How Marvel Rivals' Anti-Cheat Actually Works — NeacSafe Explained

If you read three Marvel Rivals cheat blogs in May 2026, at least two of them confidently state that Marvel Rivals uses Easy Anti-Cheat. They are wrong. Marvel Rivals has never shipped with EAC. The driver loading at ring 0 the moment you launch the game is NeacSafe64.sys — NetEase's in-house kernel anti-cheat, packed with VMProtect, loaded out of %TEMP%, and then deleted off disk after the kernel binds it. The 0x90.sh June 2025 reverse-engineering walkthrough is the authoritative public analysis. If you've been buying cheats from vendors advertising "EAC bypass for Marvel Rivals," you've been buying products tuned for the wrong anti-cheat.

This post is a cluster of the Marvel Rivals Cheats Complete 2026 Guide pillar. The pillar gave you the buyer-facing summary of why NeacSafe matters. This piece goes deep on the technical architecture — the driver's anti-analysis surface, its hardware fingerprint read profile, how it differs from EAC and BattlEye at the kernel level, and what the Feb 2025 RCE disclosure changed about NetEase's patch cadence.

The product is NeacSafe, also called NEP, also called NetEase Game Security

Three names for the same thing. NeacSafe is what the community uses (the driver file is NeacSafe64.sys on disk). NEP stands for NetEase Enterprise Protection — you'll see it referenced in the user-mode loader NEP_Usermode.dll and in some leaked NetEase internal documentation. NetEase Game Security is the name NetEase uses in its own consumer-facing support docs.

It's one product. NetEase ships it across the entire NetEase game lineup — Naraka: Bladepoint, Identity V, Once Human, and Marvel Rivals all run the same driver layer. This matters for the cross-NetEase HWID ban behavior covered in Marvel Rivals HWID spoofer + cross-game ban, but it also matters technically because reverse-engineering work done on NeacSafe in Naraka applies almost directly to Marvel Rivals. The 0x90.sh analysis predates Marvel Rivals' launch but applies to it.

NeacSafe is closed-source. NetEase has never published documentation on its detection surface, its kernel callback registrations, or its hardware identifier read profile. Everything in this post comes from independent reverse-engineering — primarily the 0x90.sh writeup, supplemented by community RE work on Naraka and Identity V, plus direct observation of driver behavior in our own research environment.

The driver is VMProtect-packed, which actually matters

EAC is closed-source but readable enough. Static-analysis tools can map its imports, identify its callback registrations, and dump its signature database with effort. BattlEye's BEDaisy.sys is similar — protected but tractable.

NeacSafe is packed with VMProtect 2.x/3.x. VMProtect is a commercial code-obfuscation product (sold separately from any anti-cheat) that virtualizes the protected code into a custom bytecode running on an embedded interpreter. Static analysis becomes dramatically harder. Instead of x86 instructions, you see VM handlers dispatching opaque bytecode opcodes. Defeating VMProtect requires either devirtualization tooling (commercial or in-house — both are non-trivial) or runtime tracing.

What this means in practice: the bypass research investment for NeacSafe is meaningfully larger than for EAC. A vendor that ports their EAC bypass to Marvel Rivals and calls it a day is going to ship a broken product. NeacSafe's behavior — when it scans, what it reads, how it responds to anomalies — has to be observed dynamically because the static binary is essentially unreadable without VMProtect tooling.

The protection is not unbreakable. The 0x90.sh writeup demonstrates that determined RE work yields enough understanding of the driver's behavior to build bypass infrastructure. But it's not the kind of work a reseller scraping forum dumps can do. Real Marvel Rivals bypass capacity requires in-house engineering, which is part of why Raw Rivals is built on our own bypass stack rather than reselling someone else's.

No DriverUnload routine, no kernel-to-user heartbeat

Two technical details from the 0x90.sh analysis that genuinely differentiate NeacSafe from EAC and BattlEye.

