- HAPPY NEW YEAR!!!
- Release by VR timebombs. VR tried to force-validate serial by old routine by
- patching but it doesn't really help. We checked their Hive2 release and we
- found zero timebombs are patched. Now you know that users who posts "100
- percent working" for their releases are zero percent trustful.
- At least we checked many places they haven't noticed.
- Let's hope we made 100 percent again this time :)
- ----------------------------------------------------------------------------
- Here is how U-he main protection works:
- 1. Generate value (0 - 2047) from the licensee name.
- We call this value "UserValue".
- 2. Get the hash of serial number by UrsHash.
- UrsHash is combination of WHIRLPOOL512 and SHA512)
- 3. Get hardcodedHash[UserValue] and compare with calculated hash.
- If it matches, license = OK.
- This means, serial number is not generated for users dynamically. The hash
- of all serial numbers are hardcoded to the app since the first release. User
- name is just used to determine which correct serial number to assign. This
- is good if dev has many customers, otherwise serial check will be dull and
- slow (check all hardcoded serials one by one, this is done by RobPapen).
- However, there is the weak point in this "wise" protection. Once legit serial
- numbers are leaked, that serial number can be used to other name. You can
- make another licensee for that serial by colliding "UserValue". This is not
- easy to avoid. Blacklisting the leaked serial number can affect to the legit
- users too, because that user may have same UserValue with leaked licensee.
- In short:
- - Uhe app contains 2048 correct hashed serial numbers.
- - Calculate valid serial from hashed serial is nearly impossible.
- - User A and User B may have same legit serial number.
- -> Generate another valid name for leaked serial can be possible.
- Enjoy checking many security aspects for the uhe type protection.
- These UserValue+Hash protection is used by Arturia, Audiority, SonicAcademy,
- LVC-Audio, Youlean etc. Valid user+serial pair can be made from legit serial.
R2R