CODEX UNVIRTUALIZE DENUVO/VMProtect


**************

В связи со стремительно развивающимися событиями, данный топик будет реформирован. Перечень тем, на которые ведется обсуждение:

░▒▓▓-SecuROM 7/8 common (VM research; disk-check bypass attack; find OEP & dumping; cumulative attack...)
░▒▓▓-- SPR I (profiles; updates)
░▒▓▓-Requests for generation SecuROM PA Unlock code (SecuROM PA Online-activation) WOW! Only on EXELAB.RU
░▒▓▓-Denuvo ("surface" questions)
░▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓

SPR I - Fight against the virtual machines (VM) of all SecuROM 7-8 versions (Подробности в 20, 23 посте.)


80_PA - SecuROM (PA) Online-Activation keygen! Holy shit!
[/url]
the list of programs (games), which can now be activated using 80_PA:
https://pastebin.com/EiMbV3YD or --> pastebin primary link <--

>>>>>>>> (!) Send me more games with SecuROM PA (!) >>>>>>>>>>>>

Denuvo Profiler (DProfiler)


------------
1.04.2012
Собственно я не сказал самого главного. SecuRom_Profiler 7 v1.0(SPR I) - часть большого зеленого пирога, под названием "ТИБЕРИУМНЫЙ РЕВЕРСИНГ" (статья опубликована в 159 номере ][. А позже, ещё одна итоговая статья - 199 ][), включает в себя собственно статью в журнале, ПОЛНУЮ техническую статью, материалы по SecuROM 7.33.0017, исходники X-кода и видео. Технический вариант статьи с приложениями можно брать отсюда:
▒Статья
▒Видео
▒Видео 2 (Продолжение)
▒Видео 3 (Окончательный разгром)
▒Видео 4 (В погоне за взломом DENUVO)
Имеет косвенное отношение к статье:
▒Видео косвенное

Хроники битвы при DENUVO 19.04.19
https://xakep.ru/2019/04/19/denuvo/

Message for the companies(etc) using this protection: we can buy SecuROM/DENUVO SDK & sources. Сontact me according to the personal message. Сonfidentiality is guaranteed!!! The bought files will be used for private research!

░░░░░░░░░░
См. также:
diff_trace

▓▓
615d_22.09.2013_EXELAB.rU.tgz - Sony DADC SecuROM vulnerability.zip
c177_01.02.2017_EXELAB.rU.tgz - PATENT DENUVO.pdf (притащил v00doo)


▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓
80_PA new 2.0 hotfix (!!!). Official links (mirrors):
https://mega.nz/#!L6gGBYBK!Y9X-6LFBdow6a1_IBlDFbrS6PBF4RRz_n9kuSGiI0UM (или --> 80_PA_v2.0 keygen link <--)
--> Mirror #1 <--
--> Mirror #2 <--

▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓
DENUVO Leak content
обращайтесь в личку - скину.

▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓▒▓
Denuvo Profiler (DProfiler) - test version 0.3 "INSPIRE"
https://mega.nz/#!DLwExKya!kCyFXw1roY3MkFaTO56LJAd-amc2yXWVerV2ic38bgs (или --> DProfiler link <--)

| Сообщение посчитали полезным: yanus0, obfuskator, Vovan666, MasterSoft, slick, hlmadip, ClockMan, Nightshade, Dart Raiden, Bronco, BAHEK, SReg, [Nomad], DimitarSerg, verdizela, yagello, OnLyOnE, FrenFolio, daFix, VodoleY, gena-m, m0bscene, Gideon Vi, ff0h, zeppe1in, antipod, huckfuck, kioresk, aRiX, 4kusNick, Ara, d0wn, Smon, audiofeel, zNob, cypherpunk, zzzombie1989, MarcElBichon, v00doo, DenCoder, nick7, Haoose-GP, arnix, Qbik, serilo, s2003r, DICI BF, Kindly, PavelDAS, HandMill, VanHelsing, random, TrueLies, warezhunter_, denfil777, alx30721, omeh2003, asm-jaime, WildGoblin, mushr00m, Flippy1801, KOTwasya, r3n5m388, chegevara, Groul, dnv83, kassane, ==DJ==[ZLO], red0x, HAOSov, rootkid, DirtyHarry, MacTep, kurorolucifer, s0cpy, aire1, ReloadUGunz, tRuNKator, Cherbet, RmK-FreE, Pringell, IHateInventNicknames, go2crck, mak, Dimosz, Creckerhack, zd0x, Mustafa_Dev007, UnnyBolt, Isaev, Astap1516, Voices_of_the_BULG, EHS4N, SnakeByte, KOCMOC42, anarh1st47

