VMProtect Accuses Denuvo Of Using Unlicensed Software In Its Antipiracy DRM

from the irony-thy-name-is-denuvo dept

To date, the most remarkable aspect of the Denuvo story was the very brief stint it had as a successful DRM. Brief is the operative word, of course, as the past six months or so have seen Denuvo’s vaunted status devolve into one more typical of DRM stories, with defeats for the security software coming at rates measured in days and weeks of a game’s release.

But now things have taken a turn towards the ironic. A security software firm called VMProtect, which makes software to protect against reverse engineering and developing cracks of applications, is accusing Denuvo of having used its software without properly licensing it. This is the kind of thing that folks who support DRM tend to call piracy. And, thus, Denuvo may have “pirated” another company’s software to make its anti-piracy DRM.

According to a post on Russian forum RSDN, Denuvo is accused of engaging in a little piracy of its own. The information comes from a user called drVan?, who is a developer at VMProtect Software, a company whose tools protect against reverse engineering and cracking.

“I want to tell you a story about one very clever and greedy Austrian company called Denuvo Software Solutions GmbH,” drVano begins. “A while ago, this company released a protection system of the same name but the most remarkable thing is that they absolutely illegally used our VMProtect software in doing so.”

drVano goes on to detail the story to a degree that seems legitimate. Denuvo had met with VMProtect about using the latter’s software, but had wanted to do so under the common and cheap $500 license offered publicly as a “personal license.” Rolling that software into a distributed DRM obviously fell outside of that sort of personal use license, leading VMProtect to ask for much more in the way of money if Denuvo wanted to move forward. Denvuo declined, but then apparently went ahead an bought a personal license anyway and began rolling out the software in Denuvo DRM. VMProtect revoked the license due to Denuvo’s breach of the license conditions, but Denuvo kept up its distribution anyway.

Which lead VMProtect to go on offense.

VMProtect then took what appears to be a rather unorthodox measure against Denuvo. After cooperation with Sophos, the anti-virus vendor agreed to flag up the offending versions of Denuvo as potential malware. VMProtect says it has also been speaking with Valve about not featuring the work of “scammers” on its platform.

“Through our long-standing partners from Intellect-C, we are starting to prepare an official claim against Denuvo Software Solutions GmbH with the prospect of going to court. This might be a very good lesson for ‘greedy’ developers who do not care about the intellectual property rights of their colleagues in the same trade,” drVano concludes.

The irony here is delicious. The precipitous fall of DRM, once claimed to be the end of software piracy entirely, culminates in what may be piracy on the part of that same company. All while the effectiveness of that DRM has dropped to essentially zero.

If the gaming industry were ever going to learn that DRM is a failed concept, Denuvo ought to be the teacher of that lesson.

Filed Under: , ,
Companies: denuvo, grey box, vmprotect

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “VMProtect Accuses Denuvo Of Using Unlicensed Software In Its Antipiracy DRM”

Subscribe: RSS Leave a comment
59 Comments
Ninja (profile) says:

“The irony here is delicious.”

But not unheard of. We’ve seen plenty of these stories before. And plenty of stories of labels, studios, publishers etc pulling all sorts of stunts to avoid paying artists. Just like the pirates they despise. With the added fact that many pirates end up contributing with the artist in other means (such as shows, direct donations and merchandising).

Anonymous Coward says:

Re: Re:

But not unheard of. We’ve seen plenty of these stories before. And plenty of stories of labels, studios, publishers etc pulling all sorts of stunts to avoid paying artists.

True, but in many of those cases they apply a (very thin) veneer of legitimacy by using a laughably one-sided contract that specifically grants them extremely wide discretion to determine how much to pay the author. They then abuse that discretion to the greatest extent they can, so that when they honor the letter of the contract, they owe nothing (or almost nothing). This is part of the reason they get away with it so often and for so long: collecting a realistic sum requires getting a court to decide that the contract is so absurd it cannot be enforced, or that the studios’ conduct is so egregious that not even the absurd contract terms can excuse it. Outside of those scenarios, the only way to stop them is for the author to have so much bargaining power that he/she can demand terms that are more difficult to evade (e.g. the whole "gross percentage instead of net percentage" bit). That power is typically vested only in very well-known celebrity performers.

