VMProtect Accuses Denuvo Of Using Unlicensed Software In Its Antipiracy DRM
from the irony-thy-name-is-denuvo dept
To date, the most remarkable aspect of the Denuvo story was the very brief stint it had as a successful DRM. Brief is the operative word, of course, as the past six months or so have seen Denuvo’s vaunted status devolve into one more typical of DRM stories, with defeats for the security software coming at rates measured in days and weeks of a game’s release.
But now things have taken a turn towards the ironic. A security software firm called VMProtect, which makes software to protect against reverse engineering and developing cracks of applications, is accusing Denuvo of having used its software without properly licensing it. This is the kind of thing that folks who support DRM tend to call piracy. And, thus, Denuvo may have “pirated” another company’s software to make its anti-piracy DRM.
According to a post on Russian forum RSDN, Denuvo is accused of engaging in a little piracy of its own. The information comes from a user called drVan?, who is a developer at VMProtect Software, a company whose tools protect against reverse engineering and cracking.
“I want to tell you a story about one very clever and greedy Austrian company called Denuvo Software Solutions GmbH,” drVano begins. “A while ago, this company released a protection system of the same name but the most remarkable thing is that they absolutely illegally used our VMProtect software in doing so.”
drVano goes on to detail the story to a degree that seems legitimate. Denuvo had met with VMProtect about using the latter’s software, but had wanted to do so under the common and cheap $500 license offered publicly as a “personal license.” Rolling that software into a distributed DRM obviously fell outside of that sort of personal use license, leading VMProtect to ask for much more in the way of money if Denuvo wanted to move forward. Denvuo declined, but then apparently went ahead an bought a personal license anyway and began rolling out the software in Denuvo DRM. VMProtect revoked the license due to Denuvo’s breach of the license conditions, but Denuvo kept up its distribution anyway.
Which lead VMProtect to go on offense.
VMProtect then took what appears to be a rather unorthodox measure against Denuvo. After cooperation with Sophos, the anti-virus vendor agreed to flag up the offending versions of Denuvo as potential malware. VMProtect says it has also been speaking with Valve about not featuring the work of “scammers” on its platform.
“Through our long-standing partners from Intellect-C, we are starting to prepare an official claim against Denuvo Software Solutions GmbH with the prospect of going to court. This might be a very good lesson for ‘greedy’ developers who do not care about the intellectual property rights of their colleagues in the same trade,” drVano concludes.
The irony here is delicious. The precipitous fall of DRM, once claimed to be the end of software piracy entirely, culminates in what may be piracy on the part of that same company. All while the effectiveness of that DRM has dropped to essentially zero.
If the gaming industry were ever going to learn that DRM is a failed concept, Denuvo ought to be the teacher of that lesson.
Filed Under: denuvo, drm, piracy
Companies: denuvo, grey box, vmprotect
Comments on “VMProtect Accuses Denuvo Of Using Unlicensed Software In Its Antipiracy DRM”
“The irony here is delicious.”
But not unheard of. We’ve seen plenty of these stories before. And plenty of stories of labels, studios, publishers etc pulling all sorts of stunts to avoid paying artists. Just like the pirates they despise. With the added fact that many pirates end up contributing with the artist in other means (such as shows, direct donations and merchandising).
Re: Re:
True, but in many of those cases they apply a (very thin) veneer of legitimacy by using a laughably one-sided contract that specifically grants them extremely wide discretion to determine how much to pay the author. They then abuse that discretion to the greatest extent they can, so that when they honor the letter of the contract, they owe nothing (or almost nothing). This is part of the reason they get away with it so often and for so long: collecting a realistic sum requires getting a court to decide that the contract is so absurd it cannot be enforced, or that the studios’ conduct is so egregious that not even the absurd contract terms can excuse it. Outside of those scenarios, the only way to stop them is for the author to have so much bargaining power that he/she can demand terms that are more difficult to evade (e.g. the whole "gross percentage instead of net percentage" bit). That power is typically vested only in very well-known celebrity performers.
Here, Denuvo apparently didn’t even bother pretending to comply with a contract. They embedded the code knowing up front that they had no approval to use it in that manner, not even misinformed approval of a one-sided contract.
“This is the kind of thing that folks who support DRM tend to call piracy. And, thus, Denuvo may have “pirated” another company’s software to make its anti-piracy DRM.”