с торрентов, вестимо. Ищите в названии раздачи [L]

| Сообщение посчитали полезным:

Unravel вышел в релиз. Denuvo осталась на месте. Таблетки пока нет.
В папке присутствуют некие dbdata.dll и dbdataEA.dll, вероятно они тоже связаны с защитой

to ELF_7719116: на Русторке есть раздача папкой, можно скачать необходимые файлы для анализа.

| Сообщение посчитали полезным:

Здравствуйте, Haoose-GP
Разрешите Вас просить разместить файлы, необходимые для запуска программы, на доступный сервис обмена файлами.

| Сообщение посчитали полезным:

koksokola пишет:
а откуда скачивать игры с этим securom?
Зачем обязательно скачивать?! Обычно на торрентах лежат уже готовые NoCD/NoDVD и 80_PA там не нужен. Другое дело, если игра - лицуха и требуется онлайн-активация секурома.

Haoose-GP пишет:
на Русторке есть раздача папкой, можно скачать необходимые файлы для анализа.
Киньте пжалуйста мин. рабочий набор, нет желания регаться, хотя и порекомендую (для тех кто ещё не знает) сервис "10 минутная почта": https://10minutemail.com

ClockMan пишет:
--> Link <--
Я не понимаю, что мешает собраться нам и немного потрепать денувко. Точнее понимаю, что многие скажут, что лень и долго (в плане того, что нужно кодить много новых инструментов). Хотя мало кто заметил, насколько --> годную копипасту <-- сделал vden
С другой стороны, вон, вышел X-COM 2 БЕЗ DENUVO, его зарелизили. X-COM 2!! И как оказалось, эта игра с легендарной биркой - дешевая забагованная халтура с x64 говнокодом! Меня хватило всего на десяток миссий. Кому тогда этот треш, защищенный vmprotect денуво тогда нужен?!

infreered
ROTR min. works kits from Qbik:
http://rghost.net/6hkjxkPx8
http://rghost.net/8bFMHkpTC
Unravel donwload link!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


Haoose-GP пишет:
В папке присутствуют некие dbdata.dll и dbdataEA.dll, вероятно они тоже связаны с защитой
Как пить дать. Правда размер маловат, всего 2 метра.

| Сообщение посчитали полезным: mak

ELF_7719116 пишет:
ROTR min
skidrow выложили на тест,как раз под обнову ларискину, посмотрел,угу... до десятка байт про патчили, но у меня валится , или я не от туда стартую?
// Странно как то оригинальную ОЕР опечатали, вызов пожевали, а процедура осталась.

-----
Чтобы юзер в нэте не делал,его всё равно жалко..

| Сообщение посчитали полезным:

В Unravel я не нашел файлы dbdata, как в стиме.
Если еще нужно, завтра утром выложу вам минимальные наборы RoTR и Unravel

| Сообщение посчитали полезным: mak

ELF_7719116 пишет:
Я не понимаю, что мешает собраться нам и немного потрепать денувко.
Если пойму, что мне это на пользу, то, пожалуйста - я весь Ваш!
Но пока от лома игр ничего, кроме временного удовольствия и с ним выноса себе мозга с уходом от реальности не вижу... Оно в кризисный/предкризисный год очччень буит с пользой, да

Добавлено после ответа Bronco
Bronco пишет:
Аутогенная тренировка
Спасибо! В планах было поискать на эту тему, но работа не давала. А тут одна фраза и О!

