Difference between revisions of "Denuvo"
m (added flowchart detailing the events that occurs when launching a Steam protected title) |
m (written some more, still trying to figure out a better layout, what to cover, and how to list the content) |
||
| Line 1: | Line 1: | ||
'''Denuvo''' is a company based out of Austria which were formed through the management buyout of Sony DADC DigitalWorks, the creators of [[SecuROM]]. | '''Denuvo''' is a company based out of Austria which were formed through the management buyout of Sony DADC DigitalWorks, the creators of [[SecuROM]]. | ||
| − | + | {{ii}} [[Wikipedia:Denuvo|Denuvo article on Wikipedia]] | |
| − | + | {{ii}} [https://denuvo.com/ Official website] | |
'''Products''' | '''Products''' | ||
| Line 10: | Line 10: | ||
** https://support.codefusion.technology/redeem/ | ** https://support.codefusion.technology/redeem/ | ||
| − | '''Denuvo Anti-Tamper''' | + | ==Denuvo Anti-Cheat== |
| + | Despite being listed on the official website [https://web.archive.org/web/20170131030651/http://denuvo.com/ since at least January 2017,] this product from Denuvo does not seem to have received much fanfare or use among video games publishers. In August 2018, Irdeto [https://irdeto.com/news/denuvo-joins-esports-integrity-coalition-to-combat-cheating/ announced] the Anti-Cheat technology would soon to be launches as a full end-to-end solution. With this renewed focus on the Anti-Cheat product it is to be expected at least some upcoming games will make use of the technology. | ||
| + | |||
| + | ==Denuvo Anti-Tamper== | ||
| + | '''Denuvo Anti-Tamper''' is the current de-facto standard for securing DRM schemes on modern titles. Since its original release back in 2014, it have been used to strengthen the DRM of over 150 titles; some with great success, others less so. At its core, it uses various obfuscation techniques (such as unique hardware-based codepaths, or virtualization) to make tampering with the DRM protection of a game harder in an attempt to delay piracy. | ||
| + | |||
| + | A consequence of its use of unique hardware-based codepaths, Denuvo Anti-Tamper requires an online connection periodically as the system environment of the operating system changes with new hardware and/or Windows updates. While it is unknown exactly what invalidates the token stored on the drive, this happens frequently enough for the anti-tamper protection to be generally described as requiring a periodic online connection every two week or so. While this generally is not an issue or hindrance for those with an always present online connection, it can be a hindrance for people primarily roaming or gaming offline if not proper preparations are made in advance to ensure the validity of the offline token. The lack of transparency regarding this process from Denuvo Anti-Tamper is a hindrance for affected users, as it means few might be aware of Denuvo's presence before being put in a position where the existence of it negatively harms the user experience. More on this is discussed further down (''to be written''). | ||
| + | |||
| + | ===System interaction=== | ||
{{Image|Denuvo_Anti-Tamper_Flowchart_Steam.png|Flowchart over launch procedure for Steam titles.}} | {{Image|Denuvo_Anti-Tamper_Flowchart_Steam.png|Flowchart over launch procedure for Steam titles.}} | ||
| + | Based on data gathered by monitoring operations performed by Denuvo protected titles through the use of [https://docs.microsoft.com/en-us/sysinternals/downloads/procmon Process Monitor], [https://www.telerik.com/fiddler Fiddler], and in some instances also [https://www.wireshark.org/ Wireshark], the basic overview in how the anti-tamper components interacts with the system is quite minimal: | ||
| + | |||
| + | # At the launch of a game a validation of the offline token is performed. | ||
| + | # If the offline token is invalid or missing, an appropriate request code is generated based on the system environment and sent to an online server. | ||
| + | # The online server responds with a corresponding response code. | ||
| + | # The local anti-tamper component uses the response code to write a new valid offline token to the local drive. | ||
| + | # The game continues to launch along with the now valid offline token. | ||
| + | # On subsequent launches the anti-tamper protection will automatically load and make use of the offline token stored on the disk, up until said token is made invalid again. | ||
