111 points by noztol 2 days ago | 14 comments
wincy 8 hours ago
This is decidedly not what I’d expect to be discussed at Thotcon. That said, super interesting!

As an avid pirate, I’ll say these days even the Denuvo games which were going years without cracks now have “cracks”, although they rely on hypervisor fixes and disabling secure boot and giving the hypervisor cracks unfettered access to your system to intercept the Denuvo checks. [0] It’s a dangerous game we’re playing to keep these AAA games' bottom lines fat.

[0] https://www.thefpsreview.com/2026/04/03/denuvo-has-been-brok...

tossit444 7 hours ago
The main site to get these hypervisor cracks thoroughly vets them, requiring the devs to publish the source code to it all.
sneusse 2 hours ago
What I've been wondering for a while now: how do the game streaming services run the Denuvo titles? Do they get special builds? They will not run on bare metal hardware but in some kind of VM, right? Wouldn't Denuvo detect that and stop working?
meinersbur 1 hour ago
They get their own build. E.g.

* GeForce NOW SDK: https://developer.geforcenow.com/learn/guides/offerings-sdk

* Stadia SDK: developer.stadia.com (offline)

* Xbox Cloud Gaming: https://learn.microsoft.com/en-us/gaming/gdk/docs/features/c...

* ...

Just like every Game Store requires its own build: Steamworks SDK, even GOG: https://docs.gog.com/sdk/

Some games allow browsing files locally for savegames, music library, ... . Imagine if you could do that on the cloud VM.

sneusse 1 hour ago
That makes a lot of sense, thanks for clarifying!
userbinator 7 hours ago
> disabling secure boot

...making it even more clear what "secure" boot actually secures: the control others have over your own computer.

chii 7 hours ago
It has its uses. If, for example, a company wants to issue fleet computers to workers or a school to students, you want to have secure boot on those devices to prevent tampering. Secure boot makes it so that physical access is not the end all of security.

If you own the computer yourself, you "ought" to be able to turn off these measures in a way that is undetectable. Being unable to do so would be the red line imho - and looking at those hypervisor cracks available, it's not quite being crossed. The pessimistic, but realistic future prediction is that various media companies would want and lobby for machines to have unbreakable enclaves for which they can "trust" to DRM your machine, and it's just boiling the frog right now. Windows 11's new TPM requirement is testament to that.

Switch to linux asap - that's about the only thing a consumer is capable of doing.

Vogtinator 4 hours ago
> If, for example, a company wants to issue fleet computers to workers or school to students, you want to have secure boot on those devices to prevent tampering. Secure boot makes it so that physical access is not the end all of security.

Measured boot is actually better for that: you can still boot whatever you want however you want, but the hashes are different, which can be used for e.g. remote attestation. Secure boot has to prevent "unauthorized" code (whatever that means for each setup) from ever running. If it does, game over. That means less freedom and flexibility.
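
An added illustration of the distinction drawn above (it is not from the thread or the talk): a small Python model in which secure boot refuses to run an unlisted component, while measured boot runs everything but leaves the modified chain visible to a remote verifier through the PCR value and event log. The component blobs, the allowlist and the "known good" PCR set are constructed placeholders.

```python
import hashlib

# Constructed sample boot chain (placeholder blobs, not real firmware).
GOLDEN_CHAIN = [
    ("firmware", b"vendor-firmware-v1"),
    ("bootloader", b"signed-bootloader"),
    ("kernel", b"stock-kernel"),
]
# Same chain with the kernel swapped for a custom hypervisor shim (constructed).
MODIFIED_CHAIN = GOLDEN_CHAIN[:2] + [("kernel", b"custom-hypervisor-shim")]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: PCR' = H(PCR || H(component)). Order matters, and
    software can only append to the register, never reset or rewrite it."""
    return sha256(pcr + sha256(component))


def measured_boot(chain):
    """Measured boot: every component runs; each is recorded into the PCR
    and an event log. Nothing is blocked, so a modified chain still boots."""
    pcr = b"\x00" * 32
    log = []
    for name, blob in chain:
        log.append((name, sha256(blob).hex()))
        pcr = pcr_extend(pcr, blob)
    return pcr.hex(), log


def secure_boot(chain, allowlist):
    """Secure boot: refuse to execute the first component not on the allowlist."""
    for name, blob in chain:
        if sha256(blob).hex() not in allowlist:
            return (False, name)
    return (True, None)


def remote_attest(pcr_hex, log, known_good_pcrs):
    """Verifier replays the event log to confirm it reproduces the quoted PCR,
    then checks the PCR against known-good values. A mismatch is visible to
    the verifier even though the device was free to boot whatever it liked."""
    replay = b"\x00" * 32
    for _name, digest_hex in log:
        replay = sha256(replay + bytes.fromhex(digest_hex))
    return replay.hex() == pcr_hex and pcr_hex in known_good_pcrs
```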

bitwize 6 hours ago
This is coming. In particular, without a Secure-Boot-enforced allowlist of operating systems, it will be near impossible to verify that an OS connecting to the internet complies with your locality's age verification laws, so it will soon be illegal to run a computer that does not make Secure Boot mandatory and connect it to the network.

If you're starting to think "huh, maybe that's why these age verification laws suddenly became all the rage", you're onto something. Whatever the case, "general purpose computing" is definitely cooked.

ndriscoll 59 minutes ago
The laws in my locality place requirements on the service provider (e.g. the adult website operator), not on random computer owners or manufacturers or software vendors.
charcircuit 4 hours ago
General purpose computing as it was done in the 1900s is cooked for the average user because there is no market incentive for it to exist. The actual market incentive revolves around apps as they provide user value along with the ability to deploy custom apps.
saidnooneever 5 hours ago
It is stupid to turn it off. It is incredibly easy to infect your system components without your knowing.

That being said, it does assume a certain trust in firmware vendors / OEMs. If you don't trust those, then don't buy from them.

I think for most people, trusting an OEM or trusting a rando from the interwebz with a custom hypervisor and a requirement to cripple my system security are totally different things ..

You know, they could actually make their HV support secure boot etc. to do it properly and have your system run the cracks but not have gaping holes left by them -_-. Lazy.

maccard 5 hours ago
If you’re downloading torrents and running code with elevated privileges that infects your PC, 99% of people are absolutely hosed at that point anyway. I don’t see the real distinction between being owned at an elevated system level and owned by disabling system secure boot for a home user.
bandrami 2 hours ago
As always in security, It Depends™; there are vulnerabilities that only impact systems with secure boot (and result in a situation worse than not having secure boot to begin with).
walletdrainer 1 hour ago
> there are vulnerabilities that only impact systems with secure boot

Boring claim, obviously true.

> and result in a situation worse than not having secure boot to begin with

A very big claim that requires evidence.

dwattttt 6 hours ago
It would work just as well if the instructions instead told you to enrol your own key and sign the cracks. Those instructions just aren't as popular.
charcircuit 4 hours ago
Having an operating system purposefully allow support for installing rootkits should clearly be a bad idea. It shouldn't be surprising that you have to turn off security features to install a rootkit.
7bit 7 hours ago
Cheap take
maxwg 8 hours ago
Link to the slides (almost missed it when I was reading): https://farzon.org/files/presentations/Thotcon_talk_may_2025...

Which provides way more information than the article.

Zironic 1 hour ago
I'm a bit perplexed by the choice of Nintendo Switch as the example hardware. I was under the impression that the Switch was locked down and you can't run offset-based cheat software like Cheat Engine on it.
NooneAtAll3 9 hours ago
> While security researchers love the entropy of randomized function layouts

I don't think any competent security researcher has anything positive to say about "security through obscurity"

At best this is a lawyer position.

lm411 7 hours ago
I disagree, obscurity wastes attacker resources and easily fools a lot of simple vulnerability scanners.

Obscurity is totally underrated. Attacker resources are limited.

otikik 1 hour ago
It’s kind of having a line of cardboard tanks. Can be helpful in some circumstances, but it can’t always replace actual tanks
dahcryn 6 hours ago
Thank you, I had this debate at work so many times.

Sure, it's not a security measure as such, but it's still a worthwhile component of the overall defense system.

fsflover 5 hours ago
The problem with this is, you spend a lot of effort for low benefit. You should spend it on actual security instead.
alkonaut 5 minutes ago
What would be "actual security" in this context?

This isn't about security of the same kind as authentication/encryption etc where security by obscurity is a bad idea. This is an effort where obscurity is almost the only idea there is, and where even a marginal increase in difficulty for tampering/inspecting/exploiting is well worth it.

literalAardvark 4 hours ago
Changing a port and enabling ASLR are not "a lot of effort".
nithril 3 hours ago
Changing the port is not the kind of security measure that will consume a lot of the attacker's resources.
literalAardvark 30 minutes ago
It will conserve a lot of defender resources, it will completely bypass all mass scans, and it will make "determined attackers" much more visible as they will have to find the port first which will show up in logs and potentially land them in a tarpit.
dagmx 6 hours ago
Security through obscurity is bad only if the obscurity is the only measure
landr0id 6 hours ago
It's not something to over-index on, but it's not a strong protection measure. It simply raises the overall cost to attack and analyze a system.

Take the PS5 for example. It has execute-only memory. Even if you find a bug, how do you exploit it if you can't read the executable text of your ROP/JOP target?

Starlevel004 4 hours ago
Security through obscurity is an excellent first-line defense, as long as you have other real defenses at the next layer.
m-schuetz 3 hours ago
Security through obscurity is like a bike lock. It can be cracked with the right tools and effort, but massively improves security compared to leaving it out unlocked.
hsbauauvhabzb 9 hours ago
It’s not about security, it’s about wasting a cracker's time.

Some people find cracking them interesting and fun.

corysama 7 hours ago
Agreed. I’ve done trivial obfuscation for games. In my observation, if you make it trivial to hack your game, huge numbers will trivially hack it. If you make it even slightly non-trivial, the numbers decrease exponentially. The more you waste their time, put up hurdles, the lower the number of successful hackers goes.

The goal is not perfect security in all situations for all products. The goal is to make the effort required for your particular product excessive compared to the payoff.

zer0zzz 7 hours ago
ASLR (for example) is a pretty standard technique, I thought all commercial OSes enabled this generally. What's the purpose of picking at this portion?
khalic 3 hours ago
The amount of work that goes into moats, for stuff that nobody will care about in 6 months, is kind of insane. I understand it for security reasons, but in video games? Just more bloat for nothing
RobotToaster 1 hour ago
Between this and rootkits masquerading as anticheat, video games are starting to look indistinguishable from malware
p1necone 9 hours ago
Echoing the other comments here - why? What is the threat model here and how does this protect you from it?
cyberrock 2 hours ago
It also frustrates datamining of secret client-side game mechanics, story spoilers, and unreleased content (good branch management is not a priority for some devs). Yeah, this wouldn't stand up to the best of the best, but not all game communities have a George Hotz, so this suffices for most cases.
lunar_rover 5 hours ago
From my understanding the goal is to prevent pirates and hackers from modifying the game's binary.

I have no idea why anyone would want to do that on Nintendo Switch though; Switch 1 doesn't have any headroom and Switch 2 OS security hasn't been defeated yet.

john_strinlai 7 hours ago
The threat is people who cheat in games. Obfuscation slows them down, but incurs a performance cost. This work is focused on reducing the performance cost.

- from the slides

zer0zzz 7 hours ago
Exactly. That and in game currencies. You like competing in games, or for game-bucks? Well you need some level of obfuscation and hardening to make that viable.
mahmoudimus 8 hours ago
Oh, fascinating. I just finished reverse engineering Aegis and am now working on their newest, Eidolon. Pretty cool technology.
djmips 9 hours ago
Why bother?
LunicLynx 7 hours ago
I guess it’s mainly to sell the technology and the illusion that comes with that.

So, money, for supposed control. Which is not true, of course.

brcmthrowaway 10 hours ago
What is the fps hit?
bartvk 7 hours ago
The reduction of Frames Per Second.
saghm 50 minutes ago
Yes, I think they're asking how big it is
bartvk 19 minutes ago
Oh, of course… thanks for clarifying.