U-He Zebra Timebomb

Discussion in 'Software' started by kola, Nov 18, 2021.

  1. Olymoon

    That's why I don't invest time in his synths, even if they are good. I prefer to invest time in plugins that I can try without fear of timebomb before I buy.
     
  2. The Revenant

    Sorry for the confusion, but when I say DAW, it means the software AND the hardware. So no, my computer is NOT connected to the Net.
    Oh, and please, calm down, Mister Iknoweverythingbetterthanyou.
     
  3. Synclavier

    The problem with Uhe is that he talks too much and never keeps his word. disgusting :(

    We've garnered a few details thanks to U-He's open replies to comments and questions in their post from 23 June 2017. Before you get too excited, Zebra 3 is apparently still a year away.
    So, to reiterate, Zebra 3 is still a year away from being released. In terms of those thinking of holding out from buying Zebra 2... don't. Although Zebra 3 won't be able to load presets from Zebra 2 and ZebraHZ (both of which will continue to be available), there are excellent upgrade options:
    "If you own Zebra2, Zebra3 will be a $30 upgrade. If you own Zebra2 and Dark Zebra/ZebraHZ, Zebra3 will be a free upgrade."

    Bla-bla marketing. Good that R2R taught that pretentious prick a lesson:


    Here is how U-he main protection works:

    1. Generate value (0 - 2047) from the licensee name.
    We call this value "UserValue".
    2. Get the hash of serial number by UrsHash.
    (UrsHash is a combination of WHIRLPOOL512 and SHA512.)
    3. Get hardcodedHash[UserValue] and compare with calculated hash.
    If it matches, license = OK.

    This means, serial number is not generated for users dynamically. The hash
    of all serial numbers are hardcoded to the app since the first release. User
    name is just used to determine which correct serial number to assign. This
    is good if dev has many customers, otherwise serial check will be dull and
    slow (check all hardcoded serials one by one, this is done by RobPapen).

    However, there is the weak point in this "wise" protection. Once legit serial
    numbers are leaked, that serial number can be used to other name. You can
    make another licensee for that serial by colliding "UserValue". This is not
    easy to avoid. Blacklisting the leaked serial number can affect to the legit
    users too, because that user may have same UserValue with leaked licensee.

    In short:
    - Uhe app contains 2048 correct hashed serial numbers.
    - Calculate valid serial from hashed serial is nearly impossible.
    - User A and User B may have same legit serial number.
    -> Generate another valid name for leaked serial can be possible.

    Enjoy checking many security aspects for the uhe type protection.
    These UserValue+Hash protection is used by Arturia, Audiority, SonicAcademy,
    LVC-Audio, Youlean etc. Valid user+serial pair can be made from legit serial.
     
    Last edited: Nov 20, 2021
  4. SineWave

    Too funny, especially when you're an imaginative guy like me. :rofl:

    And a xenophobe. :lol: @mojo777 Please, don't think I have anything against you. I'm just in a joking mood. Cruel joking mood, admittedly. :( No one is perfect. I'm actually very polite to people. My sub-conscience is my private business. :wink:
     
    Last edited: Nov 20, 2021
  5. lbnv

    Ok, not hard to understand.

    I own Zebra and this is the only synth I really don't regret I have bought. All others... In a certain degree. More or less.

    But it's a subjective sentiment.
     
  6. twoheart

    This attitude that the Windows firewall is not good enough results either from old "knowledge" (pre Win XP), when the firewall was not enabled by default, or the inability to use the Windows firewall correctly due to lack of sufficient knowledge.

    If you find the WFW too complicated, use the free Windows Firewall Control and you are ready to go even without a deeper understanding of how a firewall works.
     
    Last edited: Nov 20, 2021
  7. fiction

    Can you rely on it 100% or is there any bypass mechanism built by Microsoft into the OS that the native firewall has no access to?
     
  8. 2poor2

    Just in case you didn't know,
    Not only .exe files can access the web.

    I have a little script (cmd) I've found on the internet, to block the .exe files from the current folder AND SUBFOLDERS, and I duplicated the main line for it to also block
    .dll
    .vst3
    .ocx

    There are other windows files that can access the web... but for 99.9% of cases, plugins and vsti instruments only use those files.
    EACH TIME I install a vst or vst or something like arturia V Collection (there are dlls... vst3... .exe files...), I copy my little cmd file to the plugins folder, I open an admin cmd window, and run the script.
    EACH time there is a dll, vst3, ocx, exe file, including in the subfolders, a new entry will be added to the windows firewall (we can see the new entries, in the advanced options of the firewall).

    I use the absolutely amazing app EVERYTHING, that creates a database in ram, of ALL files,
    after I install a plugin or vsti, I open EVERYTHING, I type c:, so it only scans my C drive, and I sort it by 'creation date'.... that way, ALL files that were just created on my C drive can be displayed. It allows me to see which folders are used, where files are copied... ultra useful, if an installer places a particular hidden file, as part of the copy protection, in some hidden folder..

    Yes, all those file extensions can access the internet.
    Sometimes, there are plugins or vsti with a ton of files... but ALL the dll, exe, etc, will be added to the firewall.
    For example, if I run the script in C program files\steinberg\cubase, it will add a bunch of entries. But at least, I know there won't be any little innocent exe..dll.. file, that will call home.

    Also, sometimes people don't pay attention to this... and they get owned.
    For example, even if all files are blocked, the plugin or app can still open the webpage.
    What I mean is, sometimes, when we uninstall an app, our internet browser launches, and tries to open an URL to ask why we are uninstalling the app..why we aren't satisfied... etc etc... like
    https://www. pluginsucksdonkeydick.com/uninstall&appid=333444555&serialnumber=3456789

    If the plugin manages to open that page, while we uninstall it, the server will now know that our app ID is 333444555 and we have used a serial number 3456789...
    That serial can now be blacklisted, etc etc

    Another way how the plugin or vsti could call home, I guess... at least, that's what I would do...
    For example, if we use delphi or borland c++ to code, we can use a ton of components, to create our app. One of those components, such as buttons, check boxes, drop-down menus, labels, is the web browser.
    Imagine I create a vsti. On the main window, I place 'web browser' component, I resize it to 1x1 pixels, transparent, and I put it visible=off.
    Now, in my vsti, I program it, so, every single day, when the plugin is started, I use my little invisible webbrowser component, and I type some code ... like webcomponent1.openurl... and I try to open the websites https//mycompany.com/&plugin=zebra&usedserial=889900
    Of course, we can't see that website being open... because the web component is invisible and is only 1x1 pixel.
    When the url above is opened, the server checks the serial number. If the serials database doesn't have the number 889900, the plugin/vsti
    will switch to demo mode. Or will detonate some time bomb.
    Instead of the plugin opening , eg, chrome, and try to access that url, the plugin would use a tiny internet browser that nobody can see.
    If that particular url isn't blocked at the hosts file level... well, the plugin will easily be able to reach that url...

    Probably that's one of the ways plugins manage to call home, despite all the security measures already in place...

    Hope these little tricks can help someone :)
     
  9. BambooPestle

    @2poor2
    As far as I know blocking .dll/.vst3 will not have effect if you already firewalled your host (DAW for example). Library code executes from host context, so network calls from vst2/vst3 plugin will be blocked as well.
    But dll(vst2)/vst3 plugin can call executable (.exe) internally, and I think child process will not inherit parent (host) firewall rules, so it can have network access (need to test, but different firewalls can handle child processes differently).
    If this will work we can go even further, for example: DLL can also extract/generate executable to some temp. directory with random name and execute it, so in this case you can't even block access to specific executable.
    So better way to use disconnected from network PC/notebook, it's true

    If I'm wrong somewhere please correct me
     
  10. lasteno

    which serious firewall are you using? or recommend?
     
  11. I found this excellent firewall about a year ago, small 'boutique' company. It's called "Windows 10 firewall Control" by Sphinx Software. Heard about it on the nsanedown site, which has a lot of very knowledgeable computer people. It's kind of on the 'computer nerd' side of things. Anyway, it has a really nice "Lan Only" setting on it that I've found is great for all the downloaded music production stuff. Maybe some other firewalls have something similar, but I hadn't seen it before this one. I had found complete firewall blocking of software from all access sometimes left software working improperly because some software needs to connect to other software on your system, but having it open just to your Lan and nothing else provided good protection while keeping everything working okay. They have a free version of their firewall if you want to check it out. It can be a little quirky, but it's easily the best firewall I've ever used. I only have one computer so it's in an 'always on' internet connection and have never had a time bomb or a pop up saying I'm using a warez version of something since I'm using this firewall.
     
  12. twoheart

    I do rely 100% on it within the scope of what it is supposed to do.

    But every program in administrators context can change the behaviour of (any) firewalls and other programs or services, thus you need a virus scanner on top or be careful all the time what you allow to run on your PC (the last is what I rely on)
    The only thing you need to know is that WFW should be configured to block everything by default and the user must allow what he needs and what he certifies is ok.
    This can be easily managed by the free windows firewall control I mentioned.

    The misunderstanding about firewalls is that they do not replace a virus scanner or an intrusion detection system...* The firewall is only one part of a concept to protect my IT.

    There are studies that show that people who rely on Internet security packages are more likely to catch viruses, etc. This suggests that users of such packages are more likely to be negligent with their PCs than others who know about the problems and avoid them.
    And there are studies that using a second firewall has a negative impact on overall system security.

    That's the case. The called functions inherit the security context of the host.

    BUT: You must be sure to block every host that can call the functions of the dll or uses the VST. For instance if you use Premiere Pro or Audition or Davinci resolve they all make use of the VSTs on your system.
    It's a problem typical for Windows with a lot of side effects, that you can't predict which programs will make use of a given DLL that's linked into the system by registering it...
     
    Last edited: Nov 21, 2021
  13. secretworld

    For me I like tinywall, free, easy, lan mode, can block everything except what you allow. And did I see free lol...
     
  14. BEAT16

    TinyWall is designed to address those shortcomings and others. It starts off with a much more secure default configuration, and gives the firewall a sane user interface that makes it much easier to decide what to allow and what to block.

    Best of all, TinyWall introduces a really straightforward way of adding new apps to the approved list without blasting you with popups all the time. And it makes sure unknown apps can’t simply mooch into your system, turn off the firewall and start doing bad things to your PC.

    As developer Károly Pados says, the Windows firewall “possesses almost everything a man” – or woman – “could ask from a firewall engine.” What TinyWall offers is a better way to use that engine and to access all of its power. If you want a simple but effective and powerful firewall for Windows versions from Vista onwards, this one’s hard to beat. https://tinywall.pados.hu
     
  15. Xupito

    As far as I know the potential problem is the possibility for plugins to open executables (or links) like has been said. DLL, vst3 and similar are executables but they operate inside the host program like the DAW. So they're blocked from the net if the DAW is.
    They also can write to its presets folders.

    But if they open another executable it'll be one external to the DAW when for instance we check in the process manager.
    Examples: Positive Grid Bias, it opens a freaking online shop with their cloud thing. Rapidcomposer plugin opens the main program.

    The best solution for me is to set the Firewall (the Windows one or not) in whitelist mode. In other words: block all the shit unless I say otherwise. Simplewall, Windows Firewall Control and others can do this using the Windows Firewall. Of course, block also in the hosts file when recommended by your favorite vaccinator.

    SimpleWall uses the lower-level Windows Base Filtering Engine but for most the result is the same. If we talk about pure Windows spying it does give some extra. But the strong suit of SimpleWall is the easy way it offers the user to manage all together, like @BEAT16 well said among other things.

    Edited: repackaged, corrections, it's all my hangover's fault
     
    Last edited: Nov 21, 2021
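
The point the replies above converge on (a program rule is matched against the process that owns the connection, so per-file rules only make sense for executables, and anything unlisted is only stopped by a default-deny outbound policy), as an added PowerShell example that is not a script from any poster in the thread. The folder path and rule group name are hypothetical, and it must be run from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example, not a script from the thread.
param(
    [string]$Folder = 'C:\Program Files\ExampleVendor',  # hypothetical install folder
    [string]$Group  = 'Per-folder egress block'          # hypothetical rule group label
)

# Collect executables and plugin libraries under the folder, subfolders included.
$files = Get-ChildItem -LiteralPath $Folder -Recurse -File -ErrorAction Stop
$exes  = @($files | Where-Object { $_.Extension -eq '.exe' })
$libs  = @($files | Where-Object { $_.Extension -in '.dll', '.vst3', '.ocx' })

# Program paths that already have a rule in this group, so re-runs add no duplicates.
$known = @(Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue |
           Get-NetFirewallApplicationFilter |
           Select-Object -ExpandProperty Program)

$added = 0
foreach ($exe in $exes) {
    if ($known -contains $exe.FullName) { continue }
    New-NetFirewallRule -DisplayName "Block out: $($exe.Name)" -Group $Group `
        -Direction Outbound -Action Block -Profile Any `
        -Program $exe.FullName | Out-Null
    $added++
}

# Libraries run inside whatever process loads them, so (as the replies above note)
# their traffic falls under the rules of that host. No rules are created for them;
# the count is a reminder that every host able to load them needs its own rule.
"{0} executable(s) found, {1} new block rule(s) added" -f $exes.Count, $added
"{0} plugin librar(ies) found; filtered under the loading host's rules" -f $libs.Count

# Per-file rules cover only executables that exist at known paths today. A helper
# written later to some other directory is stopped only if the profile itself
# denies outbound traffic by default (whitelist mode).
$open = @(Get-NetFirewallProfile | Where-Object {
    "$($_.Enabled)" -ne 'True' -or "$($_.DefaultOutboundAction)" -ne 'Block'
})
foreach ($p in $open) {
    "Profile {0}: Enabled={1}, DefaultOutboundAction={2}" -f $p.Name, $p.Enabled, $p.DefaultOutboundAction
}
if ($open.Count -gt 0) {
    "Profiles listed above still let unlisted programs connect out."
}

# To switch to whitelist mode, after creating allow rules for what you need:
#   Set-NetFirewallProfile -All -DefaultOutboundAction Block
```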
  16. twoheart

    The best firewall is to be not connected to the internet all the time.

    I use two different network interface cards (NIC) in the PC. One (EXTERNAL 192.168.1.100 IP address over DHCP) is for the use of WAN incl. internet, the other I use for my LAN only (INTERNAL 192.168.0.100 no default gateway, no DNS server, fixed IP addresses).

    If I don't need the internet I just switch off my EXTERNAL NIC via a batch on the desktop and can work without any connection to the outside world. If I want to go online I can toggle the EXTERNAL NIC on again with a second link to a batch file on the desktop.

    You can of course do it by pulling network cable but this way it's more convenient and I can even start my DAW etc. via batch that first disables NIC EXTERNAL and then starts the DAW.
     
    Last edited: Nov 21, 2021
  17. softice

    I demo'd Zebra just by actually using the demo. It's such a deep synth anyway, and besides I have so many synths on top of that, that I didn't want to spend ages trying it out. I used the demo probably for a few years, on and off. It didn't click with me at first, the sound that is. But after a while it grew on me and I ended up buying it. Now I'll learn how to use it. I've already made up some basic INIT patches and I'll work from there. I ended up liking it so much I even bought the Dark Zebra/ZebraHZ on top.

    I used the same method trying out Hive and Repro, and when I could afford them, I bought them as well. I realise different people need different ways to demo. Just how I did mine. The u-he demos are quite good really, they don't start to fire off weird notes till after about 15-20 minutes, and then you just need to re-start your project. It's quite workable.

    I agree though that a time-bombed demo is worse than anything, and this is why I never used a u-he crack. Still, even if I'd used a perfect crack, I would have bought the software. It would be really annoying to be getting in to depth with the synth and then it bombs on you. So I spent a long time just trying them out here or there. I probably would have bought them sooner if I'd had a proper working crack.


    As for firewall stuff. I use Comodo Internet Security which is free. It has firewall and HIPS and AV. I don't use the AV. HIPS is Host Intrusion Prevention, kind of like a heuristics that you can set to safe all the way up to paranoid. It catches a lot of stuff that AV does not catch. I don't use an AV at the moment and I haven't for a while. But I've been deep in to security stuff for a long time. Only run without an AV if you know what you are doing. In my experience, they slow the system down, and very often don't catch the really nasty stuff. I still run 2nd opinion scanners like Hitman Pro. You can still do on demand scanning with Comodo AV though.

    If you really want to be safe with browsing it's best to go through a Sandbox or a Virtual Machine. I use both VMWare and VirtualBox. Sandboxie for a sandbox. Comodo Internet Security has a sandbox too. And that is good to use when Sandboxie sometimes doesn't, like when you want to run a keygen you are unsure of - just run it in the Comodo Sandbox. You can grab the serials and paste them in and it works perfectly.

    For blocking sites I either edit the hosts file or I use the Firewall rules in Comodo. There are probably better programs out there, but I like the suite of tools it provides. AV comes and goes. One year it's on top, the next year it's not so good. Plus you have to pay. Plus it slows your system down. I just scan every few days and don't worry about it. Sometimes it's a real pain blocking IP addresses because they don't actually block until you flush your DNS cache, and even then sometimes they still don't block, you have to restart the computer. Keep that in mind when editing your hosts file. Even the little executables that R2R provide, although they work perfectly, you still sometimes need to doublecheck to see if it worked. If not, restart.

    For a 2nd Firewall I run NetLimiter - https://www.netlimiter.com/

    It's a superb program that I found at the sister site and I'm going to be buying it very shortly. It shows you all kinds of things and connections that are being made and when you run your DAW you can set it to block different connections with lots of options. It's very visual though it takes a little effort to learn it is well worth it. I wouldn't want to run 2 Firewalls as such, but it's a little different to most Firewalls even though technically that is what it is, but it's a lot more than that again. You can't block everything though in some programs like Ableton because they use TCP for their plugin scanning. Others do as well. Studio One I think. Just download a demo and see, it's not expensive, about 30 bucks for 2 computers. Less for one.

    Also, when I run a system that I don't want connecting to the net, I use a VPN called Mullvad that automatically blocks all connections unless you start it. It's a Killswitch that is always on. In fact, when you set it up this way, it's impossible to connect to the net without using the program itself. I have Ableton, Bitwig, Cubase, Reaper, Studio One and Reason all set up on my latest build, and they all start up and work perfectly without internet connection. Except Reason of course, you must be connected or it will not start. These are all paid for DAW programs btw.

    You can still check if your internet is working by doing a 'Ping' via the Cmd shell: 'ping 8.8.8.8' ------- that will ping Google's servers and let you know if you have a live running connection, but you can't connect via a web browser. I guess it's possible that a program could install an exe file and when your compo starts up it dials home, even if the Killswitch of the VPN is on. I don't know. But for me, if I really want to make sure a program is not dialing out, after blocking it in the hosts file I would block it via NetLimiter too. NetLimiter has the advantage that it shows you all the different connections and IP addresses a program tries to connect to. Quite shocking sometimes.

    But even if this sounds like overkill and really technical, well, it still doesn't always work. I recently downloaded a crack of the SQ80V by arturia and even though I blocked the software center it still found a way around it. So arturia would have known exactly who I was as I had other software registered in my exact same name on the exact same machine. Sneaky. If I didn't have NetLimiter, I wouldn't have been able to block it so easily, but in the end it didn't matter, it still got through.

    I'm a noobie really compared to some people, but I'm also quite an advanced user compared to others, but I would never trust 100 percent even blocking a hosts file or firewall stuff or whatever. The only way you can be 100 percent sure is have a machine with no NIC and no Wireless. Even using Killswitch via VPN you would think internet is totally dead, and it is, but fire up Cmd shell and ping a site! You see it is still running on the lower network stack subsystem. Besides all that, all recent intel CPUs have webserver built in on Minix (linux) OS. It can send and receive data even when computer is off.

    Anyway, once you have a good firewall you know how to use (yes windows one is perfectly good, so get a front end that makes it easier like tinywall or whatever), get a program like NetLimiter and be amazed at all the different connections being made. Check out Bitwig! It connects to google servers! Oh and Amazon! Unless you block it, bet you didn't know that. So google and amazon know what dodgy software you use! And they would sell that information too. And developers would buy it. But it's probably not worth the hassle. I think we are safe for now. I don't worry about it.

    And don't worry too much about u-he stuff either, it's people like Arturia you need to be extra careful of! NetLimiter is your friend.
     
  18. kola

    love this community. thx for your replies!
     
  19. clone

    An option is to just edit your Hosts file, so that your computer cannot connect or contact the domain or IP address you list there.

    The only problem with relying on this only, is that some devs will actually buy some innocuous domain and set up a URL forwarder.
    I saw one of them get around a hosts block the dev was using for a house painting company. lol
     
  20. saccamano

    With regards to the OP, we have already learned that the u-he protection is an app internal affair that is as flawed as the many assumptions in this thread that were pointing to internet connectivity being the cause of the app time-bombs.

    As far as editing a "hosts" file to block an IP ADDRESS you're barking up the wrong tree. You block domains via hosts file not ip addy's. You block IP addresses thru firewall rules.

    And as far as firewalls are concerned, for windows os's the native windows firewall is about as useful as using two rocks to light a fire. These days a real time network monitor is a MUST to be able to visually see what apps or services are trying to make use of the internet in REAL TIME. As well thru that real time monitor, there must exist the ability to point and shoot firewall rules post haste to block something that is misbehaving. Outpost pro Firewall 9.1 (win7) or 9.2 (win10) has this capability (though it's an orphan the company doesn't exist anymore) and can do the job very well.

    As far as further security goes, no media production machine of mine is ever allowed on the internet. NO a/v, updaters, anti-spy/malware, ms store, cortana, or other os related garbage is allowed to run on production machines. Production machines' network connections are single homed to the backend admin lan ONLY. I run two vlans - one for backend admin purposes and one for internet. Both vlans are kept mutually exclusive by means of the outpost firewall configs running on those machines. Machines that require internet access are dual-homed and the IME is turned OFF at the BIOS level. Only older dell hardware that has the capability of switching OFF that Intel Management Engine garbage are used for internet access. Internet access is switched on/off by means of a couple of batch files sitting on the desktops of those inet connected win7 machines. The batch files either enable or disable the internet facing nic's in these machines and at shutdown always disables the inet nic's by default. No updates or telemetry are allowed on the win7 internet boxen. Any critical updates are installed manually only when needed. Third party A/V spy and malware runs only on internet connected machines and scans of all downloaded material are done there first before being used anywhere else internally on the system. This arrangement has worked flawlessly for years and will continue to work flawlessly for years to come.
     
    Last edited: Jun 23, 2023