Here, Denuvo apparently didn’t even bother pretending to comply with a contract. They embedded the code knowing up front that they had no approval to use it in that manner, not even misinformed approval of a one-sided contract.

PaulT (profile) says:

“This is the kind of thing that folks who support DRM tend to call piracy. And, thus, Denuvo may have “pirated” another company’s software to make its anti-piracy DRM.”

Indeed, but I’d add this – losses due to this kind of “piracy” are much more realistic and quantifiable than “losses” due to file sharing.

Basically, it’s impossible to accurately quantify losses when it’s end users sharing the game. There are numerous situations where no additional money would be forthcoming if a particular copy of a game was not pirated. These range from a user testing a game out (but will not blind buy if a “demo” was not available) to people pirating a non-DRM copy of the game they have actually bought (likely in this case due to the documented performance problems caused by Denuvo). Nobody can accurately state how many copies led to lost sales and how many had no effect.

However, in the case of an unlicensed component, the calculation is realistic and easy to work out – number of unlicensed copies used have a documented figure that the licence should have cost. There’s the lost profit to the creators of the original.

Add to that, this kind of “piracy” is actually worse because it’s part of a commercial product. People downloading a free copy of the game just play that game – no profit motive involved. In the case of commercial infringement such as this, Denuvo have either inadvertently or deliberately refused to pay suppliers in order to increase its own margins.

So, if true, it’s not only a case where Denuvo are participating in the very behaviour their product is meant to prevent, they are doing so in a much more insidious manner than the people they’re paid to stop.

“After cooperation with Sophos, the anti-virus vendor agreed to flag up the offending versions of Denuvo as potential malware.”

I really, really like this. DRM, by definition, is malware, so it’s nice to see it classified as such for once.

PaulT (profile) says:

Re: Re: Re:

“the DRM was annoying like having to put the media in the drive”

Yeah, the primary reasons I ever went to the seedier sides of the web were to look for no CD cracks for games. I’ve happily pirated games where the DRM was to enter codes from manuals, etc. and that wasn’t practical/possible. It’s a big reason I laugh at anyone who tries to pretend that every download is a lost sale – no I’m not paying full retail for a game I already own, no matter how much you believe I’m wrong for downloading a copy I can access properly.

“Nowadays I don’t bother pirating nor buying those DRMed games”

There were other reasons (such as moving to Linux desktops full time and not having enough resources to keep up the hardware upgrade cycle after emigrating). But, a large part of the reason why I abandoned PC gaming entirely in favour of consoles was the silly battles with DRM. Sure, consoles have DRM too, but I’ve never encountered something that actively prevents me from playing a game I purchased.

“God bless GOG.”

Seconded.

Thad (user link) says:

Re: Re: Re: Re:

At the moment, I’m trying my hand at being a Linux gamer. And sure, there are a lot of games that won’t run, or require some tricky WINE configs, or don’t perform as well as in Windows…but y’know what? I’ve realized that there are enough good native Linux games that I don’t need to bother with the Windows ones.

(There are, of course, plenty of Linux games that use DRM. I buy DRM-free when I can, and just-plain-Steam DRM is benign enough that I can’t say I’ve had issues with it. If there’s third-party DRM, though, that’s a "nope.")

guntherpea (profile) says:

Re: Re: Re: Re:

“God bless GOG.”

Indeed.

I’ve always avoided pirating games, but I’ve been a big user of NO-CD cracks for a long time because I hate keeping a big book of game CDs with me, swapping discs, risking the discs being scratched/ruined, installing Sony malware, etc, etc. Now, if we’re honest, Steam has managed to be a mostly seamless DRM platform. But GOG and their DRM-free values are clearly the ideal.

Long live GOG.

Anonymous Coward says:

Deserved it

The heart of their software bought (or not), no wonder the engine never changed after the first crack.

I don’t feel too bad for either VMProtect or Denuvo. After all, they both engage in unethical behavior, because they are agents of the content mafia and are pursuing the commerical-unfree-software business model.

Anonymous Coward says:

Re: Re: Re: DRMception

You keep using that word. I don’t think it means what you think it means.

Hey, guess what, the rest of us can quote movies out of context and without contributing to the discussion. But it seems you’re the only one brimming with pride about that ability…

Roger Strong (profile) says:

Re: Re: Re:

Yup. But it doesn’t seem they’ve needed to so far. I expect Denuvo to play the “VMProtect didn’t work anyway” card.

