It’s been over four years since the first game protected by Denuvo appeared on the scene. At the time I made the case that Denuvo had been successful enough to prove that most of the publishers’ claims about piracy were false. So how has that claim held up over the years?
Whenever Denuvo comes up in conversation, there’s always a little side-argument where someone feels a need to explain that “Denuvo is not DRM.” This is technically true in the sense that a combination lock is not a safe, but this sort of pedantry isn’t really productive and doesn’t help consumers understand what Denuvo is and why they should care.
For decades, developers have been building anti-piracy systems into their games. In the old days, this would be something like asking the user to type in a phrase obtained from a hard-to-photocopy manual. These days, it generally means having the software check with some remote server to see if the user has a legitimate license to use the product. If the user is unable to prove they own the software, it can refuse to run.
The problem is that this sort of thing is trivial to defeat. If the program does a simple check to see if the user should be allowed to play the game, then a cracker can find this point in the game’s instructions and modify it. If the developer adds another check to see if the user tampered with the game, then the cracker can just disable that. Like I said in 2009, you can’t make unbeatable DRM that will work in an offline context. No matter how many checks the developer puts in the game, the cracker can just as easily disable those checks. If a legitimate user can run the game, then a cracker can make a modified version of the game that will run for everyone. Like I said four years ago, trying to create a game that the user can run that can’t be copied is like trying to make a book that the consumer can read but they can’t see. It’s not just a hard technology problem, it’s an inherent contradiction.
The problem for the developer is that — in the PC realm — the user has total control over the machine. Any safeguard the developer adds, the cracker can remove.
This has always been true, but it didn’t stop publishers from trying anyway. For 20 years they wasted time and money on increasingly convoluted systems that created hassles for the end user. Despite this, the games wound up on the torrents on day one anyway.
To make DRM work, the program generally needs three parts:
This is where the argument that “Denuvo isn’t DRM” comes from. Denuvo is an “anti-tamper” solution, which means it’s focused on #3. It’s up to the game designer or the publisher to come up with their own solutions to the first two steps. Denuvo isn’t DRM by itself, but if you’re a cracker then defeating Denuvo is the first and most difficult step to cracking a game.
I’m sure you won’t be surprised to hear that Denuvo Software Solutions doesn’t publish the inner workings of their anti-tamper software. If we want to know what it is or how it works, then we have to rely on the explanations of the people who have reverse-engineered it. That group includes pirates and crackers, who hide behind pseudonyms. This Reddit thread “How Denuvo works and why it’s so hard to crack” is filled with people making very specific and highly technical claims about how the software works and yet contradicting each other. As a result, there can’t be a single trusted source for what’s known about Denuvo and we just have to take someone’s word for it.
I’ve read various articles as well as the Wikipedia page on Denuvo. I’m a programmer, but I’ve never reverse-engineered or decompiled anything like this. I’m pretty far out of my element when evaluating these various claims. Still, I’ve found a few facts that are common enough and mutually coherent enough to be taken seriously. Below is what I’ve been able to figure out:
When a developer wants to protect their game, they take some important but non-performance-critical bits of their code and hand them off to Denuvo. An example of something like this is the code to open up the main menu. It’s important enough that you can’t run the game without the ability to use the menu, but it also isn’t executed every frame. This code is then stripped out of the game.
When the end user activates the game online, the Denuvo activation server will send them the missing code, modified so that it will only run on their specific hardware. Note that this isn’t a simple check like the kind I described earlier in the article. The game doesn’t just check your hardware for a match; it uses code deliberately engineered to only work for your specific model of processor. This means that the game will only run on your machine, or on ones with an identical hardware configuration.
This system makes it so that you can’t share your activated copy of the game with anyone else. If a cracker wants to put the game on the torrents, they have to find all of the bits of removed code and make platform-agnostic versions of them.
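A toy model of the binding described above, as an added example that is not from the original article and does not represent Denuvo's actual design. The fingerprint fields, the XOR keystream and all function names are assumptions chosen for illustration.

```python
import hashlib

# Constructed sample: the routine the developer strips out of the shipped game.
STRIPPED_ROUTINE = b'def open_main_menu():\n    return ["New Game", "Load", "Quit"]\n'

def machine_key(fingerprint: dict) -> bytes:
    """Derive a key from hardware properties (field names are hypothetical)."""
    canon = "|".join(f"{k}={fingerprint[k]}" for k in sorted(fingerprint))
    return hashlib.sha256(canon.encode()).digest()

def _xor_stream(data: bytes, key: bytes) -> bytes:
    # Toy stream cipher: SHAKE-256 output used as a keystream. Illustration only.
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def activate(fingerprint: dict) -> bytes:
    """Activation server: return the missing code, bound to one machine."""
    return _xor_stream(STRIPPED_ROUTINE, machine_key(fingerprint))

def load_menu(blob: bytes, local_fingerprint: dict):
    """Game client: there is no 'is this licensed?' branch to patch out.
    The key is recomputed from the local hardware; on any other machine
    the blob decodes to garbage and there is simply no routine to call."""
    source = _xor_stream(blob, machine_key(local_fingerprint))
    namespace = {}
    try:
        exec(compile(source.decode("utf-8"), "<activated>", "exec"), namespace)
    except Exception:
        return None
    return namespace.get("open_main_menu")

BUYER = {"cpu_model": "ExampleCPU 9000", "cores": 8}   # constructed
OTHER = {"cpu_model": "ExampleCPU 7000", "cores": 6}   # constructed

if __name__ == "__main__":
    blob = activate(BUYER)
    print(load_menu(blob, BUYER)())   # menu works on the activating machine
    print(load_menu(blob, OTHER))     # shared copy: the routine is missing
```

The difference from the simple check described earlier is that nothing compares a value and branches: the correct code only exists once the right hardware-derived key is applied.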
Four years ago crackers were predicting that Denuvo would soon be unbeatable. Games took months to crack. Then a few titles were cracked very quickly and it looked like Denuvo was beaten. Then Denuvo made a comeback earlier this year. I wouldn’t be surprised if this tug-of-war continued for years to come. The important thing to note is that games are taking weeks or months to crack, which is far better than the day one cracks that were common before Denuvo arrived on the scene. This is enough time to protect the critical sales period of a game.
So far there have been 111 games released with Denuvo. Just over two-thirds of them have been cracked. Most of the remaining un-cracked games are recent releases. Again, Denuvo seems to be doing its job by keeping games off the torrents during the period of highest demand.
On the other hand, I stand by the point I made four years ago: Denuvo is so good it proved it was useless.
For years, consumers complained about intrusive DRM. It locks you out of your legitimately purchased product. It creates bugs and slowdowns. It’s a hassle. It makes it impossible to run the game years later when the servers go down. It punishes legitimate customers while doing nothing to inconvenience the pirates.
In response to these concerns, publishers would tell us that strong DRM was necessary because of rampant piracy. Piracy was blamed for high prices, or for a refusal to port games to the PC. Developers claimed that between 90% and 95% of players were using pirated copies. This led publishers to make absurd claims that game prices would be lower or that they wouldn’t need to close so many studios if there weren’t so many dang pirates. The assumption was that if 90% of players are pirates, then games would make ten times as much money if we could stop piracy. All those pirates would run out and buy legitimate copies and it would usher in a golden age of low prices and profitability.
Tomb Raider 2013 pre-dates Denuvo. Shadow of the Tomb Raider and Rise of the Tomb Raider were both protected by Denuvo. And yet we haven’t heard about any miraculous sales spike that caused the second two games to massively outsell the first. If Denuvo makes any difference at all, it must be very slight. Is it even enough to offset the loss of potential customers? If Denuvo was actually making a measurable difference in terms of sales, wouldn’t all games be using it by now?
We live in a world where games can sometimes go for half a year before they appear on the torrents. Prices have not gone down. Sales have not rocketed up. It turns out consumers were right all along. People who pirated games were not potential customers, and when they couldn’t get a game for free they just found something else to play. Publishers spent years griefing their customers for no good reason and wasted money on DRM that could have been better spent elsewhere.
These days it looks like Denuvo is selling their software as a way to combat cheaters online. It’s possible they’re just trying to expand the business, but it’s also possible they see the writing on the wall and are pivoting to a different business model before the publishers realize they’ve been wasting their money.
I guess we’ll give it another four years and see where this goes.