The history of anti-piracy software is long and turbulent, especially so in the video game industry. The ongoing war between publishers and warez groups and pirates, like any other conflict, often leads to situations in which bystanders get hurt. In this case, these bystanders are legitimate users. For many years people believed that piracy, at least on PC, cannot be stopped. However, in 2014 Denuvo Anti-Tamper entered the stage and proved that it was capable of waging war – and winning – against pirates, although this quickly earned the new software a bad reputation. Today, I’m taking a closer look at all things Denuvo, as well as piracy and its consequences, in a broad context.
DRM or not?
DRM is short for “Digital Rights Management”, which basically means “access control” in human language. Despite the fact that DRMs these days are commonly associated with having to set up accounts on digital distribution platforms and then get down to more or less onerous activation/verification processes, even a classic product key check during installation is a form of digital rights management. Various kinds of DRMs are used not only in video games but also in music and film industry and even to protect e-books. In short, it all boils down to controlling access to the protected content in one way or another.
To date, people tend to disagree on the true nature of Denuvo. Its developer, Denuvo Software Solutions, claims that Denuvo Anti-Tamper is not a DRM solution itself, but merely prevents crackers from circumventing the existing security measures. Personally, I feel that the definition of “DRM” is wide and blurred enough to make categorizing Denuvo purely discretionary. We can even see it on Steam product pages – some developers/publishers of games that use Denuvo write a note that reads: “Incorporates 3rd-party DRM: Denuvo Antitamper”. Others don’t do it, apparently thinking that Denuvo only protects the existing DRM; this is what the developers of Total War: Warhammer said in a special FAQ.
As far as I’m concerned, Denuvo has the characteristics of a DRM so it can be considered one, but at the same time I believe this classification to be of little importance. What properties I had in mind? Firstly: the said software makes a call home, which means that it communicates with a trusted server for the purposes of activation and authentication of the program being launched. This is how digital rights management software, such as the infamous SecuROM, works. Secondly: although Denuvo doesn’t limit the overall number of possible installations of a given product, it does limit the daily amount of activations to five. Of course, this is more than an average user needs but some restrictions are there nevertheless. I guess that Denuvo Software Solutions tries to avoid the “DRM” label for dear life because of its bad rep among the gamers. Call it what you will, I say.
How Denuvo works
The above deliberations aside, the essence of Denuvo is more or less restrictive obstruction of tampering with the game files while staying invisible to the player at the same time. Denuvo’s protection level depends entirely on the developer/publisher who has to implement the said solution on its own. Some limit it to the .exe executable file, while others secure all the remaining ones as well. Denuvo can also be removed at any time, just like in the case of Doom or Inside.
Obviously, the magic behind Denuvo remains a secret, and all possible theories and revelations are often cut down with a simple “code sample or GTFO”. That’s why deduction and conjecture are everything we have at his point. As I mentioned earlier, online activation with a trusted server owned by Denuvo Software Solutions is involved, or at least this is what an experiment of a NeoGAF forum user shows. If we change parts of our computer or its operating system, or delete a special license file created after the first activation, Denuvo is going to execute the whole process all over again. Moreover, I’ve come across people claiming that the necessity to reactivate is also caused by updating games and/or not launching them for a long time. In any event, the validity of the information stored in such license file is most likely checked every time an application is started. The file itself most likely contains data regarding a given PC’s hardware and operating system as well as identification data from a digital distribution platform related to the protected software. In the case of Steam, this probably means our Steam ID as well as the game’s product key and Steam App ID. It is said that Denuvo generates a key to a specific copy on a specific machine on this basis. Of course, this is just speculation, but the theory is definitely a plausible one. Denuvo prevents modification of selected game file(s), and “separation” of the protected application and the distribution platform it’s linked to. On top of that, it performs an additional, secure activation/authentication. All this makes creating a stable pirate release a difficult task.
My guess is that the protection of the Steam, Origin, or Uplay client’s mechanisms and partial reliance on unique user data is probably the reason why Denuvo’s developer calls its product anti-tamper software. This does make some kind of sense: protecting a file from being tampered with is one thing, while checking whether its’ been tampered with is another, but both fall under the “anti-tamper” category, at least in a linguistic sense. But I still fail to see how this is supposed to make anyone stop disliking Denuvo for what it is, DRM or not, so why even bother?
