The most important thing: contrary to popular belief, Denuvo is NOT a newly developed, modern super-protection! Behind Denuvo hides the ordinary VMProtect, of Russian origin, with minor differences (a kind of fork). The mythical "strength" of this protection is simply the lack of a good debugger for x64 (64-bit PE executables). The beloved OllyDbg debugger/disassembler works only with x86 executables, and its x64 version has not yet been released. The only (barely) suitable debugger is x64dbg, but at the moment it is still an embryonic, weak and poorly optimized product.

Ironically, Denuvo’s popularity gave x64dbg a huge boost in contributions from several programmers.

Now, a little more detail:

Denuvo/VMProtect

It becomes perfectly evident if we compare the virtual machines of both products. From Lords of the Fallen to Just Cause 3 we find VMProtect 2.x, whose traits are identified by the presence of an encrypted dispatch table. Starting with Just Cause 3, the Denuvo developers realized this blunder and discarded the dispatch table from the virtual machine, changing the structure of the delta-offset p-code instructions, so we can consider this a new iteration of the latest VMProtect 3.x. Apart from the virtual machine, everything else in Denuvo uses VMProtect's code obfuscation. It should also be mentioned that the well-known tool ProtectionID initially identified executables protected with Denuvo as protected by VMProtect 2.x, which should also mean something. Something noteworthy also happened with Assassin's Creed Syndicate: it uses... VMProtect! Why not Denuvo?! Obviously, someone at Ubisoft knew it was essentially the same thing and decided not to overpay for a sensational brand. However, their game was cracked fairly quickly, so maybe they were not so lucky after all.
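To make the contrast concrete, here is a toy model of the two dispatch schemes the paragraph above refers to. This is an added example written for this page, not VMProtect's or Denuvo's code, and it makes no claim about their real memory layout: handler "addresses" are indices into a Python list, the dispatch table is XORed with a one-byte key, and the sample routine is constructed. It shows the point the text makes: with an encrypted table, the table and the key are both static data in the binary, so locating them yields the whole opcode-to-handler map at once, whereas with deltas carried in the p-code there is no such map and the handler chain only emerges by walking the stream from the VM entry.

```python
import random

MASK = 0xFFFFFFFF


class VM:
    def __init__(self, x):
        self.stack = [x & MASK]
        self.halted = False


# Handlers of a toy stack machine. A handler's index in HANDLERS stands in
# for its code address inside a protected binary.
def h_push(vm, imm):
    vm.stack.append(imm & MASK)

def h_add(vm, imm):
    b, a = vm.stack.pop(), vm.stack.pop()
    vm.stack.append((a + b) & MASK)

def h_xor(vm, imm):
    b, a = vm.stack.pop(), vm.stack.pop()
    vm.stack.append(a ^ b)

def h_mul(vm, imm):
    b, a = vm.stack.pop(), vm.stack.pop()
    vm.stack.append((a * b) & MASK)

def h_ret(vm, imm):
    vm.halted = True

HANDLERS = [h_push, h_add, h_xor, h_mul, h_ret]
ADDR = {h.__name__[2:]: i for i, h in enumerate(HANDLERS)}   # "push" -> 0, ...

# Constructed sample routine: x arrives on the stack, result is ((x*7)+3)^0x1234
PROGRAM = [("push", 7), ("mul", 0), ("push", 3), ("add", 0),
           ("push", 0x1234), ("xor", 0), ("ret", 0)]


def reference(x):
    return ((((x * 7) & MASK) + 3) & MASK) ^ 0x1234


# --- scheme A: opcode -> encrypted dispatch table -> handler ---------------
def build_table(program, rng):
    """Per-build random opcode numbering; the table holds handler addresses
    XORed with a constant key. Both the table and the key sit in the binary."""
    opcode_of = dict(zip(ADDR, rng.sample(range(len(ADDR)), len(ADDR))))
    key = rng.randrange(1, 256)
    table = [0] * len(ADDR)
    for name, op in opcode_of.items():
        table[op] = ADDR[name] ^ key
    return [(opcode_of[name], imm) for name, imm in program], table, key


def run_table(pcode, table, key, x):
    vm = VM(x)
    for op, imm in pcode:
        HANDLERS[table[op] ^ key](vm, imm)      # the central lookup
        if vm.halted:
            return vm.stack[-1]
    raise RuntimeError("ran off the end of the p-code")


def handlers_from_table(table, key):
    """Cracker's view of scheme A: once table and key are found, the full
    opcode -> handler map is readable without executing anything."""
    return {op: HANDLERS[enc ^ key].__name__[2:] for op, enc in enumerate(table)}


# --- scheme B: no table; each p-code word carries the delta to the next handler
def build_delta(program):
    addrs = [ADDR[name] for name, _ in program]
    pcode = []
    for i, (_, imm) in enumerate(program):
        nxt = addrs[i + 1] if i + 1 < len(addrs) else addrs[i]
        pcode.append((imm, (nxt - addrs[i]) % len(HANDLERS)))
    return pcode, addrs[0]          # entry = address of the first handler


def run_delta(pcode, entry, x):
    vm, addr = VM(x), entry
    for imm, delta in pcode:
        HANDLERS[addr](vm, imm)                 # no opcode, no table
        if vm.halted:
            return vm.stack[-1]
        addr = (addr + delta) % len(HANDLERS)
    raise RuntimeError("ran off the end of the p-code")


def handlers_from_delta(pcode, entry):
    """Cracker's view of scheme B: there is no map to read; the handler
    sequence only emerges by walking the deltas from the entry, i.e. tracing."""
    names, addr = [], entry
    for _, delta in pcode:
        names.append(HANDLERS[addr].__name__[2:])
        addr = (addr + delta) % len(HANDLERS)
    return names
```

Both builds compute the same function; the difference is what a static look at the binary gives away. `handlers_from_table` needs only the table and the key, while `handlers_from_delta` has to follow every delta from the entry, which is why the text expects the approach to shift from table recovery toward tracing and devirtualization.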

Who developed Denuvo?

Denuvo Software Solutions GmbH, Salzburg, Austria. Officially, Reinhard Blaukovich (Reinhard Blaukovitsch) and Robert Fendandez (Robert Hernandez). The first is none other than a former developer of SecuROM (Sony DADC Austria AG, also in Austria). However, the official information is highly questionable: it is very likely that the development of Denuvo drew in employees from VMProtect Software. The programming styles of SecuROM and Denuvo are very different. In addition, here's an interesting fact: in the virtual machine implementation of the latest version of SecuROM 8 (8.03.012), the developers had already discarded the dispatch table. Yet in the first version of Denuvo it suddenly pops up again! Would the same developers have repeated the same mistake twice?!

Denuvo – DRM?

Denuvo is not DRM. It cannot check the disc or perform online activation, as SecuROM did. And there is nothing, neither disc check nor online activation, that SecuROM and StarForce employed that was not successfully reversed and/or bypassed. Denuvo (VMProtect) simply protects files from modification. Denuvo is better described as a protective layer over DRM mechanisms like Steam/Origin.

Can Denuvo (VMProtect) be cracked?

As with any other protection mechanism: YES! Of course! It is merely a question of time and effort. Until now, cracks consisted of emulating Steam/Origin, which are now protected by Denuvo. It can still be done by keeping the emulation as is and manipulating the CPUID values Denuvo reads. But most likely the trend will shift to devirtualizing the virtual machine. Yes, it certainly isn't going to be as easy as with the SecuROM virtual machine, which was the definition of "easy to crack"; nevertheless, it's still Denuvo's first year and I am sure that this problem will be solved.

Does Denuvo (VMProtect) have a devastating effect on the performance and optimization of games?

Even without Denuvo (VMProtect), many modern games require powerful processors and faster memory. With the protection applied to x64 code, on top of that:

The length of the assembly instructions almost doubles compared to x86/32-bit;

The virtual machine takes more than twice as long to store and process the CPU registers (from RAX to R15);

Protected primitives spawn hundreds of virtual machines;

P-code instructions (bytecode) now occupy more space than the assembly code of the game itself!

Finding out what is going on can only be achieved with a debugger. For example, when the first games protected by Denuvo got "cracked", some people reported that a couple of seconds after launching the game executable the process would hang and never start. The "crack" developers did not even bother to tell the public that Denuvo (specifically in the Steam versions of games) goes as far as checking for the existence of a simple branch in the Windows registry: HKEY_CURRENT_USER\Software\Valve. There are two ways to solve this minor trouble: install Steam yourself, or create that registry branch manually.

Here are some interesting facts and information directly from VMProtect:

Protected files run on almost any version of Windows, even the old Windows 95! However, the licensing feature requires at least Windows 2000.

VMProtect doesn't support .NET executables and has limited support for VB executables.

“Mutation” protection method

Mutation is replacing the source code instructions with their analogs (or a certain instruction sequence) that give the same result as the source code. It is the fastest yet simplest way of software protection. It is quite useful when you need to hide the signatures of third-party libraries used in your code. For example, if a hacker knows that you use a well-known SHA-1 implementation, he may attack it instead of your code. Mutation allows you to hide the presence of the library.

“Virtualization” protection method

Virtualization is the process of translating executable code into instructions of a virtual machine with a different architecture that is unknown to a potential cracker. Virtualized parts of the code are executed by an interpreter (the virtual machine) without being converted into native machine code. Generally, the reverse engineering of virtualized code requires studying the virtual machine architecture first, then creating a disassembler that understands that architecture. Both processes are quite time-consuming and stop a great many crackers. Each time you protect the application, VMProtect generates a completely different set of virtual machines, so even if a cracker finally understands the architecture of one particular virtual machine, he has to start from the very beginning for the second protected procedure of the same file.

“Ultra” protection method

Ultra combines the virtualization and mutation methods to make the protection even stronger. The protected code is mutated first and then the result is virtualized.
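Since the three methods described above build on one another, here is one added example that models all three: a tiny IR, a mutation pass, a per-build randomized VM architecture with a p-code encoder, the disassembler a cracker would have to write for that architecture, and "ultra" as mutation followed by virtualization. This is example code written for this page, not VMProtect's implementation; the IR, the 7-byte p-code format, the ISA fields, the mutation rules and the sample routine are all assumptions chosen for illustration.

```python
import random
import struct

MASK = 0xFFFFFFFF
REGS = ("r0", "r1", "r2")
OPS = ("mov", "add", "sub", "xor", "mul")

# Constructed sample routine in a tiny two-operand IR (op, dst, src), src being
# a register name or a 32-bit immediate. It computes ((x + 0x1337) * 3) ^ 0xDEAD
# with x arriving in r0 and the result left in r0.
SOURCE = [("mov", "r1", 0x1337), ("add", "r0", "r1"), ("mul", "r0", 3), ("xor", "r0", 0xDEAD)]


def _alu(op, a, v):
    return {"mov": v, "add": a + v, "sub": a - v, "xor": a ^ v, "mul": a * v}[op] & MASK


def execute(prog, x):
    """Reference semantics of the IR: run it 'natively' and return r0."""
    regs = {"r0": x & MASK, "r1": 0, "r2": 0}
    for op, dst, src in prog:
        v = regs[src] if isinstance(src, str) else src & MASK
        regs[dst] = _alu(op, regs[dst], v)
    return regs["r0"]


def mutate(prog, rng):
    """Mutation: replace each instruction by a randomly parameterised equivalent
    sequence, so the byte pattern of a known routine no longer matches."""
    out = []
    for op, dst, src in prog:
        k = rng.getrandbits(32)
        if isinstance(src, str) or op == "mul":
            out.append((op, dst, src))                    # left alone in this toy
        elif op == "mov":                                 # mov d, imm -> mov d, imm^k ; xor d, k
            out += [("mov", dst, src ^ k), ("xor", dst, k)]
        elif op == "add":                                 # add d, imm -> sub d, -imm
            out.append(("sub", dst, (-src) & MASK))
        elif op == "sub":                                 # sub d, imm -> add d, -imm
            out.append(("add", dst, (-src) & MASK))
        else:                                             # xor d, imm -> xor d, imm^k ; xor d, k
            out += [("xor", dst, src ^ k), ("xor", dst, k)]
    return out


def make_isa(rng):
    """A fresh VM architecture per build: random opcode numbers, random register
    numbers and a random key that immediates are XORed with in the p-code."""
    return {"opcode": dict(zip(OPS, rng.sample(range(256), len(OPS)))),
            "reg": dict(zip(REGS, rng.sample(range(256), len(REGS)))),
            "key": rng.getrandbits(32)}


def virtualize(prog, isa):
    """Virtualization: translate IR into 7-byte p-code words for one ISA:
    opcode | dst | kind | operand32, kind 0 = encrypted immediate, 1 = register."""
    code = bytearray()
    for op, dst, src in prog:
        kind, operand = (1, isa["reg"][src]) if isinstance(src, str) else (0, src ^ isa["key"])
        code += struct.pack("<BBBI", isa["opcode"][op], isa["reg"][dst], kind, operand)
    return bytes(code)


def decode(pcode, isa):
    """What a cracker has to write once the ISA of this particular VM is
    understood: a disassembler from p-code back to IR. It only works for the
    ISA the p-code was built with; another build needs another disassembler."""
    op_name = {v: k for k, v in isa["opcode"].items()}
    reg_name = {v: k for k, v in isa["reg"].items()}
    prog = []
    for i in range(0, len(pcode), 7):
        opc, dst, kind, operand = struct.unpack_from("<BBBI", pcode, i)
        if opc not in op_name or dst not in reg_name or (kind and operand not in reg_name):
            raise ValueError("p-code was not generated for this VM")
        prog.append((op_name[opc], reg_name[dst], reg_name[operand] if kind else operand ^ isa["key"]))
    return prog


def run_vm(pcode, isa, x):
    """The interpreter shipped with the protected code: fetch, decode and
    execute each p-code word against the VM's own ISA."""
    return execute(decode(pcode, isa), x)


def ultra(prog, rng):
    """Ultra: mutate first, then virtualize the mutated result."""
    isa = make_isa(rng)
    return virtualize(mutate(prog, rng), isa), isa


def equivalent(prog, pcode, isa, rng, trials=256):
    """Differential check of the protected form against the original IR."""
    return all(execute(prog, x) == run_vm(pcode, isa, x)
               for x in (rng.getrandbits(32) for _ in range(trials)))
```

Two runs of `make_isa` with different seeds give different opcode numbers, register numbers and immediate keys, so the p-code of one build is meaningless to the `decode` of another, which is the "start from the very beginning" effect the vendor text describes. The `equivalent` check is the kind of differential test worth running on any such transform, since a mutation rule that is wrong for one edge case (wrap-around at 2^32, for instance) would otherwise ship silently.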