No more cracked games in two years ? (Denuvo thread)
Page 14 of 16
prudislav
VIP Member



Posts: 29148
Location: The land of beer and porn
PostPosted: Tue, 17th May 2016 20:00    Post subject:
sabin1981 wrote:
Weirdly, both Doom and Homefront 2 have variant 2 of Denuvo, not the latest v5. Other v2 titles have already been cracked (well, bypassed) so maybe these two won't be so tough.

that's just how protectionID from December 2015 recognizes the anti-pampers....
variant 1 is the old CPY cracked one with dispatch-table
and variant 2 is the current one without dispatch-table Wink


Sometimes i just want to see NFOHUMP burn \o/
sabin1981
Mostly Cursed



Posts: 87805

PostPosted: Tue, 17th May 2016 20:14    Post subject:
prudislav wrote:
sabin1981 wrote:
Weirdly, both Doom and Homefront 2 have variant 2 of Denuvo, not the latest v5. Other v2 titles have already been cracked (well, bypassed) so maybe these two won't be so tough.

that's just how protectionID from December 2015 recognizes the anti-pampers....
variant 1 is the old CPY cracked one with dispatch-table
and variant 2 is the current one without dispatch-table Wink


I thought protectionID correctly identified version 5? I could have sworn I saw that somewhere Scratch Head
Janz




Posts: 14001

PostPosted: Tue, 17th May 2016 21:52    Post subject:
just checked it. pid shows variant 3 on rotr and 2 on doom. no other games to check though
VGAdeadcafe




Posts: 22230
Location: ★ ಠ_ಠ ★
PostPosted: Wed, 18th May 2016 01:03    Post subject:
prudislav wrote:
sabin1981 wrote:
Weirdly, both Doom and Homefront 2 have variant 2 of Denuvo, not the latest v5. Other v2 titles have already been cracked (well, bypassed) so maybe these two won't be so tough.

that's just how protectionID from December 2015 recognizes the anti-pampers....
variant 1 is the old CPY cracked one with dispatch-table
and variant 2 is the current one without dispatch-table Wink

Anti-pampers ? Laughing Laughing Laughing
M4trix




Posts: 9315
Location: Croatia, Adriatic coast (I can see ixi from here)
PostPosted: Wed, 18th May 2016 01:21    Post subject:
VGAdeadcafe wrote:
prudislav wrote:
sabin1981 wrote:
Weirdly, both Doom and Homefront 2 have variant 2 of Denuvo, not the latest v5. Other v2 titles have already been cracked (well, bypassed) so maybe these two won't be so tough.

that's just how protectionID from December 2015 recognizes the anti-pampers....
variant 1 is the old CPY cracked one with dispatch-table
and variant 2 is the current one without dispatch-table Wink

Anti-pampers ? Laughing Laughing Laughing


C'mon VGA, you know what he meant ! Razz Wink


Made in China is like a box of chocolates. You never know what you're gonna get.
VGAdeadcafe




Posts: 22230
Location: ★ ಠ_ಠ ★
PostPosted: Wed, 18th May 2016 01:44    Post subject:
Anti-tampons? Anti-tampers? Very Happy Very Happy
Stormwolf




Posts: 23744
Location: Norway
PostPosted: Wed, 18th May 2016 02:40    Post subject:
M4trix wrote:
VGAdeadcafe wrote:
prudislav wrote:

that's just how protectionID from December 2015 recognizes the anti-pampers....
variant 1 is the old CPY cracked one with dispatch-table
and variant 2 is the current one without dispatch-table Wink

Anti-pampers ? Laughing Laughing Laughing


C'mon VGA, you know what he meant ! Razz Wink


Doesn't make it the slightest bit less funny Laughing
KamamuraCZ




Posts: 408

PostPosted: Wed, 18th May 2016 03:14    Post subject:
Steam uncrackable, so we all fuckin' (2016 edition)?
Royalgamer06
Banned



Posts: 2317

PostPosted: Wed, 18th May 2016 03:50    Post subject:
KamamuraCZ wrote:
Steam uncrackable, so we all fuckin' (2016 edition)?

