Mhyprot Insider: Introduction

  • windows
  • mhyprot
  • NT-Kernel

Today, I’ve decided to start a new series, the Mhyprot Insider.
It covers mhyprot, the anti-cheat measure that the Chinese company MihoYo ships with Genshin Impact.

In this series, I’ll keep posting updates explaining how mhyprot works and how sloppy its implementation is.

Mhyprot

Mhyprot is MihoYo’s own kernel-mode anti-cheat implementation,
in which I discovered and reported a vulnerability (see Disclosure of its vulnerability).

For several months after my report they completely ignored me, but they certainly noticed, quietly, that there were critical vulnerabilities.

Then, in December 2020, they signed and released a new version of the driver.

The driver’s IOCTL interface uses a custom payload-encryption scheme.
It looks like they removed the IOCTL command that allowed a user-mode process to copy arbitrary kernel virtual memory.
That command was the one used to snatch the seed with which their dedicated encrypted IOCTL commands are encrypted.

But since both encryption and decryption are completed on the client, I have no hesitation in saying that we are still able to defeat their encryption measures.
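To make that point concrete, here is a toy model added for this post as an illustration; it is not mhyprot’s code, and the opcodes, the seed value and the xorshift keystream are all hypothetical. The client encrypts an IOCTL request with a seed held in its own memory, the driver decrypts with the same seed, and a cheat that has read that seed produces bytes the driver cannot tell apart from the real client’s.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/*
 * Toy model of "client-side payload encryption" for IOCTL requests.
 * Everything here is constructed for illustration: the opcodes, the
 * keystream and the seed are hypothetical, not the real driver's scheme.
 */

#define CMD_PING      0x01u   /* hypothetical opcode */
#define CMD_READ_MEM  0x02u   /* hypothetical opcode */
#define MAX_CMD       0x02u

typedef struct {
    uint32_t command;
    uint64_t address;
    uint32_t length;
} ioctl_request;

/* The seed lives in the game process; the driver holds the same value. */
static uint32_t g_client_seed = 0x5EEDC0DEu;  /* hypothetical value */

/* xorshift32 keystream: deterministic and derived only from the seed. */
static uint32_t xorshift32(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* XOR "encryption": the same routine encrypts and decrypts. */
static void payload_crypt(uint8_t *buf, size_t len, uint32_t seed) {
    uint32_t state = seed ? seed : 1u;  /* xorshift needs a non-zero state */
    uint32_t key = 0;
    for (size_t i = 0; i < len; i++) {
        if ((i & 3) == 0) key = xorshift32(&state);
        buf[i] ^= (uint8_t)(key >> ((i & 3) * 8));
    }
}

/* Client side: serialise the request and encrypt it with the seed. */
size_t build_payload(const ioctl_request *req, uint32_t seed, uint8_t *out, size_t cap) {
    if (cap < sizeof *req) return 0;
    memcpy(out, req, sizeof *req);
    payload_crypt(out, sizeof *req, seed);
    return sizeof *req;
}

/* Driver side: decrypt with the shared seed and validate. Returns 1 on accept. */
int driver_accept(const uint8_t *in, size_t len, uint32_t seed, ioctl_request *out) {
    if (len != sizeof *out) return 0;
    memcpy(out, in, sizeof *out);
    payload_crypt((uint8_t *)out, sizeof *out, seed);
    return out->command >= 1 && out->command <= MAX_CMD;
}

/* Same request + same seed = same bytes, whoever built them. */
int forged_matches_legit(void) {
    ioctl_request req = { CMD_PING, 0, 0 };
    uint8_t a[sizeof req], b[sizeof req];
    build_payload(&req, g_client_seed, a, sizeof a);  /* built by the game client */
    build_payload(&req, g_client_seed, b, sizeof b);  /* built by a cheat with the seed */
    return memcmp(a, b, sizeof a) == 0;
}

/* A cheat that has read the seed forges a request of its own choosing.
 * Returns the command the driver parsed and accepted, or 0 if rejected. */
uint32_t cheat_forge(uint32_t stolen_seed, uint64_t target) {
    ioctl_request forged = { CMD_READ_MEM, target, 0x1000u };
    uint8_t wire[sizeof forged];
    ioctl_request seen;
    build_payload(&forged, stolen_seed, wire, sizeof wire);
    if (!driver_accept(wire, sizeof wire, g_client_seed, &seen)) return 0;
    return seen.address == target ? seen.command : 0;
}

int main(void) {
    /* "Snatched" seed: in this model the cheat simply reads it from the same process. */
    uint32_t cmd = cheat_forge(g_client_seed, 0xFFFF800012345678ull);
    printf("identical bytes: %d, forged command accepted as: %u\n",
           forged_matches_legit(), cmd);
    return 0;
}
```

The driver has nothing to check the payload against except the seed, and the seed is on the client, so whoever can read the client (or simply call the client’s own encryption routine) speaks the protocol fluently. Replacing the keystream with a real cipher changes nothing about this; only a secret that the client never holds would.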

That’s one of the reasons why cheats haven’t been effectively suppressed even by modern anti-cheats: there is always a possibility of bypassing ANYTHING. No exception.


Next: Mhyprot Insider: Callbacks