective item for this market is a serial number. Here are some serial number guidelines.

• The serial number should be unique, and the gratification should be immediate. The game program needs to accept and reward any valid serial number, and spurn any invalid serial number.

• There should be more invalid numbers possible than valid numbers. There should be a minimum of 1000 wrong numbers for every right number or the "Hunt and Peck Hackers" will perform brute force solutions instead of doing their history homework.

• The system should be easy for you, easy for the registered user, and easy for the folks that answer your 800 line, fill out the MasterCard slips, and give out the serial numbers.

Generator cranks out a couple thousand serial numbers per second, and saves them as a tab delineated Excel file. Most databases can import Excel data. You can select start and end numbers from 1 to 999999. I recommend that you generate a reasonable quantity of numbers - you probably don't need a million serial numbers yet, nor do you want to devote 25meg to storing the file. Note that Generator is a 68k Mac program, but since it produces about 120,000 serial numbers per minute, it is probably not worth writing an Accelerated for PowerMac version.

I import my serial numbers into a FileMaker Pro document. FileMaker garbles the first record in the list because it stumbles on the Excel header, so I start my list with 0. I delete the first record, which leaves me with serial number 1 heading the list.

Generator's first function, CalculateValues(), names the file, sets the Excel header, forces tabs into the data where needed, and saves the serial numbers and customer numbers.

For clarity, the twelve digit numbers generated by Generator are grouped in four clumps of three; xxx-xxx-xxx-xxx. They look just like Bonkhead's numbers, but they're not. The uniquifying algorithms used herein are different from theirs, and yours should be different too. You'll have to write your own unique ProduceValues() function if you want your own unique serial numbers, but this version of ProduceValues() will give you some ideas.

Idea #1: ProduceValues() does much of its work with strings, with numerical input converted via LongToStr(). With minor changes, your version can output numbers with characters (both upper and lowercase) and symbols as well as digits (yes, the results are still called serial numbers).

Idea #2: LongToStr() places a string length value in str[0], and a nul value in str[last char + 1], creating a string that is both a Pascal string and a C string. Why? Someday you might be programming cross-platform, and the Mac prefers Pascal strings, and Wintel prefers C strings, and I don't know what Nintendo or the PlayStation use. However, there are a lot of potential customers out there, and they don't all use Macs. Sure, it costs us a character, but who is going to key in a 255 character serial number?

ProduceValues() briefly converts the string values ‘0' through ‘9' back to single-digit numbers, this is purely for the sake of clarity. For example, if you want to use uppercase letters instead of digits, convert

d1 = valStr[i++] - ‘0';

to

uL1 = valStr[i++] - ‘A';

and the number-stirring line (which converts 123 to 321, in this example), from

val1 = (d3*100)+(d2)+(d1/100);

to

val1 = (uL3*676)+(uL2)+(uL1/676);

This converts ABC to CBA. Using uppercase letters makes the serial "number" digital in base 26, giving 676 possible two letter combinations. Using uppercase and lowercase letters, plus the ten numerical digits, gives a base 62, with 3844 two character combinations and about 15 billion four character combinations. No wonder Apple hasn't run out of owner resource ID numbers yet.

In this example, the first and fourth three digit number groups reflect the customer number; 000-xxx-xxx-001 is customer #1, 076-xxx-xxx-345 is customer number 76,345, etc. The second number group is a random-appearing response to number group one, and the third number group is a random-appearing response to number group four. So, the first 999 customers are customers #1 through #999

Why don't we have a customer #0? We are #0. #0 is for in-house testing.

Customers #1 through #999 all have the same second number group (930, in this example) and customers #1 and #4,001 and #38,001 all have the same third number group (it happens to be 228).

The algorithm for generating response numbers is pretty simple in this example.

• Get a three digit number group (e.g. 123).
• Add 13 (e.g. 136).
• Swap the first and third digits (e.g. 631).
• Multiply by 3 (e.g. 1893).
• Subtract the original * 2 (e.g. 1893 - 246 = 1647).
• If the result is negative, convert it to its absolute value.
• Discard all but the last three digits (e.g. 647).

In real life you will want to use different seed numbers to add (or subtract) in step 2, different swap patterns, different multipliers, and you may want to swap and/or mingle digits from the first and fourth number groups. There are many ways to make your particular serial numbers your own.

The game program requests serial number input from the player, and confirms or denies the validity of that number. Does it run Generator backwards? Nope.

The game generates second and third number groups in response to the first and fourth number groups using exactly the same code as Generator, and checks them against the second and third number groups entered by the player. Are the generated and keystroked numbers identical?

If you are a believer in the heavy-handed school of registration numbers, the game can refuse to run until a suitable number is entered. A lot of glossy-box software uses this system. The only value I see from it is that if the buyer sends in a registration card with the number thereon, you know who to yell at if that number shows up on a BBS or on the pirates.com home page (my apologies if there really is a pirates.com out there).

If you are light-handed, a simple "thank you" splash screen might well suffice, and deactivate the gentle registration reminders that keep popping up. Also, flag this copy of the game as registered, either in the prefs file or in the application itself - do not demand the number be keyed in before every game.