What did I mean by a “stable pirate release”? Well, in practice, launching a pirated game is just a partial success. Developers sometimes implement copy protection triggers in their productions which make playing difficult or impossible should the running product be found pirated. Denuvo uses this tried solution, so finding and eliminating such triggers is one of the challenges that crackers have to face before they announce successful cracking of a given title. It’s also worth remembering that Denuvo’s security measures can be updated, for example, with the release of a patch or an expansion to a game. Pirates therefore have to wait longer for patches, if crackers ever issue them at all. What’s better, Denuvo Software Solutions announced a complete revamp of its anti-tamper product, most likely due to the poor job it did “protecting” Resident Evil VII: Biohazard, so the above conjectures will surely lose accuracy (if they were accurate at all).
Denuvo versus Crackers
Denuvo is a unique phenomenon because of its ability to fight piracy effectively. Compared to other systems, which are often cracked on launch day, Denuvo Software Solutions’ product is truly revolutionary. However, it has been proven many a time that it isn’t entirely dependable and predictable. The time needed to release a working crack for Denuvo-protected games ranges from several days to many months, and that is without counting numerous titles that turned out too tough to crack. For instance, Star Wars: Battlefront and Just Cause 3 have remained uncracked for over a year. At any rate, it must be remembered that even Denuvo’s developer admits that its product can be defeated just like any other security measure. Denuvo’s purpose is to make the process difficult and thus time-consuming. Time is the operative word here since Denuvo’s overt goal is to protect the most important sales periods. Over time, releasing a crack has an increasingly lower influence on a game’s financial results, so we can talk about Denuvo accomplishing its task even if a given title is eventually cracked. To put it plainly: if a pirate is willing to wait a year for a crack, it is obvious that he or she never intended to pay. However, with the wait being an unknown factor, there is a chance that the impatient or the hyped-up individuals will decide to pick up a genuine copy in the end.
Let’s have a look at specific cases now. The first Denuvo-protected game to be cracked was probably Dragon Age: Inquisition, which held out for about a month since its launch; at the time it was a really impressive result. Lords of the Fallen, which came out the preceding month, was successfully pirated only after nine months. Doom and Rise of the Tomb Raider, titles desired and undoubtedly considered to be priority by warez groups, also stayed uncracked for a few good months. However, Denuvo seems to have run out of luck as of late. Recently, news made headlines about Resident Evil VII: Biohazard and Conan Exiles (which is still in early access stage) being successfully cracked. Personally, I think that these failures were exaggerated for two reasons. Number one: Resident Evil VII demo, which came out on December 19 last year, was protected by Denuvo (a huge mistake, I think), and so the crackers could tamper with the game files from then on until January 29, when CONSPIR4CY (CPY) released a crack. Number two: the cracking of Conan Exiles had literally nothing to do with Denuvo since it was the developers who accidentally published an unprotected build on Steam. Nonetheless, there is no denying that five days of actual protection in case of Resident Evil VII is not much, so I’m not surprised at the announced revamping of Denuvo Anti-Tamper. Well, crackers surely aren’t the only ones to do their homework – Denuvo’s engineers learn from their own mistakes and warez groups’ ideas.
Despite all its innovativeness, Denuvo Software Solutions is definitely not infallible – and it shows. Perhaps their biggest failure was the cunning workaround for Doom devised by a hacker known as Voksi. Instead of cracking Denuvo, Voksi created a special loader that made illegal copies of the game successfully pass the online activation process. The application would first download Doom’s demo, so that the user had it in their Steam library, and while launching the full, pirated version, the program would swap its Steam App ID for that belonging to the demo edition. Denuvo’s servers used to accept both identifiers as equally valid for some reason. According to Voksi, thanks to his work over 600,000 pirates played Doom without having to crack it. Denuvo Software Solutions naturally fixed this issue after a couple of days but the already downloaded and activated copies remained playable in offline mode. In other words: the damage had already been done at that point.
Confidential data leak
Another failure that unquestionably tarnished the company’s reputation was the incorrect configuration of Denuvo website’ server (most likely bad CHMOD settings), which allowed netizens to access content that had to stay non-public beyond any doubt. Reports say that the leaked data included private correspondence with Denuvo’s customers. Moreover, TorrentFreak claims that the captured files contained a confidential presentation concerning services and products offered by Denuvo Software Solutions (screenshots of the alleged find). If genuine, the document seems to confirm that Denuvo Software Solutions was formed through the management buyout of Sony DADC DigitalWorks, which means that Denuvo Anti-Tamper might have actually been developed by the creators of the rightfully hated SecuROM.