Indeed, but I’d add this – losses due to this kind of “piracy” are much more realistic and quantifiable than “losses” due to file sharing.
Basically, it’s impossible to accurately quantify losses when it’s end users sharing the game. There are numerous situations where no additional money would be forthcoming if a particular copy of a game was not pirated. These range from a user testing a game out (but will not blind buy if a “demo” was not available) to people pirating a non-DRM copy of the game they have actually bought (likely in this case due to the documented performance problems caused by Denuvo). Nobody can accurately state how many copies led to lost sales and how many had no effect.
However, in the case of an unlicensed component, the calculation is realistic and easy to work out – number of unlicensed copies used have a documented figure that the licence should have cost. There’s the lost profit to the creators of the original.
Add to that, this kind of “piracy” is actually worse because it’s part of a commercial product. People downloading a free copy of the game just play that game – no profit motive involved. In the case of commercial infringement such as this, Denuvo have either inadvertently or deliberately refused to pay suppliers in order to increase its own margins.
So, if true, it’s not only a case where Denuvo are participating in the very behaviour their product is meant to prevent, they are doing so in a much more insidious manner than the people they’re paid to stop.
“After cooperation with Sophos, the anti-virus vendor agreed to flag up the offending versions of Denuvo as potential malware.”
I really, really like this. DRM, by definition, is malware, so it’s nice to see it classified as such for once.
Re: Re:
I used to pirate cracked games because I didn’t have money to buy mostly and then to recover some games I had but couldn’t run due to DRM (or the DRM was annoying like having to put the media in the drive). Nowadays I don’t bother pirating nor buying those DRMed games. God bless GOG.
Re: Re: Re:
“the DRM was annoying like having to put the media in the drive”
Yeah, the primary reasons I ever went to the seedier sides of the web were to look for no CD cracks for games. I’ve happily pirated games where the DRM was to enter codes from manuals, etc. and that wasn’t practical/possible. It’s a big reason I laugh at anyone who tries to pretend that every download is a lost sale – no I’m not paying full retail for a game I already own, no matter how much you believe I’m wrong for downloading a copy I can access properly.
“Nowadays I don’t bother pirating nor buying those DRMed games”
There were other reasons (such as moving to Linux desktops full time and not having enough resources to keep up the hardware upgrade cycle after emigrating). But, a large part of the reason why I abandoned PC gaming entirely in favour of consoles was the silly battles with DRM. Sure, consoles have DRM too, but I’ve never encountered something that actively prevents me from playing a game I purchased.
“God bless GOG.”
Seconded.
Re: Re: Re: Re:
At the moment, I’m trying my hand at being a Linux gamer. And sure, there are a lot of games that won’t run, or require some tricky WINE configs, or don’t perform as well as in Windows…but y’know what? I’ve realized that there are enough good native Linux games that I don’t need to bother with the Windows ones.
(There are, of course, plenty of Linux games that use DRM. I buy DRM-free when I can, and just-plain-Steam DRM is benign enough that I can’t say I’ve had issues with it. If there’s third-party DRM, though, that’s a "nope.")
Re: Re: Re: Re:
“God bless GOG.”
Indeed.
I’ve always avoided pirating games, but I’ve been a big user of NO-CD cracks for a long time because I hate keeping a big book of game CDs with me, swapping discs, risking the discs being scratched/ruined, installing Sony malware, etc, etc. Now, if we’re honest, Steam has managed to be a mostly seamless DRM platform. But GOG and their DRM-free values are clearly the ideal.
Long live GOG.
Re: Re: Re:2 Re:
I love GOG but I wish their Linux support was better.
Deserved it
The heart of their software bought (or not), no wonder the engine never changed after the first crack.
I don’t feel too bad for either VMProtect or Denuvo. After all, they both engage in unethical behavior, because they are agents of the content mafia and are pursuing the commerical-unfree-software business model.
Don’t you just love it when copyright law is enforced?
DRMception
Permission to laugh my arse clean off?
Re: DRMception
Sorry the DRM won’t permit you to do as you please with your arse. Otherwise everyone would pirate their arses instead of buying it from the arse manufacturer.
Re: DRMception
Granted soldier! Permission indeed, to point AND laugh at all of the copyright fanboys who will avoid this thread like a vampire avoids a cross shaped garlic pizza.
Re: Re: DRMception
Ok, come on, you are a TechDirt Mean Girl! “Like a vampire avoids”..? You’re a Mean Girl, I think that was a quote directly from the movie! Gotcha, Mean Girl!
