The Denuvo System In Hogwarts Legacy Explained By A DRM Developer

Maurice Heumann, a DRM developer who also writes articles on his own blog analyzing various game exploits and security issues, has shared a new post on reverse engineering and measuring the Denuvo DRM system performance in Hogwarts Legacy. The author empathizes that his goal is never to encourage piracy or hacking but to conduct research for a purely educational purpose and open up the possibility of getting the security vulnerabilities patched.

Since Maurice's last article on reverse engineering integrity checks in Call of Duty: Black Ops 3, he's spent 5 months analyzing the Denuvo DRM in Hogwarts Legacy. His goal was to study the protection to discover all the bindings it uses for the fingerprint and patch them as well as runtime checks.

Here's how it works. The game collects hardware/software features into a fingerprint and generates a Steam Ticket, proof of game ownership. Fingerprint and Ticket are then sent to Denuvo Servers.

From there the Steam Ticket is sent to Steam to presumably make sure the user owns the game. If the user really owns the game, a Denuvo Token is generated, which only works on a PC with the exact fingerprint.

Using that token, the player can now run the game. The game can't run without the token, which is used to decrypt certain values at runtime and similar things. On top of that, Denuvo regularly verifies the hardware features for the fingerprint still match with the token, at runtime.

Maurice explained, that using a Denuvo Token on a PC that has a mismatching fingerprint shows the dialog on the screenshot above, therefore his goal was to get past that dialog.

To figure out what features the game collects, he used the Qiling reverse engineering framework. It emulates any kind of binary allowing it to fully instrument it. Qiling is a powerful tool, yet it requires a whole lot of scripting and adaptation Maurice had to implement himself.

Getting fully accommodated to Qiling and finding most of the fingerprint features took him about two months. Discovering the last one took the remaining 3 months and Maurice only found it by accident. 

With all the features at hand, Maurice forced the game to generate a token on his PC with a fingerprint for his PC. Using all the patches and hooks, around 2000 in total, he now wanted to run the game on his laptop using the token generated for the PC. It took a while, but he managed to launch the game:

Maurice also shared his thoughts on Denuvo's performance, trying to measure it by some hooks to estimate how relevant it is to even talk about performance loss in combination with Denuvo.

Every time the console prints [MOMO] OVERHEAD one of his hooks triggers, this means Denuvo intervenes in the execution of the game. This, in turn, means Denuvo causes at least some performance overhead during those times.

Indeed, Denuvo does intervene from time to time, but one can clearly see that it doesn't do that very often. Only when major things happen, scene switches or loading screens, logs seem to accumulate, which isn't something to worry about in Maurice's opinion.

In conclusion, Maurice highlighted that Denuvo protection is very well integrated into the game, which as a DRM developer he strongly admires and doesn't think that this system really deserves all the hate it usually gets.

Read the full breakdown here and don't forget to join our 80 Level Talent platform and our Telegram channel and follow us on Instagram, Twitter, and LinkedIn, where we share breakdowns, the latest news, awesome artworks, and more.