VMProtect Accuses Denuvo Of Using Unlicensed Software In Its Antipiracy DRM
from the irony-thy-name-is-denuvo dept
To date, the most remarkable aspect of the Denuvo story was the very brief stint it had as a successful DRM. Brief is the operative word, of course, as the past six months or so have seen Denuvo's vaunted status devolve into one more typical of DRM stories, with defeats for the security software coming at rates measured in days and weeks of a game's release.
But now things have taken a turn towards the ironic. A security software firm called VMProtect, which makes software that protects applications against reverse engineering and cracking, is accusing Denuvo of having used its software without properly licensing it. This is the kind of thing that folks who support DRM tend to call piracy. And, thus, Denuvo may have "pirated" another company's software to make its anti-piracy DRM.
According to a post on Russian forum RSDN, Denuvo is accused of engaging in a little piracy of its own. The information comes from a user called drVanо, who is a developer at VMProtect Software, a company whose tools protect against reverse engineering and cracking.
“I want to tell you a story about one very clever and greedy Austrian company called Denuvo Software Solutions GmbH,” drVano begins. “A while ago, this company released a protection system of the same name but the most remarkable thing is that they absolutely illegally used our VMProtect software in doing so.”
drVano goes on to detail the story to a degree that seems legitimate. Denuvo had met with VMProtect about using the latter's software, but had wanted to do so under the common and cheap $500 license offered publicly as a "personal license." Rolling that software into a distributed DRM obviously fell outside of that sort of personal use license, leading VMProtect to ask for much more in the way of money if Denuvo wanted to move forward. Denuvo declined, but then apparently went ahead and bought a personal license anyway and began rolling out the software in Denuvo DRM. VMProtect revoked the license due to Denuvo's breach of the license conditions, but Denuvo kept up its distribution anyway.
Which led VMProtect to go on offense.
VMProtect then took what appears to be a rather unorthodox measure against Denuvo. After cooperation with Sophos, the anti-virus vendor agreed to flag up the offending versions of Denuvo as potential malware. VMProtect says it has also been speaking with Valve about not featuring the work of “scammers” on its platform.
“Through our long-standing partners from Intellect-C, we are starting to prepare an official claim against Denuvo Software Solutions GmbH with the prospect of going to court. This might be a very good lesson for ‘greedy’ developers who do not care about the intellectual property rights of their colleagues in the same trade,” drVano concludes.
The irony here is delicious. The precipitous fall of DRM, once claimed to be the end of software piracy entirely, culminates in what may be piracy on the part of that same company. All while the effectiveness of that DRM has dropped to essentially zero.
If the gaming industry were ever going to learn that DRM is a failed concept, Denuvo ought to be the teacher of that lesson.
Filed Under: denuvo, drm, piracy
Companies: denuvo, grey box, vmprotect
Reader Comments
But not unheard of. We've seen plenty of these stories before. And plenty of stories of labels, studios, publishers etc pulling all sorts of stunts to avoid paying artists. Just like the pirates they despise. With the added fact that many pirates end up contributing with the artist in other means (such as shows, direct donations and merchandising).
[ link to this | view in thread ]
Indeed, but I'd add this - losses due to this kind of "piracy" are much more realistic and quantifiable than "losses" due to file sharing.
Basically, it's impossible to accurately quantify losses when it's end users sharing the game. There are numerous situations where no additional money would be forthcoming if a particular copy of a game was not pirated. These range from a user testing a game out (but will not blind buy if a "demo" was not available) to people pirating a non-DRM copy of the game they have actually bought (likely in this case due to the documented performance problems caused by Denuvo). Nobody can accurately state how many copies led to lost sales and how many had no effect.
However, in the case of an unlicensed component, the calculation is realistic and easy to work out - number of unlicensed copies used have a documented figure that the licence should have cost. There's the lost profit to the creators of the original.
Add to that, this kind of "piracy" is actually worse because it's part of a commercial product. People downloading a free copy of the game just play that game - no profit motive involved. In the case of commercial infringement such as this, Denuvo have either inadvertently or deliberately refused to pay suppliers in order to increase its own margins.
So, if true, it's not only a case where Denuvo are participating in the very behaviour their product is meant to prevent, they are doing so in a much more insidious manner than the people they're paid to stop.
"After cooperation with Sophos, the anti-virus vendor agreed to flag up the offending versions of Denuvo as potential malware."
I really, really like this. DRM, by definition, is malware, so it's nice to see it classified as such for once.