Denuvo: Assassins of SSDs
By the end of 2014, rumors made the rounds on the Internet (the source being probably the RPG Codex forums), claiming that Denuvo shortens SSD drives’ lifespan due to writing excessive amounts of data. This phenomenon was allegedly caused by constant decryption and encryption of game files, which supposedly resulted in them being incessantly copied from RAM to HDD/SDD and back. The said problem was “diagnosed” way back in relation to Lords of the Fallen, the second Denuvo-protected game in history. After the launch of Dragon Age: Inqusition, the third title to be protected with Denuvo, tests showed no such behavior of the program. All this felt a lot like looking for a scapegoat.
As for the constant data encryption and decryption, Denuvo Software Solutions denied the rumors. Moreover, the developer stated that such solution “would be of no benefit in terms of security or performance”.
Speaking of performance, Denuvo is often accused of making games run slower but so far there is no evidence of the connection between the two. The developer maintains that the software in question uses only “performance non-critical […] functions” and “has no perceptible effect on game performance nor is Anti-Tamper to blame for any game crashes of genuine executables”. Back in the day, the developers of Lords of the Fallen allegedly said that Denuvo decreases the title’s performance by 1 to 5 percent, but the Twitch stream in which the statement was made is no longer available, nor is it known what exactly they meant by it (meaning: was it load times or framerates or both?). Personally, I think that Denuvo might have some impact on the launch time of protected software for reasons I described earlier, but I’m not inclined to believe that any game works perceptibly worse because of Denuvo. Certainly not when sloppy ports and poor optimization aren’t a rare sight. Without clear evidence, it’s just shifting the blame.
Effective equals hated
As I said, Denuvo can boast several impressive results since its debut in 2014, having successfully protected tens of productions from being pirated – if not completely, then in key sales periods. The differences in the duration of protection can have various reasons. I suspect that crackers set priorities on the basis of cracking difficulty level and/or popularity of a given game. I sincerely doubt that anyone cared about Fernbus Simulator when Deus Ex: Mankind Divided was released two days before. Of course, I cannot rule out that someone’s cracker pride or a sense of “mission” makes them still try to tackle the uncracked Just Cause 3, but releasing a crack at this point won’t be as harmful to the publisher as it would be in the launch period. So it’s safe to say that Denuvo did its job.
But hang on a second, if Denuvo is usually effective and only affects pirates, then why people hate it with a vengeance? Personally, I have no problem with Denuvo – I’ve played Denuvo-protected games without even realizing it. Maybe it’s a matter of principle, then. If so, then this is bigger than Denuvo, which pretty much became a scapegoat. What I mean is that when buying a game linked to, say, Steam, you have to – as in “you usually have no alternative save for piracy” – accept the fact that you’re not really its owner but rather a kind of perpetual lessee. This is how Origin and Uplay work, as well. Denuvo Anti-Tamper simply responded to the needs of the companies that make money on developing and/or publishing games. What’s more, contrary to many of its predecessors, it only affects pirates, or at least there have been no problems with it thus far.
Some gamers point out that Denuvo limits modding possibilities or prevents creating alternative master servers should a publisher shut down servers of a protected game. Others come up with truly apocalyptic scenarios in which Denuvo suddenly goes bankrupt and every Denuvo-protected title becomes unplayable. The problem is that everything is within the publisher or developer’s hands, and – as I mentioned earlier – they can get rid of Denuvo at any moment. Impeding modding or creating alternative servers isn’t anything new, either, and Denuvo just provides an optional tool to do it effectively. Honestly, I would be more afraid of Steam becoming defunct one day. The sheer thought of losing dozens of discounted games I’ve bought and never played or even downloaded…
On a serious note, I would like to discuss the opinion some people have that CD Projekt is an example of a developer/publisher who trusts gamers; I think this line of thinking is far-fetched. I haven’t forgotten the problems with SecuROM and downloading extra data in the day-one retail edition of The Witcher 2. Besides, I cannot fathom why any company owning a digital distribution platform advertised as selling only DRM-free products would speak positively of DRMs. CD Projekt has a very smart and visibly effective marketing strategy that allows them to make profit on the universal dislike of SecuROM, Denuvo and other resented solutions of this kind. Of course, I wish CD Projekt all the best, and I’m really glad they achieved a worldwide, well-deserved success, but attaching ideology to effective business strategy and deliberately created image seems absurd to me.