| − | This will hopefully end up being a completed article eventually that tries to inform and explain how Denuvo Anti-Tamper works from an end-user perspective, with sections covering often raised questions or concerns. The information listed here have been gathered by applying black-box testing on Denuvo Anti-Tamper protected titles in various scenarios and analyzing traffic and events through WireShark, Fiddler, and Process Monitor. Some aspects of it may also be based upon comments by cracking teams, as they | + | Beyond the mentioned online connection above, as well as read and write (if the offline token is invalid), no other online connection nor disk writes or reads are performed by Denuvo Anti-Tamper during play, based on extensive testing through the above mentioned tools across multiple protected titles. |
| + | |||
| + | ''If the online connection fails for Steam protected titles the user will get an "offline activation" option where they can make use of a secondary online connected device to retrieve the corresponding response code. This is not an option for neither Origin nor Uplay protected titles, and possibly other supported platforms as well.'' | ||
| + | |||
| + | |||
| + | --- | ||
| + | |||
| + | |||
| + | This will hopefully end up being a completed article eventually that tries to inform and explain how Denuvo Anti-Tamper works from an end-user perspective, with sections covering often raised questions or concerns. The information listed here have been gathered by applying black-box testing on Denuvo Anti-Tamper protected titles in various scenarios and analyzing traffic and events through WireShark, Fiddler, and Process Monitor. Some aspects of it may also be based upon comments by cracking teams, as they are some of the ones most knowledgeable about the internal workings of it. | ||
Note that the article is a work in progress, and may change frequently. | Note that the article is a work in progress, and may change frequently. | ||
| Line 37: | Line 61: | ||
*** SSE4.1 instruction set | *** SSE4.1 instruction set | ||
*** Linux Wine/Steam Proton | *** Linux Wine/Steam Proton | ||
| + | |||
| + | --- | ||
| + | |||
| + | '''Denuvo Steam related servers''' | ||
| + | |||
| + | Domains: | ||
| + | * srv00.codefusion.technology - Test server? | ||
| + | * srv01.codefusion.technology - Load-balanced between two AWS instances using round-robin DNS - Used for Steam protected titles #1. | ||
| + | * srv02.codefusion.technology - Load-balanced between two AWS instances using round-robin DNS - Used for Steam protected titles #2. | ||
| + | * srv03.codefusion.technology - Load-balanced between two AWS instances using round-robin DNS - Used for Steam protected titles #3. | ||
| + | * srv04.codefusion.technology - Load-balanced between two AWS instances using round-robin DNS - Unknown usage. | ||
| + | * srv05.codefusion.technology - Load-balanced between two AWS instances using round-robin DNS - Unknown usage. | ||
| + | * support.codefusion.technology - Redeem.exe, "offline activation", error support pages | ||
| + | |||
| + | Servers: (Hosted on AWS, EU West 1, Ireland) | ||
| + | |||
| + | Round-robin DNS load balanced: | ||
| + | # 52.17.173.247 | ||
| + | # 52.18.94.153 | ||
| + | |||
| + | Test server? | ||
| + | * 52.50.151.143 | ||
| + | |||
| + | Support: | ||
| + | *52.16.106.153 | ||
| + | |||
| + | --- | ||
| + | |||
| + | '''WB Games Denuvo servers''' | ||
| + | |||
| + | Domains: | ||
| + | * revalidate.wbgames.com - Load-balanced between two AWS instances using round-robin DNS - Used for Batman: Arkham Knight + Mad Max on Steam. | ||
| + | * Support pages: | ||
| + | ** https://revalidate.wbgames.com/madmax/ | ||
| + | ** https://revalidate.wbgames.com/bak/ | ||
| + | |||
| + | Servers: (Hosted on AWS, US East 1, Virginia) | ||
| + | |||
| + | Round-robin DNS load balanced: | ||
| + | * 35.169.86.124 | ||
| + | * 34.200.59.160 | ||
Revision as of 23:27, 10 December 2018
Denuvo is a company based out of Austria which were formed through the management buyout of Sony DADC DigitalWorks, the creators of SecuROM.
Products
- Anti-Tamper
- Anti-Cheat
- DRM scheme employed on retail discs in some regions "redeem.exe"
Denuvo Anti-Cheat
Despite being listed on the official website since at least January 2017, this product from Denuvo does not seem to have received much fanfare or use among video games publishers. In August 2018, Irdeto announced the Anti-Cheat technology would soon to be launches as a full end-to-end solution. With this renewed focus on the Anti-Cheat product it is to be expected at least some upcoming games will make use of the technology.
Denuvo Anti-Tamper
Denuvo Anti-Tamper is the current de-facto standard for securing DRM schemes on modern titles. Since its original release back in 2014, it have been used to strengthen the DRM of over 150 titles; some with great success, others less so. At its core, it uses various obfuscation techniques (such as unique hardware-based codepaths, or virtualization) to make tampering with the DRM protection of a game harder in an attempt to delay piracy.