[ link to this | view in thread ]
Deserved it
I don't feel too bad for either VMProtect or Denuvo. After all, they both engage in unethical behavior, because they are agents of the content mafia and are pursuing the commercial-unfree-software business model.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
DRMception
[ link to this | view in thread ]
Re: Re:
Yeah, the primary reasons I ever went to the seedier sides of the web were to look for no CD cracks for games. I've happily pirated games where the DRM was to enter codes from manuals, etc. and that wasn't practical/possible. It's a big reason I laugh at anyone who tries to pretend that every download is a lost sale - no I'm not paying full retail for a game I already own, no matter how much you believe I'm wrong for downloading a copy I can access properly.
"Nowadays I don't bother pirating nor buying those DRMed games"
There were other reasons (such as moving to Linux desktops full time and not having enough resources to keep up the hardware upgrade cycle after emigrating). But, a large part of the reason why I abandoned PC gaming entirely in favour of consoles was the silly battles with DRM. Sure, consoles have DRM too, but I've never encountered something that actively prevents me from playing a game I purchased.
"God bless GOG."
Seconded.
[ link to this | view in thread ]
Lions Eating Hyenas
[ link to this | view in thread ]
Reporter: "How long do you think it'll take to break Denuvo?"
Lawyer: "Ten..."
[ link to this | view in thread ]
Re: DRMception
[ link to this | view in thread ]
Re: DRMception
[ link to this | view in thread ]
Re:
As long as it takes VMProtect to reverse the code back to readable form and hand it over to the crackers for them to "do their work" on it.
[ link to this | view in thread ]
Total conspiracy theory but....
So really seems rather reasonable to think they either helped the crackers break Denuvo, or they might even have the cracker on their staff.
Really would be a genius solution for a company like them. "Here is some anti-cracking software, it will do great protecting your code. If you cheat us though..... This is Bob, he wrote that code and he will crack the shit out of yours faster than you can blink."
[ link to this | view in thread ]
Re: Re: DRMception
[ link to this | view in thread ]
Re: Total conspiracy theory but....
[ link to this | view in thread ]
Re: Re: Total conspiracy theory but....
And so the actual DRM in a DRM system is almost an afterthought. The bulk of the effort is in obfuscating the code so it can't be reverse engineered.
Which is where VMProtect's anti-reverse engineering software came in. Without it, this latest version of Denuvo's software was cracked almost instantly.
The impression I get is that Denuvo's system didn't just depend on VMProtect's product. The key part of it - the bulk of it - *WAS* VMProtect's product.
[ link to this | view in thread ]
Re:
True, but in many of those cases they apply a (very thin) veneer of legitimacy by using a laughably one-sided contract that specifically grants them extremely wide discretion to determine how much to pay the author. They then abuse that discretion to the greatest extent they can, so that when they honor the letter of the contract, they owe nothing (or almost nothing). This is part of the reason they get away with it so often and for so long: collecting a realistic sum requires getting a court to decide that the contract is so absurd it cannot be enforced, or that the studios' conduct is so egregious that not even the absurd contract terms can excuse it. Outside of those scenarios, the only way to stop them is for the author to have so much bargaining power that he/she can demand terms that are more difficult to evade (e.g. the whole "gross percentage instead of net percentage" bit). That power is typically vested only in very well-known celebrity performers.
Here, Denuvo apparently didn't even bother pretending to comply with a contract. They embedded the code knowing up front that they had no approval to use it in that manner, not even misinformed approval of a one-sided contract.
[ link to this | view in thread ]
Re: Re:
The "Ten..." joke aside, VMProtect's legal battle against Denuvo will last far longer than the DRM. We're finally seeing the payoff of the legal battles against Prenda, but it took years - just as Ken "Popehat" White warned years ago. "The wheels of justice turn slowly, but they do turn."
[ link to this | view in thread ]
Re: Re: Re: DRMception
Hey, guess what, the rest of us can quote movies out of context and without contributing to the discussion. But it seems you're the only one brimming with pride about that ability...
[ link to this | view in thread ]
DRM
[ link to this | view in thread ]
Re: Re: Re: Re: DRMception
[ link to this | view in thread ]
VMProtect and Sophos deal should be the bigger issue
And of course,
GOG for the win!
[ link to this | view in thread ]
Re: VMProtect and Sophos deal should be the bigger issue
I'm sure Hollywood would be very interested if they could flag pirated versions as malware, then use something like the CFAA against pirates for spreading malware.
[ link to this | view in thread ]
Re: VMProtect and Sophos deal should be the bigger issue
While we're at it, we should also be calling encryption "Digital Rights Management." Which it is, of course. It's only a matter of who manages the rights to the encrypted data.
