1. HAPPY NEW YEAR!!!
  3. Release by VR timebombs. VR tried to force-validate serial by old routine by
  4. patching but it doesn't really help. We checked their Hive2 release and we
  5. found zero timebombs are patched. Now you know that users who posts "100
  6. percent working" for their releases are zero percent trustful.
  8. At least we checked many places they haven't noticed.
  9. Let's hope we made 100 percent again this time :)
  11. ----------------------------------------------------------------------------
  13. Here is how U-he main protection works:
  15. 1. Generate value (0 - 2047) from the licensee name.
  16. We call this value "UserValue".
  17. 2. Get the hash of serial number by UrsHash.
  18. UrsHash is combination of WHIRLPOOL512 and SHA512)
  19. 3. Get hardcodedHash[UserValue] and compare with calculated hash.
  20. If it matches, license = OK.
  22. This means, serial number is not generated for users dynamically. The hash
  23. of all serial numbers are hardcoded to the app since the first release. User
  24. name is just used to determine which correct serial number to assign. This
  25. is good if dev has many customers, otherwise serial check will be dull and
  26. slow (check all hardcoded serials one by one, this is done by RobPapen).
  28. However, there is the weak point in this "wise" protection. Once legit serial
  29. numbers are leaked, that serial number can be used to other name. You can
  30. make another licensee for that serial by colliding "UserValue". This is not
  31. easy to avoid. Blacklisting the leaked serial number can affect to the legit
  32. users too, because that user may have same UserValue with leaked licensee.
  34. In short:
  35. - Uhe app contains 2048 correct hashed serial numbers.
  36. - Calculate valid serial from hashed serial is nearly impossible.
  37. - User A and User B may have same legit serial number.
  38. -> Generate another valid name for leaked serial can be possible.
  40. Enjoy checking many security aspects for the uhe type protection.
  41. These UserValue+Hash protection is used by Arturia, Audiority, SonicAcademy,
  42. LVC-Audio, Youlean etc. Valid user+serial pair can be made from legit serial.

R2R