IMRP Launcher analysis - Spyware or not?

water

New member
Joined
Apr 21, 2021
Messages
2
Reaction score
0
Location
Russia
IMRP is probably one of the oldest SAMP servers which is still running.

The gamemode is a combination of Roleplay and Deathmatch which is enjoyable for many players.

Several years ago, woot aka the server owner, introduced an IMRP launcher (which is actually anti-cheat).

Recently, there has been talks about account breaching, which made IMRP players question what this IMRP launcher is actually acessing to.
Some say it is a spyware, some say it can check your GTA folders, other say it can check your whole HDD. Some say it records your game in real time, but nobody gave an exact answer.

I willdrop a download link of this thing down below; if anyone with a little more experience would like to check and analyze what this program actually does, it would answer many questions.
(Original download link is at their website, I am not sure if I am allowed to post it)
 

Attachments

  • IMRP.rar
    18.3 KB · Views: 23
Last edited:

0x_

Wtf I'm not new....
Staff member
Administrator
Joined
Feb 18, 2013
Messages
1,123
Reaction score
174
// Update:
I analyzed it a little bit for 5 minutes, low security and it's not recording your screen permanently.
What it does (this list will expand while im analyzing but cbf rn):
  • It's able to screenshot your game (in that case everything in the dx buffer) you can bypass that by hooking D3DXSaveSurfaceToFileInMemory and temporarily disabling overlay(s) and everything alike.
  • It's iterating trough your GTA:SA dir (who thought that omg!).
  • Maybe more?
But whatever, it contains some auto update stuff so malicous code could be removed already above knowledge is only based on the game side of things.
Don't see many reasons to go further into it, it's some shitty C# stuff with a simple not encrypted tcp stream and http calls. You can easily get some basic code going to emulate this thing.

They can smuggle malicous code into it any time they want so meh, just don't use it if you dont trust them. Any program you run can do something malicious there's nothing stopping them.

You could also hijack the socket and imitate their weird ping pong stuff and just don't send info.
 
Last edited:

SobFoX

Expert
Joined
Jul 14, 2015
Messages
1,464
Solutions
5
Reaction score
916
Location
Israel
He just needs to use the DLL injection that will work for him
 

0x_

Wtf I'm not new....
Staff member
Administrator
Joined
Feb 18, 2013
Messages
1,123
Reaction score
174
He just needs to use the DLL injection that will work for him
What? dunno if they iterate modules yet but if his cheat has some GUI they can easily make a screen snap if there isn't something to counteract that.
 
Joined
Jul 14, 2015
Messages
11
Reaction score
0
Been looking for cheats that work with their launcher, couldn't find one so I gave up a long time ago.
 

SobFoX

Expert
Joined
Jul 14, 2015
Messages
1,464
Solutions
5
Reaction score
916
Location
Israel
Been looking for cheats that work with their launcher, couldn't find one so I gave up a long time ago.
Everything works, just instead of using the injection
ASI LOADER, inject them with a thrown DLL
From another folder (not the game folder)
 

Parazitas

God
Staff member
Joined
Jan 2, 2017
Messages
3,315
Solutions
7
Reaction score
935
Location
Lithuania
Everything works, just instead of using the injection
ASI LOADER, inject them with a thrown DLL
From another folder (not the game folder)

You should make video about that, only 10% understand what you just write ..
 

SobFoX

Expert
Joined
Jul 14, 2015
Messages
1,464
Solutions
5
Reaction score
916
Location
Israel
You should make video about that, only 10% understand what you just write ..
It's not worth a video
Take the ASI files including your CLEO, SAMPFUNCS, MOONALODER folder
To another folder (separate)
Rename the file from the end of "ASI" to "DLL" and use the DLL fountain and inject into the game as in the next video
By the way you can see a bit how the first part works
 

Attachments

  • IMRP.Launcher.zip
    21.9 KB · Views: 14

monday

Expert
Joined
Jun 23, 2014
Messages
1,127
Solutions
1
Reaction score
158
I remember testing it long time ago and it additionally sent a list of currently running processes. Whenever you started a new program, it sent an update as far as I can remember.