Most kernel drivers expose a DriverUnload routine — a function the kernel can call to cleanly tear down the driver. It exists for a normal reason: the OS needs a way to release the driver's resources at shutdown. Anti-cheat drivers also use it as part of clean game-exit teardown. The presence of DriverUnload also gives cheat developers a hook point — calling the unload routine with crafted state is one of several techniques for surgically removing an AC driver.

NeacSafe ships with no DriverUnload routine. The driver is intended to live in kernel memory until the system reboots. There is no clean way to tell it to leave. This is unusual and aggressive — it means even cleanly exiting Marvel Rivals does not unload the AC; the kernel module persists across game sessions until shutdown.

Most modern kernel ACs use a heartbeat protocol — a regular timed exchange between the kernel driver and a user-mode service. The heartbeat does two things: it lets the AC verify its user-mode component hasn't been tampered with, and it lets the kernel detect if the user-mode component is dead (crashed, killed, or replaced with a fake). When the heartbeat fails, the AC takes action — terminate the game, flag the session, escalate.

NeacSafe has no kernel-user heartbeat. The kernel driver and user-mode loader operate more independently than EAC's split. From a defensive engineering standpoint, this is a downside — it means the kernel can't easily detect if its user-mode helper has been compromised. From an offensive engineering standpoint (cheats), it changes the bypass surface significantly. Techniques that target heartbeat manipulation are useless against NeacSafe; the bypass focus shifts to evading the kernel driver's direct memory reads and scan behavior.

Driver loads from %TEMP%, deletes itself off disk

This is the load-and-delete pattern that confuses most forensic analysis.

When Marvel Rivals launches, the user-mode component NEP_Usermode.dll (loaded into the game process) extracts the NeacSafe64.sys driver image from an encrypted resource. The driver is dropped to a path inside the user's %TEMP% directory — typically %TEMP%\<random-name>.sys. The user-mode loader then issues the standard NT load-driver sequence to map the driver into kernel memory.

Once the driver is loaded, the on-disk file is deleted. From this point forward, a forensic snapshot of the filesystem reveals no NeacSafe driver. The kernel-resident driver image is still there in memory, doing its job, but the disk artifact is gone. If you check C:\Windows\System32\drivers\ looking for NeacSafe64.sys, you'll find nothing — the file never lived there in the first place.

This complicates several detection-evasion techniques. Tools that monitor \Driver\ namespace registrations can still see the driver is loaded; tools that watch on-disk files for AC binaries will miss it. The pattern also makes after-the-fact forensic work harder — if you took a disk snapshot after Marvel Rivals had been running for an hour, you would have a snapshot of a system with NeacSafe in kernel memory but no NeacSafe driver file. Investigators unfamiliar with the load-and-delete pattern often conclude there's no AC, which is wrong.

For cheat developers, the pattern is information that informs bypass design. For privacy-concerned players, the pattern means NeacSafe is genuinely harder to confirm-and-remove than most kernel ACs.

The hardware fingerprint read profile (16 identifier categories)

NeacSafe's HWID fingerprint composition is one of the most detailed in the kernel-AC market. The driver reads, at minimum, the following identifier categories. Each gets composed into a hash and sent to NetEase's identification server at session start.

• SMBIOS UUID (the motherboard's primary unique identifier — same field EAC reads)
• Motherboard serial (SMBIOS Type 2)
• Motherboard manufacturer + product strings (SMBIOS Type 1/2)
• All disk serials (SATA + NVMe, every drive attached)
• MAC addresses (every active network adapter, including virtual)
• GPU device UUID (NVIDIA/AMD/Intel — the device-level UUID, not just the device name)
• RAM module serial numbers (where readable from SMBIOS Type 17 — newer RAM modules expose this)
• MachineGuid (Windows registry value at HKLM\Software\Microsoft\Cryptography)
• BIOS version + BIOS release date (SMBIOS Type 0)
• CPU serial (where available — Intel since vPro, AMD via PSP)
• Volume serial numbers (NTFS volume identifiers)
• Network adapter hardware IDs (separate from MAC; identifies the physical NIC chip)
• Monitor EDID (the manufacturer + serial in the monitor's EDID data)
• USB controller IDs (the USB host controller hardware identifiers, not connected device IDs)
• TPM endorsement key (where TPM 2.0 is present and exposed — Win11 systems primarily)
• BIOS UUID (separate from SMBIOS UUID in some implementations)