Re: Re: Re: DRMception
You keep using that word. I don’t think it means what you think it means.
Hey, guess what, the rest of us can quote movies out of context and without contributing to the discussion. But it seems you’re the only one brimming with pride about that ability…
Re: Re: Re:2 DRMception
I think Mike could make a packet selling “I’m a TechDirt Meangirl” t-shirts and hats.
Re: Re: Re:3 DRMception
Well since asking awkward questions got me labeled one, I’ll have to buy it when it’s available for sale.
Re: Re: Re:2 DRMception
Obviously you are not a golfer.
Lions Eating Hyenas
Their ravening predations, having temporarily depleted the naturally available prey, the fell beasts set to ruthlessly devouring one another much to the amazement and joy of the onlooking populace.
Reporter: "How long do you think it’ll take to break Denuvo?"
Lawyer: "Ten…"
Re: Re:
“How long do you think it’ll take to break Denuvo?”
As long as it takes VMProtect to reverse the code back to readable form and hand it over to the crackers for them to “do their work” on it.
Re: Re: Re:
Yup. But it doesn’t seem they’ve needed to so far. I expect Denuvo to play the “VMProtect didn’t work anyway” card.
The “Ten…” joke aside, VMProtect’s legal battle against Denuvo will last far longer than the DRM. We’re finally seeing the payoff of the legal battles against Prenda, but it took years – just as Ken “Popehat” White warned years ago. “The wheels of justice turn slowly, but they do turn.”
Re: Re: Re: Re:
Too bad they often turn too slowly to be of much help to the victims. At least you’d hope they help establish a precedent so it doesn’t repeat.
Re: Re: Re:
What’s really absurd about this, is that if VMProtect did that, they’d be guilty of a crime in some countries — nowhere in most anti-circumvention laws does it say that the anti-circumvention code must not be stolen.
I just did a search to find out if this is why Arkham: Knight wont run on my computer. Seems likely.
Total consperacy theory but....
This company provides a solution for obscuring your code to make it harder to crack. They got shafted by Denuvo and went so far as to get Sophos to block Denuvo.
So really seems rather reasonable to think they either helped the crackers break Denuvo, or they might even have the cracker on their staff.
Really would be a genius solution for a company like them. “Here is some anti-cracking software, it will do great protecting your code. If you cheat us though….. This is Bob, he wrote that code and he will crack the shit out of yours faster than you can blink.”
Re: Total consperacy theory but....
Moral of the story: don’t shaft your suppliers if your entire product depends on what they’re supplying.
Re: Re: Total consperacy theory but....
A computer program is a set of instructions. By definition – even for DRM – it’s easy to reverse-engineer. Just look at what the instructions do. There are programs that’ll turn them back into editable code.
And so the actual DRM in a DRM system is almost an afterthought. The bulk of the effort is in obfuscating the code so it can’t be reverse engineered.
Which is where VMProtect’s anti-reverse engineering software came in. Without it, this latest version of Denuvo’s software was cracked almost instantly.
The impression I get is that Denuvo’s system didn’t just depend on VMProtect’s product. The key part of it – the bulk of it – WAS VMProtect’s product.
Re: Total consperacy theory but....
I have no evidence it happened like this, but here’s a few hunches:
It’s very likely Denuvo was legitimately cracked, without help from VMProtect.
VMProtect was suspicious of Denuvo after the latter bought a “personal” license.
VMProtect must have found out that Denuvo was using their stuff after analyzing a few cracked games.
They (VMProtect) probably tried to contact Denuvo multiple times to arrange something only for Denuvo to refuse.
The copyright cartel is total hypocrite.
DRM
Don’t Run Me
VMProtect and Sophos deal should be the bigger issue
i’m surprised that this article doesn’t make a much bigger deal out of the deal between VMProtect and Sophos. To me that seems to be the much more sketchy, much more dangerous behavior.
And of course,
GOG for the win!
Re: VMProtect and Sophos deal should be the bigger issue
Yeah this caught my eye as well. Even though I feel like more DRM is closer to malware than not, I’m not too comfortable having non-malicious code flagged as malware. If private companies can negotiate that, what about nations that could prevent a company like Sophos from doing business in their borders?
I’m sure Hollywood would be very interested if they could flag pirated versions as malware, then use something like the CFAA against pirates for spreading malware.