-----
IZ.RU

| Сообщение посчитали полезным:

DenCoder пишет:
Если пойму, что мне это на пользу
Аутогенная тренировка ???

-----
Чтобы юзер в нэте не делал,его всё равно жалко..

| Сообщение посчитали полезным: DenCoder

Нашел у себя SecuROM PA GUI DLL, API Version 0.87 и SecuROM API хидеры. Мб кому то пригодится

78b9_10.02.2016_EXELAB.rU.tgz - securom_api.rar

| Сообщение посчитали полезным: ELF_7719116

Касаемо Electronic Arts с его файло dbdataEA.dll.
Он экспортирует getTableData. По-моему там всё таки один аргумент, хотя IDA Pro говорит что два. Это указатель на __int64. Это можно судить по инструкции VM:

Полагаю туда ложится результат криптоопераций над CPUID, он вызывается от 1 до 4. Это поверхностно.

Чуть более детально. Начинаем чисто:

Далее начинается следующий код под vmprotect DENUVO:

где asm cpuid code в динамической памяти с размером 0x100000

данный код вызывается несколько раз (в цикле?!) с EAX от 1 до 4.
вероятно с CPUID идут какие-то тривиальные операции. Кстати в dll'ке есть такая открытая функа (вызывается через initterm при вызове DllEntryPoint):

Вероятно под VM скрыто нечто подобное.

| Сообщение посчитали полезным: exit_2

| Сообщение посчитали полезным: asusk55vm

Haoose-GP
Це шо? Новый Hitman или как?

| Сообщение посчитали полезным:

SharkXXL
Да. Бета-версия.

| Сообщение посчитали полезным:

Hello all. I am new here and I hope I can write in English

I didn't crack anything very, very long time. But whole Denuvo is interesting topic for me (yes, I don't like them ).

Like I wrote, I didn't crack anything long time and these "new" DRM like Steam or Origin are something new for me.

Last couple of days I am doing deep analyze of Denuvo at Unravel. I didn't finnish, but I can write some details right now:

Unravel.exe calls Core/activation64.dll.ordinal64 - I think activation64.dll is part of Origin DRM. Code inside of this function tries open or create mutex "CoreXProcState"

and later function loads dbdata.dll and then call function getTableData.

Like ELF_7719116 wrote, this function is very interesting. Its 100% very important, because is obfuscated with something like VMProtect. Function returns 2ACh bytes (my case)

long data. These data looks like some HW ID. Origin using name DBReqToken.

I didn't have time analyze how function generate this HW ID, but it uses CPUID instruction with different parameters couple of times and I found functions like:
GetLogicalProcessorInformation, GetCurrentProcessorNumber, IsProcessorFeaturePresent

Later activation64.dll create new process core/ActivationUI.exe with parameter "/SMOID=%S". There is some little problem because activationUI is 32-bit process.
This process create origin.exe process which is again 32-bit process and then ActivationUI is called again and then game is started.

Origin DRM using names for parameters and then is easier analyze what is what. Protection looks for file activation.ini but never found any (maybe we can try create one ).
Some of names which Origin uses: WrappedExecutablePath, ExecutableProcessId, ContentIds, RequireOrigin, DBReqToken, UIVersion

License file is created at C:\ProgramData\Electronic Arts\EA Services\License\1031469.dlf (maybe we can run game at offline mode, I will try to investigate it)

File is encrypted, but later decrypted in memory. It contains some names again: <?xml version="1.0", encoding="UTF-8", standalone="yes",
<License xmlns="http://ea.com/license">, <CipherKey> (some encryption key?), <MachineHash> (some HW ID?), <ContentId>1031469</ContentId>,
<UserId> (user ID at origin service?)

