The emmVRC Issue
Update 2021
Credit where credit's due. As of version 3.0.0, emmVRC can now notify you before using an updated assembly, but only if --emmvrc.paranoid is present in your launch options.

https://gitlab.com/mltn/emmvrc-source
Summary
While there may be no malicious intent, the emmVRC team is acting recklessly and putting too much trust in their own servers, which the mod is forced to connect to for functionality. That trust goes so far that they could easily execute code remotely on your machine. On top of that, the mod sends your user ID and the world ID to their servers every time you join an instance.
Transparency
Transparency is important, especially when it comes to mods. Not only do you have to trust that they won't get you in trouble by being malicious or detectable (because yes, most games have a TOS that disallows modding, malicious or not), but you're also still running their code on your system.
Hypocrisy
Most (if not all) other VRChat mods are open-source; emmVRC isn't. As I said, modifying the VRChat client is very much against the TOS. It sucks, but that's how it is. emmVRC, like all other mods, breaks that TOS; the difference is that emmVRC is being hypocritical.

Their EULA says a similar thing:
Restrictions: You agree not to, and you will not permit others to: b) Reverse engineer, decompile, modify, or otherwise override emmVRC, or its limitations.
That's a very gullible, hypocritical, and overall suspicious stance.
The Loader
The biggest issue with emmVRC is the loader. As you might have noticed, the emmVRCLoader.dll file is only around 14 KB, while other big mods such as UIExpansionKit.dll are around 236 KB.
That's because the actual mod is downloaded from the internet, at runtime, every time you launch VRChat.

This means that your system is at the mercy of https://thetrueyoshifan.com/ every time you launch the game. If anyone were to compromise their server or even their DNS, they could execute any Mono code they want on the machine of everyone who launches VRChat with emmVRCLoader from that point forward.

The loader also has a remote killswitch that asks https://www.thetrueyoshifan.com/BakaUpdate.php?shouldload whether the mod should launch, but other than being a bit odd to me, it doesn't seem malicious.
Networking
emmVRC is a heavily networked mod.

Reporting every world you enter to an external central server is definitely not ideal, but it would still be understandable, since they want to have a blacklist for somewhat competitive worlds. For some reason, though, they also grab your user ID. This allows them to track which worlds each individual user enters, public or not. I can't say whether they actually abuse this power or not, but it doesn't change the fact that this puts even more trust in the server and decreases everyone's privacy.
Bad Actors
The only reason I can come up with for them to keep the mod closed-source and strictly prohibit reverse engineering is to stop bad actors, but let's be honest: bad actors don't care, and only legitimate curious users are impacted. Decompiling Mono code is laughably easy. Because of that, keeping your mod closed will only stop people who are trying to help by opening issues and creating pull requests with fixes.
Alternatives
If you are using emmVRC and you aren't willing to lose out on the features that it brings, please at least switch to alternative open-source mods. Most emmVRC features are available as independent open-source mods that are not connected to the internet.
Remember that if you're missing a useful feature from VRChat, it's probably already submitted to the official feedback page. Help everyone out by upvoting it at https://feedback.vrchat.com/
The Semi-Solution
If you are going to continue using emmVRC, you might as well minimize how vulnerable the launcher makes you. I made a very small open-source program for downloading emmVRC into a .dll file.

You can check out the source code at https://gitlab.com/2qe7pAyD9TK5Ci5b/emmvrc-keeper/-/blob/master/Program.cs
or get the prebuilt program at https://gitlab.com/2qe7pAyD9TK5Ci5b/emmvrc-keeper/-/releases

Run the program to generate the emmVRC.dll file (or check for updates if that file already exists).
Next, force the launcher to load the local binary instead of downloading it from the web. You can either modify the launcher yourself with dnSpy or a similar tool (the code is in emmVRCLoader.UpdateManager, to be precise) or take the easy way out and just pass an argument.

If emmVRCLoader detects a --emmvrc.devmode argument, it loads the mod from a "Dependencies" directory instead of downloading it at runtime.

Try launching VRChat after adding the dev mode argument. The Melon Loader console should show a System.IO error. This means that you did everything correctly and the launcher tried to load a local file instead of downloading it from the web.
Close VRChat and move the emmVRC.dll file into a "Dependencies" folder in the root of VRChat.

From now on, emmVRC won't update without consent, and if the server were to get compromised, at least you're not going to automatically run malicious code.
Keep in mind that VRChat updates from time to time, and so does emmVRC. Make sure to keep track of emmVRC updates; when an update is released and verified, re-run emmVRC keeper to redownload emmVRC.dll and copy it over to Dependencies, replacing the old version.
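
To make "won't update without consent" checkable, you can record the SHA-256 of the emmVRC.dll you accepted and compare it before each launch. The sketch below is an added example, not code from emmVRC or emmVRC keeper; the pin file name emmVRC.pin.json and the function names are assumptions, and the demo runs on constructed stand-in bytes in a temporary directory.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def pin(dll: Path, pin_file: Path) -> str:
    """Record the hash of the copy you have decided to trust."""
    value = sha256_file(dll)
    pin_file.write_text(json.dumps({"file": dll.name, "sha256": value}))
    return value

def check(dll: Path, pin_file: Path) -> str:
    """Return 'missing', 'unpinned', 'changed' or 'ok' for the local DLL."""
    if not dll.is_file():
        return "missing"
    if not pin_file.is_file():
        return "unpinned"
    expected = json.loads(pin_file.read_text())["sha256"]
    return "ok" if hmac.compare_digest(expected, sha256_file(dll)) else "changed"

def demo() -> list:
    # Constructed stand-in for the VRChat root; the bytes are not real DLLs.
    with tempfile.TemporaryDirectory() as root:
        deps = Path(root) / "Dependencies"
        deps.mkdir()
        dll = deps / "emmVRC.dll"
        pin_file = Path(root) / "emmVRC.pin.json"  # hypothetical file name
        states = [check(dll, pin_file)]             # nothing copied yet
        dll.write_bytes(b"constructed bytes: reviewed build")
        states.append(check(dll, pin_file))         # copied, not yet pinned
        pin(dll, pin_file)
        states.append(check(dll, pin_file))         # matches the pin
        dll.write_bytes(b"constructed bytes: different build")
        states.append(check(dll, pin_file))         # replaced without re-pinning
        return states

if __name__ == "__main__":
    print(demo())
```

A "changed" result means the file in Dependencies is no longer the one you pinned; re-pin only after the new build has been verified.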
What's next?
I will keep this post updated if something were to change. If you want to get in contact with me for whatever reason, at the moment you can email me at u8Vz9ubWNr7s9zh54dj5bLn32Q7hc6q3@protonmail.com