Denuvo DRM Cracked within a Day of Release

Denuvo is probably the best digital-rights management system, used to protect computer games. It's regularly cracked within a day.

If Denuvo can no longer provide even a single full day of protection from cracks, though, that protection is going to look a lot less valuable to publishers. But that doesn't mean Denuvo will stay effectively useless forever. The company has updated its DRM protection methods with a number of "variants" since its rollout in 2014, and chatter in the cracking community indicates a revamped "version 5" will launch any day now. That might give publishers a little more breathing room where their games can exist uncracked and force the crackers back to the drawing board for another round of the never-ending DRM battle.

BoingBoing post. Slashdot thread.

Related: Vice has a good history of DRM.

Posted on October 20, 2017 at 9:17 AM • 19 Comments


TatütataOctober 20, 2017 10:50 AM

No wonder...

If you say "Denuvo" aloud, it sounds very much like the French expression "de nouveau", meaning "yet again". :-)

oliverOctober 20, 2017 11:07 AM

DRM is a cancer that must be eradicated!!!
I only wish that these purveyors of BS die a horrible death.
It couldn't happen to a "nicer" bunch.

AndrewOctober 20, 2017 11:22 AM

Maybe people wouldn't feel the need to crack it if Denuvo didn't have some serious issues like:
1). making it ridiculously hard to uninstall or leaving files around after removal of the game software
2). hidden license agreements implicitly agreed upon by installing the games
3). potentially (a claim they refute but it has been claimed before) shortening the lives of SDDs by super high read/writes
4). forcing users to have an internet connection to play single player games
5.) collecting usage information about users with a very weak privacy policy

Several reviewers and users on steam and other platforms have suggested getting the cracked versions of the games simply because of these issues. People who otherwise would have purchased the game legally. Denuvo has problems and it's inclusion into games is expensive, ineffective, and counterproductive.

M. WelinderOctober 20, 2017 12:27 PM

"Within a day" -- that makes it commercially useless. In fact, that makes it worse than useless.

The purpose of DRM is to increase profits. It increases revenue by making the distributor a monopoly during the all-important "new game" period. If you only get one day of monopoly I would guess that the costs (license fee, extra support costs, angry users when something fails to work right, etc.) outweigh the extra revenue.

After the monopoly period, the pirates have the better product and the better price. With the caveat that they are operating illegally, of course.

NooneOctober 20, 2017 12:51 PM

The DRM spiral has been a reality since the Apple ][+. It's a waste of time and money. Publishers would be better served by price reductions to increase sales.

Clive RobinsonOctober 20, 2017 2:05 PM

@ Oliver,

DRM is a cancer that must be eradicated!!! I only wish that these purveyors of BS die a horrible death. It couldn't happen to a "nicer" bunch.

I real must take exception with regards your above sentiment...

That is the use of "nicer" realy? I ask you is that realy acceptable how about "more deserving" instead ;-)

@ All,

More seriously as discussed back in the days of Digital Watermarking, there are two basic types of DRM "on line" and "off line". Off line will eventually fail, because everything you need to crack it is available in some way without control.

Watermarking more or less died the death after Ross J. Anderson's lab at Cambridge UK came up with a way to do two dimensional twisting of an image such that there was insufficient linear code to be detected, but the human eye did not realy detect the twisting.

Altgough all DRM systems are different eventually "protected-text" has,to become "Plaintext" with all that is involved. If all that is required is available to am attackrt it is pretty much "end-ex" for the DRM.

GamerOctober 20, 2017 5:23 PM

The saddest thing about all of this is that the developers get hit the worst when DRM is put onto a game, and it's the publishers who force DRM onto them just as much as they force it onto us.

When will they learn? DRM causes customers to lose faith in not just the quality, but also the security of the product, which creates less sales than they could have had without the DRM, as evidenced by the words of every customer who has ever been fed up with this crap throughout time. The number of us who are sick of this are growing, and some of us are even raising kids with *shock* the same beliefs as us. Public trust in DRM never existed in the first place and the lukewarm tolerance of it will surely decline naturally as time goes on.