Right now I am analyzing ActivationUI.exe and I will need some more time for it.

Some more information. Game is running when I am going offline. I didn't try to play it and maybe later it will be problem. I will try it and post info.
I am writing this because there are some rumors that some parts are decrypted (created) during application run, but I think not at this case (maybe I am wrong).
But ofcourse something like this is possible and server can send generated code for specific machine ID.

Attact to Denuvo is possible more than one way. I didn't analyze 3DM or CPY attacts and I don't know how they did it. Maybe someone can write more about it.
Its very good to know all possible information.

I think, they did, what I think is easier way. They somehow fooled Denuvo and used same HW ID and same license for all computers.
We will need analyze how getTableData function generating this HW ID. ELF already started but we will need more detailed info.
I did some research how catch cpuid instruction and its not easy I hoped it will generate some exception, but there is no exception
Opcode is pretty short (2 bytes) and then byte search is not very good idea. There is possibility trace code and found it like this, but this will slow down application
and its little bit dangerous because Denuvo can detect it. Maybe this is why CPY or 3DM cracks take so long time. Finding all CPUID instructions in >100MB file is
not easy job. I think they are using not only processor info for HW ID but OS info too (we will see ).

Can someone help with deobfuscation Denuvo's code?

I have some more ideas, but my post is really long (sorry). I will return to analyze and keep you updated.

Last problem. I tried to find anything about Origin DRM and I found nothing. Its really strange, because I found detailed info about Steam DRM.
It will really help me because Origin is not interesting for me (and I don't like do something what someone else already did ) and I want to work directly at Denuvo. I really though move to Steam and another game (Rise of Tomb Raider) because DRM unwrapper for Steam is public. But I started with this object and I did some work. Maybe someone will help me...

And please don't kill me for long post and bad english

| Сообщение посчитали полезным: ELF_7719116, v00doo, 4kusNick, Haoose-GP, daFix, PaXman

exit_2
Hello! Thx for interest and some important information. For the file of the license (C:\ProgramData\Electronic Arts\EA Services\License\) I didn't know.

Files:
Core/activation64.dll
ActivationUI.exe - is Origin cover. They have no relation to denuvo! --> simple origin topic <--

3DM, CPY probably use emulation DLC and patching some bytes in denuvo section.

exit_2 пишет:
Can someone help with deobfuscation Denuvo's code?
Need uvirtualizer.

if it is origin, then (some encryption key?) = AES

exit_2 пишет:
Function returns 2ACh bytes (my case)
2ACh returns bytes always?

| Сообщение посчитали полезным:

great work exit_2

I've also got 2ACh bytes of something which looks like base64...but probably is not.

| Сообщение посчитали полезным:

Наверно вы это и сами видели. Вряд ли что-то новое напишу.
Denuvo на Хитмане работает так:
При запуске если еще нет файлика dbdata в userdata\ (первый запуск) игра идет сюда:

И передает туда такие данные:

<db> - видимо зависит от железа и не меняется при нескольких последовательных запросах, а <st> может немного меняться с течением времени.
А в ответ приходит такое:

Где <e>0</e> - это я полагаю код ошибки. В данном случае ошибок нет, код 0.

| Сообщение посчитали полезным:

Ok I will write small update after few days.

ELF_7719116: Yes, in my case 2ACh bytes always. I will try another computer too, just for testing differencies between data. I am interesting about it.

What I did last days. I fought against Origin It was important for me understand how it works and etc. Ofcourse I still don't know everything but many things are more clear for me now.

I installed another game with Origin's protection. It is 32-bit application and easier for debugging because no switch from 64-bit to 32-bit and back.
I did functional dump, but then I found problem. Dump working only with Origin running. Why? Its easy, they compiled some Origin's library to original program. I didn't have time go to deep inside of these functions, but in disassembly they have normal names and its not very hard to find them. I think there will be no problem switch them off (I will try it just for fun).