The composite hash makes the fingerprint resilient to single-component swaps. Replace the motherboard alone? The disk serials, GPU UUID, MAC addresses, RAM serials, monitor EDID, USB controller IDs all stay the same; the new composite hash is still close enough to the old one to flag. Replace the motherboard AND swap drives AND change network adapter AND change monitor? Now you have a meaningfully different fingerprint — but you've also spent more on hardware than years of cheat subscriptions.

This is why Raw Spoofer is non-optional for Marvel Rivals. The cluster on Marvel Rivals HWID spoofer + cross-game ban walks through the per-category spoofability matrix.

How NeacSafe differs from EAC at the kernel level

The architectural comparison most cheat-buying guides skip.

Detection model. EAC runs a signature-scanner-plus-behavioral-telemetry model. The kernel driver scans process memory and kernel memory at regular intervals against a maintained signature database; Epic's behavioral analysis layer (a separate, server-side system) ingests gameplay telemetry. NeacSafe is more scan-and-callback heavy at the kernel level. It registers kernel callbacks on process creation, thread creation, image loading, and handle operations; it scans memory regions on a tighter interval; its server-side behavioral component is less developed (NetEase doesn't have Epic's gameplay telemetry pipeline).

Update cadence. EAC pushes silent updates to its signature database constantly — sometimes multiple times per week. NeacSafe updates are less frequent but more disruptive. When NetEase ships a NeacSafe update, it tends to include kernel-level behavioral changes (not just signature additions), which means cheat bypasses often need engineering work rather than just a database refresh. Cheat vendors that depend on signature-evasion get caught more often on Marvel Rivals than on Fortnite for this reason.

Anti-debug surface. EAC has a published anti-debug surface that anyone with Cheat Engine + WinDbg can characterize after a few hours. NeacSafe's anti-debug is VMProtect-wrapped, which means each anti-debug check looks like opaque VM bytecode rather than identifiable instructions. The development cycle for bypass research is longer.

HWID composition. EAC reads roughly 8-10 identifier categories. NeacSafe reads 16+ categories (see above) and composites them more aggressively. Single-component HWID spoofers that work against EAC frequently fail against NeacSafe because the composite hash is more sensitive.

The February 2025 RCE disclosure changed NetEase's patch posture

A security researcher published a remote code execution disclosure against Marvel Rivals in February 2025. The vulnerability allowed a crafted in-game packet to execute attacker-controlled code on a target player's machine. PC Gamer's coverage walked through the high-level details; the technical writeup is on the researcher's site.

NetEase patched within 24 hours and never issued a public statement about the vulnerability, but the patch landed faster than NeacSafe driver updates typically do. The episode demonstrated that NetEase can move fast on emergency patches when motivated, and that the Marvel Rivals security team is actively monitoring outside disclosures. This matters for cheat operators because it means the "fly under the radar" window after a quiet, non-publicized vulnerability gets shorter when NetEase is paying attention.

The post-Feb-2025 NetEase posture has been more responsive than the pre-Feb-2025 posture. Detection windows on widely-distributed public cheats narrowed from weeks to days. Detection windows on smaller-distribution private cheats are still measured in months, but only because the lower volume keeps them out of NetEase's notice — not because the AC is fundamentally slower.

The bypass surface — surface-only, no methods

We're not going to detail the specific bypass methods we use. That's standard operating policy across Raw Rivals and every other product in the RawCheats lineup. What we can describe at the architectural level:

External cheat, not internal injection. Raw Rivals runs as its own process. NeacSafe's kernel scanner can't sweep memory regions it doesn't own — process memory belonging to a separate process is outside its primary scan surface. Combined with kernel-level memory access for the read side, this gives an externally-running cheat a meaningfully smaller scan-detection surface than an injected cheat would have.

