Wait, you mean client-side anticheat is not some holy unbreakable barrier? I am shocked (sarcasm)
this post was submitted on 04 Apr 2026
243 points (99.2% liked)
Technology
83502 readers
3590 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
You are an idiot. This is quite exciting.
Good for you then :)
What is denuvo? Would someone break down how it works. It sounds like an interesting thing to learn from as I think they used 18bit encryption for early pioneers that it was for coded placement for locked sections of a nest portal. These were introduced to Nintendo i think for games like Zelda. I think it was denuvo that had been early ways of releasing full games. The only thing I could remember from something with computers but it’s been years since I ever worked on computers. Denuvo sounds very familiar from what I had seen a long time ago.
Sharing chatgpt answer as I was curious myself
Denuvo differs from older DRM by continuously protecting the game’s code instead of just checking ownership once. Traditional systems like Steam or SecuROM perform a one-time validation, but Denuvo embeds encryption, obfuscation, and constant runtime checks directly into the executable, making it much harder to analyze or modify. The recent bypass described by Tom’s Hardware didn’t actually “crack” Denuvo in the traditional sense. Instead, it used a hypervisor, a low-level virtualization layer, to sit between the game and the operating system and feed Denuvo fake “valid” responses so it believes everything is legitimate. This avoids removing the protection entirely and instead tricks it. The tradeoff is that the method requires disabling core Windows security features, which creates serious system-level risks and is why even some in the piracy community consider it unsafe.
When are Denuvo games coming to GOG and itch.io? We feel extremely left out guys.
GOG is strictly anti-DRM, so you'll never get Denuvo-enable games there. You miiiiiight get them after Denuvo gets pulled out, but the sort of publisher that wants Denuvo included is probably the same kind to refuse a totally DRM-free release.
.........I should've added the /s, come to think of it.
Would running in Proton mean the security issues are moot?
This is too low level to run in Proton.
Good, I hope they go bankrupt.
By someone besides Empress?
Easy solution: fuck denuvo. Fuck the games that use it. And also fuck windows.
Edit: it has been shown many many many times over the many many many years, that preventing Piracy doesn't mean increased sales or vice versa.
Those who don't buy because the can't, won't play It if DRMed (loss not even near the cost of denuvo)
Those who don't buy because they make informed decisions, won't buy or play it, if DRMed (loss plus denuvo cost)
And many would buy a game even if it's non-DRM-ed just because they liked it and want to support the devs. I bought soooo many games AFTER I already finished them or were halfway through.
And putting denuvo on it, instead of giving me a demo? Fuck you. I know the game is shit just by that.
the infuriating one is Capcom. after all these years, decades even, they STILL to this DAY do not understand PC games. they still have yet to figure out HOW to optimize their games for PC and would STILL keep using Denuvo even AFTER admitting that "yeah it slows our games down, yeah we remove it and then put it back"
Either it's old as Japanese execs at capcom that refuse to understand gaming on the PC or they just don't care. But it boggles my mind how Capcom kept using Denuvo while admitting it fucks their shit up.
Capcom puts Denuvo into everything, then after a while they replace it with enigma, which is presumably cheaper, and leave that shit in indefinitely. They also put DRM in games on Steam that they are already selling DRM-free on GoG, defeating any imagined benefit DRM could have and just punishing their actual customers.
Sega meanwhile puts Denuvo into absolutely everything and just keeps it in forever. Square Enix puts Denuvo into everything, but at least usually removes it after a while. I'm thinking this might really be a Japanese thing. They also don't only hate piracy but modding as well, so I'm not surprised they would all opt for the most heinous form of DRM.
Aye, I also rarely understand the motivation. Must really be that those who decide have no real clue about what a computer or a game is.
In the last decade i highly drifted towards indie games and rarely even check AAA anymore. No innovation, no risk, nothing fresh nor great. Just re-iteration of what has already been done before. Milk every franchise until even the hardcore-fans are bored to oblivion.
It's so sad, and I'm passionately gaming since pacman on the Atari 2600
Is there a tag on Steam? Would be useful.