When I found way how correctly dump 32-bit executable, I moved back to 64-bit.
And? No problem Finally I have dumped exe and I can check only Denuvo protection.

I found some problems right now. Protection is pretty aggressive against x64dbg. If you try any normal breakpoint to API, crash. Hardware breakpoints doesn't work too. I will need more play with it.

I did very quick analyze. Functions for Origin aren't normal. I think Denuvo obfuscated them. Its not easy way to localize them like in 32-bit executable.

I checked license files from 32-bit and 64-bit game. Size is different. Its 577 bytes for 32-bit, but 1777 bytes for 64-bit. Pretty big difference.

I checked what is inside of licenses and its different too.

Same is: User ID
Different are: CyptherKey and MachineHash
64-bit key have one more parameter: GameToken

GameToken is 3FFh long BASE64 key (I hope). I think these data are generated by server and they are depends at DBReqToken generated inside of dbdata.dll . And I think these data Denuvo using inside of protection. We will see

I don't uderstand right now why is MachineHash different. Strange. Difference in computing for 32-bit and 64-bit???

1. Did someone deep test of anti-debug tricks and have any info? I can do it myself but it will be time consuming and maybe someone will share info.

2. We will need someone with good skills with deobfuscation. I really understand how VM works, but I really have no time learn whole Denuvo's VM obfuscation technology.
Maybe someone from VMSweeper team can help us? I think they know what are they doing But Denuvo using 64-bit code and what I saw VMSweeper is 32-bit code only

Tommorow I will try write first post whats doing directly inside Denuvo. I am doing fists steps right now and I already found some very interesting things.

| Сообщение посчитали полезным: ELF_7719116

exit_2 пишет:
I found some problems right now. Protection is pretty aggressive against x64dbg. If you try any normal breakpoint to API, crash. Hardware breakpoints doesn't work too. I will need more play with it.
There are no problems in anti-debugging of DENUVO any. DENUVO is very feeble in it.
Set BP & control two WinAPI:
ntdll.<NtSetInformationThread> (GetCurrentProcess) - generate exections when installed BP is worked
kernel32.SetThreadContext (main thread) - clear HW BP

https://exelab.ru/f/action=vthread&forum=13&topic=19719&page=4#14

| Сообщение посчитали полезным: v00doo

Hello again

ELF_7719116: Thx for answer. I am idiot. I can read, but maybe I can't? Thx again for patience

I will share some more information.

First very good information for all who need to help or they are insteresting about topic. I installed two more demos from Origin. Dragon Age Inquisition and Fifa 16.

Dragons Age Inqusiotion = Denuvo v2
Fifa 16 = Denuvo v3

I checked again Unravel and for my suprise its Denuvo v2 (Protection ID). I am little confused why they used not latest version of protection for new product.
But nevermind I will continue and I can move to v3 when we will break v2


I found 5 possible "run scenarios" for dumped exe:

1. Start at computer where license was generated. Exe will try to connect and if connection is correct then run correctly.
2. Start at computer where license was generated. Exe will try to connect and if connection is not correct then exe close silently.
3. Start at different computer. Denuvo will test license and delete it! Then run exe again 5x. With different cmd line:
- name_of_exe /dbrv1
- name_of_exe /dbrv2
- name_of_exe /dbrv3
- name_of_exe /dbrv4
- name_of_exe /dbrv5
- exitprocess
4. Start game with interesting cmd line: name_of_exe.exe /dbrv=1 /antitamperdiagnosis
Boom! This is very interesting They have some protection checking mechanism.
Protection will create file: C:\Users\name_of_current_user\Desktop\antitamper_diagnosis.bin
They write all important information to this file! We don't need create tool for dumping information,
they did it for us

5. Start game with cmd line: name_of_exe.exe /dbrv=1 / antitamperdiagnosis /CFEG37
This parameter of cmd line is strange. Protection just write msg box:
This game is incompatible with CheatEngine. Please close CheatEngine and restart the Game.