Illegal downloads have never been proven to equate to lost sales, but the presence of DRM not only creates a great and valid excuse to not buy a game, it actually morally legitimizes illegal downloading, for purposes of both civil disobedience and preservation of arts and culture.

Even if you want to make argument for potential losses, I say DRM prevents a "guilty purchase" (as my family and I have been known to make a few of, myself) from happening in the future. You know the kind of purchase I mean, when you've downloaded a game in the past, but you still buy it later, even if you have the bootleg, because you felt bad about disrespecting the developers? I've done that for games that are clean, but not for games that are poisoned with DRM.

Lawrence D’OliveiroOctober 20, 2017 5:25 PM

It’s not about rights, it’s about restrictions. Remember, DRM infringes on your rights. That’s why it’s “Digital Restrictions Management”.

AnonOctober 20, 2017 7:49 PM

Does DRM even work?

The idea is to protect revenue by forcing people to buy the product if they want it, but as the movie/music industry saw, DRM did little if anything to prevent loss of revenue.

If someone will go the the trouble of cracking software to remove the DRM and use the product for free, then they likely wouldn't buy the product to begin with.

I don't agree with copyright infringement, but we're kidding ourselves that DRM protects copyright.

DRM is also a burden in how it operates. It is nothing but a problem for the end-user (see the Sony root-kit for an example), and ultimately doesn't work.

EricOctober 20, 2017 9:53 PM

I am no security or DRM guru. I have both bought and pirated many games and applications. I avoid Denuvo-protected content like the plague. I won't buy it or bother with cracked versions. I have spent reasonable sums on games like 'Darkwood', that I don't even have any interest in playing solely because they offered it for free. Good luck with DRM schemes like Denuvo! Best wishes to you!

WilsonOctober 21, 2017 1:22 AM

@Lawrence D’Oliveiro

I think RSM is wrong, it's about rights more than about restrictions: it's your propriety right "managed" by others :(

Never let other people manage your rights

handle_xOctober 21, 2017 9:20 PM

"Never let other people manage your rights"

Yeah right? Easy to say...

Never use any product with a EULA? Scoff.

Gunter KönigsmannOctober 22, 2017 12:58 AM

What hasn't been mentioned above is that many items DRM makes it impossible to run a piece of software. One example would be the video cutting software that insists on creating a strongly-encrypted TLS connection and doesn't like the weaker fallbacks from the virus scanner and the middlebox. I own many CDs and DVDs that cannot be played back on any CD or DVD player I know she too a copy protection (that fortunately doesn't protect me from creating a working copy). ... And 1k$+ software always tends to be broken for 6-9 months while the manufacturer debugs why the from part only works on a test system. Don't know if denuvo has these problems, though: don't own any games.

GweihirOctober 26, 2017 2:51 AM

The whole idea of DRM for games is nonsense. Sure, you may see a lot of pirated copies without it, but the claim that each of those is a lost sale is pure fantasy. In actual reality, studies find time and again that people have a limited entertainment budget and would either not have bought the game in any case or will buy it regardless of DRM or not. Hence what a pirated copy effectively becomes is free advertising and what DRM becomes is a factor that decreases product quality and increases product price for those that buy the game. This means that using DRM is actually bad for your profit. It seems publishers cannot grasp that, despite solid evidence being available, e.g. in the last (suppressed) EU study on the topic.

The whole stance by publishers is so anti-fact and anti-rationality, it is staggering. Usually you will find stances this decoupled form reality and self-damaging only in the religious and quasi-religious space.

There are factors though that are bad for game publishers: Lack of innovation, unfinished games, bad performance on mainstream hardware, boring "low risk" writing, micro-transactions, too high prices, etc. The decrease in profits can then neatly be blamed on "piracy", and those that did the actual damage from within the company can keep their jobs and the stupidity continues.

Clive RobinsonOctober 26, 2017 11:12 AM

@ Gweihir,

The whole stance by publishers is so anti-fact and anti-rationality, it is staggering.