There is a big banner on Steam games that use denuvo
and that banner is very easy to miss. Also if a game is already in your library (because it was gifted to you or you got a key somewhere else), then you don't get warned that you're about to install it that it comes with malware that you'll never be rid of unless you nuke and reinstall your os.
If you use the browser not the client, There's and add-on (steam something) that does show those things. Very helpful
There's also a Denuvo review account that only reports Denuvo status. Great if you don't really use the reviewers because it puts the status in the main store page.
oh do flexlm next...
On the one hand software freedom.
On the other this has me thinking about how fascinating this problem is from academic standpoint.
How can you ensure software can ONLY run on the machines you allow? Even if the user has ring 0 access?
Is it mathematically impossible to achieve?
Practically speaking, people already have cell phones that are impossible to own, because in many cases, users are not allowed to unlock the bootloaders of their phones.
SAAS. You never install the entire application. Large parts of the engine never run locally.
I think Denuvo technically does a little bit of this.
I forgot the exact details, but one of the keys that's used to unscramble the bytecode has to be downloaded from their registry server on first launch.
But after that, it's not required.
Although that still never totally protects it. I've seen a fair few number of passionate game communities bring online-only games back from the dead by reverse engineering the server architecture. It's a lot of work, but if you know how the software is supposed to function then you can write the other half of the software that gives the response to make that work.
Yeah, I can see that. I'm thinking of streaming assets and code on demand, similar to how an optical disk works. It's a terrible waste of resources, and they can be grabbed if they are not cryptographically secured.
Even that, a dedicated player can capture it. If it has to be rendered on the device then they have access to the assets.
City of heroes is a big example
The original code for that was leaked, most if not all replacement servers run that code, not reverse engineered code.
Or use the cloud gaming approach and just stream the video, no local engine at all!
That would protect the IP, but the response time is terrible. Pinging Google.com I get a response time of about 80 ms. At that delay, everything would feel spongy and laggy.
If they cared about your experience they wouldn't be using intrusive DRM at all.
Only with a client server model like in multiplayer or always online games. DRM is a conceptual scam. This kind of attack is unpatchable. It's essentially a blue pill attack against a single program.
It's totally possible to achieve. TPM is the desktop equivalent of the technology that runs on your cellphone to have apps detect if you have an unlocked bootloader or root. It's the same technology prevents your favorite concole (ie: switch 2, ect) from running pirated games.
This improved security does come at a price: we/the users are the enemy and cannot be trusted. This means modifying your system will be prohibited and we (the consumer) will have to trust that Big Tech has our best interests in mind. /s
What's preventing spoofing this with a fake implementation?
To expand on this a bit:
It's all built on top of the concept of "a chain of trust", starting at the hardware level.
(as mentioned) TPM is a chip that'll store encryption keys at a hardware level and retrieval of these keys can only happen if the hardware is unmodified.
I assume that part of this key is derived from aspects of your OS (ie: all device drivers are signed by MS).
The OS will fetch this key, if it's valid - the OS knows that the hardware is untampered, it can then verify that the OS is unmodified, which can then be used by application to determine that their not modified, etc.
Now you could spoof your own TPM chip (similar to how Switch 1's are chipped/nodded), but the deal-breaker is that when you add your key to the TPM chip, you sign it with a hardware vendor specific public key. And that vendor private key is baked into the hardware (often into the CPU, so the private key never crosses the hardware bus).
Luckily that key always leaks from a human or side channel
Cryptography.
Yes
I don't think this is matter of mathematics, it is difficult to define what "software only running on desired machine" is. Like, do you permit functionally equal software with different code? With painstaking effort, functionality should be approximated fairly close (although idk what that means in mathematical context) On the other hand, requiring exact code is likely not what they want.
Cryptographic guarantee requires mathematical specification, which seems ill-fit in this scenario.
What kind of measures do current Denuvo versions take that they need these kinds of bypasses?
It's at least running in the HyperVisor layer of the OS, which to my understanding is basically the same as a rootkit, tho I am not sure if it's a higher or lower level than that.
I don't understand how that is possible without installing its own kernel driver. afaik only the denuvo anticheat does that
Am still not playing any Video Game with Denuvo.
(I only play games with Steam's DRM)
view more: next ›