AlienALX
Well-known member
A few months back I was reading a thread on a site I visit about the game Mad Max. Apparently those who had stolen it were having issues with the crack that had been released for it. Several versions were released, but each time the game protection managed to stop the game working at certain points during the game. Up until now I had never heard of Denuvo, and if you asked me if I thought a game could be protected fully and completely I would laugh and give the usual response "Anything is hackable".
But Denuvo has actually made me rethink this. I watched as they complained over and over about Mad Max. I was laughing, because I had actually bought the game myself, but it did get me thinking.
Any way, I'd not really paid it any attention since because apparently the next game to be protected by Denuvo was Just Cause 3, and again I had already bought it as a pre order so knew nothing of it being cracked.
After reading the review of Rise of the Tomb Raider today on Bit-tech (link incoming, I'm no good at that 'here' stuff)
http://www.bit-tech.net/gaming/2016/01/30/tombraider2tomb2raider/1
I read that they had encountered a strange bug in the game where after a few hour's play it started to act strangely, filling up all usable memory on the test machine. In the comments after the review I saw some one bring up Denuvo again, so I decided that it was time to get off of my lazy ass and do some reading. And what I have found is pretty cool ! Obviously finding information on exactly how it works is impossible. There is information that it causes R/W cycles to your hard drive so SSDs could be damaged, but that was refuted by Denuvo who said it simply didn't work like that.
Basic information on Denuvo can be found here -
https://en.wikipedia.org/wiki/Denuvo
But being the tech geek that I am I really wanted more information. So I did some digging and found a Reddit post apparently from the Chinese hackers 3DM. It reads -
Please note: No one (other than people working at denuvo) really knows how it works 100%. This post is just my observations from attempting to analyze denuvo, and it is certainly just one technique out of the N that it has and uses. However, I think this is the most crucial technique of denuvo, and why it has been so hard to crack.
So what's the magic behind Denuvo? Environment dependent obfuscation.
First of all, Denuvo is NOT a shrink wrap anti tamper system. Developers must integrate their code with denuvo, including marking non-performance-impacting but essential functions for Denuvo's obfuscation. For example, this may be a function that initializes the engine. It should only be run once, so making it slower doesn't really impact overall performance.
What Denuvo does for these functions is that it generates at least dozens of different versions that are functionally identical, but each codepath is specifically formulated to work only in one processor environment. Then Denuvo stubs out this function during the build process.
Essentially, Denuvo protected binaries come with some parts empty, that must be downloaded from the Denuvo servers after successful authentication. However, Denuvo's servers have at least dozens (if not hundreds or more) of variants for each function.
What do I mean by processor environment? It's basically any slight differences you may have with your processor. It's not just what processor you have, but what revision it is. Two i5s with the exact same model numbers, but manufactured on different dates, can have different revisions, like bug fixes or small optimizations.
To give you an idea of how many different revisions / specs there are for a single processor model, check this out... http://www.intel.com/content/www/us/en/support/processors/000005554.html
There are a lot of slight differences and weird quirks in how different processor revisions operate. Some of them are tiny, like different timings of an opcode in certain situations. Denuvo definitely has put a lot of research into this, I would not be surprised if they're working directly with Intel.
So, after successful authentication that is verified by Steam or Origin, Denuvo then patches your binary with specific codepaths that will ONLY work on your specific processor.
You can't patch these away, because the game relies on them to work and the functions are crucial to the game. You can't just collect one and patch it into the "some-parts-missing" binary, because it'll only work on your processor AND you will trip the challenging integrity checks that seem to be dynamically generated, again, based on your processor. Not to mention the whole scheme is incredibly obfuscated.
Serious props to the denuvo team for such an advanced anti tampering system. And I'm sure this is just one part of it.
------------------------------
So in short this protection basically tailors itself to your specific CPU, and so without it the game simply fails to function correctly. This would be why every time a hacker thought they had cracked Mad Max, for example, within hours the game would either black screen, crash, or the audio would stop working.
Just Cause 3 on the other hand? has not been cracked.
Now whilst I am anti piracy I am also anti DRM. The last time I installed Crysis on my PC back in ooo, about 2007, Securom managed to break my PC and screw up all of my virtual drives and I ended up having to reinstall Windows. Sod's law about two weeks after I had completely reinstalled my operating system they released an uninstaller for it but it put me off for life.
So, whilst I was happily handing over cash for my games I more often than not downloaded a crack for them for a few reasons. Firstly, a 50 speed CDrom drive gets really loud when being accessed, causing my PC to vibrate but secondly I don't like having to keep shuffling DVDs and changing them all of the time.