That way, powerful people who have declared jihad against encryption would be declaring jihad against DRM.
[ link to this | view in thread ]
Re: Re: VMProtect and Sophos deal should be the bigger issue
The Sony Root Kit was non-malicious, but I'd certainly call it malware.
Most malware writers insist that their software isn't malware. When a game sends back your contacts list and other personal information for resale, they'll describe it as simply part of their business model. When an unrequested browser add-in redirects your home page and search links to their own site, they're doing it as a service to be helpful.
[ link to this | view in thread ]
Re: Total conspiracy theory but....
It's very likely Denuvo was legitimately cracked, without help from VMProtect.
VMProtect was suspicious of Denuvo after the latter bought a "personal" license.
VMProtect must have found out that Denuvo was using their stuff after analyzing a few cracked games.
They (VMProtect) probably tried to contact Denuvo multiple times to arrange something only for Denuvo to refuse.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Ironic, isn't it?
[ link to this | view in thread ]
Re: Re: Re:
At the moment, I'm trying my hand at being a Linux gamer. And sure, there are a lot of games that won't run, or require some tricky WINE configs, or don't perform as well as in Windows...but y'know what? I've realized that there are enough good native Linux games that I don't need to bother with the Windows ones.
(There are, of course, plenty of Linux games that use DRM. I buy DRM-free when I can, and just-plain-Steam DRM is benign enough that I can't say I've had issues with it. If there's third-party DRM, though, that's a "nope.")
[ link to this | view in thread ]
Re: Re: Re: Re: DRMception
Obviously you are not a golfer.
[ link to this | view in thread ]
Re: Re: VMProtect and Sophos deal should be the bigger issue
Really annoying when your AV deletes something and then tells you "That was a cracking program", well yeah.... I know... now leave it alone so I can crack this game.
[ link to this | view in thread ]
Re: Re: Re:
Indeed.
I've always avoided pirating games, but I've been a big user of NO-CD cracks for a long time because I hate keeping a big book of game CDs with me, swapping discs, risking the discs being scratched/ruined, installing Sony malware, etc, etc. Now, if we're honest, Steam has managed to be a mostly seamless DRM platform. But GOG and their DRM-free values are clearly the ideal.
Long live GOG.
[ link to this | view in thread ]
Techdirt misses the lede: Sophos falsely tags disputed IP as malware
Normally, Techdirt would be all over the offense of Sophos being used to settle IP claims.
But because this story involves Denuvo DRM getting some comeuppance, Techdirt ignores the much bigger deal, which is that Sophos agreed to tag an **IP dispute** as malware.
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Techdirt misses the lede: Sophos falsely tags disputed IP as malware
Techdirt may not have made a big deal of the malware label issue, but they didn't ignore it. It's reported in the story.
[ link to this | view in thread ]
Re: Re: Techdirt misses the lede: Sophos falsely tags disputed IP as malware
You are missing the point, too. Sophos didn't decide to flag DRM as malware. Sophos, according to VMProtect, only flagged the allegedly pirated installs of VMProtect IP as malware, leaving regular installs of VMProtect unflagged.
You, like Techdirt, are so eager to see DRM get its comeuppance that you are missing the bigger issue, which is that Sophos is falsely flagging *disputed IP* as malware.
If Sophos flagged *all* DRM, and all installs of VMProtect, as malware then you'd have a point. But they don't. They are taking sides in an *IP dispute* and falsely flagging software as malware because of copyright claims.
[ link to this | view in thread ]
Re: Re: Re: Techdirt misses the lede: Sophos falsely tags disputed IP as malware
There are shareware and open source programs like WinZip and 7-Zip that I trust, but that trust ABSOLUTELY DEPENDS on where I download them from.
You don't trust software unless it comes from a legitimate source. Denuvo is not a legitimate source for VMProtect.
[ link to this | view in thread ]
Re: Re: Re: Techdirt misses the lede: Sophos falsely tags disputed IP as malware
On the contrary, IMO the fact that an entity can negotiate with an AV vendor to flag another entity's product as malware is concerning. This can lead to anti-competitive behavior, as most users tend to trust the AV vendor more.
I'll have no problem if Sophos flags all DRM as malware, but in this instance, it flagged a particular product at the request of / in negotiation with a vendor, with the vendor on record as having problems with the creator of the said product.
When I read about this in the article, all I can think of is "reverse zero-rating" an app.
[ link to this | view in thread ]
Re: Re: Re: Re: Techdirt misses the lede: Sophos falsely tags disputed IP as malware
But that's not what they've done.