Multi-layered anti-detection. We don't rely on a single technique. Signature scanning, anti-debug detection, and process-memory enumeration all need to be defeated for a kernel-AC bypass to hold across NeacSafe updates. We treat the bypass infrastructure as a moving target — when NetEase ships a NeacSafe behavioral change, we ship a tuned Raw Rivals build within 6-12 hours. The Marvel Rivals ban wave history cluster shows the historical detection-window numbers.

Hardware fingerprint hardening. Raw Spoofer handles all 16 NeacSafe identifier categories at the spoofer level, with per-session randomization. Cross-NetEase HWID ban risk is the reason this is essential rather than optional.

Internal-mode complement planned for the future. Some rage-tier features (exploit-class capabilities) benefit from internal injection. We've committed to an internal-mode complement on the roadmap; the legit-tier core stays external. We're not going to commit to a date, but it's on the HWID Spoofer complete 2026 guide pillar's adjacency.

FAQ — Quick answers on NeacSafe specifics

Is NeacSafe a rootkit? Rhetorically, sure — Steam community threads use the term constantly. Technically, no. NeacSafe operates as a standard ring-0 kernel driver, same architectural pattern as Vanguard, EAC, BattlEye, FACEIT AC, and every other commercial kernel anti-cheat. The "rootkit" framing is informally correct in the sense that all kernel ACs are technically rootkit-class software; it's not specific to NetEase or to NeacSafe.

Does NeacSafe send my data to China? NetEase is a Chinese company headquartered in Hangzhou. Marvel Rivals' anti-cheat telemetry transits NetEase's infrastructure. Whether this constitutes "sending your data to China" depends on what you mean — the telemetry includes the hardware fingerprint, behavioral observations, and session state. It does not include browser history, banking credentials, or general system contents (unlike, say, a Vidar 2.0 infostealer). If your threat model excludes Chinese-headquartered software from your machine entirely, you can't install Marvel Rivals safely. If your threat model is "kernel AC accepted, just not generic credential theft," NeacSafe is comparable to other kernel ACs.

Why doesn't NeacSafe have a heartbeat? Engineering choice by NetEase. The downside is reduced defense against user-mode tampering; the upside (from NetEase's perspective) is simpler architecture and one less component to break. The choice is unusual but defensible.

Can NeacSafe be reverse-engineered fully? Yes, with enough VMProtect-defeating tooling and time. The 0x90.sh writeup demonstrates partial RE. Full RE has not been publicly published. Some bypass developers have proprietary RE capability that exceeds what's been disclosed publicly.

Does NeacSafe scan my entire disk? No. It reads hardware identifiers (SMBIOS, registry, etc.) but does not enumerate disk contents. The kernel-level memory scans cover process memory and kernel memory pools, not user file content.

What this means for cheat buyers

The takeaway from the technical deep-dive: the difference between a Marvel Rivals cheat vendor who knows what NeacSafe is and one who pretends it's EAC is not cosmetic. It's the difference between a product built for the actual anti-cheat and a product tuned for a different game's anti-cheat.

When you're shopping for Marvel Rivals cheats, the editorial-credibility test is simple — does the vendor name NeacSafe? Do they reference the VMProtect packing? Do they acknowledge cross-NetEase HWID ban risk? If yes on all three, they've done the research. If no, they're probably reselling an EAC bypass with the wrong label.

Raw Rivals is built specifically for NeacSafe's behavior — not generic kernel-AC bypass code with a Marvel Rivals logo slapped on. The pillar Marvel Rivals Cheats Complete 2026 Guide covers the broader buyer-facing context; the comparison cluster Raw Rivals vs elitepvpers providers runs the NeacSafe-credibility test on the major 2026 vendors.