Bypassing Marvel Rivals' NetEase Anti-Cheat

Disclaimer
This blog post is for educational and research purposes only. Bypassing anti-cheat mechanisms in online games violates terms of service and can result in bans. Do not attempt to use this knowledge for malicious or unfair gameplay. In addition, this information might be outdated once released.

Overview

NetEase's Marvel Rivals employs a custom anti-cheat system known as NetEase (game security, protection ultra xd cringe). The system leverages kernel-mode protection via a VMProtect-obfuscated driver. This post provides a technical summary of how the anti-cheat behaves and how it could theoretically be bypassed, to help understand the lack of security in the anti-cheat space.

Technical background
The NEP* driver is:
  1. Downloaded into the %TEMP% folder.
  2. Loaded into kernel space.
  3. Immediately deleted from disk post-load, reducing forensic traces.
We can just run a watchdog and copy it before deletion.

The driver is wrapped in VMProtect (versions 2.x–3.x), which adds significant static analysis resistance and anti-debugging features.
The driver does not implement a proper DriverUnload routine. Therefore, it:
  • Cannot be stopped or unloaded using sc stop or via Process Hacker.
  • Requires kernel-level access to forcibly remove it from memory.
The driver has no keepalive/ping check with user mode, which is essentially the core flaw we are gonna abuse.

Bypass Strategy
We're gonna load our own driver (manually mapped, signed and loaded, or by abusing a vulnerable driver), enumerate modules, find the NEP* driver, and just directly unlink it and free its memory region properly.
This bypass works because:
  • The user-mode component of Marvel Rivals (NEP_Usermode.dll) has no anti-cheat ping-back mechanism.
  • Once the driver is removed, the game runs without detecting its absence.
  • This leads to a fully functional game session with the anti-cheat effectively neutralized.

Conclusion
The lack of a robust heartbeat between the user-mode and kernel-mode components of Marvel Rivals' anti-cheat makes it essentially possible to just disable the anti-cheat. This is incredibly bad practice.
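The missing control, sketched as an added example (not code from this post or from NetEase): a challenge-response heartbeat in which the game server issues a fresh nonce and ends the session when the driver's authenticated reply is late, absent, replayed or forged. It is a Python simulation of the protocol logic only; `DriverStub`, `ServerVerifier`, `SESSION_KEY` and `TIMEOUT_S` are hypothetical names, and it assumes a per-session key that only the driver and the server hold.

```python
import hashlib
import hmac
import os

# Constructed demo key; assumed to be provisioned per session to the driver only.
SESSION_KEY = os.urandom(32)
TIMEOUT_S = 5.0  # hypothetical deadline for a heartbeat reply


class DriverStub:
    """Stands in for the kernel driver: answers challenges with an HMAC tag."""

    def __init__(self, key):
        self.key = key
        self.loaded = True

    def answer(self, nonce, seq):
        if not self.loaded:          # driver removed from memory: nobody answers
            return None
        msg = nonce + seq.to_bytes(8, "big")
        return hmac.new(self.key, msg, hashlib.sha256).digest()


class ServerVerifier:
    """Game-server side: issues fresh nonces and enforces deadline and order."""

    def __init__(self, key):
        self.key = key
        self.seq = 0
        self.pending = None          # (nonce, seq, issued_at)

    def challenge(self, now):
        self.seq += 1
        self.pending = (os.urandom(16), self.seq, now)
        return self.pending[0], self.seq

    def verify(self, tag, now):
        if self.pending is None:
            return "no-challenge"
        nonce, seq, issued = self.pending
        self.pending = None          # each nonce is single use, so replays fail
        if tag is None or now - issued > TIMEOUT_S:
            return "missing"         # silence counts as tampering: end the session
        good = hmac.new(self.key, nonce + seq.to_bytes(8, "big"), hashlib.sha256).digest()
        return "ok" if hmac.compare_digest(tag, good) else "forged"


def run_round(server, driver, now, delay=0.0):
    """One heartbeat: the server challenges, the driver answers after `delay` seconds."""
    nonce, seq = server.challenge(now)
    return server.verify(driver.answer(nonce, seq), now + delay)
```

The verifier sits on the server because a check that lives only in the user-mode DLL runs on the same machine as whoever removed the driver.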
 