I take from your description, that you are somehow selling the software. All it takes to break your scheme, is getting the crypted cookie from another user.

I believe this is slightly harder than your user simply giving the software away to another person directly, so I would say this is ok 99.5% of the time...

If this worries too much, here's a simple way to cope with it, assuming that you have the source code of the .EXE you're selling. This is in addition to what you already done.

• Place some sort of char * placeholder in your code along the lines of:

   char *replace_me = "____REPLACE_ME_WITH_THE_MAGIC_KEY___";

• Compile this code and store the resulting .EXE in a file, say, unsigned.exe

• When generating the download page, grab unsigned.exe with a Perl script and write it to some semi-random name, replacing the string ____REPLACE_ME_WITH_THE_MAGIC_KEY___ with a string with exactly the same length (or shorter but padded with \0s), containing the customer-id or some other number that allows you to track the user.

It then becomes a matter of checking this number in the .EXE to know who leaked his/her copy. You can also have more elaborate schemes, placing an encrypted number in there and having the code decrypt and print such number at runtime.

Of course, all this can be easily defeated if the attacker can disassemble your code...

Best regards

-lem, but some call me fokat