Sorry, this is all for today (I am going out finnaly ). Tommorow I will try to write about what they do (API calls).

| Сообщение посчитали полезным: v00doo, ELF_7719116

--> Real story <--

-----
От многой мудрости много скорби, и умножающий знание умножает печаль

| Сообщение посчитали полезным: sefkrd, VodoleY

Far Cry Primal (bin dir - from Uplay)
http://www22.zippyshare.com/v/Y5Tz2RqF/file.html

-----
Array[Login..Logout] of Life

| Сообщение посчитали полезным: exit_2, mak

На нишебродском сабе крякстатус написали, что anno 2205 теперь использует denuvo. Если правда - интересный ход, встраивать защиту ПОСЛЕ выхода игры.

Так - случайные 5 центов.

| Сообщение посчитали полезным:

Stormraider
Так и есть. Впрочем они хотели ее встроить сразу на релизе, но что-то не сложилось и в свет игра вышла без защиты.

| Сообщение посчитали полезным:

I am sorry I am little bit late this time. But I was busy with other project.

Kindly: Did you upload this pack? There is one important thing. There is no dbdata.dll! Strange. There is systemdetection64.dll, but this dll is not obfuscated (quick check, maybe I am wrong)!

I will write some more informations.

When protected file started then (I will write only what I think is important):
1. Get addresses of these these API: - GetThreadContext, SetThreadContext, ExitProcess, RtlExitUserProcess, NtSetInformationThread, RtlCreateQueryDebugBuffer, RtlDestroyQueryDebugBuffer, RtlQueryProcessDebugInformation, DbgUiRemoteBreakin, DbgUiIssueRemoteBreakin
2. CreateFileMappingA ( INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, 0, 1, "LHMHY01HEZshwMiLQCSnHqXgcnFDm" )
3. CreateNamedPipeA ( "\.\pipe\6mgQ3WdJk39bgDu8Pm2", PIPE_ACCESS_DUPLEX, PIPE_WAIT | PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_ACCEPT_REMOTE_CLIENTS, 1, 1, 1, 1, NULL )
4. CreatePipe ( 0x00000001413f666d, 0x000000014184bbb2, NULL, 1 )
5. SetEnvironmentVariableA ( "Jc9jdUeVhwFZHOPKr", "ajrpko9YL8bjm" )
6. CreateEventA ( NULL, FALSE, TRUE, "6xqa0beODJDuflrcdR" )
7. CreateThread (I think this is anti-debugging thread)
8. CreateFileW ( "dbdata.dll", GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL ),
9. GetFileSize("dbdata.dll"), ReadFile("dbdata.dll"), CloseHandle("dbdata.dll")
12. CreateFileW ( "C:\ProgramData\Electronic Arts\EA Services\License\1031469.dlf", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL ), GetFileSizeEx, ReadFile, CloseHandle
16. Anti-debug thread uses GetThreadContext, SetThreadContext and create another anti-debug thread
17. First license checking!!! If is not correct, then delete it and CreateProcessW with commandline + /dbrv=1 parameter

If is first license check correct:
18. CreateSemaphoreA ( NULL, 0, 2147483647, NULL )
19. FindFirstFileA ( "kits/*", 0x000000000012e7b0 )
20. GetEnvironmentVariableA ( "EAGameLocale", 0x000000000012e6e0, 1023 ) (not found in my case, maybe is interesting try to set it)
21. CreateSemaphoreA ( NULL, 0, 1073741823, NULL )
22. WSAStartup ( 514, 0x000000000012e320 )
23. Trying to open some Origin's keys
24. Trying to open Origin's process
25. Trying to connect, if connection is not allowed: OutputDebugStringA ( "Origin Error: failed to get game info The Origin desktop application is not loaded." )
26. If connection is allowed then using send and recv for communication.

