Difference between revisions of "Denuvo"

Denuvo Software Solutions GmbH is an Austrian company formed through the management buyout of Sony DADC DigitalWorks, the creators of SecuROM. Despite the management buyout, Denuvo Software Solutions and Sony DADC still have a close working relationship with the latter acting as a reselling partner of the former. Some games making use of the Denuvo Anti-Tamper product will therefor include mentions of this relationship in their EULAs, and refer to the product as one by Sony DADC or similar.^[1]

Official website

Denuvo article on Wikipedia

Denuvo Anti-Cheat

Despite being listed on the official website since at least January 2017, this product from Denuvo does not seem to have received much fanfare or use among video games publishers. In August 2018, Irdeto announced the Anti-Cheat technology would soon to be launches as a full end-to-end solution. With this renewed focus on the Anti-Cheat product it is to be expected at least some upcoming games will make use of the technology.

Denuvo Anti-Tamper

Flowchart over launch procedure for Steam titles.

Denuvo Anti-Tamper is the current de-facto standard for securing DRM schemes on modern titles. Since its original release back in 2014, it have been used to strengthen the DRM of over 150 titles; some with great success, others less so. At its core, it uses various obfuscation techniques, such as unique hardware-based code paths, virtualization, and more, to make tampering with the account-based DRM protection (e.g. Microsoft Store, Origin, Steam, or Uplay) of a game harder in an attempt to delay piracy. It is embedded in the executable of the game, and only stores licensing data (the "offline token" used to launch the game) separately on the storage drive. This licensing data is typically a couple of kilobytes in size, and is (re)created when the system environment changes enough to necessitate a new token.

A consequence of its use of unique hardware-based code paths, Denuvo Anti-Tamper requires an online connection periodically as the system environment of the operating system changes with new hardware and/or Windows updates. While everything that might invalidate the token stored on the storage drive is not fully known, this happens frequently enough for the anti-tamper protection to be described as requiring a periodic online connection every two week or so. This generally is not an issue or hindrance for those with an always present online connection, but can be for people primarily roaming or gaming offline if not proper preparations are made in advance to ensure the validity of the offline token. The lack of transparency regarding this process from Denuvo Anti-Tamper is a hindrance for affected users, as it means few might be aware of Denuvo's presence before being put in a position were the existence of it negatively harms the user experience.

Requires an online connection at the first launch of a game, after a game update or some Windows updates, when changing specific hardware, or the built-in expiration^{[citation needed]} (if used) has passed.

Limited to five daily activations per game, which resets 24 hours after the first activation.

Capable of offline token renewal through a support page (e.g. Metal Gear Solid V: The Phantom Pain) if supported by the game. Origin and Uplay titles do not support this as their token generation is handled within their respective internal activation process where offline is not an option.

Does not degrade storage drives lifetime,^[2] performance in itself,^[3] nor has ever enforced a persistent online connection.^[4][5]

Can increase the difficulty of binary modding, due to its obfuscation of certain parts of the executable. Doesn't necessarily disallow the practice,^[6] nor debugging.^[7]

Controversy

Due to Denuvo Anti-Tamper having seen year-long successes early in its product life there was and have been quite a lot of fear, uncertainty, and doubt spread around it as a product. On top of this the lack of proper in-depth analysis of its effect from third-parties have also contributed to the speculations and misleading statements spread around.

Because how it works and functions is unknown to the average consumer, users tend to be quick to blame it for issues that is most likely caused by something else entirely.

Examples of controversies:

• Has a noticeable impact on gameplay performance.
  • This is generally found to be wrong, although with some notes applied. As with every else in the world of programming, each "line of code" technically have a "cost" in the form of the CPU having to spend CPU cycles to perform the operation (how many CPU cycles it takes depends on how heavy the operation is). So what matters when discussing gameplay performance is how noticeable a supposed performance impact is, and whether it is perceivable during regular play. The protection does not rely or make use of the GPU at all, and so what matters is how it affects the CPU time of a game, which typically is not what most games bottleneck on.
  • The CPU impact of the protection differs between games, but is generally regarded as unnoticeable during regular play regardless of game.
    • When benchmarking and comparing an unprotected executable with a protected executable in the graphics-heavy Final Fantasy XV, the developer/modder/graphics expert Peter "Durante" Thoman discovered no performance impact to the gameplay between the executables, although loading times were found to be difference (which matches up with Denuvo's statements of where the protection is the most active).
    • Digital Foundry performed a similar benchmark of the release version of Devil May Cry 5 and found that while the unprotected copy performed ~7% faster in extreme CPU-bound scenarios^{[Note 1]}, the difference of 13 FPS (173 FPS vs. 186 FPS) at the high frame rates raises the question whether users will even notice the difference. They continued with mentioning how modern gaming PCs should have the CPU overhead to run the extra load incurred by what their tests suggests to be Denuvo Anti-Tamper.