Re: Re: VMProtect and Sophos deal should be the bigger issue
The Sony Root Kit was non-malicious, but I’d certainly call it malware.
Most malware writers insist that their software isn’t malware. When a game sends back your contacts list and other personal information for resale, they’ll describe it as simply part of their business model. When an unrequested browser add-in redirects your home page and search links to their own site, they’re doing it as a service to be helpful.
Re: Re: VMProtect and Sophos deal should be the bigger issue
This kind of thing happens regularly. If you download some pirated software it will not take long to notice the AV going crazy and attacking the cracks for the software.
Really annoying when your AV deletes something and then tells you “That was a cracking program”, well yeah…. I know… now leave it alone so I can crack this game.
Re: VMProtect and Sophos deal should be the bigger issue
I disagree. The DRM is anti-user software. It acts against rather than for the user, slowing down their system and causing other problems. Unwanted and unexpectedly included with something else.
While we’re at it, we should also be calling encryption “Digital Rights Management.” Which it is, of course. It’s only a matter of who manages the rights to the encrypted data.
That way, powerful people who have declared jihad against encryption would be declaring jihad against DRM.
Re: VMProtect and Sophos deal should be the bigger issue
I used VMProtect (personal license) for my needs long ago and it was my understanding that it was their stated policy ‘you leak license key or use it for bad things, we send AV Vendors unique signatures how to detect code signed by YOUR key'(Why? because it was used for many viruses).
It’s very interesting why it’s ONLY Sophos right now.
Ironic, isn't it?
Have you heard the tragedy of Denuvo Software Solutions GmbH the wise?
Re: Ironic, isn't it?
It’s not a story the copyright fanatics would yell you.
Just another reminder that there is no honor amongst thieves. Or digital restrictions management providers.
Techdirt misses the lede: Sophos falsely tags disputed IP as malware
“After cooperation with Sophos, the anti-virus vendor agreed to flag up the offending versions of Denuvo as potential malware.”
Normally, Techdirt would be all over the offense of Sophos being used to settle IP claims.
But because this story involves Denuvo DRM getting some comeupance, Techdirt ignores the much bigger deal, which is that Sophos agreed to tag an **IP dispute** as malware.
Re: Techdirt misses the lede: Sophos falsely tags disputed IP as malware
An IP dispute over software that acts against rather than for the user, slowing down their system and causing other problems. Pirated, unwanted and unexpectedly included with something else. If it’s not malware, it’s indistinguishable from it.
Techdirt may not have made a big deal of the malware label issue, but they didn’t ignore it. It’s reported in the story.
Re: Re: Techdirt misses the lede: Sophos falsely tags disputed IP as malware
“An IP dispute over software that acts against rather than for the user, slowing down their system and causing other problems.”
You are missing the point, too. Sophos didn’t decide to flag DRM as malware. Sophos, according to VMProtect, only flagged the allegedly pirated installs of VMProtect IP as malware, leaving regular installs of VMProtect unflagged.
You, like Techdirt, are so eager to see DRM get its comeuppance that you are missing the bigger issue, which is that Sophos is falsely flagging disputed IP as malware.
If Sophos flagged all DRM, and all installs of VMProtect, as malware then you’d have a point. But they don’t. They are taking sides in an IP dispute and falsely flagging software as malaware because of copyright claims.
Re: Re: Re: Techdirt misses the lede: Sophos falsely tags disputed IP as malware
Again, ignore the IP dispute and there’s STILL good reason to flag it as malware. But there’s also the issue of trust:
There are shareware and open source programs like WinZip and 7-Zip that I trust, but that trust ABSOLUTELY DEPENDS on where I download them from.
You don’t trust software unless it comes from a legitimate source. Denuvo is not a legitimate source for VMProtect.
Re: Re: Re:2 Techdirt misses the lede: Sophos falsely tags disputed IP as malware
The point, as I see it, that Scote seems to be raising is that ignoring the IP dispute is exactly the wrong thing to do.
Just like you should champion any bad guy who is being denied due process (to extent that he should be allowed due process), I agree with Scote that anti-virus has no place in an IP dispute. Saying that behaviour is ok is like saying using the DMCA to censor content online is ok as long as you don’t like the content.
Re: Re: Re:3 Techdirt misses the lede: Sophos falsely tags disputed IP as malware
As Vikarti Anatra says above:
Again, ignore the IP dispute and there’s STILL good reason to flag it as malware. It’s now software that you shouldn’t trust.
