
Unable to Bypass "pairipcore" #124

Open
HoffiF opened this issue Dec 4, 2024 · 2 comments

Comments


HoffiF commented Dec 4, 2024

It appears that the "pairipcore" protection mechanism is increasingly being integrated into apps, making it challenging to utilize tools such as frida-interception-and-unpinning.

About Pairipcore:

Pairipcore is an advanced protection technology that prevents repacking, tampering, code injection, and the usage of tools such as frida-server. The following features are part of its protection suite:

  • Integrity checks: Both Java-based and C++ library-based.
  • Pseudo-VM code injection: Complex obfuscation using virtual machine techniques.
  • Control flow & code obfuscation: Applied to the C++ libraries.
  • Dynamic imports obfuscation: Uses custom functions (dlopen, dlsym, syscall, etc.) for bionic libc.
  • Anti-debugging: Implemented using prctl, clone, waitpid, and ptrace.
  • Process checks: Scans /proc/self/maps and /proc/self/status.
  • System property and file checks: Verifies files and directories using access, opendir, readdir, and related functions.
  • Enhanced Frida detection: Scans for frida-server on various ports, beyond the default checks (similar to Promon Shield).

This makes static and dynamic analysis significantly harder, and currently, frida-interception-and-unpinning is unable to bypass this protection.

Affected Applications:

For instance, the app nl.efteling.android implements Pairipcore, effectively blocking the use of scripts like those provided by HTTP Toolkit.

Suggested Actions:

It would be helpful to explore potential enhancements or new methods to bypass or counteract the protection mechanisms employed by Pairipcore. If the issue cannot be resolved directly, documenting any possible workarounds or mitigations would greatly benefit the community.

More:

https://github.com/Solaree/pairipcore

Thank you for your work!
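The process checks listed in the comment above (scanning /proc/self/maps and /proc/self/status) are the easiest part of such a protection to reason about, so here is an added illustration of what a check of that kind looks like. This is example code written for this page, not pairipcore's code and not part of frida-interception-and-unpinning; the indicator strings, the anonymous-rwx heuristic and the sample maps/status text are all constructed assumptions chosen to show the mechanism.

```python
"""Illustration of /proc/self/maps and /proc/self/status based detection.

Stand-in for the kind of check described in the issue; the inputs are
constructed text, so it runs offline without touching /proc at all.
"""
import re
from typing import Dict, List

# Path fragments that typically show up in a process once Frida is injected.
# Assumption: an illustrative list, not the one any real protector uses.
FRIDA_MAP_INDICATORS = ("frida", "gadget", "gum-js-loop", "linjector")

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"\S+\s+\S+\s+\S+\s*(?P<path>.*)$"
)


def suspicious_mappings(maps_text: str) -> List[str]:
    """Return a description of every mapping that looks like an injected agent."""
    found: List[str] = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue  # skip anything that is not a well-formed maps line
        path = m.group("path").strip()
        if any(ind in path.lower() for ind in FRIDA_MAP_INDICATORS):
            found.append(path)
        elif not path and m.group("perms").startswith("rwx"):
            # Heuristic (assumption): an anonymous rwx region is unusual in a
            # normal Android app and is a common sign of injected code.
            found.append(f"anonymous rwx {m.group('start')}-{m.group('end')}")
    return found


def tracer_pid(status_text: str) -> int:
    """Parse TracerPid from /proc/self/status text; 0 means nobody is ptrace-attached."""
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    return 0


def audit_process(maps_text: str, status_text: str) -> Dict[str, object]:
    """Combine both checks into one verdict, as an anti-tamper library would."""
    mappings = suspicious_mappings(maps_text)
    tracer = tracer_pid(status_text)
    return {
        "suspicious_mappings": mappings,
        "tracer_pid": tracer,
        "tampered": bool(mappings) or tracer != 0,
    }


# Constructed sample input: a clean process and the same process with an
# agent library and an anonymous rwx region added.
MAPS_CLEAN = (
    "7f1a2c000000-7f1a2c021000 r-xp 00000000 fd:00 1234  /system/lib64/libc.so\n"
    "7f1a2c021000-7f1a2c023000 rw-p 00021000 fd:00 1234  /system/lib64/libc.so\n"
    "7f1a2c100000-7f1a2c120000 rw-p 00000000 00:00 0\n"
)
MAPS_INJECTED = MAPS_CLEAN + (
    "7f1a2d000000-7f1a2d900000 r-xp 00000000 fd:01 5678  /data/local/tmp/frida-agent-64.so\n"
    "7f1a2e000000-7f1a2e010000 rwxp 00000000 00:00 0\n"
)
STATUS_CLEAN = "Name:\tapp\nState:\tS (sleeping)\nTracerPid:\t0\n"
STATUS_TRACED = "Name:\tapp\nState:\tt (tracing stop)\nTracerPid:\t4242\n"

if __name__ == "__main__":
    print(audit_process(MAPS_CLEAN, STATUS_CLEAN))
    print(audit_process(MAPS_INJECTED, STATUS_TRACED))
```

The point for anyone trying to get past such a check is visible in the code itself: the verdict depends entirely on what the process reads back from /proc, so a bypass has to control either the file reads (which is why the dynamic-import obfuscation of open/read/access matters) or the contents they return, and a single hooked libc symbol is not enough once the protector reaches the kernel through its own syscall wrappers.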

pimterry (Member) commented Dec 5, 2024

Interesting! I wasn't aware of this. I'm definitely open to including mitigations for those kinds of protections in here, but I think it's unlikely I'm going to have any time to do the research to build that from scratch myself. From the description in https://github.com/Solaree/pairipcore it sounds like it will be possible to work around this, but only manually right now - it's not currently practical for totally automatic use. Once people have an automateable solution, I'd love to integrate that into the scripts here.

If you or anybody else run into a good solution like that, do let me know 😄

ItsMarcoDE commented

I’m definitely interested in this topic as well. However, I’m just starting to learn how to analyze apps, so I’m still in the early stages of building up my skills.

If anyone could share tips or guidance on how to approach bypassing something like Pairipcore, I’d be more than happy to contribute where I can!

Unfortunately, I’ve only come across a few resources about circumventing Pairipcore so far, and most of them seem outdated. Any pointers to more current methods or tools would be greatly appreciated.

Looking forward to learning more and hopefully helping out!
