Tools: I Reversed Tower of Fantasy's Anti-cheat Driver: A BYOVD Toolkit...
This all started because I wanted to delete my Tower of Fantasy account from over 4 years ago.
For the life of me, I couldn’t find a way to do it without having the game installed. There was no web portal and no obvious support route. Eventually I gave up and decided to just download it.
Tower of Fantasy is over 100 GB so it would be a long install. I already knew the game shipped with an anti-cheat driver from past experience, so while the download crawled along I started poking around the launcher directory. That’s when I noticed GameDriverX64.sys.
Kernel drivers run with the highest privileges on your machine. Anti-cheat drivers use this power to protect games from cheaters, but when they’re poorly written, attackers can abuse that same power against you.
I opened the driver in IDA expecting a wall of virtualized code, probably VMProtect. Instead I got clean, readable functions with no obfuscation or virtualization at all.
By now, the install was at 9%. I had time to dig in.
The previous version of this driver (KSophon_x64.sys) was VMProtect’d to hell, so I was curious why they’d strip protection from a security-critical kernel component. The reason is HVCI.
HVCI (Hypervisor-Protected Code Integrity) is a Windows security feature that uses Hyper-V to enforce code integrity above the NT kernel, enabled by default on clean Windows 11 installs. The key constraint: W^X (Write XOR Execute) enforcement means code pages can’t be both writable and executable. VMProtect’s packing and import protection both violate this, so the driver fails integrity checks on HVCI-enabled systems.
VMProtect can still work under HVCI if you stick to mutation and virtualization macros while avoiding the features that break W^X. They could still protect their imports manually and virtualize the bulk of their code. For some reason, they did neither.
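The W^X constraint described above can be checked statically, because the writable and executable permissions of a driver's code live in its PE section headers. The following is an added example, not code from the original post and not from the game's driver: a small Python parser that walks a PE image's section table and reports any section that is both writable and executable, which is exactly the shape a packer's self-unpacking stub tends to have. The image it scans is constructed in memory with sample section names and flags (the `.packed` section is a made-up stand-in for a packer stub, not a claim about what GameDriverX64.sys or VMProtect actually emit); `build_sample_image` exists only to produce that fixture.

```python
import struct
from typing import List, Tuple

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HEADER_SIZE = 40
COFF_HEADER_SIZE = 20


def parse_sections(image: bytes) -> List[Tuple[str, int]]:
    """Return (name, characteristics) for every section header in a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    # Section headers start right after the (variable-length) optional header.
    first = coff + COFF_HEADER_SIZE + size_of_optional
    sections = []
    for i in range(num_sections):
        off = first + i * SECTION_HEADER_SIZE
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        characteristics = struct.unpack_from("<I", image, off + 36)[0]
        sections.append((name, characteristics))
    return sections


def wx_violations(image: bytes) -> List[str]:
    """Names of sections mapped both writable and executable (W^X violations)."""
    return [
        name for name, chars in parse_sections(image)
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE
    ]


def build_sample_image(section_specs) -> bytes:
    """Build a minimal, constructed PE image (headers only) for offline testing.

    The optional header is omitted (SizeOfOptionalHeader = 0), which is enough
    for a section-table walk but is not a loadable image.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature at offset 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_specs), 0, 0, 0, 0, 0x0022)
    headers = b"".join(
        struct.pack(
            "<8sIIIIIIHHI",
            name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1), 0x200,
            0x400 + 0x200 * i, 0, 0, 0, 0, chars,
        )
        for i, (name, chars) in enumerate(section_specs)
    )
    return bytes(dos) + b"PE\0\0" + coff + headers


# Constructed sample: a normal code section, a normal data section, and a
# hypothetical packer stub that must be rewritten in place, hence RWX.
SAMPLE_SECTIONS = [
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".packed", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]
SAMPLE_IMAGE = build_sample_image(SAMPLE_SECTIONS)


if __name__ == "__main__":
    for name, chars in parse_sections(SAMPLE_IMAGE):
        perms = "".join(
            flag_name if chars & flag else "-"
            for flag_name, flag in (("R", IMAGE_SCN_MEM_READ), ("W", IMAGE_SCN_MEM_WRITE), ("X", IMAGE_SCN_MEM_EXECUTE))
        )
        print(f"{name:<8} {perms}")
    print("W^X violations:", wx_violations(SAMPLE_IMAGE))
```

To run this against a real file, pass `open(path, "rb").read()` to `wx_violations`. The check is deliberately narrow: it only looks at section flags at rest, which is one of the things HVCI rejects. Code that allocates executable memory at runtime and writes into it fails HVCI just the same, and a static section walk cannot see that, so a clean result here means "no packer-style RWX sections", not "HVCI-compatible".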
Even with VMProtect, these vulnerabilities would still exist. The IOCTLs still do what they do and the authentication is essentially nonexistent. Obfuscation makes reversing harder, not impossible.
Source: HackerNews