Help! APK Mod Protection

DDeveloper

1/3 Games Approved
Aug 12, 2020
sbenny.com
Here's what I have found so far in this protection. First of all, there's a signature check. It can be easily bypassed by removing the "verifyIntegrity" method from the com.pairip.application class. There's a license check as well, to check whether the user downloaded the app from the Play Store or not. It can also be bypassed by removing the code from the onActivityCreate method in the com.pairip.licensecheck3 class. Now, coming to the main feature this protection provides: the uninitialized strings found in all the Java code. As you may have noticed, there are some classes which have uninitialized strings, such as these:

[screenshot attachment: 1658211071334.png]

These strings are used at runtime for various things related to the app; here's a usage example:

[screenshot attachment: 1658211125918.png]

The libpairipcore.so is responsible for initializing those uninitialized strings. I haven't been able to understand exactly how it does it, but it's confirmed that it initializes them. The lib also checks the app integrity and makes the game crash if it fails. Also, from my observation, it does not detect root or an unlocked bootloader, but it does detect emulators and "frida server".

I hope the above findings help someone :)

NullCoder

Inactive Approved Modder
Original poster
Jun 8, 2020
None
DDeveloper said:
> Here's what I have found so far in this protection. First of all, there's a signature check. It can be easily bypassed by removing the "verifyIntegrity" method from the com.pairip.application class. There's a license check as well, to check whether the user downloaded the app from the Play Store or not. It can also be bypassed by removing the code from the onActivityCreate method in the com.pairip.licensecheck3 class. Now, coming to the main feature this protection provides: the uninitialized strings found in all the Java code. As you may have noticed, there are some classes which have uninitialized strings, such as these:
>
> These strings are used at runtime for various things related to the app; here's a usage example:
>
> The libpairipcore.so is responsible for initializing those uninitialized strings. I haven't been able to understand exactly how it does it, but it's confirmed that it initializes them. The lib also checks the app integrity and makes the game crash if it fails. Also, from my observation, it does not detect root or an unlocked bootloader, but it does detect emulators and "frida server".
>
> I hope the above findings help someone :)

Thank you, of course, for taking the time to write such a volume of text and for trying to help in general. But I already knew about everything described above myself. I looked at libpairipcore.so through IDA Pro and noticed that something was overflowing, some array of objects, because of which a crash was caused in the lib; I still don't understand how to correct it.

hienngocloveyou

Solid & Active Platinian
May 16, 2021
VN
DDeveloper said:
> Here's what I have found so far in this protection. First of all, there's a signature check. It can be easily bypassed by removing the "verifyIntegrity" method from the com.pairip.application class. There's a license check as well, to check whether the user downloaded the app from the Play Store or not. It can also be bypassed by removing the code from the onActivityCreate method in the com.pairip.licensecheck3 class. Now, coming to the main feature this protection provides: the uninitialized strings found in all the Java code. As you may have noticed, there are some classes which have uninitialized strings, such as these:
>
> These strings are used at runtime for various things related to the app; here's a usage example:
>
> The libpairipcore.so is responsible for initializing those uninitialized strings. I haven't been able to understand exactly how it does it, but it's confirmed that it initializes them. The lib also checks the app integrity and makes the game crash if it fails. Also, from my observation, it does not detect root or an unlocked bootloader, but it does detect emulators and "frida server".
>
> I hope the above findings help someone :)

Hi,
Can you help me bypass the signature check for the Zooba game?
com.wildlife.games.battle.royale.free.zooba

I used an APK signature killer; it works on an emulator with Android 7, but on a physical phone with Android 9 and above the game can detect the mod.

Can I inbox you for details?

Regards,

AndnixSH

PMT Elite Modder
Staff member
Modding-Team
Jun 27, 2017
Modding World
NullCoder said:
> Thank you, of course, for taking the time to write such a volume of text and for trying to help in general. But I already knew about everything described above myself. I looked at libpairipcore.so through IDA Pro and noticed that something was overflowing, some array of objects, because of which a crash was caused in the lib; I still don't understand how to correct it.

Isn't the lib obfuscated?

DDeveloper

1/3 Games Approved
Aug 12, 2020
sbenny.com
I doubt that would help, since the VM needs to initialize all the strings. Currently there's only one way I know of, and that would be to analyze the whole VM to see how it initializes those strings. However, judging by the amount of code in it, it would take a significant amount of time to get any productive results.

supersukilo

Rookie
May 3, 2021
Houston, Texas
The VM doesn't initialize strings. pairipcore is a VM that is fed individual programs. The obfuscated strings you see are the names of the programs that exist in the app's assets folder. The Java side of pairip loads these files into a byte array and sends it off to pairipcore, where the program is decrypted and executed.

That said, it's extremely easy to bypass, as the apps it's installed into don't rely on any of its functions or methods.

And no, libpairipcore.so isn't obfuscated. It's just stripped.

AndnixSH

PMT Elite Modder
Staff member
Modding-Team
Jun 27, 2017
Modding World
supersukilo said:
> The VM doesn't initialize strings. pairipcore is a VM that is fed individual programs. The obfuscated strings you see are the names of the programs that exist in the app's assets folder. The Java side of pairip loads these files into a byte array and sends it off to pairipcore, where the program is decrypted and executed.
>
> That said, it's extremely easy to bypass, as the apps it's installed into don't rely on any of its functions or methods.
>
> And no, libpairipcore.so isn't obfuscated. It's just stripped.

So are you bypassing it by restoring the code fully? I tried BlackDex to dump the dex and hook to restore the missing code, but it fails lol. Here is an example from the README that shows how it looks when missing code is partially restored from another packer:

[screenshot attachment: 1679569412958.png]

And are you sure libpairipcore.so isn't obfuscated? There aren't any useful strings (I'm not talking about function names).
Aug 2, 2023
Romania
The anti-tampering is not in the library code but in the bytecode (assets) it loads and executes. In VMRunner you can enable debug logs and see in adb logcat | grep VMRunner what the last asset loaded was, and just stop it from being loaded. Mainly in .class public final Lcom/pairip/StartupLauncher;.

P.S.: it can also load strings or other code needed by the application, so I also had to stop another bytecode from being loaded by the VMRunner, because it crashed the app due to the first one also being blocked.

[photo attachment: 20230802_204714.jpg]

This, though, seems to break the integrity checks with the server: the OpenAI server does not authorize the Play Integrity response after doing all of this.

{
  "detail": {
    "description": "Not authorized.",
    "type": "unauthorized_verdict"
  }
}
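The last post shows where the client-side patching stops working: the backend evaluates the Play Integrity verdict itself and refuses the request. As an added, defender-side illustration (not code from this thread or from any real server), here is how a backend might evaluate a decoded Play Integrity verdict and produce that same rejection body; the field names are those of the Play Integrity API's decoded token, while the package name, certificate digest, nonce, the "authorized" response shape and the acceptance policy are placeholders and assumptions of this example.

```python
import json

# Field names follow the decoded Play Integrity token; the acceptance policy
# below is this example's own assumption, not any real server's logic.
def check_integrity_verdict(verdict, expected_package, expected_digests, expected_nonce):
    """Return (accepted, reason) for a decoded Play Integrity verdict dict."""
    req = verdict.get("requestDetails", {})
    if req.get("requestPackageName") != expected_package:
        return False, "package name mismatch"
    if req.get("nonce") != expected_nonce:
        return False, "nonce mismatch: token is stale, replayed or minted for another request"
    app = verdict.get("appIntegrity", {})
    # A re-signed or modified APK yields UNRECOGNIZED_VERSION instead of PLAY_RECOGNIZED,
    # no matter what the in-app signature check was patched to return.
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return False, "app not recognized by Play"
    if not set(app.get("certificateSha256Digest", [])) & set(expected_digests):
        return False, "signing certificate mismatch"
    device = set(verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    if "MEETS_DEVICE_INTEGRITY" not in device:
        return False, "device integrity not met (emulator, unlocked or uncertified device)"
    if verdict.get("accountDetails", {}).get("appLicensingVerdict") != "LICENSED":
        return False, "app not licensed to this account"
    return True, "ok"

def api_response(verdict, expected_package, expected_digests, expected_nonce):
    """Build the API body; the rejection body matches the one quoted in the thread."""
    accepted, _ = check_integrity_verdict(verdict, expected_package, expected_digests, expected_nonce)
    if accepted:  # assumed success shape
        return {"detail": {"description": "Authorized.", "type": "authorized_verdict"}}
    return {"detail": {"description": "Not authorized.", "type": "unauthorized_verdict"}}

# Constructed sample verdicts with placeholder package, digest and nonce (not real values).
PACKAGE = "com.example.placeholder"
DIGESTS = ["PLACEHOLDER_RELEASE_CERT_DIGEST"]
NONCE = "placeholder-nonce-123"
GENUINE = {
    "requestDetails": {"requestPackageName": PACKAGE, "nonce": NONCE},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED", "certificateSha256Digest": DIGESTS},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
}
# The same request from an APK that was modified and re-signed with another certificate.
RESIGNED = json.loads(json.dumps(GENUINE))
RESIGNED["appIntegrity"] = {"appRecognitionVerdict": "UNRECOGNIZED_VERSION",
                            "certificateSha256Digest": ["OTHER_CERT_DIGEST"]}

if __name__ == "__main__":
    print(json.dumps(api_response(RESIGNED, PACKAGE, DIGESTS, NONCE), indent=2))
```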