A consequence of its use of unique hardware-based codepaths, Denuvo Anti-Tamper requires an online connection periodically as the system environment of the operating system changes with new hardware and/or Windows updates. While it is unknown exactly what invalidates the token stored on the drive, this happens frequently enough for the anti-tamper protection to be generally described as requiring a periodic online connection every two week or so. While this generally is not an issue or hindrance for those with an always present online connection, it can be a hindrance for people primarily roaming or gaming offline if not proper preparations are made in advance to ensure the validity of the offline token. The lack of transparency regarding this process from Denuvo Anti-Tamper is a hindrance for affected users, as it means few might be aware of Denuvo's presence before being put in a position where the existence of it negatively harms the user experience. More on this is discussed further down (to be written).
System interaction
Based on data gathered by monitoring operations performed by Denuvo protected titles through the use of Process Monitor, Fiddler, and in some instances also Wireshark, the basic overview in how the anti-tamper components interacts with the system is quite minimal:
- At the launch of a game a validation of the offline token is performed.
- If the offline token is invalid or missing, an appropriate request code is generated based on the system environment and sent to an online server.
- The online server responds with a corresponding response code.
- The local anti-tamper component uses the response code to write a new valid offline token to the local drive.
- The game continues to launch along with the now valid offline token.
- On subsequent launches the anti-tamper protection will automatically load and make use of the offline token stored on the disk, up until said token is made invalid again.
Beyond the mentioned online connection above, as well as read and write (if the offline token is invalid), no other online connection nor disk writes or reads are performed by Denuvo Anti-Tamper during play, based on extensive testing through the above mentioned tools across multiple protected titles.
If the online connection fails for Steam protected titles the user will get an "offline activation" option where they can make use of a secondary online connected device to retrieve the corresponding response code. This is not an option for neither Origin nor Uplay protected titles, and possibly other supported platforms as well.
---
This will hopefully end up being a completed article eventually that tries to inform and explain how Denuvo Anti-Tamper works from an end-user perspective, with sections covering often raised questions or concerns. The information listed here have been gathered by applying black-box testing on Denuvo Anti-Tamper protected titles in various scenarios and analyzing traffic and events through WireShark, Fiddler, and Process Monitor. Some aspects of it may also be based upon comments by cracking teams, as they are some of the ones most knowledgeable about the internal workings of it.
Note that the article is a work in progress, and may change frequently.
Topics that might or might not be covered:
- How does Denuvo interact with operating system? What does it rely upon? What options does the user have?
- Differences between Origin, Uplay, and Steam protected titles
- WB Games' own server revalidate.wbgames.com
- srv01-03.codefusion.technology / support.codefusion.technology
- Offline token files stored on the disk
- for Steam: game-specific under Steam\userdata\[userid]\[gameid]).
- Needs to be rechecked:
- for Uplay: under Uplay\cache\activations in a single account-specific file that stores all tokens for that account;
- for Origin: game-specific files under C:\ProgramData\Electronic Arts\EA Services\License;
- "Offline" activation proceedure
- Concerns
- Online reliance due to design
- Leftover files post-uninstall (aka the offline token files)
- Performance impact
- SSD read/writes
- Compatibility
- SSE4.1 instruction set
- Linux Wine/Steam Proton
---
Denuvo Steam related servers
Domains:
- srv00.codefusion.technology - Test server?
- srv01.codefusion.technology - Load-balanced between two AWS instances using round-robin DNS - Used for Steam protected titles #1.
- srv02.codefusion.technology - Load-balanced between two AWS instances using round-robin DNS - Used for Steam protected titles #2.
- srv03.codefusion.technology - Load-balanced between two AWS instances using round-robin DNS - Used for Steam protected titles #3.
- srv04.codefusion.technology - Load-balanced between two AWS instances using round-robin DNS - Unknown usage.
- srv05.codefusion.technology - Load-balanced between two AWS instances using round-robin DNS - Unknown usage.
- support.codefusion.technology - Redeem.exe, "offline activation", error support pages
Servers: (Hosted on AWS, EU West 1, Ireland)
Round-robin DNS load balanced:
- 52.17.173.247
- 52.18.94.153
Test server?
- 52.50.151.143
Support:
- 52.16.106.153
---
WB Games Denuvo servers
Domains:
- revalidate.wbgames.com - Load-balanced between two AWS instances using round-robin DNS - Used for Batman: Arkham Knight + Mad Max on Steam.
- Support pages:
Servers: (Hosted on AWS, US East 1, Virginia)
Round-robin DNS load balanced:
- 35.169.86.124
- 34.200.59.160