44 comments on “Reversing Cemu”

          • “I do wonder why you lurk here now though.”

            I don’t really know how to respond to that. This specific blog post was posted to r/Emulation. I was the one who approved the post; didn’t know this blog existed prior to that. So, not really lurking. Wandered back here again now to pull up the link on your info on JohnGBA to let someone on the Nvidia Shield forums know they’re better off not using it and remembered I commented here.

        • You do know it’s coming out for free, right? There is a difference between pirating stuff because you would not be able to afford it, and pirating because you did not want to pay. I suspect you are the former.

  1. Any chance you could upload the modified exe or is this strictly educational? This is a really well done article/tutorial, but even with the screenshots I was lost haha. I’m sure I could follow if I knew jack shit about using x64dbg or coding in general. Hopefully in the future.

  2. I’d say not encrypting the executable, or at least a vital part of it, is a huge mistake on their part (though the executable might get detected as malicious, obviously). Simple code encryption with a hardware-bound key (so you need the licensee’s hardware data as well to decrypt) sent by a server is usually enough for niche software like this that doesn’t have some huge userbase or dedicated crackers; just be careful and don’t encrypt stuff that can be copy-pasted from previous builds. With the current protection, the executable can be shared with a cracker by anyone who happened to “purchase” it; if it were encrypted it would at least require the cracker to purchase it or to cooperate with the license holder, who would need to either intercept the key, dump the decrypted code or provide the hardware data.

    • Which is what I suggested. Obfuscation of any kind using a protection system will be a massive help. Many DRMs in the shareware world bind encryption to serial numbers, so it’s not hard at all. Though this has flaws, like Armadillo’s “secured sections” method, which wasn’t secure at all, as proven by the likes of Mr eXodia/TPoRT and Fungus/SnD. (read: decryption without even a valid serial key)

    • They’re literally not considering that Cemu’s devs always release the free version of the Patreon builds one week after those. In any case, Mudlord’s suggestions would strongly improve the trend that you seem to hate/dislike anyway.
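The scheme sketched in comment 2 (one encrypted section shipped in every copy, a per-licensee key handed out by a server and bound to that licensee’s hardware data) as a runnable model. This is an added example, not Cemu’s code and not code from any commenter; the hardware fingerprint inputs, the build label and the “protected” bytes are constructed, and HMAC-SHA256 in counter mode with an encrypt-then-MAC tag stands in for AES-GCM so it runs on the standard library alone.

```python
"""Hardware-bound key wrapping for an encrypted code section (stdlib only).

Constructed model, not Cemu's code and not any commenter's code: one build
ships a single encrypted section; the server hands each licensee the section
key wrapped under a mask derived from that licensee's registered hardware
fingerprint; the client can only unwrap it on hardware that reproduces the
same fingerprint.  HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag
stands in for AES-GCM so the example runs without third-party packages.
"""
import hashlib
import hmac
import os
from typing import Optional

BUILD_ID = b"patreon-build-1.7.3"  # constructed label for the shipped build

# Constructed stand-in for the "vital" section: a few bytes that look like
# x86-64 code (push rbp; mov rbp,rsp; nops; ret).  The real thing would be
# the licence check or a hot path the emulator cannot work without.
PROTECTED_SECTION = b"\x55\x48\x89\xe5" + b"\x90" * 28 + b"\xc3"


def hwid_fingerprint(disk_serial: str, mac: str) -> bytes:
    """Hardware fingerprint as a 32-byte hash.  Inputs are constructed here;
    a real client would read them from the machine."""
    return hashlib.sha256(f"{disk_serial}|{mac}".encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: block_i = HMAC(key, nonce || i).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(section_key: bytes):
    # Separate encryption and MAC keys derived from the one section key.
    enc_key = hashlib.sha256(b"enc|" + section_key).digest()
    mac_key = hashlib.sha256(b"mac|" + section_key).digest()
    return enc_key, mac_key


def seal_section(section_key: bytes, plaintext: bytes) -> bytes:
    """Build step: nonce || ciphertext || tag, encrypt-then-MAC."""
    enc_key, mac_key = _subkeys(section_key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_section(section_key: bytes, blob: bytes) -> Optional[bytes]:
    """Load step: the section bytes, or None if the key is wrong or the blob
    was tampered with (the tag is checked before anything is decrypted)."""
    if len(blob) < 16 + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(section_key)
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def server_wrap_key(section_key: bytes, registered_hwid: bytes, build_id: bytes) -> bytes:
    """Server side: the section key XORed with a mask only the registered
    hardware can recompute.  Binding build_id keeps one build's response
    from unlocking a later build that reuses the same section bytes."""
    mask = hmac.new(registered_hwid, build_id, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(section_key, mask))


def client_unlock(blob: bytes, wrapped_key: bytes, local_hwid: bytes,
                  build_id: bytes = BUILD_ID) -> Optional[bytes]:
    """Client side: recompute the mask from local hardware, unwrap, decrypt.
    The return value is the plaintext section: once this has run, a licensee
    can dump it, which is exactly the limit the comment points out."""
    mask = hmac.new(local_hwid, build_id, hashlib.sha256).digest()
    section_key = bytes(a ^ b for a, b in zip(wrapped_key, mask))
    return open_section(section_key, blob)


def demo():
    """Seal once, serve one licensee, try the unlock on two machines."""
    section_key = os.urandom(32)
    blob = seal_section(section_key, PROTECTED_SECTION)          # shipped with every copy
    licensee = hwid_fingerprint("WD-WX11A2345678", "00:11:22:33:44:55")
    wrapped = server_wrap_key(section_key, licensee, BUILD_ID)   # sent to that licensee only
    on_licensee_box = client_unlock(blob, wrapped, licensee)
    on_other_box = client_unlock(blob, wrapped, hwid_fingerprint("ST9000-ABCD", "aa:bb:cc:dd:ee:ff"))
    return on_licensee_box, on_other_box


if __name__ == "__main__":
    good, bad = demo()
    print("licensee hardware:", good == PROTECTED_SECTION)
    print("other hardware:   ", bad)
```

Two caveats a practitioner would add to the comment’s own one (the decrypted section can be dumped once it is in memory): the mask is only as strong as the fingerprint behind it, and a disk serial plus a MAC has far fewer than 256 bits of entropy, so an attacker holding the binary and one wrapped key can brute-force plausible hardware profiles offline; and the wrapped key must not be cached unprotected on disk, or it travels with the executable just as the executable does today.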

  3. Thank you for this wonderful article, so so interesting. Is there any chance you could circle exactly which code you are talking about in each screenshot?
    I wish to understand this much better

  4. Pretty cool!

    I noticed they use HTTPS on the URLs. For the user’s (and their pocket’s) sake, they should really use HTTPS and really check if the cert is OK.

      • I wonder if it’s because the Cemu team’s focus is on developing the emulator and they are just trying to apply cursory protection against someone who might abuse the early Patreon releases. As was mentioned earlier, they release the same build into the wild only one week later, so I wonder if they just “threw some DRM in” to protect the Patreon value and called it good.

        Of course, I don’t know much about DRM implementation. Employing a more robust system may be very simple. (Your conclusions lead me to believe that they might be easier to apply than I originally thought.) I’m just glad that they don’t spend TOO much time on that portion.

        An excellently written article and a fascinating exercise. Thank you for walking us through the logic and tools you use while reverse engineering.
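On the certificate point raised in comment 4, an added example (not from the post, the commenters or the Cemu project) that puts the verification-disabled TLS client setup often seen in licence-check code next to the strict one, and adds a certificate pin so that a CA-issued certificate for some other name, or a compromised CA, is not enough to impersonate the licence server. The host, port and the DER bytes used for the offline check are constructed.

```python
"""Checking the server certificate on a licence-check connection (stdlib).

Added example, not Cemu's code: contrasts a verification-disabled SSLContext
with a strict one, and adds a certificate pin on top of CA validation.
The DER bytes and pin below are constructed so the checks run offline.
"""
import hashlib
import hmac
import socket
import ssl
from typing import Iterable


def insecure_context() -> ssl.SSLContext:
    """The weak setting: any certificate, any name.  A man in the middle can
    present a self-signed cert and answer the licence check itself."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_context() -> ssl.SSLContext:
    """The corrected setting: system CA store, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True only if the chain is validated and the name is checked."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def cert_pin(der_cert: bytes) -> str:
    """Pin = hex SHA-256 over the DER certificate.  Pinning the leaf means every
    renewal needs a client update; pinning the SPKI or the issuing CA is the
    usual compromise but needs an ASN.1 parser the stdlib does not provide."""
    return hashlib.sha256(der_cert).hexdigest()


def cert_matches_pins(der_cert: bytes, pins: Iterable[str]) -> bool:
    digest = cert_pin(der_cert)
    return any(hmac.compare_digest(digest, p.lower()) for p in pins)


def connect_pinned(host: str, port: int, pins: Iterable[str], timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection that passes CA validation AND matches a pin.
    Raises ssl.SSLError on CA/name failure and SSLCertVerificationError on a
    pin mismatch, so the caller cannot accidentally proceed unverified."""
    ctx = strict_context()
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not cert_matches_pins(der, list(pins)):
        tls.close()
        raise ssl.SSLCertVerificationError(f"certificate for {host} does not match any pin")
    return tls


# Constructed stand-in for a DER certificate and its pin (not a real cert).
FAKE_DER_CERT = b"\x30\x82\x01\x00" + bytes(range(256))
FAKE_PIN = cert_pin(FAKE_DER_CERT)


if __name__ == "__main__":
    print("strict:", context_is_strict(strict_context()))
    print("insecure:", context_is_strict(insecure_context()))
    print("pin matches:", cert_matches_pins(FAKE_DER_CERT, {FAKE_PIN}))
    # connect_pinned("license.example.invalid", 443, {FAKE_PIN})  # hypothetical host, needs network
```

The check to make when auditing a client like this is the one `context_is_strict` encodes: find the SSLContext (or the equivalent WinHTTP/OpenSSL flags in a native binary) and confirm that chain validation and hostname checking are both on. A client that disables either can be redirected to an attacker’s licence server with nothing more than a hosts-file entry.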

  5. This article is awesome! Does anyone know where I can find similar articles for other x86 software? I’ve done reversing for Android apps but would love to learn more about PC software 🙂

    • Assuming I don’t get into trouble with my webhost for hosting such tutorials, maybe I should continue looking at other payware emulator stuff to see where their implementations can be improved. Or other stuff in general.

      I am not sure where to find stuff these days. Usually places like Exetools and other places in the P2P scene would have stuff like this.

  6. Thanks for the patch! Now I can run the 1.7.0 I found a download link for at full speed without paying. :o)

    • I am not allowed to have an opinion on what you said, lest the reddit community bring out torches and pitchforks. So I am going to remain silent.

      Right now they are more busily debating morality instead of the objective, technical aspects of the article. Which I guess is to be expected, especially from reddit’s emulation “community”. Only a tiny minority have read it, it seems, and the rest seem to be based on morality.

      Shame that reddit does not allow practical discussion of reverse engineering, for reasons that stifle freedom of information.

      • There’s /r/ReverseEngineering, I’m not sure if your post would be allowed there but an article on cracking Sublime Text was submitted both there and /r/programming recently and it stayed just fine.

  7. Do you know anything about removing UPlay or Steam DRM so you can run games without having their client running in the background, wasting RAM, causing problems, etc.?
    One of the main problems with uPlay games I’m having is I can’t inject d3d9.dll wrappers for things like HiAlgo SWITCH or custom textures / texture or model ripping.

    • Some uPlay games, iirc, are protected with VMProtect or Denuvo, which are designed to be very hard to circumvent. It depends on the game, but I’ve seen Far Cry 4 using VMProtect to obfuscate things. The Orbit (uPlay) API itself is fairly simple to bypass; it just needs a proxy DLL.

    • Well, out of curiosity, I looked at one of the newer 1.7.3 builds floating around. I noticed that they changed the hashing and the hwids yet again, which means yet more reversing. So instead I shot some holes into it so my old method would still work with it. Not as elegant, but did the job. Would I release it? Doubt it. I thought that writing a tutorial on the DRM would instruct people on it, not to lead to people begging just for cracks.

  8. Hey, this was a pretty spiffy tutorial. I found it looking for some general tutorials on using x64dbg.

    nice work, hope one day you’ll consider video tutorials too!

    • The problem I find with video tutorials is they don’t really teach much. They are just some person point and clicking instead of explaining how in depth something is done so then you can work the rest out yourself. To me, video tutorials are just a means to show off :/.

      • I mostly share your view, when the video only shows the finish line (an impressive result, with none of steps that lead to there).

        By the way, there are effective pros for videos:

        – Practical, puts things together, teaches more widely than you intend to: if you track down the calls that built a UI string (“verified”, “unverified”), maybe you’ll do some twist, some tooling combo-move with your toolbox. This would probably never be told in a written version of the tutorial. Also, in the written version, you could jump from one step to another, with the transition being hard to understand. In the written version, this gap was made to be concise or to save time. Orally, there would be no doubt about this transition.

        – Less time consuming for the author: think of the learning move you want to take, prepare a text buffer to share important bits with spectators, turn on recording, speak, and that’s all, probably: no screenshots, not much text or grammatical brainstorming to get it down on paper.

        – Sexual arousal ..!Oo.

        The main pitfall is probably not purposely struggling to be explicit orally: going too fast, doing stuff without commenting by voice, not saying shortcuts out loud, or... Well, there is also a risk of dropping off the tutorial topic by going into too many side topics.

        Video looks more like a proficient but messy teaching toolbox, in fact. At school, we’re taught by “live” hologram videos (i.e. teachers) all day long :p

  9. Hey, thanks for making a step-by-step. I tried to follow it but it was definitely too hard for me; Cemu 1.7.3d stopped working, and I learned about DRM. Any hope of you doing it again, or PMing a link to a working version? Or do I have to wait for the 18th? Anyway, I learned something.

  10. Nice tutorial for noobs, well done. You can give a man a fish and he will depend on you, or you can teach him to fish and he will have the tools to feed himself.
    If you want to learn reverse engineering, Google “Lena crackme”.
    Cemu doesn’t really offer much protection; it’s actually embarrassingly simple, but I believe that’s only because they are focused on the emulator itself. The fact that they are responding to your hacking attempts suggests they are taking greater efforts and will probably continue if you continue to release cracked versions. The question I have to ask you is, if these guys release the full version 1 week after the Patreon release, then why bother cracking it? For the punters? Let them wait. They suck up your ass because they want your talent; it’s not like they are students of RE. Crack the protection, post your proof, but don’t give these kiddies the drugs. All they want is instant gratification. Make them wait; I do.

    • Yah, Lena’s stuff is quite nice for shit like this. There has been other tutorial series too. I got sick and tired of all the constant begging for cracks.

      Your idea of posting proof is nice…..I could just post videos showing I cracked it. Guess there is no harm in doing that.

        • It all depends on who you crack for 😉 These guys will give you credit because you give them something they didn’t want to wait 1 week for, and yep, they will always want more. Worse still is when you don’t give it to them; they will bait you with bullshit like “this protection must be too hard for you”, a never-ending cycle. Posting proof shows them you can but keeps them from what they want... and yes, they will cry and moan for it. I loved this post because it was informative and is a nice, clear explanation of the process involved in RE software.
          Lena’s tutorials were where I started, and your guide is certainly complementary for anyone wanting to see real-world examples. Keep up the great posts and fuck the scabs; they don’t even understand the beautiful challenge of reverse engineering.
