Hypervisor-based bypasses defeat Denuvo with day-zero cracks, but a countermeasure is already in the works

Pirating games has been around for years, and protecting them has been just as persistent a challenge. A common name in the anti-piracy world is Denuvo, an Irdeto-owned protection software that managed to delay pirated releases long enough for companies to adopt it as their first line of defense. It protected games from being cracked during early release windows, when most sales are generated.

That changed recently when a pirated version of Resident Evil: Requiem, Capcom's latest entry in its zombie-slaying action adventure series, was uploaded just hours after its official release. Turns out, a wave of hypervisor-based (more on this later) Denuvo bypasses were enabling zero-day releases of major titles, including Crimson Desert.

In response, an Irdeto executive confirmed to TorrentFreak that Denuvo is already preparing enhanced security features to tackle these hypervisor exploits. In an interview, Irdeto's head of communications, Daniel Butschek, also assured gamers that the new security measures will not become a performance hazard for DRM-supported titles.

We're already working on updated security versions for games impacted by hypervisor bypasses. For players, performance will not be compromised by these strengthened security measures.

Traditionally, crackers had to reverse-engineer Denuvo's DRM pathways to patch the game, a process that takes months. Hypervisor bypasses take a very different approach. Instead of interfering with the game directly, they operate beneath the operating system's standard security visibility level, a layer called Ring -1. At this level, with key security features disabled, hypervisor bypasses can intercept Denuvo's CPU instructions and feed back false data, making the game believe the DRM is still playing its role.

3

These bypasses are much easier to develop, which is why pirated cracks are now coming out faster than ever, sometimes within hours of a game's release.

However, Hypervisor bypasses are a serious security concern. For the bypass to work, pirates essentially have to disable a key-protection layer on their own machines. This gives the hypervisor far broader control than a standard driver, making the system more vulnerable to kernel-level malware while also causing performance and stability issues. In fact, popular game repacker FitGirl, while publishing hypervisor repacks, openly acknowledges their drawbacks and visibly labels them with a HYPERVISOR tag.

3

As for how Irdeto plans to respond, the exact countermeasure remains unclear. But the executive confirmed that any countermeasure will not require the DRM to move into Ring-1 or deeper kernel territory. Denuvo could check whether third-party hypervisors are running by checking CPUIDs or measuring CPU latency. FitGirl has suggested that Irdeto could also shift to daily license ticket checks, though that would be a nuisance for legitimate players and may still be bypassed.

For now, hypervisor bypasses have made Day 0 pirate releases a reality, and Irdeto's likely goal is to get back to a world where games remain crack-free for at least weeks, if not months.