prudislav approves
tonizito
VIP Member



Posts: 51456
Location: Portugal, the shithole of Europe.
PostPosted: Wed, 18th May 2016 08:13    Post subject:
VGAdeadcafe wrote:
prudislav wrote:
sabin1981 wrote:
Weirdly, both Doom and Homefront 2 have variant 2 of Denuvo, not the latest v5. Other v2 titles have already been cracked (well, bypassed) so maybe these two won't be so tough.

that's just how protectionID from December 2015 recognizes the anti-pampers....
variant 1 is the old CPY cracked one with dispatch-table
and variant 2 is the current one without dispatch-table Wink

Anti-pampers ? Laughing Laughing Laughing


boundle (thoughts on cracking AITD) wrote:
i guess thouth if without a legit key the installation was rolling back we are all fucking then
JackQ
Non-expret in Derps lagunge



Posts: 14191
Location: Kibbutznik, Israel
PostPosted: Sat, 21st May 2016 09:53    Post subject:
Taken from Reddit Sticky topic:

exit_2 wrote:


"Hello all. I am new here and I hope I can write in English
I didn't crack anything very, very long time. But whole Denuvo is interesting topic for me (yes, I don't like them).
Like I wrote, I didn't crack anything long time and these "new" DRM like Steam or Origin are something new for me.
Last couple of days I am doing deep analyze of Denuvo at Unravel. I didn't finish, but I can write some details right now:
Unravel.exe calls Core/activation64.dll.ordinal64 - I think activation64.dll is part of Origin DRM. Code inside of this function tries open or create mutex "CoreXProcState" and later function loads dbdata.dll and then call function getTableData.
Like ELF_7719116 wrote, this function is very interesting. It's 100% very important, because is obfuscated with something like VMProtect. Function returns 2ACh bytes (my case) long data. These data looks like some HW ID. Origin using name DBReqToken.
I didn't have time analyze how function generate this HW ID, but it uses CPUID instruction with different parameters couple of times and I found functions like: GetLogicalProcessorInformation, GetCurrentProcessorNumber, IsProcessorFeaturePresent
Later activation64.dll create new process core/ActivationUI.exe with parameter "/SMOID=%S". There is some little problem because activationUI is 32-bit process. This process create origin.exe process which is again 32-bit process and then ActivationUI is called again and then game is started.
Origin DRM using names for parameters and then is easier analyze what is what. Protection looks for file activation.ini but never found any (maybe we can try create one). Some of names which Origin uses: WrappedExecutablePath, ExecutableProcessId, ContentIds, RequireOrigin, DBReqToken, UIVersion
License file is created at C:\ProgramData\Electronic Arts\EA Services\License\1031469.dlf (maybe we can run game at offline mode, I will try to investigate it)
File is encrypted, but later decrypted in memory. It contains some names again: <?xml version="1.0", encoding="UTF-8", standalone="yes", <License xmlns="http://ea.com/license">, <CipherKey> (some encryption key?), <MachineHash> (some HW ID?), <ContentId>1031469</ContentId>, <UserId> (user ID at origin service?)
Right now I am analyzing ActivationUI.exe and I will need some more time for it.
Some more information. Game is running when I am going offline. I didn't try to play it and maybe later it will be problem. I will try it and post info. I am writing this because there are some rumors that some parts are decrypted (created) during application run, but I think not at this case (maybe I am wrong). But of course something like this is possible and server can send generated code for specific machine ID.
Attack to Denuvo is possible more than one way. I didn't analyze 3DM or CPY attacks and I don't know how they did it. Maybe someone can write more about it. It's very good to know all possible information.
I think, they did, what I think is easier way. They somehow fooled Denuvo and used same HW ID and same license for all computers. We will need analyze how getTableData function generating this HW ID. ELF already started but we will need more detailed info. I did some research how catch cpuid instruction and it's not easy. I hoped it will generate some exception, but there is no exception.
Opcode is pretty short (2 bytes) and then byte search is not very good idea. There is possibility trace code and found it like this, but this will slow down application and it's little bit dangerous because Denuvo can detect it. Maybe this is why CPY or 3DM cracks take so long time. Finding all CPUID instructions in >100MB file is not easy job. I think they are using not only processor info for HW ID but OS info too (we will see).
Can someone help with deobfuscation Denuvo's code?
I have some more ideas, but my post is really long (sorry). I will return to analyze and keep you updated.
Last problem. I tried to find anything about Origin DRM and I found nothing. It's really strange, because I found detailed info about Steam DRM. It will really help me because Origin is not interesting for me (and I don't like do something what someone else already did) and I want to work directly at Denuvo. I really thought move to Steam and another game (Rise of Tomb Raider) because DRM unwrapper for Steam is public. But I started with this object and I did some work. Maybe someone will help me...
And please don't kill me for long post and bad English."