It's actually "anti-reality" which is darn dangerous at the best of times, and this most definitely is not the best of times.

Back in the mid to late 1990's those who had (mis)appropriated intellectual property by various means usually foul not fair, were sold a dream of "total control".

The main idea back then was "Digital Watermarking" (DW) and chips in consumer devices. DW was based on the ideas of Low Probability of Intercept (LPI) Direct Sequence Spread Spectrum (DSSS). How ever whilst the radio spectrum is not subject to arbitary stretching and compressing digital data can be easily modified that way. The result was that Ross J. Anderson and students at Cambridge Uni Computer Lab did two dimentional manipulation that destroyed the DW signal without making realy human perceptable changes. That killed of that DRM idea at the turn of the century.

The point was that the IP rent seekers finally realised that Digital Data was a problem they tried a form of proprietary encryption on DVDs called the Content Scrambling System (CSS) but as it had to run in software as well as hardware, the way it worked became public knowledge and the resilt was an application for *nix called De-CSS that as the name suggests got rid of the DRM.

The response of the rent seakers was to bribe politicos and get the Digital Millennium Copyright Act passed thst has way to wide a scope and way to huge penalties, as well ad stiffling "free speech".

But this was still not enough earlier attempts at forcing DRM chips in consumer devices like the so called "Fritz Chip" had failed due to counter lobbying and quite nasty rhetoric from some quaters (nothing compared to the fractious legal action by the "rent seekers" enforcment associations but still not civilized).

So the rent seakers decided to go a different route for their desired extraction of unentitled income. Long story short computers got the Trusted Platform Managment (TPM) chips. These were sold on the notion they were a user side security device to stop malware which Microsoft pushed rather than actualy write a secure OS and apps. As can currently be seen that ruse has had little or no effect on malware infection so was a compleat lie from that point of view. However it gives Microsoft and it's chosen few the ability to wield immense power over users. However it is by no means certain that TPM is actually secure, it's hierarchical in it's trust levels, which means that the chip manufactures could put in a hidden master key that would make the sort of backdoor the SigInt agencies would quite literally "kill for".

But the thing is like most DRM TPM is the equivalent of "off line" operating. With a little thinking it can be seen that even if you can not get at the keys in the chips there are ways of getting at the unprotected data.

To see why think about how "signed code" is both loaded and checked. The checking of the signing only happens when loading, which means that if you can modify the code memory after the code is loaded it will still function. There are various ways this can be done including halting the CPU tristating the busses and directly reading to the memory via the busses. The only way to stop that kind of attack is by using software that is encrypted in memory. Whilst this is done on some microcontrolers it does take up a lot of resources, and is not currently something you would use in high performance systems due nit just to the CPU / CoPro overhead but also due to the significant extra increase in delay on memory transfers.

But then even encrypted memory microcontrolers have found to be wanting in various ways in the past, as getting it right can be difficult at best.

The result is off line DRM is at best a deterrent not a serious security hurdle. Whilst this might change in the future, it's not a high priority for CPU manufacturers who can find better things to do with the silicon real estate than generate lots of problematic heat and burn battery life at twice the rate. Which also in effect kills their specs which marketing at least would see as a major product killer.

DRM unfortunatly will always be around, because the greed of the rent seekers means they will pay and pay for such systems, but at the end of the day they will get little or no benifit at best and as you point out probably lost sales as well. One day they might wake up and realise they are buying very expensive snake oil and not getting any return on it, but they are blinkered by the dreams of power over people, so I for one am not holding my breath on them wising up.

Craig Kilborne IIIOctober 27, 2017 2:04 PM

DRM only hurts one group of people: the paying consumer! Pirates get to enjoy content without all the bullshit. Hell, I'd be willing to bet a week's worth of wages that some pirates are actually paying customers who downloaded "cracked/hacked" content to enjoy it without the cancerous drm nonsense.

TJNovember 20, 2017 12:55 PM

oh look people can still defeat inline byte code VMs.. Reminds me when I was in to this stuff almost two decades ago..

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.