I reversed Tower of Fantasy's anti-cheat driver: a BYOVD toolkit never loaded
3 months ago
- #anti-cheat
- #kernel-driver
- #security
- Tower of Fantasy's anti-cheat driver (GameDriverX64.sys) lacks obfuscation, making it easy to reverse-engineer.
- The driver has weak authentication: a hardcoded 32-bit magic value, bypassable DLL checks, and flawed whitelist validation.
- Vulnerabilities include arbitrary process termination (IOCTL 0x222040) and process protection (IOCTL 0x222004), enabling BYOVD (Bring Your Own Vulnerable Driver) attacks, in which an attacker loads a legitimately signed but flawed driver to gain kernel-level capabilities.
- The driver is not actively loaded by the game, which reduces the immediate risk, but as a signed driver with these flaws it remains a security liability.
- HVCI (Hypervisor-Protected Code Integrity) constraints likely led to the removal of VMProtect obfuscation, exposing the driver's flaws.