Description
It appears that the "pairipcore" protection mechanism is increasingly being integrated into apps, making it challenging to utilize tools such as frida-interception-and-unpinning.
About Pairipcore:
Pairipcore is an advanced protection technology that prevents repacking, tampering, code injection, and the usage of tools such as frida-server. The following features are part of its protection suite:
- Integrity checks: Both Java-based and C++ library-based.
- Pseudo-VM code injection: Complex obfuscation using virtual machine techniques.
- Control flow & code obfuscation: Applied to the C++ libraries.
- Dynamic imports obfuscation: Uses custom functions (`dlopen`, `dlsym`, `syscall`, etc.) for bionic libc.
- Anti-debugging: Implemented using `prctl`, `clone`, `waitpid`, and `ptrace`.
- Process checks: Scans `/proc/self/maps` and `/proc/self/status`.
- System property and file checks: Verifies files and directories using `access`, `opendir`, `readdir`, and related functions.
- Enhanced Frida detection: Scans for `frida-server` on various ports, beyond the default checks (similar to Promon Shield).
This makes static and dynamic analysis significantly harder, and currently, frida-interception-and-unpinning is unable to bypass this protection.
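As an added illustration of the `/proc/self/maps` and `/proc/self/status` process checks listed above (example code written for this page, not Pairipcore's or this project's code), the following C program parses constructed sample listings for an injected agent library and for an attached ptrace tracer; the marker strings and sample contents are assumptions, and the live read of `/proc/self/maps` only works on Linux.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Path substrings typical of a loaded instrumentation agent (constructed list). */
static const char *const MAP_MARKERS[] = { "frida", "gadget", "libgum" };

/* Constructed sample listings: one injected agent library, no tracer attached. */
static const char SAMPLE_MAPS[] =
    "7f1a00000000-7f1a00021000 r--p 00000000 fd:01 1234 /system/lib64/libc.so\n"
    "7f1a00021000-7f1a00100000 r-xp 00021000 fd:01 1234 /system/lib64/libc.so\n"
    "7f1b00000000-7f1b00500000 r-xp 00000000 fd:01 5678 /data/local/tmp/frida-agent-64.so\n"
    "7ffc00000000-7ffc00021000 rw-p 00000000 00:00 0 [stack]\n";
static const char SAMPLE_STATUS[] =
    "Name:\tapp_process64\nState:\tS (sleeping)\nTgid:\t4321\nPid:\t4321\nTracerPid:\t0\n";

/* Count lines of a maps listing whose text contains one of MAP_MARKERS. */
int count_suspicious_maps(const char *maps) {
    int hits = 0;
    char line[512];
    for (const char *p = maps; *p;) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;  /* truncate long lines */
        memcpy(line, p, n);
        line[n] = '\0';
        for (size_t i = 0; i < sizeof MAP_MARKERS / sizeof *MAP_MARKERS; i++)
            if (strstr(line, MAP_MARKERS[i])) { hits++; break; }
        p += len + (nl ? 1 : 0);
    }
    return hits;
}

/* TracerPid from a status listing: nonzero = ptrace tracer attached, -1 = field absent. */
int tracer_pid_from_status(const char *status) {
    const char *hit = strstr(status, "TracerPid:");
    return hit ? atoi(hit + strlen("TracerPid:")) : -1;
}

int main(void) {
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");      /* live check of this process; Linux only */
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    buf[n] = '\0';
    if (f) fclose(f);
    printf("sample: %d suspicious map(s), TracerPid %d; this process: %d suspicious map(s)\n",
           count_suspicious_maps(SAMPLE_MAPS), tracer_pid_from_status(SAMPLE_STATUS),
           count_suspicious_maps(buf));
    return 0;
}
```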
Affected Applications:
For instance, the app nl.efteling.android implements Pairipcore, effectively blocking the use of scripts like those provided by HTTP Toolkit.
Suggested Actions:
It would be helpful to explore potential enhancements or new methods to bypass or counteract the protection mechanisms employed by Pairipcore. If the issue cannot be resolved directly, documenting any possible workarounds or mitigations would greatly benefit the community.
More:
https://github.com/Solaree/pairipcore
Thank you for your work!