For the past couple of years I have bought a good 90% of my games via either Steam, or, somewhere like HumbleBundle who provide Steam keys. I still buy my software on DVD where I can, but these days that'e becoming increasingly harder.
Any way, food for thought.
But Denuvo has actually made me rethink this. I watched as they complained over and over about Mad Max. I was laughing, because I had actually bought the game myself, but it did get me thinking.
Any way, I'd not really paid it any attention since because apparently the next game to be protected by Denuvo was Just Cause 3, and again I had already bought it as a pre order so knew nothing of it being cracked.
After reading the review of Rise of the Tomb Raider today on Bit-tech (link incoming, I'm no good at that 'here' stuff)
http://www.bit-tech.net/gaming/2016/01/30/tombraider2tomb2raider/1
I read that they had encountered a strange bug in the game where after a few hour's play it started to act strangely, filling up all usable memory on the test machine. In the comments after the review I saw some one bring up Denuvo again, so I decided that it was time to get off of my lazy ass and do some reading. And what I have found is pretty cool ! Obviously finding information on exactly how it works is impossible. There is information that it causes R/W cycles to your hard drive so SSDs could be damaged, but that was refuted by Denuvo who said it simply didn't work like that.
Basic information on Denuvo can be found here -
https://en.wikipedia.org/wiki/Denuvo
But being the tech geek that I am I really wanted more information. So I did some digging and found a Reddit post apparently from the Chinese hackers 3DM. It reads -
Please note: No one (other than people working at denuvo) really knows how it works 100%. This post is just my observations from attempting to analyze denuvo, and it is certainly just one technique out of the N that it has and uses. However, I think this is the most crucial technique of denuvo, and why it has been so hard to crack.
So what's the magic behind Denuvo? Environment dependent obfuscation.
First of all, Denuvo is NOT a shrink wrap anti tamper system. Developers must integrate their code with denuvo, including marking non-performance-impacting but essential functions for Denuvo's obfuscation. For example, this may be a function that initializes the engine. It should only be run once, so making it slower doesn't really impact overall performance.
What Denuvo does for these functions is that it generates at least dozens of different versions that are functionally identical, but each codepath is specifically formulated to work only in one processor environment. Then Denuvo stubs out this function during the build process.
Essentially, Denuvo protected binaries come with some parts empty, that must be downloaded from the Denuvo servers after successful authentication. However, Denuvo's servers have at least dozens (if not hundreds or more) of variants for each function.
What do I mean by processor environment? It's basically any slight differences you may have with your processor. It's not just what processor you have, but what revision it is. Two i5s with the exact same model numbers, but manufactured on different dates, can have different revisions, like bug fixes or small optimizations.
To give you an idea of how many different revisions / specs there are for a single processor model, check this out... http://www.intel.com/content/www/us/en/support/processors/000005554.html
There are a lot of slight differences and weird quirks in how different processor revisions operate. Some of them are tiny, like different timings of an opcode in certain situations. Denuvo definitely has put a lot of research into this, I would not be surprised if they're working directly with Intel.
So, after successful authentication that is verified by Steam or Origin, Denuvo then patches your binary with specific codepaths that will ONLY work on your specific processor.
You can't patch these away, because the game relies on them to work and the functions are crucial to the game. You can't just collect one and patch it into the "some-parts-missing" binary, because it'll only work on your processor AND you will trip the challenging integrity checks that seem to be dynamically generated, again, based on your processor. Not to mention the whole scheme is incredibly obfuscated.
Serious props to the denuvo team for such an advanced anti tampering system. And I'm sure this is just one part of it.
------------------------------
So in short this protection basically tailors itself to your specific CPU, and so without it the game simply fails to function correctly. This would be why every time a hacker thought they had cracked Mad Max, for example, within hours the game would either black screen, crash, or the audio would stop working.
Just Cause 3 on the other hand? has not been cracked.
Now whilst I am anti piracy I am also anti DRM. The last time I installed Crysis on my PC back in ooo, about 2007, Securom managed to break my PC and screw up all of my virtual drives and I ended up having to reinstall Windows. Sod's law about two weeks after I had completely reinstalled my operating system they released an uninstaller for it but it put me off for life.
So, whilst I was happily handing over cash for my games I more often than not downloaded a crack for them for a few reasons. Firstly, a 50 speed CDrom drive gets really loud when being accessed, causing my PC to vibrate but secondly I don't like having to keep shuffling DVDs and changing them all of the time.
For the past couple of years I have bought a good 90% of my games via either Steam, or, somewhere like HumbleBundle who provide Steam keys. I still buy my software on DVD where I can, but these days that'e becoming increasingly harder.
Any way, food for thought.
