What isn't mentioned in the article is why UD2 is chosen. It is a relic from the SecuROM days; in fact, one of the developers of SecuROM also works or worked at Denuvo.
I would imagine many things from the SecuROM era live on in Denuvo.
But if you read the article you will realize that certain games will not work in the future due to Denuvo.
"This destroyed any exception-based hooking since majority of the time an exception is triggered, Windows will write an EXCEPTION_RECORD high up in unused stack space. You can probably see where this is going. Now, whenever the CPUID is hooked via an exception, that important value will become overwritten with an EXCEPTION_RECORD, causing undefined behaviour later on. I believe this can be bypassed if you attach a debugger to the process and set certain flags when it comes to exception handling, but the method of patching every hardware check is still cumbersome due to randomness anyway."
As Windows matures, behaviour can change, breaking certain stuff.
The anti-tamper code, if any tampering is detected, will crash on undefined/unallocated regions. Meaning that if Windows ever were to overwrite that region for whatever reason, it will trigger the crash.
Such was the case for SecuROM in the early days. It featured the CRC checks mentioned; if any single byte was changed, including an INT (breakpoint) instruction, it would crash. Here it's unlikely that it won't crash. Rendering the game inoperable.
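The CRC-style guard the comments above describe, as an added example written for this thread (not SecuROM's or Denuvo's code): a CRC-32 over a protected code region is compared with a value baked in at protect time, and a single patched byte such as a 0xCC int3 breakpoint trips it. The byte string standing in for the protected function is constructed here, and the names (`integrity_ok`, `set_breakpoint`, `single_byte_patches_detected`) are this example's own. The last function checks exhaustively why one changed byte is always caught: CRC-32 detects every burst error of 32 bits or fewer, and a byte is an 8-bit burst.

```python
"""Code-integrity guard of the kind the SecuROM/Denuvo comments describe.
Added example; the 'code' below is a constructed stand-in, not real game code."""
import zlib

# Constructed stand-in for a protected x86-64 function body:
#   push rbp; mov rbp, rsp; mov eax, 0x1337; pop rbp; ret
PROTECTED_CODE = bytes.fromhex("554889e5b8371300005dc3")
INT3 = 0xCC  # one-byte software breakpoint a debugger writes into code


def region_crc(code: bytes) -> int:
    """CRC-32 of a code region, as an unsigned 32-bit value."""
    return zlib.crc32(code) & 0xFFFFFFFF


# The protector computes this once and bakes it into the binary.
EXPECTED_CRC = region_crc(PROTECTED_CODE)


def integrity_ok(code: bytes, expected: int = EXPECTED_CRC) -> bool:
    """Runtime check: does the region still hash to the value baked in at protect time?"""
    return region_crc(code) == expected


def set_breakpoint(code: bytes, offset: int) -> bytes:
    """What a debugger does for a software breakpoint: replace one byte with int3."""
    return code[:offset] + bytes([INT3]) + code[offset + 1:]


def single_byte_patches_detected(code: bytes) -> bool:
    """Exhaustively confirm that no single-byte change anywhere in the region
    preserves the CRC (true for CRC-32, which catches all bursts <= 32 bits)."""
    expected = region_crc(code)
    for off in range(len(code)):
        for val in range(256):
            if val == code[off]:
                continue
            patched = code[:off] + bytes([val]) + code[off + 1:]
            if region_crc(patched) == expected:
                return False
    return True


if __name__ == "__main__":
    print("clean region ok:", integrity_ok(PROTECTED_CODE))
    print("int3 at offset 0 ok:", integrity_ok(set_breakpoint(PROTECTED_CODE, 0)))
    print("every single-byte patch detected:", single_byte_patches_detected(PROTECTED_CODE))
```

In a real protector the comparison is not a clean boolean that returns false; as the comment says, the mismatch is folded into later computation so the process dies somewhere unrelated, which is also what makes the scheme fragile when the OS changes what it writes into the process.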
Had also a look at Denuvo a while ago. Used LLVM to remove the x86 obfuscation and broke it down to VM opcodes. At least back then, Denuvo seemed to translate game code into a stack machine.
This is how a VM push looks:
(vmreg_e268 is the stack pointer; it's decremented and stored in a temp reg, then the value of vmreg_e560 is copied to the stack pointer address, then the new stack pointer value is written back)
But I quickly lost interest when it became MBA galore:
(looks like it's doing some operation with a constant on vmreg_ebe8, but obfuscated by MBAs, and most likely the result won't ever be used, so it's just noise to drown out the real operations)
BTW: anyone aware of LLVM optimizer pass implementations that can deal with MBAs?
It is a C++ implementation of SiMBA [1] - a tool to handle linear MBAs, made available by Denuvo itself. Denuvo have another tool - GAMBA [2] - for handling some varieties of non-linear MBAs. And then a further improvement by another researcher - MSiMBA [3].
SiMBA++, since it is written in C++, is fast and integrates well into LLVM passes to automatically identify the MBAs and replace them in the LLVM IR with simplified expressions. So no additional work is required.
Shameless plug - me and my colleague (author of SiMBA++) recently gave a talk about using LLVM for deobfuscation of WASM, where we talk about MBAs, SiMBA++ etc. The idea is not limited to WASM, it is language agnostic once you have a binary lifted to LLVM IR. https://www.youtube.com/watch?v=gKRdOcuXbYI
> BTW: anyone aware of LLVM optimizer passimplementations that can deal with MBAs ?
Your best bet is InstCombine, but likely most of the MBA patterns aren't going to be InstCombine patterns because who writes that kind of code?
In principle, you might see if you can tickle Alive2 (which can map LLVM IR to SMT logic) to see if you can get a peephole optimizer that's querying an SMT solver. But I'm not aware of anyone who's built a pass like that yet, and it's definitely not a regular pass in the compiler.
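For the MBA question above, here is the core of what SiMBA does for the linear case, as an added example written for this thread (not code from SiMBA, SiMBA++, GAMBA or Denuvo). A linear MBA is a sum of coefficients times bitwise functions of the variables, so it is fixed entirely by its per-bit behaviour on {0,1}^n. Evaluating the expression with each variable set to 0 or all-ones recovers that per-bit truth table, Moebius inversion turns it into the conjunction basis (x, y, x & y, ...), and a random-input check rejects anything that was not linear to begin with, which is the gap GAMBA exists to cover. The 64-bit word size, the function names and the sample expressions are this example's assumptions.

```python
"""SiMBA-style simplification of linear mixed boolean-arithmetic expressions.
Added example for this thread; not code from SiMBA, SiMBA++ or GAMBA."""
from itertools import product, combinations
import random

WIDTH = 64                      # assumed word size of the obfuscated code
MASK = (1 << WIDTH) - 1


def _signed(c, width=WIDTH):
    """Map a residue mod 2^width to the signed value in [-2^(width-1), 2^(width-1))."""
    c &= (1 << width) - 1
    return c - (1 << width) if c >> (width - 1) else c


def _conj(values, mask):
    """Bitwise AND of the values; the empty conjunction is all-ones, i.e. -1."""
    r = mask
    for v in values:
        r &= v
    return r


def simplify_linear_mba(expr, nvars, width=WIDTH, trials=256, seed=0):
    """Return {frozenset(var indices): signed coefficient} such that
    expr(x) == sum(coef * AND(x_i for i in S)) mod 2^width, or None when expr is
    not a linear MBA (it multiplies variables, or mixes a constant into a bitwise
    operation), which the random check at the end detects."""
    mask = (1 << width) - 1
    idx = range(nvars)

    # 1. Per-bit truth table g. With every variable 0 or all-ones, every bitwise
    #    sub-term is 0 or all-ones, so expr(v) == -g(v) mod 2^width.
    g = {}
    for bits in product((0, 1), repeat=nvars):
        args = [mask if b else 0 for b in bits]
        g[bits] = (-expr(*args)) & mask

    # 2. Moebius inversion into the conjunction basis:
    #    a_S = sum over T subset of S of (-1)^(|S|-|T|) * g(T).
    coeffs = {}
    for size in range(nvars + 1):
        for S in combinations(idx, size):
            a = 0
            for tsize in range(size + 1):
                for T in combinations(S, tsize):
                    sign = -1 if (size - tsize) % 2 else 1
                    bits = tuple(1 if i in T else 0 for i in idx)
                    a += sign * g[bits]
            a &= mask
            if a:
                coeffs[frozenset(S)] = _signed(a, width)

    # 3. Linearity check: the reconstruction must agree on random full-width inputs.
    rng = random.Random(seed)
    for _ in range(trials):
        x = [rng.getrandbits(width) for _ in idx]
        got = sum(c * _conj([x[i] for i in S], mask) for S, c in coeffs.items()) & mask
        if got != expr(*x) & mask:
            return None
    return coeffs


def render(coeffs, names=("x", "y", "z")):
    """Readable form, e.g. 'x + y - 2*(x & y)'; the empty conjunction renders as a constant."""
    if coeffs is None:
        return "not a linear MBA"
    if not coeffs:
        return "0"
    parts = []
    for S in sorted(coeffs, key=lambda s: (len(s), sorted(s))):
        c = coeffs[S]
        if not S:
            body, c = str(abs(c)), -c      # c * (-1) == -c
        else:
            term = " & ".join(names[i] for i in sorted(S))
            if len(S) > 1:
                term = f"({term})"
            body = term if abs(c) == 1 else f"{abs(c)}*{term}"
        parts.append(("- " if c < 0 else "+ ") + body)
    s = " ".join(parts)
    return s[2:] if s.startswith("+ ") else "-" + s[2:]
```

Running it on the classic `(x ^ y) + 2*(x & y)` yields `x + y`, on `(x | y) + (x & y) - (x ^ y) - 2*(x & y)` it yields `0` (the kind of dead noise the reverse-engineering comment above suspects), on `x * y` it returns None, and `x | 0xFF` is rejected too, because a constant inside a bitwise operation makes the per-bit function differ across bit positions. Wired into an LLVM pass this is the step that replaces the lifted IR for an MBA with the simplified expression; the further polishing SiMBA does (choosing an XOR or OR form with fewer terms, so that `x ^ y` comes back as `x ^ y` rather than `x + y - 2*(x & y)`) is not shown.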
It is clearly effective. Go to a PC game piracy site and most games will be available, but anything covered by Denuvo is unavailable even years later. Either nobody is willing to crack it (unlikely) or Denuvo have done an exceptional job.
The most important thing about Denuvo is that it's on a subscription license to the game publishers, so it's almost always removed after some length of time. This is critical in understanding why it isn't cracked as often, because they've shifted the economics to "spend 3 months tediously removing obfuscation methods or wait 1 year and the game is unprotected anyway."
> anything covered by Denuvo is unavailable even years later
I don't think this is true in the general case.
> Either nobody is willing to crack it (unlikely)
That's exactly what's going on - it's a matter of time-benefit, not "possible." What's groundbreaking with Denuvo isn't that the overall technique is incomprehensible but rather that it's insanely tedious to remove and very difficult to automate. They haven't made some groundbreaking theoretical technique, they've applied so many "standard" ways to obfuscate a binary that it becomes more annoying than it's worth to remove.
Is this, uh… actually a good outcome? If games make most of their money in the first couple months anyway (I’m not sure about this claim but it seems intuitively possible, at least for AAA), then getting anti-piracy for that timeframe seems like a high priority.
Then, the subscription can be allowed to lapse… and the game can be preserved, at least to the extent to which it can run without servers. If we have any belief in the “games as art” idea, this seems like a good result for preserving art.
> The most important thing about Denuvo is that it's on a subscription license to the game publishers, so it's almost always removed after some length of time.
No, the most important thing about Denuvo is that PC gamers are forced to upgrade their hardware because Denuvo is such a performance hog. All you have to do is wait until Denuvo is stripped and the game will run much faster.
Frankly, it wouldn't surprise me if there's a conspiracy between Denuvo and Intel/AMD/NVIDIA where Denuvo goes out of their way to hurt performance on a really popular title, thus forcing people to upgrade.
Idiot writers at gaming websites claim a new patch to a game that's been out for a while has "optimizations" and lauds the developers for slaving away to make an already-finished game faster. The reality is that they just stripped out Denuvo.
>anything covered by Denuvo is unavailable even years later.
That sounds like a marketing claim. There's a bunch of denuvo-protected games that have been cracked. As far as I am aware, although I am not completely up to date, there are more denuvo-protected games that have been cracked than not.
(I agree that Denuvo is generally effective for its goals, especially at game launch when it is most valuable. It's just not infallible, by any stretch.)
I think some of the recent 'cracks' were mostly errors by the developers, allowing the demo of a game to load the full data files or shipping an unprotected EXE by accident somewhere (sometimes they leave a debug EXE lying around).
I thought EMPRESS (the only one that was able to consistently put out cracks and only for some games) retired. So there's literally no one who's cracking any recent games, which is all that matters for publishers.
By my best count there are ~80 uncracked and ~190 cracked Denuvo games. Demo bypasses etc. count as uncracked. A further ~130 games had Denuvo removed after release.
There are cracked Denuvo games, and no anti-piracy scheme is unbreakable, ever.
If it can run on your PC when copy-protected, it means at some point the CPU executed the right instructions, so a crack is always possible to create. It's just a matter of how much effort and time is it to reverse-engineer it. You cannot copy-protect software indefinitely.
I remember feeling cool as fuck as a teenager because I cracked GTA 3 by dumping the live memory of the binary post decryption. Of course it's been 25 years, so the status quo has improved by a lot and god knows how many man-years and kWh are wasted on copy protection.
Technically some CPUs support secure enclaves that should support end to end encryption which should be robust short of lifting the encryption keys from the die. In practice things like SGX have been full of holes.
I think it is a combination of both. From what I heard, Denuvo hires many people from "the scene," and when someone cracks it, they pursue them aggressively.
Denuvo is also not a massive target because there are too many games nowadays to care about a specific one. The exception was when "Hogwarts Legacy" was released with Denuvo, and people went crazy for a crack which was delivered just 13 days later.
Denuvo does not need to hire from the scene. The scene is not some magical place full of uber leet crackers. People doing denuvo have the same or better skills.
There’s definitely been plenty of denuvo games cracked, but I’d say most games that haven’t been cracked have denuvo. I think it also depends on the version of denuvo. Newer versions seem pretty well protected
Could some of that be the decreasing share of single player games? Multiplayer, always online games are a moving target vs an offline game you only need to crack once. Everything “needs” to be online, user experience be damned.
Empress has cracked Denuvo-protected games within a few days of launch, so no, it's not stopping everyone [0]. After one person bypasses it, others do from the inspiration they got from the OG. There's a formal theory for it, but I can't recall it currently.
Successfully got me out of gaming as a kid a decade ago when it started being implemented everywhere. Not exactly the business idea they had behind it I don't think. Now I just play F2P gachas and check in on Game Pass every now and then, so no conversion ever since either.
DRM getting you out of PC gaming only to switch to gacha and subscription services seems like quitting smoking to free up more money for your heroin habit.
To some degree this is true, but it's cost-benefit analysis rather than being uncrackable. Denuvo is so invasive that software exploits aren't worth the effort (or risk on behalf of the user), and physical exploits are sold instead.
For example, physical FPS exploits include devices that sit in the HDMI/DP chain with a USB output and emulate a keyboard and mouse.
Years ago, a friend of mine built something functionally equivalent to Denuvo in his spare time over the span of a few years. I think his original idea was "DRM for the little guy", recognizing that indie games probably lose massive revenue from initial release piracy.
He had no idea how to sell it. After it sat around for a while, I tried pitching the technology to a few friends in VC, who had absolutely no idea what I was talking about.
It bothered me for a long time to see such a culmination of talent and effort get 0 reward for it. I've wondered if such technology would be interesting to some large publisher to just buy outright, bringing their anti-piracy in-house rather than relying on Denuvo. Any ideas/help appreciated :)
> recognizing that indie games probably lose massive revenue from initial release piracy.
This seems like an odd claim _especially_ for indie games. Indie games tend to already have trouble attracting buyers, it feels like anyone considering pirating it would just move on if they couldn't do so.
Plus having a pirate version is essentially advertising for them if their product is good. Many indie title success stories, I think, are thanks to pirates trying them out for free and then telling everyone "Wow, I just played this awesome indie title that you never would have heard of because it's an indie title with little to no marketing, and it is really good!", which led to people looking at it and talking about it and getting more sales. I myself have bought numerous titles that I never would have bought based on the Steam shop page. This is especially true for building, survival, or physics-based games, which are pumped out en masse, but take real talent and vision to do well enough to be worth the time and money to buy and play. Just a few games off the top of my head that I own but never would have otherwise bought without first pirating and playing them include Project Zomboid, World of Goo, Besieged, Neo Scavenger, Oxygen Not Included, and Banished. And even some pretty large titles like Crusader Kings I would never have considered buying without playing it first, and now it is one of my favorite games. Factorio would be the same thing if they didn't have an old version as a demo to play.
An indie game dev phoned home to count how many of the players of his game had pirated it, and he addresses your claim too in the article he posted about it [0].
Many years ago I was publishing work independently with a few other colleagues, and yes, piracy was a big deal. It was flattering, because you knew the demand was there, but maybe the audience couldn't or wasn't willing to pay for the product, but you don't want to see your work obtained for free when you're charging for it.
The main problem with this is that some of us who buy indie games specifically buy them because they are available on DRM free platforms like Itch.io and GoG.
Adding DRM is just going to stop me from ever wanting to purchase the game. It's the same problem with Steam sucking up indie devs who started to only release on Steam. Will never purchase their game on a platform where I can't keep my own offline backup for when the service eventually fails.
It's nice to see such effort into user-hostile technology go unrewarded. When your product is, "what if we made everything we touch a bit worse?", you deserve to get 0 reward. It's sad to see that things like Denuvo haven't met the same fate as your friend's software.
I love that the only example of inconvenience presented in this thread is that a person might open the wrong game while on a steam deck while possibly not having internet while on a plane. The agony!
I was right there with you with this opinion back in the day. Distribution was terrible, people didn't have near 24-7 access to internet. The times have changed. You're also not 11 years old anymore. You can afford to pay your peers in your industry.
Worth noting that Denuvo causes a lot of hitching, massive load time increases and overall performance problems. Denuvo's marketing dept likes to say this isn't true, but you only have to look at the before/after on games with and without it; Monster Hunter World was a very stark example. I have no doubt Denuvo is also massively contributing to the performance problems on Monster Hunter Wilds as well.
I think Denuvo impact on performance is as much exaggerated by gamers as it is downplayed by Denuvo.
I didn't play MH:World on PC but from what I have seen MH:Wilds suffers from piss-poor optimization that is unrelated to the (two!) DRM they have put in. It may be Denuvo, but from what I've seen, it is just the usual laziness that is prevalent in most AAA games today. Instead of spending the performance budget where it matters by having programmers collaborate with artists, they just throw everything at the engine which ends up overwhelmed and in turn throws everything to DLSS and framegen resulting in an ugly mess (but a raytraced ugly mess!) if you don't have the latest overpriced hardware.
And it may be the same problem with Denuvo. Denuvo doesn't have to cause massive performance problems, but developers have to implement it correctly, using license checks sparingly, and certainly not in performance-critical code.
Also note that when the publisher removes Denuvo, it may also come with other performance optimizations, not everything comes from the removal of Denuvo.
I factor it in as risk, and decide according to that. No chance in hell that I won't buy a game I'm interested in, just because it has this crap. But I do make a mental note that it can break if I have internet or whatever.
Also unrelated, but seeing "A 2nd Year Computer Science Student" in the blog name was both breathtaking in a positive way, but also hurts a little. Kudos to the author, seriously.
Students are the only people with the patience for deep RE, I spent hours and hours in my teens unpacking binaries that used similar VMs and got pretty decent at it.
Nowadays, there is no way I could do it, I tried to get back into hackthebox recently and the new RE challenges make my brain hurt.
Very interesting analysis, and as someone who practiced reversing/cracking in my youth, it helps me to understand why Denuvo is so effective. I have, for a while, had a policy that I will not buy any game with Denuvo, and I continue to stand by that policy. I only play games w/ Steam on Linux (Steam Deck or Framework 13 laptop) and Denuvo makes this impossible, so it's a hard no from me. But I respect the engineering they invested into this DRM.
Denuvo DRM works on Linux; however, it does require an internet connection, and you can get banned for 24+ hours if you play on more than 3-5 devices a day (a Proton prefix also counts as 1 device).
Yeah I remember trying to debug some issue I had with DOOM Eternal (I think) and then randomly getting the message that I can't play for 24 hours because I'm an evil criminal. Not a great customer experience.
The best protection from piracy has always been making the product available at a reasonable price in a convenient fashion. This is echoed by Gabe Newell, founder of Valve, the makers of Steam, who said: "piracy is almost always a service problem and not a pricing problem...." I think the actual operation of Steam has shown that pricing matters too, since it is well known for its unusually generous sales compared to other (legitimate) digital stores. The point is that if you meet the customer where they're at, as frictionlessly as possible, you will outcompete the pirates.
DRM's primary purpose is to force consumers into an ultimatum: accept our inflated pricing and enforced inconveniences, or get nothing at all. For some products, this is part of their brand identity, since they bill themselves as "premium" or "AAA". For others, it's enforcement of their monopoly control (e.g., sports broadcasting). In all cases, it's treating the consumer like a disposable and squeezable commodity, which isn't necessarily inaccurate for some products and their target audiences, but certainly isn't the only way to do business.
How do you expect the aforementioned tech to break the games it's on? If anything it "breaking" will just make the anti-tamper feature ineffective.
[1] SiMBA - https://github.com/DenuvoSoftwareSolutions/SiMBA
[2] GAMBA - https://github.com/DenuvoSoftwareSolutions/GAMBA
[3] MSiMBA - https://github.com/mazeworks-security/MSiMBA
https://github.com/binsec/xyntia
I had some success with https://github.com/mrphrazer/msynth, but it's hard to glue this to LLVM.
For awhile I feel like there were monthly headlines along the lines of "Denuvo cracked within hours of game release" (e.g. https://www.techspot.com/news/71543-denuvo-protected-games-n...).
Most "cracked" denuvo games are games cracked AFTER denuvo was removed by the publisher in an update (usually 6 months after release)
Just look at the Yakuza/Like a Dragon games
0. https://en.m.wikipedia.org/wiki/Empress_(cracker)
0. https://www.gamedeveloper.com/business/so-52-45-of-people-pl...
My thought regarding indie games was about the successful ones, though. Something like Celeste or Balatro.
There is pretty much zero evidence that this is true and some credible evidence that it is untrue.
For example, plenty of games have had Denuvo removed after a few months by the publisher and showed zero improvement in performance.
This fake narrative is being pushed by software pirates bitter that Denuvo is being so effective at preventing them from stealing games.
Are you sure about that? I have a ROG Ally running Bazzite and I have played several games on this page[0] that use Denuvo.
0: https://store.steampowered.com/curator/26095454-Denuvo-Watch...
The legitimate buyers do have.
Who do you want to annoy more: the people who give you money, or the people you have never heard of and would never hear about?