• Requires a persistent online connection (aka adds an always online requirement to games).
  • This have been found false multiple times, as the protection only adds an online requirement when the offline token is found invalid, see Steam for more information.
  • In the case of Sonic Mania's "always online requirement" on release date, it was found to be caused by a bug caused by the developers' incorrect use of the Steam API, and could be fixed without ever tampering with the protection of the game.^[8]

• Causes excessive HDD/SSD reads/writes which degrades the lifespan of storage drives.
  • The origin of this rumor is various user reports from 2014 and "tests" performed using Lords of the Fallen and Dragon Age: Inquisition. This have been denied and debunked multiple times by both Denuvo themselves^[2], publishers/developers, and other users since then. As shown in the Steam section above, Denuvo performs minimal read and write operations to the drive, and there is no benefit to do additional drive reads or writes in terms of security or performance.^[9]

• Relies on the SSE4.1 CPU instruction set, causing incompatibility with AMD Phenom 2 and earlier CPUs.
  • This is another rumor that is blamed on Denuvo Anti-Tamper whenever a new game is released that makes use of SSE4.1 instructions for a function. To this day Denuvo Anti-Tamper itself have never showcased any reliance on the SSE4.1 instruction set, and developers often track down and fix the issue in the game code, without removing Denuvo Anti-Tamper.^[10][11]

• Forced incompatibility with Linux through Wine/Steam Proton, or prevents native Linux ports from being developed and released.
  • Because previous versions of Wine did not fully translate/support the Windows kernel APIs that Denuvo relied on, that incompatibility of Wine was blamed as a conscious act on the anti-tamper protection. Said incompatibility of Wine seems to have been fixed, and Steam Proton officially supported two Denuvo Anti-Tamper protected titles on its initial release date (Tekken 7 and NieR: Automata).
  • The use of Denuvo Anti-Tamper have not prevented official Linux ports from being developed and released either, as evidenced by Hitman and Rise of the Tomb Raider which have both gotten native Linux and/or macOS ports before the protection was removed from the Windows version.

Steam

Based on data gathered from Steam-based Denuvo protected titles by monitoring operations performed by Denuvo protected titles through the use of Process Monitor, Fiddler, and in some instances also Wireshark, the basic overview in how the anti-tamper components interacts with the system is quite minimal:

1. At the launch of a game a validation of the offline token is performed.
2. If the offline token is invalid or missing, an appropriate request code is generated based on the system environment and sent to an online server.
3. The online server responds with a corresponding response code.
4. The local anti-tamper component uses the response code to write a new valid offline token to the local storage drive.
5. The game continues to launch along with the now valid offline token.
6. On subsequent launches the anti-tamper protection will automatically load and make use of the offline token stored on the storage drive, up until said token is made invalid again.

If the online connection fails the user will get an "offline activation" option where they can make use of a secondary online connected device to retrieve the corresponding response code, an option not available for either Origin, Uplay, or possibly other supported platforms' protected titles as well. The availability of this second option means a local token generator is theoretically possible for a fully offline procedure, as was confirmed in 2017 with the release of an unofficial offline token generator for Dishonored 2.^[12]

Beyond the mentioned online connection above, as well as the drive read, and drive write if the offline token is invalid, no other online connection nor drive reads/writes are performed during play.

The offline token is stored in Steam\userdata\<user-id>\<app-id>\######### in a file with just a bunch of numbers as the filename and without a file extension. Note that the filename differs between versions of the game, so its normal to have more than one of these files lying around. Only the latest modified file are actually being used, and the other are inert and can be safely removed.

Technical information

All servers seems to be hosted on Amazon Web Services (AWS) datacenter EU West 1, Ireland.

Support pages / "offline activation" pages / redeem.exe:

• support.codefusion.technology [52.16.106.153]

Used for Steam protected titles:

Currently load-balanced between two AWS instances using round-robin DNS.

• srv01.codefusion.technology
• srv02.codefusion.technology
• srv03.codefusion.technology

Unknown usage:

Test server? Generates valid offline tokens.

• srv00.codefusion.technology [52.50.151.143]

Also load-balanced between the two aforementioned AWS instances.

• srv04.codefusion.technology
• srv05.codefusion.technology

Request/Response API

• Content-Type: text/plain
• Method: POST
• Body: the generated request code (nothing else)
• https://52.50.151.143/ | https://srv00.codefusion.technology/ <--- Unknown usage. Test server?
• https://52.16.106.153/validate/ | https://support.codefusion.technology/validate/ <--- Used for "offline activation" for Steam protected titles.
• https://52.17.173.247/ | https://srv01... -> https://srv03... <--- Used for Steam protected titles.
• https://52.18.94.153/ | https://srv01... -> https://srv03... <--- Used for Steam protected titles.
• Expected body reply: proper request code taking up 5000+ characters, or a short reply (10~30 characters) which can be assumed to be an error code of sorts.

Warner Bros titles

Currently only known to be used for Mad Max and Batman Arkham Knight.

All servers seems to be hosted on Amazon Web Services (AWS) datacenter US East 1, Virginia.

Domains:

• revalidate.wbgames.com - Load-balanced between two AWS instances using round-robin DNS

Support pages:

• Mad Max
• Batman Arkham Knight

Request/Response API

• Content-Type: text/plain
• Method: POST
• Body: the generated request code (nothing else)
• https://35.169.86.124/ | https://34.200.59.160/ | https://revalidate.wbgames.com/
• https://35.169.86.124/validate/ | https://34.200.59.160/validate/ | https://revalidate.wbgames.com/validate/ <--- Used for "offline activation" for Steam protected titles.
• Expected body reply: proper request code taking up 5000+ characters, or a short reply (10~30 characters) can be assumed to be an error code of sorts.

Redeem.exe

Official redeem website

Adds a requirement of having an optical disc drive available when purchasing physical copies of games just to obtain the Steam key.

This is a DRM scheme employed on the retail discs of some games (e.g. Deus Ex: Human Revolution, NieR: Automata) in some regions and is used to authenticate the physical disc as well as a one-time serial key located on a leaflet in the disc case. After the authentication of both factors a Steam activation key for the game is redeemed from an online database and granted to the user in the application window, which can then be used in the Steam client to unlock a copy of the game.

Work in progress

Topics that might or might not be covered:

• Needs to be rechecked:
  • for Uplay: under Uplay\cache\activations in a single account-specific file that stores all tokens for that account;
  • for Origin: game-specific files under C:\ProgramData\Electronic Arts\EA Services\License;

Notes

References