This is the AMP version of this page.
If you want to load the real page instead, click this text.

Help! APK Mod Protection

NullCoder

Inactive Approved Modder
Hello! I really want to hack "Motor Depot" in which they introduced a new protection against changing the APK. I searched smali and found signature verification and license verification. The application does not respond when changed or was stopped, that's what I see when I try to modify the APK.

To bypass the signature verification protection, I tried to use the APK signature killer for base.apk, and to verify the license, I used the Lucky Pather patches. But everything turned out to be unsuccessful.

The game only supports ARMv6
Maybe I'm doing something wrong ... If there are people who could help me, please write either in a personal or here, I'll be glad for any help.

Link to split files: Motor_Depot.zip
 
Sort by date Sort by votes
Here's what I have found so far in this protection. First of all there's a signature check. It can be easily bypassed by removing the "verifyIntegrity" method from the com.pairip.application class. There's a license check as well to check if user downloaded the app from playstore or not. It can be also bypassed by removing codes from onActivityCreate method in com.pairip.licensecheck3 class. Now coming to the main feature which this security provides is the uninitialized strings found in all the java codes. As you may have noticed there are some classes which have uninitialized strings such as these:

These strings are used in the runtime for various things related to app, here's a usage example:


The libpairipcore.so is responsible for initializing those uninitialized strings. I haven't been able to understand how exactly it does but it's confirmed that it initializes them. The lib also checks for the app integrity and makes the game crash if it fails. Also from my observation it does not detect root or unlocked bootloader but it does detect emulators and "frida server".

I hope the above findings help someone :)
 
Upvote 0 Downvote

Thank you of course for taking the time to write such a volume of text and trying to help in general. But I knew about everything described above myself, I looked at libpairipcore.so through IDA Pro and noticed that something was overflowing, some array of objects, because of which a crash was caused in lib, I still didn’t understand how to correct.
 
Upvote 0 Downvote

Hi,
Can you help me bypass signature check for zooba game ?
com.wildlife.games.battle.royale.free.zooba

I used apk signature killer but it can work for emulator with android 7, but with the device phone with android 9 and above,
the game can detect the mod.


Can I inbox you for details ?

Regards,
 
Upvote 0 Downvote
Isn't the lib obfuscated?
 
Upvote 0 Downvote
I doubt that would help since the VM needs to initialize all the strings. Currently there's only one way which I know and that would be to analyze the whole VM to see how it initializes those strings. However judging by the amount of code into it, It would take a significant amount of time to get any productive results.
 
Upvote 0 Downvote
the vm doesn't initialize strings. pairipcore is a VM that is fed individual programs. the obfuscated strings you see are the names of the programs that exist in the app's asset folder. the java side of pairip loads these files into a byte array and sends it off to pairipcore where the program is decrypted and executed.

that said, its extremely easy to bypass as the apps it's installed into dont rely on any of its functions or methods.

and no, libpairipcore.so isn't obfuscated. it's just stripped.
 
Upvote 0 Downvote
So are you bypassing it by restoring the codes fully? I tried BlackDex to dump dex and hook to restore missing codes but it fails lol. Here is an example from the README thats shows how it looks like when partially successfully restoring missing codes from other packer



And are you sure libpairipcore.so isn't obfuscated? there aren't any useful strings (not talking about function names)
 
Upvote 0 Downvote
The anti tempering is not in the library code but in the bytecode (assets) it loads and executes. In VMRunner you can enable debug logs and see in adb logcat | grep VMRunner what's the last asset loaded and just stopping it from being loaded. Mainly in .class public final Lcom/pairip/StartupLauncher;.

P.S: it can also load strings, or other code needed by the application, this I also had to stop another bytecode from being loaded by the vmrunner because it crashed the app due to the first one being also blocked.



This tho, it seems to break integrity checks with the server,
the openai server does not authorize the play integrity response after doing all of this

{
"detail": {
"description": "Not authorized.",
"type": "unauthorized_verdict"
}
}
 
Upvote 0 Downvote
Hey AndnixSH, did you ever find a way to bypass the pairip?
 
Upvote 0 Downvote
You must log in or register to reply here.
Menu
Log in
Register