Get all your news in one place.
100’s of premium titles.
One app.
Start reading
Windows Central
Windows Central
Technology
Michael Hoglund

Five months and 2,000 hooks later, Denuvo DRM has been cracked for Hogwarts Legacy. The man behind it shares his process.

Screenshot of Hogwarts Legacy with the Denuvo logo on top of a troll.

What you need to know

  • Hogwarts Legacy released in 2023 with Denuvo, a form of DRM.
  • This implementation has been cracked by Maurice Heumann.
  • He is not the first to do so, but he is the first to document this process.
  • Not only did Maurice find a way to bypass Denuvo, but he also measured the amount of calls Denuvo made to help determine the impact of Denuvo on performance.

Many PC gamers are all too familiar with the term Denuvo, so they'll skip it when it's even rumored to be present in a game like Starfield. As many argue, Denuvo and other game DRM solutions can lead to performance issues. However, there's a sense of relief when Denuvo is finally removed, as its use incurs a licensing fee that developers eventually stop paying. This effect often prompts many players to return and purchase the game. 

Because of this, Denuvo's expulsion from a game is a notable story every time it happens. PC players will celebrate across social media channels, Reddit, X, etc. While the majority only celebrate its official removal, some commemorate the not-so-legal times. 

I'm here to talk about one such take, Maurice Heumann, who dove headfirst into bypassing this beast in Hogwarts Legacy. While he's not the first to do so, as he mentions in his blog, he's undoubtedly the first to document the process in detail.

The Goal

This dude is a coder, my kind of guy! (Image credit: Maurice Huemann)

Right from the start, Maurice is meticulous, making it clear that his actions were driven by a thirst for personal knowledge and not malicious intent. His journey into the removal of one of PC gamers' most notorious adversaries is a testament to his dedication and curiosity, as it took 5 months and over 2,000 individual software hooks. This man is nuts.

"Cracking the game was not a goal I had. I like Hogwarts Legacy, and thus, causing any harm is not my intention. I wanted to do research purely for myself. Therefore, this post is going to be intentionally vague and not going to show how I analyzed and patched the game in detail because I don't need any more legal trouble than I already have."

Fair enough, Maurice. I don't blame you one bit. You may also notice he mentioned his lack of desire to crack Hogwarts Legacy entirely. He explained that his goal was to bypass Denuvo to the point that the title was playable, not Denuvo-free. It's important to note that in games where Denuvo has been cracked, Denuvo has not been removed but merely bypassed. This difference means all checks still happen, and Denuvo's activity continues in the game's background.

"The actual goal I had in mind was to find all features the game uses to derive the fingerprint and to patch them. On top of that, I want to patch most of the runtime checks. For a real crack, it is obviously needed to patch all of the runtime checks. Finding all of them is still an extremely time-consuming task, so everyone who has achieved that deserves my utmost respect."

How did he do it?

A well laid out diagram that helps make the whole process more relatable. (Image credit: Maurice Huemann)

Denuvo works with its platform of choice to generate critical license checkpoints that Denuvo can then use to verify a game's ownership status. It does this by using fingerprints and tickets, such as a Steam ticket in the case of Hogwarts Legacy. 

The game collects hardware and software data and compiles it into said fingerprint and Steam ticket. This information is sent to Denuvo's servers, where some backend work takes place to verify everything. The Steam ticket is then sent to Steam, as Maurice estimates, to verify game ownership through the Steam platform. A Denuvo token is generated for that specific hardware device or PC if the user owns the game.

This token is vital for playing the game, as it decrypts values during runtime and throughout the game. At regular intervals, Denuvo will check if the fingerprint's hardware and software features match the token's. It's all somewhat confusing.

To do all this and make a very brief summary of Maurice's work, he painstakingly added over 2,000 patches and hooks to the game by hand using a reverse engineering tool called Qiling. Through more hard work, he built a framework around Qiling that allowed him to find features that belonged to the fingerprint.

"Getting fully accommodated to Qiling and finding most of the fingerprint features took me about two months. Discovering the last one took the remaining 3 months, and I only discovered it by accident. To verify that a certain feature really is part of the fingerprint, I patched/spoofed it, checked that my previously valid Denuvo Token is now invalid, and showed the error dialog. For most of my patches, I had to use quite a lot of runtime disassembling to dynamically build my hooks and stubs, which led me to discover quite a few bugs in various disassemblers."

The performance

It seems more calls come during loading. (Image credit: Maurice Huemann)

So how about performance? Is Denuvo the big bad we all think it is? 

Before getting into this, I was an enormous opponent of Denuvo before reading Maurice's work. To an extent, I still am. Any negative performance impact of a game that doesn't actually improve the said game is a detriment that doesn't belong. According to him, in-game performance seems unaffected, at least to the point that it's immeasurable. 

"Note that this analysis only applies to Hogwarts Legacy. I don't know if any of that applies to other games protected by Denuvo! Whenever the console prints [MOMO] OVERHEAD, one of my hooks triggers. This essentially means Denuvo intervenes in executing the game (that I had to patch). This, in turn, means Denuvo causes at least "some" (non-zero) performance overhead during those times."

As he states, and as readers can see from the timestamps in the image, the Denuvo check isn't happening often. However, this doesn't measure the impact of each check, as he's unable to calculate the removal of what the check is doing without the removal of Denuvo.

As someone who's written entire servers for GTA FiveM, a modded role-playing game, I know that coding based on continuous checks can substantially impact. Depending on the code each check executes, you can see an entire server hitch upon loading the executable code. In my experience, this has mainly affected CPU performance, and independent analysis confirms this.

In Denuvo's case, while framerates are primarily unaffected, loading times and file size are. In every instance of the video above, game loading times are far lengthier in Denuvo builds than for games without. 

Some games, like Conan Unconquered, show a 16% performance bump after Denuvo's removal. Overall, the framerate impact depends on a developer's implementation of Denuvo rather than on Denuvo itself.

Maurice's work is impressive and deserves praise for documenting Denuvo's entanglement in video games. Moreover, this type of work pays the creator no money but grants lasting knowledge to those willing to listen. Here's to hoping many do.

What's your take on this whole situation? How do you feel about Denuvo? Let us know below or on our social media pages. I'm interested to see what you all have to say! As always, happy gaming!

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.