IMRP Launcher analysis - Spyware or not?

[water]

IMRP is probably one of the oldest SAMP servers which is still running.

The gamemode is a combination of Roleplay and Deathmatch which is enjoyable for many players.

Several years ago, woot aka the server owner, introduced an IMRP launcher (which is actually anti-cheat).

Recently, there has been talks about account breaching, which made IMRP players question what this IMRP launcher is actually acessing to.
Some say it is a spyware, some say it can check your GTA folders, other say it can check your whole HDD. Some say it records your game in real time, but nobody gave an exact answer.

I willdrop a download link of this thing down below; if anyone with a little more experience would like to check and analyze what this program actually does, it would answer many questions.
(Original download link is at their website, I am not sure if I am allowed to post it)

 

[0x_]

// Update:
I analyzed it a little bit for 5 minutes, low security and it's not recording your screen permanently.
What it does (this list will expand while im analyzing but cbf rn):

• It's able to screenshot your game (in that case everything in the dx buffer) you can bypass that by hooking D3DXSaveSurfaceToFileInMemory and temporarily disabling overlay(s) and everything alike.
• It's iterating trough your GTA:SA dir (who thought that omg!).
• Maybe more?

But whatever, it contains some auto update stuff so malicous code could be removed already above knowledge is only based on the game side of things.
Don't see many reasons to go further into it, it's some shitty C# stuff with a simple not encrypted tcp stream and http calls. You can easily get some basic code going to emulate this thing.

They can smuggle malicous code into it any time they want so meh, just don't use it if you dont trust them. Any program you run can do something malicious there's nothing stopping them.

You could also hijack the socket and imitate their weird ping pong stuff and just don't send info.

 

[SobFoX]

He just needs to use the DLL injection that will work for him

 

[0x_]

He just needs to use the DLL injection that will work for him

What? dunno if they iterate modules yet but if his cheat has some GUI they can easily make a screen snap if there isn't something to counteract that.

 

[Marshall_Crawford]

Been looking for cheats that work with their launcher, couldn't find one so I gave up a long time ago.

 

[SobFoX]

Been looking for cheats that work with their launcher, couldn't find one so I gave up a long time ago.

Everything works, just instead of using the injection
ASI LOADER, inject them with a thrown DLL
From another folder (not the game folder)

 

[Parazitas]

Everything works, just instead of using the injection
ASI LOADER, inject them with a thrown DLL
From another folder (not the game folder)

You should make video about that, only 10% understand what you just write ..

 

[SobFoX]

You should make video about that, only 10% understand what you just write ..

It's not worth a video
Take the ASI files including your CLEO, SAMPFUNCS, MOONALODER folder
To another folder (separate)
Rename the file from the end of "ASI" to "DLL" and use the DLL fountain and inject into the game as in the next video

By the way you can see a bit how the first part works

 

[monday]

I remember testing it long time ago and it additionally sent a list of currently running processes. Whenever you started a new program, it sent an update as far as I can remember.

Edit:
Btw, is there a chance that you post a link to imrp threads where people talk about it? @water

 

[0x_]

I remember testing it long time ago and it additionally sent a list of currently running processes. Whenever you started a new program, it sent an update as far as I can remember.

Edit:
Btw, is there a chance that you post a link to imrp threads where people talk about it? @water

Yea the injected C# module (IMRP.Core) does that. (Process32 WinAPI stuff)

 

[water]

// Update:
I analyzed it a little bit for 5 minutes, low security and it's not recording your screen permanently.
What it does (this list will expand while im analyzing but cbf rn):

• It's able to screenshot your game (in that case everything in the dx buffer) you can bypass that by hooking D3DXSaveSurfaceToFileInMemory and temporarily disabling overlay(s) and everything alike.
• It's iterating trough your GTA:SA dir (who thought that omg!).
• Maybe more?

But whatever, it contains some auto update stuff so malicous code could be removed already above knowledge is only based on the game side of things.
Don't see many reasons to go further into it, it's some shitty C# stuff with a simple not encrypted tcp stream and http calls. You can easily get some basic code going to emulate this thing.

They can smuggle malicous code into it any time they want so meh, just don't use it if you dont trust them. Any program you run can do something malicious there's nothing stopping them.

You could also hijack the socket and imitate their weird ping pong stuff and just don't send info.

Thank you so much for the response. Thank you for pointing out what you have captured so far.
I believe peoples main concern currently is if the stuff they've got on their HDD is safe. Nobody would care if it scans the GTA directory only, but if it goes through HDD, then we have a problem (This would be breaking privacy laws in dozen of countries).

Everything works, just instead of using the injection
ASI LOADER, inject them with a thrown DLL
From another folder (not the game folder)

If the launcher can capture your screen, as 0x said above, does that mean you will get busted either way if checked by the owners, if you are using an obvious cheat like m0d sa or nametags (example)?

I remember testing it long time ago and it additionally sent a list of currently running processes. Whenever you started a new program, it sent an update as far as I can remember.

Edit:
Btw, is there a chance that you post a link to imrp threads where people talk about it? @water

Server general talk on the forums. However this thread is constatly spammed by shitposters, so you might scroll back a little.

 

[SobFoX]

Thank you so much for the response. Thank you for pointing out what you have captured so far.
I believe peoples main concern currently is if the stuff they've got on their HDD is safe. Nobody would care if it scans the GTA directory only, but if it goes through HDD, then we have a problem (This would be breaking privacy laws in dozen of countries).


If the launcher can capture your screen, as 0x said above, does that mean you will get busted either way if checked by the owners, if you are using an obvious cheat like m0d sa or nametags (example)?


Server general talk on the forums. However this thread is constatly spammed by shitposters, so you might scroll back a little.

If it is possible to get a download link to the file it downloads from you (IMRP.Launcher.exe)
To see the use of "D3DXSaveSurfaceToFileInMemory" and more ..
We can patch and hack, basically undo the parts of the code that are causing problems for you,
Some time ago I did this with software that would send a picture of my game
I changed it to a picture of my ass ..

 

[0x_]

@SobFoX
Just hook DirectX no need to edit their module.

@water
That's hard to say, they could target individual people with their auto updater or implement fishy stuff and then remove it the next day..

For extra security you could block specific packets for the detection (if there are any dunno yet)

 

[SobFoX]

@SobFoX
Just hook DirectX no need to edit their module.

@water
That's hard to say, they could target individual people with their auto updater or implement fishy stuff and then remove it the next day..

For extra security you could block specific packets for the detection (if there are any dunno yet)

Look at the details