The “Ten…” joke aside, VMProtect’s legal battle against Denuvo will last far longer than the DRM. We’re finally seeing the payoff of the legal battles against Prenda, but it took years – just as Ken “Popehat” White warned years ago. “The wheels of justice turn slowly, but they do turn.”

Machin Shin says:

Total consperacy theory but....

This company provides a solution for obscuring your code to make it harder to crack. They got shafted by Denuvo and went so far as to get Sophos to block Denuvo.

So really seems rather reasonable to think they either helped the crackers break Denuvo, or they might even have the cracker on their staff.

Really would be a genius solution for a company like them. “Here is some anti-cracking software, it will do great protecting your code. If you cheat us though….. This is Bob, he wrote that code and he will crack the shit out of yours faster than you can blink.”

Roger Strong (profile) says:

Re: Re: Total consperacy theory but....

A computer program is a set of instructions. By definition – even for DRM – it’s easy to reverse-engineer. Just look at what the instructions do. There are programs that’ll turn them back into editable code.

And so the actual DRM in a DRM system is almost an afterthought. The bulk of the effort is in obfuscating the code so it can’t be reverse engineered.

Which is where VMProtect’s anti-reverse engineering software came in. Without it, this latest version of Denuvo’s software was cracked almost instantly.

The impression I get is that Denuvo’s system didn’t just depend on VMProtect’s product. The key part of it – the bulk of it – WAS VMProtect’s product.

Anonymous Coward says:

Re: Total consperacy theory but....

I have no evidence it happened like this, but here’s a few hunches:
It’s very likely Denuvo was legitimately cracked, without help from VMProtect.
VMProtect was suspicious of Denuvo after the latter bought a “personal” license.
VMProtect must have found out that Denuvo was using their stuff after analyzing a few cracked games.
They (VMProtect) probably tried to contact Denuvo multiple times to arrange something only for Denuvo to refuse.

Anonymous Coward says:

Re: VMProtect and Sophos deal should be the bigger issue

Yeah this caught my eye as well. Even though I feel like more DRM is closer to malware than not, I’m not too comfortable having non-malicious code flagged as malware. If private companies can negotiate that, what about nations that could prevent a company like Sophos from doing business in their borders?

I’m sure Hollywood would be very interested if they could flag pirated versions as malware, then use something like the CFAA against pirates for spreading malware.

Roger Strong (profile) says:

Re: Re: VMProtect and Sophos deal should be the bigger issue

I’m not too comfortable having non-malicious code flagged as malware.

The Sony Root Kit was non-malicious, but I’d certainly call it malware.

Most malware writers insist that their software isn’t malware. When a game sends back your contacts list and other personal information for resale, they’ll describe it as simply part of their business model. When an unrequested browser add-in redirects your home page and search links to their own site, they’re doing it as a service to be helpful.

Machin Shin says:

Re: Re: VMProtect and Sophos deal should be the bigger issue

This kind of thing happens regularly. If you download some pirated software it will not take long to notice the AV going crazy and attacking the cracks for the software.

Really annoying when your AV deletes something and then tells you “That was a cracking program”, well yeah…. I know… now leave it alone so I can crack this game.

Roger Strong (profile) says:

Re: VMProtect and Sophos deal should be the bigger issue

I disagree. The DRM is anti-user software. It acts against rather than for the user, slowing down their system and causing other problems. Unwanted and unexpectedly included with something else.

While we’re at it, we should also be calling encryption “Digital Rights Management.” Which it is, of course. It’s only a matter of who manages the rights to the encrypted data.

That way, powerful people who have declared jihad against encryption would be declaring jihad against DRM.

Vikarti Anatra (profile) says:

Re: VMProtect and Sophos deal should be the bigger issue

I used VMProtect (personal license) for my needs long ago and it was my understanding that it was their stated policy ‘you leak license key or use it for bad things, we send AV Vendors unique signatures how to detect code signed by YOUR key'(Why? because it was used for many viruses).
It’s very interesting why it’s ONLY Sophos right now.