Re: Re: Re: Techdirt misses the lede: Sophos falsely tags disputed IP as malware
Re: Re: Re:2 Techdirt misses the lede: Sophos falsely tags disputed IP as malware
But that’s not what they’ve done.
They negotiated with an AV vendor to flag THEIR OWN product as malware. That is, an unauthorized and therefor untrusted copy of their own software.
The latest Denuvo DRM version, without VMProtect, (and cracked immediately) would be a different story. But that’s not being flagged as malware.
Re: Re: Re:3 Techdirt misses the lede: Sophos falsely tags disputed IP as malware
Those are not the same thing. Either they are flagging a competitor’s software, or they are using a third party as leverage in a licensing dispute. Neither of these situations is something to applaud.
Re: Re: Re:4 Techdirt misses the lede: Sophos falsely tags disputed IP as malware
They are not flagging their competitor’s software. They are flagging THEIR OWN software being redistributed by an untrusted source. Denuvo DRM without VMProtect is not being flagged.
Re: Re: Re:5 Techdirt misses the lede: Sophos falsely tags disputed IP as malware
So you’d be ok with a vanilla flavoring company issuing a food safety recall on Vanilla Coke if Coca Cola failed to pay its bills, as long as they didn’t go after any other flavors of Coke?
This is not a trust issue. It is a licensing issue, pure and simple. Paying for something does not make it trustworthy, and failing to pay for something does not make it untrustworthy. The only thing that changes is whether or not it’s used with a valid license. Paying a bill can’t possibly change the trustworthiness of the software in question, surely?
Using anti-virus to sidestep or add leverage to a licensing dispute is absolutely, heinously, the wrong thing to do. No matter how much you agree with the result, it is not the correct way to go about business, and it sets a terrible precedent if allowed.
Re: Re: Re:6 Techdirt misses the lede: Sophos falsely tags disputed IP as malware
Re: Re: Re:7 Techdirt misses the lede: Sophos falsely tags disputed IP as malware
Again, not quite the same thing. Working with the other party and getting the unlicensed product removed from the market is exactly the correct thing to do, if negotiations fail to produce a valid license in a reasonable timeframe.
The difference here is that VMProtect didn’t work with Denuvo; they worked with Sophos to effect the recall. Anti-virus is not supposed to be a license enforcement tool, and everyone is less safe if that becomes the norm.
Re: Re: Re:8 Techdirt misses the lede: Sophos falsely tags disputed IP as malware
One more time, as Vikarti Anatra says above:
Suppose you write a remote access tool for doing tech support. And then someone else – without consulting you – uses it to commit crime. The FBI may arrest you and the DOJ may prosecute you. YOU are held responsible for not policing its use.
Yes, that’s goddamned insane and stupid. But it’s reality, and it’s not at all hard to imagine VMProtect’s writers ending up in the same situation.
Often the only defense against such BS charges is being able to show "Look, we tried. Here’s how…." Working with the anti-virus companies to treat unauthorized use as malware might do that.
The story says otherwise. VMProtect tried to work with Denuvo, but…
Re: Re: Re:9 Techdirt misses the lede: Sophos falsely tags disputed IP as malware
Yeah, I forgot about that story.
I still say that even though VirtualVM’s actions may have been necessary, that doesn’t make it ok. And, that trying to make it ok is plastering over the symptom while ignoring the problem.
I still say that asking virus scanners to enforce license agreements makes everyone less safe.
It’s not fully clear what exactly happen (RSDN thread says they planned to do something but… ). VMProtect’s site has blog post from 6th June http://vmpsoft.com/20170606/vmprotect-and-denuvo-gmbh/
Does it mean they settled?
the torrentfreak article linked has an update that says that Denuvo has permission to use vmprotect.. but their site is down for me at the moment so here’s an archive link:
https://web.archive.org/web/20170607162145/vmpsoft.com/20170606/vmprotect-and-denuvo-gmbh/
Re: Re:
It is working right now: http://vmpsoft.com/20170606/vmprotect-and-denuvo-gmbh/
Maybe the pirates DDOSed their site when you were reading?
Why didn’t this article write do his/her due diligence in finding out the facts. 1 day before this article was released VMProtect came out and said that rumor was false.
http://vmpsoft.com/20170606/vmprotect-and-denuvo-gmbh/