Fixed


"Fuck Denuvo"

Your personal opinions != the rest of the forum


Last edited by JackQ on Fri, 27th May 2016 17:34; edited 2 times in total
garus
VIP Member



Posts: 34197

PostPosted: Sat, 21st May 2016 10:00    Post subject:
Sooooooooooooooooooooo not cracked.


Great news, keep it up Very Happy
FadeToBlack




Posts: 1010
Location: Turdistan
PostPosted: Sat, 21st May 2016 10:39    Post subject:
denuvo is becoming night time horror story for the pirates. Laughing
EyePatchLives




Posts: 5718
Location: Israel.
PostPosted: Sat, 21st May 2016 11:19    Post subject:
Laughing


"I think Call of Duty resonates because it's believable and relatable," Sledgehammer Games cofounder Michael Condrey says.

Believable and relatable...Yep, sounds like Call of Duty
Keit




Posts: 1134
Location: Sweden
PostPosted: Sat, 21st May 2016 12:39    Post subject:
just imagine how many games we'll have to play when they finally crack denuvo though
Morphineus
VIP Member



Posts: 24883
Location: Sweden
PostPosted: Sat, 21st May 2016 13:03    Post subject:
Just imagine the increase of productivity if these guys were better in the English department. Suddenly they could read the documentation on 64bit debuggers (and other stuff!) properly. We'd have denuvo cracked by now!

Yes men, you read it first here: The language barrier is what makes denuvo uncrackable!

Cool Face

FadeToBlack




Posts: 1010
Location: Turdistan
PostPosted: Sat, 21st May 2016 13:21    Post subject:
Morphineus wrote:
Just imagine the increase of productivity if these guys were better in the English department. Suddenly they could read the documentation on 64bit debuggers (and other stuff!) properly. We'd have denuvo cracked by now!

Yes men, you read it first here: The language barrier is what makes denuvo uncrackable!

Cool Face



Don't be so Swedish, men. It didn't take much time from you to care about others' feeling Laughing
harry_theone




Posts: 11240
Location: The Land of Thread Reports
PostPosted: Sat, 21st May 2016 13:38    Post subject:
@Morphineus Thank you for the valuable info Cool Face
LeoNatan
☢ NFOHump Despot ☢



Posts: 73259
Location: Ramat HaSharon, Israel 🇮🇱
PostPosted: Fri, 27th May 2016 16:47    Post subject:
JackQ wrote:
RengarSenpai(ex scene cracker?) wrote:


"Hello all. I am new here and I hope I can write in English
I didn't crack anything very, very long time. But whole Denuvo is interesting topic for me (yes, I don't like them).
Like I wrote, I didn't crack anything long time and these "new" DRM like Steam or Origin are something new for me.
Last couple of days I am doing deep analyze of Denuvo at Unravel. I didn't finish, but I can write some details right now:
Unravel.exe calls Core/activation64.dll.ordinal64 - I think activation64.dll is part of Origin DRM. Code inside of this function tries open or create mutex "CoreXProcState" and later function loads dbdata.dll and then call function getTableData.
Like ELF_7719116 wrote, this function is very interesting. It's 100% very important, because is obfuscated with something like VMProtect. Function returns 2ACh bytes (my case) long data. These data looks like some HW ID. Origin using name DBReqToken.
I didn't have time analyze how function generate this HW ID, but it uses CPUID instruction with different parameters couple of times and I found functions like: GetLogicalProcessorInformation, GetCurrentProcessorNumber, IsProcessorFeaturePresent
Later activation64.dll create new process core/ActivationUI.exe with parameter "/SMOID=%S". There is some little problem because activationUI is 32-bit process. This process create origin.exe process which is again 32-bit process and then ActivationUI is called again and then game is started.
Origin DRM using names for parameters and then is easier analyze what is what. Protection looks for file activation.ini but never found any (maybe we can try create one). Some of names which Origin uses: WrappedExecutablePath, ExecutableProcessId, ContentIds, RequireOrigin, DBReqToken, UIVersion
License file is created at C:\ProgramData\Electronic Arts\EA Services\License\1031469.dlf (maybe we can run game at offline mode, I will try to investigate it)
File is encrypted, but later decrypted in memory. It contains some names again: <?xml version="1.0", encoding="UTF-8", standalone="yes", <License xmlns="http://ea.com/license">, <CipherKey> (some encryption key?), <MachineHash> (some HW ID?), <ContentId>1031469</ContentId>, <UserId> (user ID at origin service?)
Right now I am analyzing ActivationUI.exe and I will need some more time for it.
Some more information. Game is running when I am going offline. I didn't try to play it and maybe later it will be problem. I will try it and post info. I am writing this because there are some rumors that some parts are decrypted (created) during application run, but I think not at this case (maybe I am wrong). But of course something like this is possible and server can send generated code for specific machine ID.
Attack to Denuvo is possible more than one way. I didn't analyze 3DM or CPY attacks and I don't know how they did it. Maybe someone can write more about it. It's very good to know all possible information.
I think, they did, what I think is easier way. They somehow fooled Denuvo and used same HW ID and same license for all computers. We will need analyze how getTableData function generating this HW ID. ELF already started but we will need more detailed info. I did some research how catch cpuid instruction and it's not easy. I hoped it will generate some exception, but there is no exception.
Opcode is pretty short (2 bytes) and then byte search is not very good idea. There is possibility trace code and found it like this, but this will slow down application and it's little bit dangerous because Denuvo can detect it. Maybe this is why CPY or 3DM cracks take so long time. Finding all CPUID instructions in >100MB file is not easy job. I think they are using not only processor info for HW ID but OS info too (we will see).
Can someone help with deobfuscation Denuvo's code?
I have some more ideas, but my post is really long (sorry). I will return to analyze and keep you updated.
Last problem. I tried to find anything about Origin DRM and I found nothing. It's really strange, because I found detailed info about Steam DRM. It will really help me because Origin is not interesting for me (and I don't like do something what someone else already did) and I want to work directly at Denuvo. I really thought move to Steam and another game (Rise of Tomb Raider) because DRM unwrapper for Steam is public. But I started with this object and I did some work. Maybe someone will help me...
And please don't kill me for long post and bad English."

"RengarSenpai" "ex scene cracker?" No, just some random reddit copypaster. Laughing

You are so dense, you can't even copy reddit properly. Laughing The text above is from a post by "exit_2" from here, from February.
JackQ
Non-expret in Derps lagunge



Posts: 14191
Location: Kibbutznik, Israel
PostPosted: Fri, 27th May 2016 16:53    Post subject:
Got bored and have to troll?

I realized that for days now before u mentioned it.

though I didn't change the nick name for the original poster.

I didn't post the original source because it's a forum for crackers so I don't think it's legal to post that here Smile


"Fuck Denuvo"

Your personal opinions != the rest of the forum
Areius




Posts: 14858

PostPosted: Fri, 27th May 2016 17:11    Post subject:
That 'info' from that 'ex scene cracker' is ridiculous, everyone can that that 'info' very easily. This is just nothing at all.


PC: Yes. Console: No.
harry_theone




Posts: 11240
Location: The Land of Thread Reports
PostPosted: Fri, 27th May 2016 17:14    Post subject:
Jack it's probably best if you keep the /r/CrackStatus shit on /r/CrackStatus. The only thing this has gotten us was a few laughs and some very gullible people that were hoping for a crack. This thing here goes fucking nowhere.
JackQ
Non-expret in Derps lagunge



Posts: 14191
Location: Kibbutznik, Israel
PostPosted: Fri, 27th May 2016 17:27    Post subject:
I have no intention to stop posting info if that it's explanation about the protection like that post, at some degree at least.