Scote (profile) says:

Techdirt misses the lede: Sophos falsely tags disputed IP as malware

“After cooperation with Sophos, the anti-virus vendor agreed to flag up the offending versions of Denuvo as potential malware.”

Normally, Techdirt would be all over the offense of Sophos being used to settle IP claims.

But because this story involves Denuvo DRM getting some comeupance, Techdirt ignores the much bigger deal, which is that Sophos agreed to tag an **IP dispute** as malware.

Roger Strong (profile) says:

Re: Techdirt misses the lede: Sophos falsely tags disputed IP as malware

An IP dispute over software that acts against rather than for the user, slowing down their system and causing other problems. Pirated, unwanted and unexpectedly included with something else. If it’s not malware, it’s indistinguishable from it.

Techdirt may not have made a big deal of the malware label issue, but they didn’t ignore it. It’s reported in the story.

Scote (profile) says:

Re: Re: Techdirt misses the lede: Sophos falsely tags disputed IP as malware

“An IP dispute over software that acts against rather than for the user, slowing down their system and causing other problems.”

You are missing the point, too. Sophos didn’t decide to flag DRM as malware. Sophos, according to VMProtect, only flagged the allegedly pirated installs of VMProtect IP as malware, leaving regular installs of VMProtect unflagged.

You, like Techdirt, are so eager to see DRM get its comeuppance that you are missing the bigger issue, which is that Sophos is falsely flagging disputed IP as malware.

If Sophos flagged all DRM, and all installs of VMProtect, as malware then you’d have a point. But they don’t. They are taking sides in an IP dispute and falsely flagging software as malaware because of copyright claims.

Roger Strong (profile) says:

Re: Re: Re: Techdirt misses the lede: Sophos falsely tags disputed IP as malware

Again, ignore the IP dispute and there’s STILL good reason to flag it as malware. But there’s also the issue of trust:

There are shareware and open source programs like WinZip and 7-Zip that I trust, but that trust ABSOLUTELY DEPENDS on where I download them from.

You don’t trust software unless it comes from a legitimate source. Denuvo is not a legitimate source for VMProtect.

MrTroy (profile) says:

Re: Re: Re:2 Techdirt misses the lede: Sophos falsely tags disputed IP as malware

Again, ignore the IP dispute and there’s STILL good reason to flag it as malware. But there’s also the issue of trust:

The point, as I see it, that Scote seems to be raising is that ignoring the IP dispute is exactly the wrong thing to do.

Just like you should champion any bad guy who is being denied due process (to extent that he should be allowed due process), I agree with Scote that anti-virus has no place in an IP dispute. Saying that behaviour is ok is like saying using the DMCA to censor content online is ok as long as you don’t like the content.

Roger Strong (profile) says:

Re: Re: Re:3 Techdirt misses the lede: Sophos falsely tags disputed IP as malware

As Vikarti Anatra says above:

I used VMProtect (personal license) for my needs long ago and it was my understanding that it was their stated policy ‘you leak license key or use it for bad things, we send AV Vendors unique signatures how to detect code signed by YOUR key'(Why? because it was used for many viruses).

Again, ignore the IP dispute and there’s STILL good reason to flag it as malware. It’s now software that you shouldn’t trust.

Someone says:

Re: Re: Re: Techdirt misses the lede: Sophos falsely tags disputed IP as malware

If Sophos flagged all DRM, and all installs of VMProtect, as malware then you’d have a point. But they don’t. They are taking sides in an IP dispute and falsely flagging software as malaware because of copyright claims.

On the contrary, IMO the fact that an entity can negotiate with an AV vendor to flag another entity’s product as malware is concerning. This can lead to anti-competitive behavior, as most users tend to trust the AV vendor more.

I’ll have no problem if Sophos flag all DRM as malware, but in this instance, it flag a particular product at the request / negotiation with a vendor, with the vendor is on record having problems with the creator of the said product.

When I read about this in the article, all I can think of is “reverse zero-rating” an app.

Roger Strong (profile) says:

Re: Re: Re:2 Techdirt misses the lede: Sophos falsely tags disputed IP as malware

On the contrary, IMO the fact that an entity can negotiate with an AV vendor to flag another entity’s product as malware is concerning.

But that’s not what they’ve done.

They negotiated with an AV vendor to flag THEIR OWN product as malware. That is, an unauthorized and therefor untrusted copy of their own software.