For me is very hard to progress more. Without deobfuscation of code is not possible understand checking mechanism and other important things.
Last days I tried find informations about VMProtect 3.x and any good tools. It is problem, because there is 64-bit code. I will need help with deobfuscation or with good tool. If I try to create it, then I will need very long time for it and I only hope I will :/
This time maybe good cooperation will be necessary. Maybe ELF_7719116 or someone else can help me or continue.

One more strange thing to the end. Dragon Age using 32-bit code for dbdata.dll. It is 100% packed with something like VMProtect. Do you know someone how VMProtect 2.x protecting 64-bit DLLs? After unpacking is original code in 64-bit? Strange

| Сообщение посчитали полезным: 4kusNick, smetanine, ELF_7719116, jude

exit_2 пишет:
Kindly: Did you upload this pack? There is one important thing. There is no dbdata.dll! Strange. There is systemdetection64.dll, but this dll is not obfuscated (quick check, maybe I am wrong)!
Yeah, this is the purchased licenced version from Uplay.

I see also new dirs with the some denuvo(?) data in:
c:\ProgramData\dbdata\00000000-0000-0000-0000-000000000000\11111111-1111-1111-1111-111111111111.dbdata

00000000-0000-0000-0000-000000000000
11111111-1111-1111-1111-111111111111
the values is faked of course.

c:\Users\USERNAME\AppData\Local\Ubisoft Game Launcher\spool\00000000-0000-0000-0000-000000000000\2010.spool
c:\Users\USERNAME\AppData\Local\Ubisoft Game Launcher\spool\00000000-0000-0000-0000-000000000000\101.spool

Where 00000000-0000-0000-0000-000000000000 is a same hash value for this paths.

Also, I'm search on computer for dbdata.dll and it was not found - maybe it used DLL Box feature like VMProtect Ultimate?

Also same hash values is for this locations:
c:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\savegames\00000000-0000-0000-0000-000000000000\ - dir with saves
c:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\cache\settings\00000000-0000-0000-0000-000000000000 - file
c:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\cache\club\00000000-0000-0000-0000-000000000000 - file
c:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\cache\ownership\00000000-0000-0000-0000-000000000000 - file (array with the activation serial inside)

This is file structure of the full game dir:
http://www59.zippyshare.com/v/dWCuMdrb/file.html

The game is activated while first launching automatically, without activation data request, like in Batman Arkham Knight.

-----
Array[Login..Logout] of Life

| Сообщение посчитали полезным: Libido, ELF_7719116

ajax пишет:
--> Real story <--

Цитата: "на краклабе, где, собственно, и отымели разработчиков SecuROM'a."
И да, копать надо в сторону отладки x64..

| Сообщение посчитали полезным:

**************************
80_PA update #2
**************************

Уже было анонсировано.
[+] Добавлены новые наборы:

[*] Некоторые оптимизации и исправления. Обновлены гайды.
[+] В набор добавлен Sony DADC SecuROM vulnerability.pdf

ссылки публикую вверху

| Сообщение посчитали полезным: HandMill, SReg, sefkrd, SharkXXL, VanHelsing, DICI BF

Far Cry Primal Update 1.1.2
http://www9.zippyshare.com/v/xbcKBkGM/file.html

only updated two files for bin folder from post:
https://exelab.ru/f/action=vthread&forum=13&topic=19719&page=10#23

Обновленные экзешники для выложенного комплекта.
Гуру смотрите, не изменили ли защиту, ну и есть ли мне смысл апдейты по мере выхода постить в дальнейшем?

-----
Array[Login..Logout] of Life

| Сообщение посчитали полезным:

I wanted to know how the protectionid detects the Denuvo's version ("variant", according to software naming order). So, here is what you may see in asm code of it (ollydbg 1.10):

Take a look on offset and you may verify it by yourself (in dump this procedure is crypted, so use dynamic way).
in c code it might be translated as:

In general, this method of Denuvo's version detection is not accurate. At the same time, protectionid developer has made a huge amount of work, and his software is the only way, for this moment, to detect the presence of Denuvo within executable file.

| Сообщение посчитали полезным: v00doo