They negotiated with an AV vendor to flag THEIR OWN product as malware. That is, an unauthorized and therefore untrusted copy of their own software.
The latest Denuvo DRM version, without VMProtect, (and cracked immediately) would be a different story. But that's not being flagged as malware.
[ link to this | view in thread ]
Re: VMProtect and Sophos deal should be the bigger issue
It's very interesting why it's ONLY Sophos right now.
[ link to this | view in thread ]
Re: Re: Re: Re: Techdirt misses the lede: Sophos falsely tags disputed IP as malware
The point, as I see it, that Scote seems to be raising is that ignoring the IP dispute is exactly the wrong thing to do.
Just like you should champion any bad guy who is being denied due process (to extent that he should be allowed due process), I agree with Scote that anti-virus has no place in an IP dispute. Saying that behaviour is ok is like saying using the DMCA to censor content online is ok as long as you don't like the content.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Techdirt misses the lede: Sophos falsely tags disputed IP as malware
Those are not the same thing. Either they are flagging a competitor's software, or they are using a third party as leverage in a licensing dispute. Neither of these situations is something to applaud.
[ link to this | view in thread ]
Does it mean they settled?
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Techdirt misses the lede: Sophos falsely tags disputed IP as malware
As Vikarti Anatra says above:
Again, ignore the IP dispute and there's STILL good reason to flag it as malware. It's now software that you shouldn't trust.
[ link to this | view in thread ]
https://web.archive.org/web/20170607162145/vmpsoft.com/20170606/vmprotect-and-denuvo-gmbh/
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Techdirt misses the lede: Sophos falsely tags disputed IP as malware
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Techdirt misses the lede: Sophos falsely tags disputed IP as malware
So you'd be ok with a vanilla flavoring company issuing a food safety recall on Vanilla Coke if Coca Cola failed to pay its bills, as long as they didn't go after any other flavors of Coke?
This is not a trust issue. It is a licensing issue, pure and simple. Paying for something does not make it trustworthy, and failing to pay for something does not make it untrustworthy. The only thing that changes is whether or not it's used with a valid license. Paying a bill can't possibly change the trustworthiness of the software in question, surely?
Using anti-virus to sidestep or add leverage to a licensing dispute is absolutely, heinously, the wrong thing to do. No matter how much you agree with the result, it is not the correct way to go about business, and it sets a terrible precedent if allowed.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re: Techdirt misses the lede: Sophos falsely tags disputed IP as malware
It worked for Amazon (the issue with Kindle and 1984, which they couldn't sell; yes, they refunded customers, but how does the refund matter here?)
https://www.techdirt.com/articles/20090717/1559425587.shtml
It also worked for Amazon and Disney https://www.techdirt.com/articles/20131216/16292925583/you-dont-own-what-you-bought-disney-amazon-play-role-grinch-taking-back-purchased-film.shtml (This time Disney just decided they don't want Amazon to offer the movie (if we believe the 1st version of Amazon's response))
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Techdirt misses the lede: Sophos falsely tags disputed IP as malware
The difference here is that VMProtect didn't work with Denuvo; they worked with Sophos to effect the recall. Anti-virus is not supposed to be a license enforcement tool, and everyone is less safe if that becomes the norm.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Techdirt misses the lede: Sophos falsely tags disputed IP as malware
One more time, as Vikarti Anatra says above:
Suppose you write a remote access tool for doing tech support. And then someone else - without consulting you - uses it to commit crime. The FBI may arrest you and the DOJ may prosecute you. YOU are held responsible for not policing its use.
Yes, that's goddamned insane and stupid. But it's reality, and it's not at all hard to imagine VMProtect's writers ending up in the same situation.
Often the only defense against such BS charges is being able to show "Look, we tried. Here's how...." Working with the anti-virus companies to treat unauthorized use as malware might do that.
The story says otherwise. VMProtect tried to work with Denuvo, but...
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Techdirt misses the lede: Sophos falsely tags disputed IP as malware
I still say that even though VirtualVM's actions may have been necessary, that doesn't make it ok. And, that trying to make it ok is plastering over the symptom while ignoring the problem.
I still say that asking virus scanners to enforce license agreements makes everyone less safe.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: DRMception
[ link to this | view in thread ]
Re: Ironic, isn't it?
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re:
Maybe the pirates DDOSed their site when you were reading?
[ link to this | view in thread ]
http://vmpsoft.com/20170606/vmprotect-and-denuvo-gmbh/
[ link to this | view in thread ]