Posts

Talk at Navaja Negra 2025 This technical presentation explores the inner workings of Denuvo Anti-Tamper, one of the gaming industry’s most widely deployed DRM solutions. Through detailed reverse engineering analysis, we’ll examine Denuvo’s protection mechanisms, obfuscation techniques, and architectural design choices. The talk covers the methodology used to analyze the system, key findings about how it integrates with game executables, and insights into modern anti-tamper technology. Attendees will gain a deeper understanding of contemporary DRM implementations and the technical challenges involved in software protection systems. ...

Talk at Navaja Negra 2024 Modern software systems are becoming increasingly complex, making thorough analysis a daunting task. Add advanced DRM and obfuscation technologies into the mix, and the challenge grows exponentially. In this presentation, we’ll explore the development of a Windows user-space emulation framework designed to tackle these complexities head-on. We’ll discuss how emulation can be a powerful tool for analyzing and overcoming the obstacles posed by intricate software and robust DRM protections. You’ll gain insights into the technical aspects of building an emulation layer and learn how this approach benefits both security researchers and DRM analysts. If you’ve ever wondered how to “fake it” in a world full of complex protections, this talk will show you how emulation can be your secret weapon. ...

I am currently working on an emulation environment similar to Qiling. Unlike Qiling, it emulates the entire user-space, not just the target application. As Qiling reimplements all APIs (kernel32, vcruntime, …) outside the emulator, it gains a lot of speed (e.g. by not needing to run all the ntdll code during startup), while sacrificing stability (reimplementing all APIs can be error prone) and introducing a whole lot of work. My emulator draws the line on syscall level. So instead of reimplementing all APIs, it loads all Windows DLLs and simply provides syscall implementations outside the emulator. This might be slower, but drastically reduces the amount of work. By using C++ instead of Python, I hope I can make up for the speed loss (I will do some performance measurements soon to see whether that is really the case :D). ...

Guest lecture at Ruhr-Universität Bochum (in german) Moderne Kopierschutzsysteme sind heutzutage so fortschrittlich, dass klassisches Reverse Engineering bei deren Analyse oftmals an seine Grenzen stößt. Zur effektiven Untersuchung dieser Schutzmechanismen ist daher neues spezialisiertes Tooling erforderlich. Dieser Vortrag gibt einen Einblick in Qiling, ein Emulations-Framework und Grundlagen zu Hypervisorn, die dabei helfen, diese komplexen Systeme erfolgreich zu analysieren und zu überwinden. ...

When I announced my Black Ops 3 integrity bypass, someone commented that my research was not impressive and I should try analyzing Denuvo instead. That kinda stuck with me, so I did what everyone would do and spent the last 5 months of my free time reverse engineering and bypassing the Denuvo DRM in Hogwarts Legacy. I am obviously not as skilled and experienced as EMPRESS, who managed to do it within days, but that’s ok 😃 ...

Call of Duty: Black Ops 3 is protected by a DRM that, among other things, protects the integrity of the game’s code at runtime. Reverse engineering those integrity checks has been a personal goal I had for a long time. In this post I’m going to describe my process of achieving exactly that, so let’s dive in. Disclaimer Just a little disclaimer here. The goal of this post is not to encourage piracy. Creating pirated copies is possible without bypassing the integrity checks and has long been done. Neither do I want to encourage cheating or hacking. In fact, the game has a lot of unpatched security vulnerabilities, which make it almost unplayable. Therefore, I hope this post opens up the possibility to get these patched. ...

I recently started to experiment with hypervisors and their use for bypassing anti-cheat or anti-tampering systems. This post will describe the concept of hypervisor-assisted hooking and a few simple approaches to detect such hooks. What is a hypervisor? In short: A hypervisor allows to run virtual machines with hardware acceleration. The concept of hypervisors in general is a huge topic, but for this post, all that depth doesn’t really matter. ...

Thanks to Rektinator and TwistedFate for helping me solve this challenge. JIT was one of Google’s pwnable challenges. It implements an artificial assembly language, which gets jit-compiled into x64 assembly. An example program looks like this: MOV(A, 10) STR(A, 1) LDR(A, 2) SUM() JMP(2) RET() It supports basic instructions to move, add and subtract, jump and compare values. Two files were given: compiler.c and FancyJIT.java The c file implements the jit-compilation by translating each indiviual instruction into the corresponding x64 assembly instruction and storing everything in an executable buffer. The c file itself lacks many security checks which would potentially enable a whole bunch of attack vectors. ...

For our graduation-party at school two years ago, a friend of mine, Olrik, and I decided to play the Nyan Cat theme on all PCs at school. With the name 9os, we started writing the entire project using 16bit x86 assembly. The task was to draw the rainbow behind the cat, then the cat itself, play the music and in the end draw the stars. Drawing the rainbow was pretty simple, as it consists only of a few stripes that need to be drawn at alternating heights and colors. Staying in protected mode allowed us to use BIOS interrupts to render the data to screen using mode 13h. ...

After having started to use libraries like libpcap or WinDivert, I got curious about low-level networking protocols like Ethernet, IP, ICMP, ARP, TCP or UDP. Especially the Address Resolution Protocol (ARP) fascinated me, as I have previously used tools like Ettercap or Cain & Abel to experiment with Man-in-the-middle attacks using ARP poisoning, however, I did not know how ARP poisoning worked in detail. Basically, using an ARP request, you can request the MAC address of a particular host behind a local IPv4 address. You will then receive an ARP response containing the MAC address from that host. ...