Showing posts with label crack. Show all posts

Saturday, March 20, 2021

Denuvo - I thought we were over you.

So I wanted to play a game: it's released, but it's nowhere to be found. Odd, I thought. I go and search online - nothing.


Surprise, surprise when I found out it has Denuvo and has gone uncracked for a long time. What happened? There was such a great track record for this and we are back to square one.

Tuesday, July 5, 2016

Useless post.


Going to dig in a bit. Presumably what I am looking at is the Origin DRM, so what I am looking at is not Denuvo. And yes, that is a (useless) screenshot of the first thing I see when I load up an Origin game in x64dbg. So it's nothing special.

Quite frankly, I am angry: the shitposting on reddit regarding Denuvo, the false promises, the contradictory information about what Denuvo does, how it works, etc.
How about I post what I find, in addition to screenshots (or videos?), that at least proves/disproves something or sheds some light on the functionality?

Saturday, April 16, 2016

Might take a look at Unravel.

Unlike the other games, this one seems interesting as I want to play it. It uses Denuvo. This shouldn't be interpreted as if I am going to crack it; that will likely be impossible, as I have never studied Denuvo. Moreover, x64dbg still lacks a tracer and the underlying TitanEngine is wonky (aka the tools aren't mature enough; no offense, mrexodia).

Thursday, March 17, 2016

For those of you that have time to spare.

As we have more or less shifted to x64, we find ourselves in need of new tools, in this case free debuggers. I don't think we will ever see Olly64 come to fruition, the developer has not posted any updates in years, so with that in mind I urge those that have the time and like to contribute to open source projects to check out x64dbg; it has the potential to replace Olly, both 32- and 64-bit. Unfortunately, the devs need help, there are only like 2-3 active contributors, and lots of features are missing from the debugger to make it more useful.
It comes with the Snowman decompiler built-in, although I've found it to be less than accurate. There are also plans to have graphs, just like IDA, but so far nobody has come forth to contribute.

With your contributions, you will be indirectly helping in defeating future and current x64 protections (one being Denuvo/VMProtect). Of course, if you loathe piracy, then the other reason is malware research.

Addendum: You can also join the development channel on #x64dbg@irc.freenode.net.

Sunday, January 31, 2016

Denuvo and VMProtect are the same?

Recently I've been reading about Denuvo, and how certain code seems not just similar but identical to that of VMProtect. Russian websites are also saying that Denuvo <=> VMProtect, indicating that perhaps the two companies share the same code base, and that certain features in VMProtect appear in Denuvo and disappear from VMProtect, and vice versa.

Here is the article in question (Russian).

Wednesday, January 6, 2016

Just Cause 3 and Denuvo

So apparently the same thing is happening with JC3 that happened with FIFA15 and DAI.

The founder of notorious Chinese cracking forum 3DM is warning that given the current state of anti-piracy technology, in two years there might be no more pirate games to play. The claims come after attempts to breach the Denuvo security protecting Just Cause 3 pushed the group's cracking expert to breaking point.

Do you know what drives technological innovation? Competition! Right now anti-tamper/DRM solutions are being sought because of piracy, and get broken, which forces the authors to come up with new and interesting ways to prevent their solution from being broken.

The same cannot be said of "our" side, us reverse engineers. Most people keep their tools private, and we have a stagnation of publicly available tools to help us combat these new solutions and techniques.
Do you know why? Money. Denuvo is paid; cracking is something people do free of charge, so there is little incentive to release their internal tools or docs, or even bother.

Until then, this "prediction" of 3DM might have some merit.

Wednesday, December 3, 2014

Denuvo cracked?

According to this article http://www.dsogaming.com/news/report-denuvo-drm-system-has-been-cracked/, some part of Denuvo has been cracked.

Well done, 3DM. However, there is still no official crack released; I expect fake torrents to appear pretending to be a crack from 3DM. They will likely not be; what they will be is malicious.

But while at it, I do want to mention that when it comes to 64-bit practical RE, the tools are just now being developed. It is only in IDA 6.6 that an x64 decompiler was added, but we mortals can never buy this. Personally, I am a fan of Ollydbg, but I admit it has faults and limitations, one of them being no support for x64 RE. x64dbg is trying to fix that, but it will take a long time before it is truly useful for that.

Sunday, November 16, 2014

More games to use the new Denuvo DRM

Dragon Age Inquisition.
Lords of the Fallen.

And as a reminder: no, there is no crack yet for FIFA15, thus there will be no crack for either of these games till Denuvo has been researched and defeated, if at all.

Also, I have no ETA on cracks; I am not affiliated with scene groups, I am just a guy that likes RE as a hobby, but I find this protection a pain in the ass already, even though I've never worked with it.

Friday, November 7, 2014

FIFA15 and the new DRM Denuvo

So at first I speculated it had SecuROM, just like FIFA14, but then we (when I say "we" I do mean the internet) found out it has a new DRM called Denuvo, and this is why there is no crack yet: it's new and it will take time for it to be studied and bypassed, and there's maybe the rather low chance of there being no crack at all.
It took me 30 days just to run SecuROM under a debugger, so it's not unlikely the same thing will happen with a new DRM.

I've no idea what Denuvo employs, frankly I do not care, but if it gains traction and remains uncracked, things will get "interesting".

To say this in simple words: there is no crack yet; any crack you do find by googling will likely turn out to be a virus.

Addendum: The upcoming GTA V game will also use this DRM. Seems like GTA V will not use Denuvo after all: http://www.incgamers.com/2014/11/grand-theft-auto-v-will-not-use-denuvo-drm-says-company-co-owner

Saturday, September 20, 2014

Alice Madness Returns, disappointed...

Well, I am shocked, in all my time I have never seen such a sloppy job.

I downloaded the RELOADED release of the game, expecting the game to work, waited for a while for the game to install, only to be greeted by the message "Failed to find default engine .ini file" upon launching the game. I said to myself, it's ok, it happens. I tried desperately to fix the issue for half an hour, to no avail.

Then I deemed the release of RELOADED just plain bad, but the madness returns!!
I downloaded the skidrow release; surprise, surprise, all missing files were there. I launch the game, am greeted by the skidrow logo, then... a crash in kernelbase.dll.

But the madness did not end there. I then started to search for a working crack; I tried a RELOADED crackfix, so far so good, until I actually try to launch it. This time the game did not crash; instead I am greeted with a box saying "The game has been modified or tampered with".
Ridiculous, simply madness, but hey, it didn't end there. I downloaded the Theta crackfix, I launch it, bam, crash in kernelbase.dll.

After wasting over an hour trying to make the game run, I finally gave up.
I have never ever seen such a sloppy attempt to crack a game. It isn't even a crack, but a "crac", as it's incomplete.

Tuesday, September 2, 2014

SecuROM v8.10 might pack more than I thought.

Once you bypass the anti-debug APIs, you realise that bypassing those is the easy part; now I feel a bit ashamed that it took me 30 days just to bypass them. Oh well.

I've identified a few threads that are started before the OEP and are essential. I've only just started to analyse them; they are obfuscated, so reading the assembly will be difficult.

A small side note unrelated to all of this. There is a method on the internet for finding out the version of SecuROM: searching for the string 'AddD' will show a version number next to it. For SecuROM v8 this method no longer works; a version is displayed, but it's not correct.

Friday, June 6, 2014

Regarding EADRM in general.

So while I was writing my Crysis 2 articles, I found out something: the OEP for what I can assume is every game released in the past few years via Origin is stored in the actual .exe, near the end of the file, just after the four characters IREW (all capital), as in the 4 bytes after IREW are the OEP. So writing those down and adding to them the image base (and working out any relocation that might happen), you are at the OEP. You put a HW breakpoint, for instance on execution, on the OEP; once you break you can just dump, and all that's left is to fix imports.

That said, Crysis 2 was easy as pie to unpack, but Crysis 3 after unpacking has another layer of protection, this time much more advanced for the average joe (aka me) to unpack. Robert Yates, the guy who cracked SecuROM a while back, told me that Crysis 3 uses an older version of SecuROM, obviously not that old, probably 8.X.
For now, SecuROM is beyond me.

Addendum: Fixed typo, it was IREW and not IWER.

Update 8d/2m/2016: The information above is no longer relevant; Origin has updated their DRM.

Wednesday, June 4, 2014

Reverse Engineering. Unpacking Crysis 2! The actual stuff.

Before I continue, I want to stress that I legally own both Crysis 2, and Crysis 3 on Origin.

Now, I want to first say that my experience with RE is very limited: I don't really know ASM as well as I should, nor do I know anything about the PE (Portable Executable) format, or anti-debugging techniques and how to bypass them.

The tools used by me:

  • Ollydbg 1.10 with the following plugins: HideOD, StrongOD, phant0m, HideDebugger. Can't tell you which combo of options (anti-anti-debug options) works; just try them all until the executable does not crash, give exceptions, exit, etc.
  • Ollydbg 2.01 with OllydumpEX for 2.x, no other plugins.
  • Hex Editor


Much of our work will be done using Ollydbg 2.01, since Ollydbg 1.10 doesn't seem to like some patches that will be required. And much of our work will be done on the file called awc.dll, located in the Core folder; it's part of EADRM and is responsible for unpacking and launching Crysis 2.

A few important abbreviations to remember before we begin:

  • OEP - Original Entry Point.
  • IAT - Import Address Table.
  • EP - Entry Point.
  • EIP - Extended Instruction Pointer.
  • RVA - Relative Virtual Address.
  • VA - Virtual Address.
  • JMP - Jump Instruction.
When it comes to packing/unpacking, OEP refers to the entry point the way it was BEFORE the executable was packed. Most packers, though, also destroy the Import Table, so the executable does not know where to find, say, the function Sleep or CreateProcess. The unpacker stub therefore does a few calls to LoadLibrary and GetProcAddress and rebuilds it at run time; this doesn't mean fixing it afterwards is as simple as running Import Reconstructor. In our case, it might require manual work.
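
To make those abbreviations concrete, here is an added example (mine, not code from the original post) that parses a constructed minimal PE32 image: it reads ImageBase and AddressOfEntryPoint (an RVA), turns the RVA into a VA for whatever base the image was actually loaded at (the relocation case), and maps an RVA back to a raw file offset through the section table, returning None for ranges that exist only in memory, which is exactly where a packer's unpacked code lands and why a dump is needed rather than the file on disk. It also handles PE32+ headers, which the post does not mention; the sample image is constructed for the demo and is not a real game binary.

```python
import struct

def parse_pe(data: bytes) -> dict:
    """Read ImageBase, AddressOfEntryPoint (an RVA) and the section table from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                       # 20-byte COFF file header
    num_sections, _, _, _, opt_size = struct.unpack_from("<HIIIH", data, coff + 2)
    opt = coff + 20                                           # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # EP the loader jumps to
    if magic == 0x10B:                                        # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                      # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections, pos = [], opt + opt_size
    for _ in range(num_sections):                             # 40-byte section headers
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, pos)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
        pos += 40
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}

def rva_to_va(rva: int, load_base: int) -> int:
    return load_base + rva            # VA = base + RVA; use the real base if relocated

def rva_to_file_offset(sections, rva: int):
    """RVA -> raw file offset via the section table; None if the range exists only in memory."""
    for _, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            delta = rva - va
            return rawptr + delta if delta < rawsize else None   # virtual-only part of a section
    return None

def build_sample_pe() -> bytes:
    """Constructed PE32 image for the demo (not a real game binary): one .text section."""
    dos = bytearray(0x80)                                     # DOS header; e_lfanew = 0x80
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, one section
    opt = bytearray(224)                                      # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                     # magic: PE32
    struct.pack_into("<I", opt, 16, 0x1010)                   # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)                 # ImageBase
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x2000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    img = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return img + b"\0" * (0x600 - len(img))                   # pad so the raw data exists on disk
```

The .text section has VirtualSize 0x2000 but only 0x200 bytes of raw data, so an RVA such as 0x2800 maps to nothing on disk; that gap is what a dump taken at the OEP fills in.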


[Deleted]

[18/9/2014]
The article was "useless"; please read this instead: Regarding EADRM in general.

Reverse Engineering. Unpacking Crysis 2!

It has been a long time since I wrote anything in the blog, thought it might be time to share some experience.

So, what is so special about Crysis 2? Isn't it a really old 2011 game? It's special in my heart. It all started in February of 2011: Crytek had released the DEMO Multiplayer of Crysis 2 and after having tried it for the first time, I fell in love immediately with the multiplayer component. Then came March 21st and March 22nd: the game came out, but I couldn't buy it then, so I patiently waited for a cracked version to appear. Astonishingly, it took 2-3 days for somebody to release a crack; meanwhile there was a non-cracked version available.

So, what did I do? Well, I tried to crack it myself, of course! Did I succeed? Absolutely not! I didn't know a thing about RE(Reverse Engineering) or ASM(Assembly), but I still tried for a while.

I played the Singleplayer after a cracked version was released; I loved how spooky and eerie the story felt, because it was saying the suit was alive and could think for itself. The story was all about the suit. Graphics were, as always, pretty good. But the AI was dumb, really dumb.

After I finished the singleplayer, I kept wondering, how do I play the multiplayer? I couldn't. After a while (a month or two?), something amazing was released, something I didn't believe was even possible. A multiplayer crack! However strange it may seem, it only worked in limited hours, between 16:00 and 21:00 UTC. I never figured out how it worked.

Did I play? Yes, oh my god yes, the multiplayer was really competitive, it took skill to aim. After a while, I found a website that was selling Crysis 2 serial keys for just $16, even as low as $11. Should have noticed the signs. The key was legit; it worked fine up to the moment GameSpy shut down in May 2014. Yes, from the $11 price of a game not even 2 months old, the sign was obvious: it was dying. And sure enough, after about 3 months, Crytek stopped patching it, abruptly, and there was ZERO communication from them TILL the Crysis 3 announcement in the summer of 2012. I must stress the word ZERO.
The game was left unpatched, with various GAMEBREAKING bugs, such as the infamous Scar+Laser bug, which made you strafe faster and was abused a lot. And cheaters, who could bypass the votekick system easily, very easily.
Hint: Same thing happened to Crysis 3.

So, there you have it. Much of 2011 and 2012 was Bitcoin and Crysis 2, mine and play and play and mine. Those were the days!

Actual unpacking bits in next article.