I am not posting random posts shit from reddit, it is taken from post which got stickied and yet to see anyone saying it's wrong.


It didn't lead to crack, and it's hard to tell who is really working on it or not, but there is some directions and relatively reliable sources that at least never posting "crack" if there is not really one.

EDIT:
fixed that post, to be more clear, no original source mention though.


"Fuck Denuvo"

Your personal opinions != the rest of the forum
tonizito
VIP Member



Posts: 51456
Location: Portugal, the shithole of Europe.
PostPosted: Fri, 27th May 2016 20:35    Post subject:
Good, stick to posting your "info" on this thread please


boundle (thoughts on cracking AITD) wrote:
i guess thouth if without a legit key the installation was rolling back we are all fucking then
M4trix




Posts: 9315
Location: Croatia, Adriatic coast (I can see ixi from here)
PostPosted: Fri, 27th May 2016 21:09    Post subject:
JackQ wrote:
Got bored and have to troll?


Because he bought Doom 4 and he's trolling us. Mad


Made in China is like a box of chocolates. You never know what you're gonna get.
JackQ
Non-expret in Derps lagunge



Posts: 14191
Location: Kibbutznik, Israel
PostPosted: Fri, 27th May 2016 21:11    Post subject:
I did bought too.. But I still want it to be cracked Very Happy


"Fuck Denuvo"

Your personal opinions != the rest of the forum
thudo




Posts: 6309
Location: Mellonville North, Canada
PostPosted: Fri, 27th May 2016 21:22    Post subject:
Greatest Black Mark on the Cracking Scene since its inception.

A Massive World of Russian/Chinese Crackers/Hackers which easily and absolutely eclipses all the paid devs out there and still.. nothing. WOW!

For Shame... Sad

When we live in a society with so few jobs for kids but soo many with near useless diplomas, I guess we can afford our games via the Bank of Mum and Dad. Laughing

I guess going forward it will become the only way to get your PC games via real cheap or free/pir8te accounts.


MSI GT72S 6QF Dominator Pro S 29th Anniversary Intel i7 6820HK @ 4.0Ghz, 32GB DDR4-2133 RAM, 2x256GB Raid0 Toshiba NVMe 2.5 inch PCIe SSD, Nvidia Geforce GTX 980 OC'ed 200+ Core / 200+ Mem, 17.3 inch LG IPS HD Display @ 75Hz, Intel 7265AC Wifi, Windows 10 Pro BIOS version: .112 EC Firmware version: .105

Current Broadband speed record: 329.1 Mb/sec down // 21.73 Mb/sec up
VGAdeadcafe




Posts: 22230
Location: ★ ಠ_ಠ ★
PostPosted: Fri, 27th May 2016 21:51    Post subject:
lmao that info up there is 0.1% of the reverse engineering needed to crack Denuvo Laughing Laughing Laughing

It's like planning to climb the Himalayas, putting your boots on, grabbing a sandwich, stepping outside the door and saying "pretty good so far, although there is a lot of effort needed still!"
prudislav
VIP Member



Posts: 29148
Location: The land of beer and porn
PostPosted: Fri, 27th May 2016 22:27    Post subject:
just FYI there was one small "D"-related easter egg in one of the recent scene cracks
not gonna post more though Wink it's not that hard to find


Sometimes i just want to see NFOHUMP burn \o/


Last edited by prudislav on Fri, 27th May 2016 23:05; edited 1 time in total
M4trix




Posts: 9315
Location: Croatia, Adriatic coast (I can see ixi from here)
PostPosted: Fri, 27th May 2016 23:03    Post subject:
prudislav wrote:
just FYI there was one small "D"-related easter egg in one of the recent scene cracks
not gonna post more info though Wink


@Prudi, c'mon men, give us at least a hint ! Very Happy


Made in China is like a box of chocolates. You never know what you're gonna get.
All times are GMT + 1 Hour
NFOHump.com Forum Index - PC Games Arena