How would you crack the UbiDRM?

Talking about the latest implementation of the UbiDRM and what it does. If you're looking for help in breaking the DRM, this post is sadly lacking in any information that will help you, but it might help you understand how difficult a process it is!

James Grimshaw, Blogger

December 21, 2010


Of course I am not going to tell you how to do it exactly, for a number of reasons, first and foremost that I don’t know how the Ubisoft DRM works. Just like the crackers of the DRM software, you make good guesses, explore the program and try to work around what you have. It’s about repeating these long, arduous and mundane steps until the game’s DRM is cracked. From the point of view of the scene, I can respect the challenge!

Ubisoft doesn’t have just one DRM system; it has in fact released several different versions of the UbiDRM, testing the waters as to what works best. Some games like Prince of Persia and Splinter Cell Conviction used a less sophisticated version of the DRM. But the newer UbiDRM, the one in use now, uses an incremental release of the play files.

Clever!

This means that if the game’s DRM is bypassed, a cracker has to double-check the whole file, otherwise it could look bad on their part. Of course this means that when Ubisoft was boasting it hadn’t been cracked, and the crackers were saying “here you are”, they were both right. But it was wrong of Ubisoft to say anything in the first place, and then to say nothing afterwards. However, at the moment the DRM is proving its ground. And good luck to it!

Not that it ever was a weak DRM in the first place. Much to the surprise of many people, the first round of UbiDRM was not cracked straight away. Even though it was widely reported as having been done in 24 hours, that was not completely true, but what happened is a story in itself.

Personally I don’t agree with the UbiDRM! There is no denying that this is a very clever system, but it breaks one of the most fundamental rules of the ten DRM commandments.

I. You shall not have any DRM before me! (One DRM protection method per game is enough!)
II. You shall not make for yourself any likeness of the Game or DRM! To those that crack games or distribute them illegally, you shall not bow down nor serve them.
III. You shall not take the name of the customer, your god, in vain, for the customer will not hold him guiltless who takes his name in vain!
IV. Remember the Game, to keep it holy. For days the customer shall labour, but the weekend is for serious gaming.
V. Honour thy Game Publisher and Developer, that your gaming may be long upon the land which they have provided for you.
VI. You shall not corrupt the gamer’s rig.
VII. You shall not cheat on the gamer.
VIII. You shall not steal the gamer’s personal information.
IX. You shall not bear false witness against thy gamer’s rig.
X. You shall not covet thy neighbour’s DRM, Rig, Gaming Experience, nor anything that is your neighbour’s!

Yes, UbiDRM breaks the third DRM commandment:

It takes the customer for granted. Honestly, it breaks more than one, but the third commandment is such an important one. To say “we are constantly watching you!” is to say that you don’t trust the honest customers; no matter what benefits you dress it up with, Ubisoft is branding everyone the same. That’s insulting, and of course this is the territory of the double-edged sword.

You want to target the illegal downloaders and convert them into happy customers. You don’t want to target everyone, force them to the doors of the credit card company and make them pay!

I pre-ordered Assassin’s Creed 2, then some months later, when more details came out, I found out that it would come with this uPlay/UbiDRM system; at the time I don’t think it had a name. With my internet connection being weak and intermittent, I just knew that it would never work out. I sent a complaint to Ubisoft and they never even bothered to reply.

Instead they hired a third-party PR company to handle all their complaints. The third-party PR company were fantastic and did everything Ubisoft had failed to do: respect the customer. I cancelled my pre-ordered copy and they sent me a free game. It was King Kong (2005), the one with the StarForce protection system. The thought was nice, but I don’t attribute this goodwill gesture to Ubisoft. Sometimes I get the impression they can’t even be bothered or, even worse, they don’t care!

Anyhow!

It’s interesting to know how UbiDRM, or the always-online DRMs in general, differ from past protection methods such as SecuROM. These newer DRMs, in comparison, are a whole different ball game when it comes to breaking them. In the old days, with SecuROM, you’d come to some code that performed a security check, which basically looked like this:

[--GAME CODE--]
Perform Security Check!
If it FAILS { Stop the Program from Working, EXIT }
If it PASSES { Continue playing Game }
[--GAME CODE--]

With a very liberal brush, I am tarring all the old DRMs as employing this simple method. It’s not true, but the point is that once the game kicks you out, this gives away a tell-tale sign: it tells me a security check happened at this point. So with a debugger, a common programming tool, and a lot of time, you can rewrite the main exe file to skip the security check. It now looks like this:

[--GAME CODE--]
Skip 3 lines down!
Perform Security Check!
If it FAILS { Stop the Program from Working, EXIT }
If it PASSES { Continue playing Game }
[--GAME CODE--]

Of course I really have underestimated the brilliance of what crackers do, and the brilliance of the security companies too. Most of the newer DRM versions don’t do these simple security checks any more, but they still use the same rule of kicking you out of the game on failure. That is enough to give crackers a starting point, and all they need.

As my old college professor used to say, “let’s hack to learn, not learn to hack!”

Currently there are a number of implementations that make up the UbiDRM. The one discussed here is specifically the one in the PC game Tom Clancy’s H.a.w.x. 2, released on the 16th November 2010. What Ubisoft has decided to do, and quite rightly, is to use a whole host of security methods, because time is the enemy of the gamer, and there is a limit to the amount of time an illegal downloader is willing to wait.

The things UbiDRM uses are the handshake, a UDP connection, a cookie, server checks, the Ubi Launcher, partial files and maybe some other methods. And of course I want to make it perfectly clear: I haven’t discovered or explored any of these.

The first thing you have to realise is that human speech isn’t like computer speech. Computers need order and timing; otherwise they would get into a big mess. Human speech is a big mess, but we normally use visual cues to know when we can talk back. Computers use a handshake, and at its most basic level it’s a greeting from one computer and an acknowledgement from another. In this handshake the computers agree on the message size, frequency and a whole list of other protocol details. In its simplest terms, if you think of two radio stations, it’s like agreeing to say “over” at the end of each message.

UDP: now this is surprising, as all other UbiDRM games used TCP for transmission. Basically, Transmission Control Protocol is a message system that uses the handshake method; it is very controlled, and every message sent is sure to be received and acknowledged. UDP, User Datagram Protocol, doesn’t use a handshake. It’s more fire and forget: if the message gets there, then so be it.

Ubisoft must have its own internal handshake sent over an unreliable transport. Or the game doesn’t regard these transmissions as important, which means there must be leeway in the time between communications. But as it turns out, blocking the UDP ports still allows the game to function, so they can’t play a huge role in the protection system.

There is also a theory going around that UbiDRM uses HTTP cookies of sorts, in that it creates text files that the server can then analyse. Cookies are basically a bite-sized chunk of information stored by your web browser. They are not code and cannot be run, but they hold data that something else can act on. This is why you are warned so often about cookies, as they can be used to store information about your computer and you.

Server checks make up the majority of the security protection system here. If Ubisoft can constantly make changes to the DRM from the server side, that is good for them, as they have total control. But it’s bad if Big Brother is going to watch the honest gamers who have purchased the games. They might as well take it one step further and set up all games in Ubisoft HQ to be played under their watchful eyes. This further punishes the honest gamers, but at the moment H.a.w.x. 2 still doesn’t have a crack. The real test will be Assassin’s Creed Brotherhood, due out next year.

The Ubi Launcher is a security system in itself: not only does it employ some of the same tactics, such as communication with the server, it also has a CD check. Currently this isn’t a problem, as the cracker groups have released a workaround for it. A very good start, but it means nothing at the moment: you are able to bypass this check to gain access to the main menu, but not to play the single-player game, although you can play over LAN.

The partial file is also a good system to use, as it means that someone has to play the whole game and upload it for someone else to work on. Because the two are rarely the same people, this means more time is needed before the game is cracked for the general populace. Black Ops sold 7 million copies in the first 24 hours, which means you only have to protect a new game for a short while to get the majority of sales.

Of course in the pirate world this isn’t completely true. For starters, I believe that illegal downloaders are so used to having a crack that they are prepared to wait for the one stubborn game. But after 1-2 weeks that patience wanes significantly, though of course it depends on the game. If Black Ops had been protected for as long as H.a.w.x. 2 has been, I believe the sales numbers would have been very significant.

Tom Clancy’s H.a.w.x. 2 was released on the 16th November 2010, and it is now crack free for 34 days (20/12/2010) and still counting.

Unfortunately the waiting game is also a double-edged sword, as new titles are constantly being released. If one game proves to be very secure but is not in high demand, people just move on. But if publishers don’t protect their games, they lose money; if they do and it takes too long, people move on. There just seems to be no winning for the publishers at all. A protection company would need a constant series of wins before becoming a threat.

Even though Ubisoft’s uPlay system is very customer-unfriendly, it seems to be doing the trick. There seem to be only two ways to crack the UbiDRM: either by pretending to be the server (emulation) or by removing the DRM from the game exe file. Both are difficult tasks.

The first round of UbiDRM was removed through a cracking process and server-side emulation, through a program called dormine. Skidrow created the crack and released it, but to the jeers of the other groups, who believe that they stole code. Technically that’s not completely true: did they take the dormine code? Yes. But in the rules (yes, cracking groups do have unspoken ones) there has never been any mention of not being able to borrow code. And as it stands, the dormine program will only get you to second base with UbiDRM. It only solves the handshake, TCP and encryption, i.e. once you have the message you still have to know the correct responses. Skidrow did a commendable job in figuring out the rest, and for the first Ubisoft games, all their bases were belonging to Skidrow.

The second method is just a pure crack. This doesn’t require an emulation of the server because it strips out the protection code completely. However, this is a difficult task, because you have to manually search for the parts, figure out what they are doing, try to remove them, and make sure that you haven’t missed anything. Finally, it’s extremely difficult if Ubisoft is withholding parts of the game files, because now it’s not about removing the security protection, it’s about rewriting the missing parts.

Imagine I could tell you the story of Bram Stoker’s Dracula; could you then write a page, or even a paragraph, exactly from memory? How hard would that be? We know Ubisoft is on to a winner with this security protection system. But as for creating a revenue source from their DRM, they have a long way to go.
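To make the difference between the two designs concrete, here is an added example (not code from the post, and not Ubisoft’s real protocol): a simulation in which the old style gates local data behind one boolean check, while the partial-file style keeps part of the game on the server and releases it only after a challenge-response handshake. The HMAC handshake and all level data are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data (not from any real game): the level the client
# has on disk, and the part the publisher withheld to the server side.
LOCAL_LEVELS = {1: b"level-1 geometry and scripts"}
SERVER_ONLY_LEVELS = {2: b"level-2 geometry and scripts"}
ACCOUNT_SECRET = b"per-account-secret-from-activation"  # assumed design


def license_is_valid() -> bool:
    """Old style: a single boolean gate. Whatever makes this return True
    unlocks everything that is already on disk."""
    return False  # constructed: this copy is not licensed


def load_level_old_style(level: int, check=license_is_valid) -> Optional[bytes]:
    if not check():
        return None  # the tell-tale sign: the game stops right here
    return LOCAL_LEVELS.get(level)


class Server:
    """Holds the withheld files and releases them only to a client whose
    reply to its nonce is the correct HMAC (assumed handshake design)."""

    def __init__(self) -> None:
        self.nonce: Optional[bytes] = None

    def challenge(self) -> bytes:
        self.nonce = os.urandom(16)
        return self.nonce

    def fetch(self, level: int, response: bytes) -> Optional[bytes]:
        if self.nonce is None:
            return None  # no handshake, no data
        expected = hmac.new(ACCOUNT_SECRET, self.nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        return SERVER_ONLY_LEVELS.get(level)


def load_level_partial(level: int, server: Server, secret: bytes) -> Optional[bytes]:
    """Partial-file style: the check's result *is* the data. There is no
    branch to skip, because the missing bytes only exist on the server."""
    local = LOCAL_LEVELS.get(level)
    if local is not None:
        return local
    nonce = server.challenge()
    response = hmac.new(secret, nonce, hashlib.sha256).digest()
    return server.fetch(level, response)
```

Forcing the old-style gate to pass yields every local level, but level 2 is simply absent from disk, so only a client that completes the handshake (or, as the post says, someone who rewrites the missing parts) ever obtains it.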

As for Tom Clancy’s H.a.w.x. 2, this is unfortunately a game with an average want value. Most people are willing to wait for this game to be cracked, because it’s not high on their Christmas list. Next year Ubisoft will be releasing Assassin’s Creed Brotherhood, a highly anticipated game that will be on everyone’s want list. This is the real litmus test, and I fear Ubisoft should have released this DRM with that game instead, as this has given the crackers time to explore this method, which, depending on the circumstances, could hinder the UbiDRM in protecting Assassin’s Creed Brotherhood.

But for the many illegal downloaders looking to get their hands on H.a.w.x. 2, it’s a case of singing “All I want for Christmas!” And it’ll probably happen too!
