This all started because I wanted to delete my Tower of Fantasy account from over 4 years ago.
For the life of me, I couldn’t find a way to do it without having the game installed. There was no web portal and no obvious support route. Eventually I gave up and decided to just download it.
Tower of Fantasy is over 100 GB, so it would be a long install. I already knew the game shipped with an anti-cheat driver from past experience, so while the download crawled along I started poking around the launcher directory. That’s when I noticed GameDriverX64.sys.
Note: Kernel drivers run with the highest privileges on your machine. Anti-cheat drivers use that power to protect games from cheaters, but when they are poorly written, attackers can turn the same power against you.
I opened the driver in IDA expecting a wall of virtualized code, probably VMProtect. Instead I got clean, readable functions with no obfuscation or virtualization at all.
By now, the install was at 9%. I had time to dig in.
Important: There’s a lot of noise online about kernel anti-cheats being “spyware” or inherently privacy-invasive. Most of it misidentifies the actual risk. A usermode game client can already steal your browser cookies, log keystrokes, and exfiltrate files without ever touching the kernel. The real concern with kernel anti-cheats isn’t surveillance, it’s that they are security-critical code running at the highest privilege level. When they’re poorly written, they become attack surface, and when they fail, they can take your entire system down with them (e.g. the CrowdStrike incident). For a thorough, level-headed breakdown of the privacy and security tradeoffs, I’d recommend this post by Bevan Philip.
Why Isn’t This Obfuscated?
The previous version of this driver (KSophon_x64.sys) was VMProtect’d to hell, so I was curious why they’d strip protection from a security-critical kernel component. The reason is HVCI.
Definition: HVCI (Hypervisor-Protected Code Integrity, shown in Windows Security as “Memory integrity”) is a Windows feature that moves kernel-mode code integrity decisions out of the NT kernel and into the hypervisor-isolated secure kernel (VTL1), so that even a compromised NT kernel cannot override them. It is enabled by default on clean Windows 11 installs on supported hardware. The key constraint: W^X (Write XOR Execute) enforcement means a kernel page can never be both writable and executable, and a page only becomes executable once its contents have been verified as code from a signed image. VMProtect’s packing and import protection both rely on writing or patching code at runtime and then executing it, so a driver protected that way fails integrity checks on HVCI-enabled systems.
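One static check a practitioner can run on a driver before loading it on an HVCI machine: scan the PE section table for sections whose header requests both write and execute permission, since a W+X section is one of the documented ways a driver is incompatible with memory integrity. The script below is an added example written for this post, not code from the original article or from the game’s developers. It parses the section headers with the standard library only, and the two sample images it checks are constructed in-memory headers-only PE32+ files (the `.vmp0` section name is illustrative of a packer that unpacks in place, not taken from the real driver).

```python
import struct

# Section characteristic flags from the PE/COFF specification (winnt.h).
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000


def parse_sections(image: bytes):
    """Return [(name, characteristics)] from the section table of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size            # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = table + 40 * i                # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        characteristics = struct.unpack_from("<I", image, off + 36)[0]
        sections.append((name, characteristics))
    return sections


def wx_sections(image: bytes):
    """Names of sections whose header asks for both WRITE and EXECUTE (HVCI-incompatible)."""
    return [name for name, c in parse_sections(image)
            if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE]


def build_pe(sections):
    """Constructed minimal PE32+ image (headers only) used as sample input."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew -> PE header
    opt = bytearray(240)                                  # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)                 # Magic = PE32+
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x2022)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed samples: a conventional driver layout, and one with a packer
# section that must be written to (unpacked) and then executed.
CLEAN_DRIVER  = build_pe([(".text", RX), (".data", RW), ("PAGE", RX)])
PACKED_DRIVER = build_pe([(".text", RX), (".data", RW), (".vmp0", RX | IMAGE_SCN_MEM_WRITE)])


if __name__ == "__main__":
    import sys
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or \
              [("clean.sys (sample)", CLEAN_DRIVER), ("packed.sys (sample)", PACKED_DRIVER)]
    for label, image in targets:
        bad = wx_sections(image)
        print(f"{label}: {'W+X sections: ' + ', '.join(bad) if bad else 'no W+X sections'}")
```

Run it with one or more `.sys` paths as arguments, or with none to check the two constructed samples. A clean section table is necessary but not sufficient: a driver can still break W^X at runtime, for example by allocating executable pool and writing code into it, and that only shows up under dynamic testing such as Driver Verifier with code integrity checks on an HVCI-enabled machine.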