The latest Denuvo DRM version, without VMProtect, (and cracked immediately) would be a different story. But that’s not being flagged as malware.

MrTroy (profile) says:

Re: Re: Re:3 Techdirt misses the lede: Sophos falsely tags disputed IP as malware

They negotiated with an AV vendor to flag THEIR OWN product as malware. That is, an unauthorized and therefor untrusted copy of their own software.

Those are not the same thing. Either they are flagging a competitor’s software, or they are using a third party as leverage in a licensing dispute. Neither of these situations is something to applaud.

MrTroy (profile) says:

Re: Re: Re:5 Techdirt misses the lede: Sophos falsely tags disputed IP as malware

So you’d be ok with a vanilla flavoring company issuing a food safety recall on Vanilla Coke if Coca Cola failed to pay its bills, as long as they didn’t go after any other flavors of Coke?

This is not a trust issue. It is a licensing issue, pure and simple. Paying for something does not make it trustworthy, and failing to pay for something does not make it untrustworthy. The only thing that changes is whether or not it’s used with a valid license. Paying a bill can’t possibly change the trustworthiness of the software in question, surely?

Using anti-virus to sidestep or add leverage to a licensing dispute is absolutely, heinously, the wrong thing to do. No matter how much you agree with the result, it is not the correct way to go about business, and it sets a terrible precedent if allowed.

Vikarti Anatra (profile) says:

Re: Re: Re:6 Techdirt misses the lede: Sophos falsely tags disputed IP as malware

So you’d be ok with a vanilla flavoring company issuing a food safety recall on Vanilla Coke if Coca Cola failed to pay its bills, as long as they didn’t go after any other flavors of Coke?

It worked for Amazon (issue with Kindle and 1984 which they couldn’t sell, yes, they refunded customers but how refund matter here)?
https://www.techdirt.com/articles/20090717/1559425587.shtml

It also worked for Amazon and Disney https://www.techdirt.com/articles/20131216/16292925583/you-dont-own-what-you-bought-disney-amazon-play-role-grinch-taking-back-purchased-film.shtml (This time Disney just decided they don’t want Amazon to offer movie (If we believe 1st version of Amazon’s response))

MrTroy (profile) says:

Re: Re: Re:7 Techdirt misses the lede: Sophos falsely tags disputed IP as malware

Again, not quite the same thing. Working with the other party and getting the unlicensed product removed from the market is exactly the correct thing to do, if negotiations fail to produce a valid license in a reasonable timeframe.

The difference here is that VMProtect didn’t work with Denuvo; they worked with Sophos to effect the recall. Anti-virus is not supposed to be a license enforcement tool, and everyone is less safe if that becomes the norm.

Roger Strong (profile) says:

Re: Re: Re:8 Techdirt misses the lede: Sophos falsely tags disputed IP as malware

One more time, as Vikarti Anatra says above:

I used VMProtect (personal license) for my needs long ago and it was my understanding that it was their stated policy ‘you leak license key or use it for bad things, we send AV Vendors unique signatures how to detect code signed by YOUR key'(Why? because it was used for many viruses).

Suppose you write a remote access tool for doing tech support. And then someone else – without consulting you – uses it to commit crime. The FBI may arrest you and the DOJ may prosecute you. YOU are held responsible for not policing its use.

Yes, that’s goddamned insane and stupid. But it’s reality, and it’s not at all hard to imagine VMProtect’s writers ending up in the same situation.

Often the only defense against such BS charges is being able to show "Look, we tried. Here’s how…." Working with the anti-virus companies to treat unauthorized use as malware might do that.

The difference here is that VMProtect didn’t work with Denuvo;

The story says otherwise. VMProtect tried to work with Denuvo, but…

Denvuo declined, but then apparently went ahead an bought a personal license anyway and began rolling out the software in Denuvo DRM.

MrTroy (profile) says:

Re: Re: Re:9 Techdirt misses the lede: Sophos falsely tags disputed IP as malware

Yeah, I forgot about that story.

I still say that even though VirtualVM’s actions may have been necessary, that doesn’t make it ok. And, that trying to make it ok is plastering over the symptom while ignoring the problem.

I still say that asking virus scanners to enforce license agreements makes everyone less safe.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...