Edit:
Btw, is there a chance that you post a link to imrp threads where people talk about it? @water
 

0x_

Wtf I'm not new....
Staff member
Administrator
Joined
Feb 18, 2013
Messages
1,123
Reaction score
174
I remember testing it long time ago and it additionally sent a list of currently running processes. Whenever you started a new program, it sent an update as far as I can remember.

Edit:
Btw, is there a chance that you post a link to imrp threads where people talk about it? @water

Yea the injected C# module (IMRP.Core) does that. (Process32 WinAPI stuff)
 

water

New member
Joined
Apr 21, 2021
Messages
2
Reaction score
0
Location
Russia
// Update:
I analyzed it a little bit for 5 minutes, low security and it's not recording your screen permanently.
What it does (this list will expand while im analyzing but cbf rn):
  • It's able to screenshot your game (in that case everything in the dx buffer) you can bypass that by hooking D3DXSaveSurfaceToFileInMemory and temporarily disabling overlay(s) and everything alike.
  • It's iterating trough your GTA:SA dir (who thought that omg!).
  • Maybe more?
But whatever, it contains some auto update stuff so malicous code could be removed already above knowledge is only based on the game side of things.
Don't see many reasons to go further into it, it's some shitty C# stuff with a simple not encrypted tcp stream and http calls. You can easily get some basic code going to emulate this thing.

They can smuggle malicous code into it any time they want so meh, just don't use it if you dont trust them. Any program you run can do something malicious there's nothing stopping them.

You could also hijack the socket and imitate their weird ping pong stuff and just don't send info.

Thank you so much for the response. Thank you for pointing out what you have captured so far.
I believe peoples main concern currently is if the stuff they've got on their HDD is safe. Nobody would care if it scans the GTA directory only, but if it goes through HDD, then we have a problem (This would be breaking privacy laws in dozen of countries).

Everything works, just instead of using the injection
ASI LOADER, inject them with a thrown DLL
From another folder (not the game folder)
If the launcher can capture your screen, as 0x said above, does that mean you will get busted either way if checked by the owners, if you are using an obvious cheat like m0d sa or nametags (example)?

I remember testing it long time ago and it additionally sent a list of currently running processes. Whenever you started a new program, it sent an update as far as I can remember.

Edit:
Btw, is there a chance that you post a link to imrp threads where people talk about it? @water
Server general talk on the forums. However this thread is constatly spammed by shitposters, so you might scroll back a little.
 

SobFoX

Expert
Joined
Jul 14, 2015
Messages
1,464
Solutions
5
Reaction score
916
Location
Israel
Thank you so much for the response. Thank you for pointing out what you have captured so far.
I believe peoples main concern currently is if the stuff they've got on their HDD is safe. Nobody would care if it scans the GTA directory only, but if it goes through HDD, then we have a problem (This would be breaking privacy laws in dozen of countries).


If the launcher can capture your screen, as 0x said above, does that mean you will get busted either way if checked by the owners, if you are using an obvious cheat like m0d sa or nametags (example)?


Server general talk on the forums. However this thread is constatly spammed by shitposters, so you might scroll back a little.
If it is possible to get a download link to the file it downloads from you (IMRP.Launcher.exe)
To see the use of "D3DXSaveSurfaceToFileInMemory" and more ..
We can patch and hack, basically undo the parts of the code that are causing problems for you,
Some time ago I did this with software that would send a picture of my game
I changed it to a picture of my ass ..
 

0x_

Wtf I'm not new....
Staff member
Administrator
Joined
Feb 18, 2013
Messages
1,123
Reaction score
174
@SobFoX
Just hook DirectX no need to edit their module.

@water
That's hard to say, they could target individual people with their auto updater or implement fishy stuff and then remove it the next day..

For extra security you could block specific packets for the detection (if there are any dunno yet)
 

SobFoX

Expert
Joined
Jul 14, 2015
Messages
1,464
Solutions
5
Reaction score
916
Location
Israel
@SobFoX
Just hook DirectX no need to edit their module.

@water
That's hard to say, they could target individual people with their auto updater or implement fishy stuff and then remove it the next day..

For extra security you could block specific packets for the detection (if there are any dunno yet)
Look at the details
 
Top