One thing electronic distributors can do that glossy box distributors cannot, is personalize serial numbers. If someone buys a game off the shelf, they expect to be able to go straight home and play it with no further hassle. However, a customer who is mailing in a registration fee for the enhanced version of an electronically distributed game, or is phoning you with a pencil in one hand and a VISA card in the other, is going to give you their name. If you like, you can integrate that name into their serial number.

NameNumerator converts the first 24 characters of a name to a six digit decimal number. The six digit number (e.g. 958331) could be combined with the previous serial number generator (e.g. 958-xxx-xxx-331) to create a real challenge for the crackers.

Let's take a look at NameNumerator's most significant function.

Get Value
GetValue() takes a string up to 255 chars long, and returns a six digit decimal number, in the form of a six 
character string.

void GetValue(Str255 valStr, Str255 retStr)
{
 long i;
 
 for (i=1; i <= 6; i++)   //Load first six char codes
 retStr[i] = (valStr[i] % 10);
 for (i=1; i <= 6; i++)   //Load next six char codes(7 through 12)
 retStr[i] = ((retStr[i] + valStr[i+6]) % 10);
 for (i=1; i <= 6; i++)   //Load third six char codes (13 through 18)
 retStr[i] = ((retStr[i] + valStr[i+12]) % 10);
 for (i=1; i <= 6; i++)   //Load fourth six char codes (19 through 24)
 retStr[i] = ((retStr[i] + valStr[i+18]) % 10);

 //Add 257458 (kinda ) and ‘0' 
 retStr[1] = ((retStr[1] + 2) % 10) + ‘0';
 retStr[2] = ((retStr[2] + 5) % 10) + ‘0';
 retStr[3] = ((retStr[3] + 7) % 10) + ‘0';
 retStr[4] = ((retStr[4] + 4) % 10) + ‘0';
 retStr[5] = ((retStr[5] + 5) % 10) + ‘0';
 retStr[6] = ((retStr[6] + 8) % 10) + ‘0';
}

The first half of GetValue() takes the individual characters of a Str255 (the registrant's name), strips all but the last digit of that character's ASCII code, and places that digit in another Str255. After the first six digits are placed (valStr [1] placed in retStr[1], valStr [2] placed in retStr[2], etc.), the next six are added to the first six (valStr [7] added to retStr[1], valStr [8] added to retStr[2] etc.) and all but the last digit is stripped from the resultant. This process is repeated through 24 characters. However, to distinguish Clifford Hummel Throckmorton-Whitney from Clifford Hummel Throckmorton-Whitfield, you can repeat as necessary.

The second half of GetValue() adds the arbitrary seed number 257458, sorta

Well, it's not quite addition. Actually, we are adding the digit from the hundred thousands column to retStr[1] and stripping off all but the least significant digit from the result, adding the digit from the ten thousands column to retStr[2], and so on. Then we add the ASCII value of the character ‘0', so instead of having the actual digit values in the string, we get the ASCII values of the digits. 0 + ‘0' = ‘0'; that is, 0 + 48 = 48, which is the ASCII code for the character ‘0'. 1 + ‘0' = ‘1'; that is, 1 + 48 = 49, which is the ASCII code for the character ‘1'.

So you have your telemarketing people with NameNumerator up and running on their Macs, and when folks call in their orders, they can say, "How do you spell your name, Mr. McCornack? Your serial number is " and that is why you need to use genuinely arbitrary seed numbers.

For example,

 for (i=1; i <= 6; i++)   //Load first six char codes
 retStr[i] = (valStr[i] % 13);//In base 13

will throw a Spaniard in the works, and

 
for (i=1; i <= 6; i++)    //Load first six char codes
 retStr[i] = (valStr[i] % (10 + i)); //In base (10 + i)

will scramble things even further.

Or perhaps you'd like to use alphabet characters. To start the above six digit example with an uppercase letter, change the first line of the second half of the routine to

 retStr[1] = ((retStr[1] + 2) % 26) + ‘A';

which adds a random-like number from 0 and 25 to the ASCII code for ‘A', giving the full range of capital letters (since ‘A' + 25 = ‘Z').

What is the advantage of personalized serial numbers? Many people who would otherwise distribute a generic serial number will balk at distributing a serial number which only works with their name, thus exposing them as the culprit. However, the typical game pirate is not worth harassing - what are you going to do, have your lawyer's mom call the pirate's mom to tell her she has a naughty kid?

You could build a serial number from a name and phone number, and verify the phone number by having your telemarketers say, "We will call you back in three minutes with your serial number" when the order is placed. However, if I were publishing a high-bucks 3D animation program, I would want to discourage folks from buying one copy and putting it on every workstation in the art department. I could say, "You don't like dongles? Then I will give you a serial number. However, it will only work in conjunction with your name, your credit card number, and its expiration date. If your system isn't secure enough for your credit card data, maybe it isn't secure enough for our program, either. Are you sure you don't want a dongle?"