Damn those DRMs!
I believe that hate towards anti-pirate protection software mostly results from three things: hindering legitimate users’ experience, forcing them to install various distribution platforms’ clients, and the fact that developers and publishers provide unsatisfactory quality of products and services. Those people who advocate piracy because of lack of demo versions could have a point, but their argument has lost a good chunk of its validity of late. I’m thinking of open and closed beta testing, an abundance of let’s-play videos, and actually working refund programs on Steam and Origin. Besides, numerous titles that came out in recent years offered a demo or trial version, even though releasing demos is not an industry standard anymore.
Before anyone jumps to conclusions, I’d like to stress that I’m against any anti-piracy measure, no matter how effective, if it gives trouble to a legitimate user (this is where such oddities as cracking genuine games comes from). Recently, I was angry at having to type in one code on an external website to generate another that activated Tyranny on Steam. Back in the day, I was disgusted by SecuROM in the retail version of The Witcher 2 and felt really sorry for the people who bought the collector’s edition just to play it a lot later than promised. The irony is that the more cunning pirates could play The Witcher 2 even before the official launch and they surely laughed at the honest buyers’ problems. CD Projekt had to know about the game leaking to warez and torrent sites, and yet only the purchasers of genuine retail editions were hurt by the clearly malfunctioning SecuROM. In cases like these, the publisher deserves harsh criticism, and as far as I’m concerned, owes a refund to anyone affected. At this point, however, there is nobody to strongly stand for the gamers’ customer rights.
Now, if anyone is outraged by the sole existence of anti-piracy software, then one must ask a question why a privately owned enterprise would spend money on such things? Well, it’s because they consider piracy a cause or a risk of losing profit. Publishers and developers are anything but stupid – if pretty much anyone can visit warez/torrent sites and see how common piracy is, then an entity that possesses professional data can assess it all the more. I do realize that a pirated copy isn’t automatically one that wasn’t purchased, but a publisher can only see a high POTENTIAL loss since the ACTUAL one is impossible to estimate. I don’t blame anyone for trying to protect their property, I can only have objections or grievances concerning the method used. Unfortunately, only in an ideal world is there no rational reason to put anti-piracy software in games, locks in doors, and security cameras in stores. Games – just like many other things we pay for without pointlessly questioning this necessity – are a commodity, not a right.
So, who pays for that?
Alas, the price of protection, just like any other cost, is paid by honest customers in the end. In a sense, even if we pirate solely to test a game before purchase, then we still pay for a torrent “demo” when buying a genuine copy. As for Denuvo, a Reddit user conducted something in the vein of a journalistic provocation and wrote an e-mail to Denuvo representatives to ask about the product. In their alleged response, I was especially interested in pricing. Protecting an AAA title (over 500,000 copies on PC) costs EUR 100,000; an AA one (fewer than 500,000 copies on PC) half as much; and indie productions: EUR 10,000. Moreover, one can supposedly pay per unit sold. In the latter case, the setup fee is EUR 2,500, and then EUR 0.15 is due for every copy sold. For corporations, such amounts of money are next to nothing, but independent developers probably can’t say the same. On the other hand, it certainly is a lucrative business for Denuvo Software Solutions, since the company doesn’t issue any refunds or damages if a game is cracked within a specific timeframe. Although after the news of lightning-quick cracking of Resident Evil VII, customers may start to demand some kind of a minimum guarantee. Well, time will surely tell.
In the current status quo, both parties are guilty and it’s no revelation. Because of piracy and greedy business practices, we have entered a vicious circle that might be difficult to escape. Personally, I see a little light in the tunnel and really hope it’s not an incoming train. I think gamers really lack an organization which could effectively take legal actions against publishers/developers for unfulfilled promises or botched launch versions. If a company doesn’t deliver on its promises and yet charges a customer, a refund is due. If a launch version of a game is nearly unplayable, all sales should be temporarily halted and we should be somehow compensated for doing the QA work. At any rate, Denuvo is the best anti-piracy solution I have seen so far, since I’ve played games I had no idea were Denuvo-protected. All in all, I think that maximum limitation of piracy – since I don’t believe 3DM’s forecasts – combined with refund systems as well as trial/demo versions will be advantageous to every party involved. Ultimately, sensible business isn’t about sellers and buyers waging war on one another but about striking a mutually beneficial deal.
Meehow | Gamepressure.com