x1ongzhu 1 год назад
Родитель
Сommit
0c5342cc45
6 измененных файлов с 269 добавлено и 5 удалено
  1. 27 0
      getnumber.js
  2. 167 0
      injects/spoof_sms.js
  3. 1 1
      package.json
  4. 44 0
      scripts/sms.js
  5. 26 0
      scripts/spoof_phone3.js
  6. 4 4
      yarn.lock

+ 27 - 0
getnumber.js

@@ -0,0 +1,27 @@
+import { createHash, randomUUID } from 'crypto'
+import axios from 'axios'
+const gatewayId = 'account_RcsTest'
+const key = 'd0f3acdd-9e4b-4625-880d-a7f9052b4a6d'
+
+async function getNumber() {
+    const timestamp = new Date().getTime()
+    const nonce = randomUUID()
+    console.log(timestamp, nonce)
+    const sign = createHash('sha256').update(`${gatewayId}_${nonce}_${new Date().getTime()}_${key}`).digest('hex')
+    console.log(createHash('sha256').update("myname_ojlfdsnatdKDgtfdsaf_1669620328175_mykey",'utf8').digest('hex'))
+    console.log(sign)
+    const { data } = await axios.post(
+        'http://api.code-sms.net:54722/sms/openApi/phone',
+        { country: 'USA', appId: 25 },
+        {
+            headers: {
+                gatewayId: gatewayId,
+                nonce: nonce,
+                timestamp: timestamp,
+                signature: sign
+            }
+        }
+    )
+    console.log(data)
+}
+getNumber()
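Review bot: The `sign` line recomputes `new Date().getTime()` while the `timestamp` header carries the value read a few lines earlier, so whenever the millisecond clock advances between the two reads the server recomputes a different digest and rejects the call; build the signature from the value actually sent: ``const sign = createHash('sha256').update(`${gatewayId}_${nonce}_${timestamp}_${key}`).digest('hex')``. The `key` literal is now in repository history and should be treated as leaked — rotate it and load it at runtime, e.g. `const key = process.env.CODE_SMS_KEY`, failing fast when it is unset. The endpoint is plain `http://`, so gatewayId, nonce and timestamp cross the wire in clear and a captured request can be replayed for as long as the server tolerates the timestamp, which is worth confirming with the provider. The leftover debug lines (the fixed test-vector hash and the `console.log(timestamp, nonce)`) should go, and `getNumber()` is invoked without a `.catch`, so any axios failure ends as an unhandled rejection.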

+ 167 - 0
injects/spoof_sms.js

@@ -0,0 +1,167 @@
+import frida from 'frida'
+import fs from 'fs'
+import url from 'url'
+import path from 'path'
+import util from 'util'
+import Vorpal from 'vorpal'
+import { spawn, execSync } from 'child_process'
+import { setTimeout } from 'timers/promises'
+
+const filePath = url.fileURLToPath(import.meta.url)
+const __dirname = path.dirname(filePath)
+
+function loadSource(filePath) {
+    Log.s(`Loading ${filePath}`)
+    return fs.readFileSync(path.resolve(__dirname, filePath)).toString()
+}
+
+class Log {
+    static TAG = ''
+    static format(...msg) {
+        let m = []
+        for (let i = 0; i < msg.length; i++) {
+            if (typeof msg[i] === 'object') {
+                if ('[object Object]' === msg[i].toString()) {
+                    m.push(util.inspect(msg[i]))
+                }
+            } else {
+                m.push(msg[i])
+            }
+        }
+        m = m.join(' ')
+        return m
+    }
+    static i(...msg) {
+        console.log(`\x1b[30m${this.TAG} ${this.format(...msg)}\x1b[0m`)
+    }
+    static w(...msg) {
+        console.log(`\x1b[33m${this.TAG} ${this.format(...msg)}\x1b[0m`)
+    }
+    static e(...msg) {
+        console.log(`\x1b[31m${this.TAG} ${this.format(...msg)}\x1b[0m`)
+    }
+    static s(...msg) {
+        console.log(`\x1b[32m${this.TAG} ${this.format(...msg)}\x1b[0m`)
+    }
+}
+
+let device = null
+let tracers = []
+
+async function stop() {
+    Log.i('[*] Stopping all tracers')
+    for (const tracer of tracers) {
+        Log.i('[*] Stopping', tracer.pid)
+        tracer.session.detach()
+        try {
+            await device.kill(tracer.pid)
+        } catch (error) {}
+    }
+    process.exit(1)
+}
+
+process.on('SIGTERM', stop)
+process.on('SIGINT', stop)
+
+async function main() {
+    device = await frida.getUsbDevice()
+    device.spawnAdded.connect(onSpawnAdded)
+
+    Log.i('[*] Enabling spawn gating')
+    await device.enableSpawnGating()
+    Log.i('[*] Enabled spawn gating')
+
+    // Log.i("[*] Spawning com.google.android.apps.messaging")
+    // const pid = await device.spawn("com.google.android.apps.messaging")
+    // Log.i("[*] Spawned com.google.android.apps.messaging: " + pid)
+    // const tracer = await Tracer.open(pid)
+    // tracers.push(tracer)
+    const processes = await device.enumerateProcesses()
+    for (const process of processes) {
+        if (process.name.startsWith('com.google.android.apps.messaging') || process.name.startsWith('信息')) {
+            console.log('[*] Attaching to', process.pid, process.name)
+            const session = await device.attach(process.pid)
+            const script = await session.createScript(loadSource('../scripts/sms.js'))
+            await script.load()
+        }
+    }
+}
+
+async function onSpawnAdded(spawn) {
+    try {
+        if (spawn.identifier.startsWith('com.google.android.apps.messaging')) {
+            Log.i('[*] Tracing', spawn.pid, spawn.identifier)
+            const tracer = await Tracer.open(spawn.pid, '../scripts/sms.js')
+            tracers.push(tracer)
+        } else {
+            Log.i('[*] Resuming', spawn.pid, spawn.identifier)
+            await device.resume(spawn.pid)
+        }
+    } catch (e) {
+        Log.e(`err: ${e}`)
+    }
+}
+
+class Tracer {
+    static async open(pid, source) {
+        const tracer = new Tracer(pid, source)
+        await tracer._initialize()
+        return tracer
+    }
+
+    constructor(pid, sourceFile) {
+        this.pid = pid
+        this.sourceFile = sourceFile
+        this.source = loadSource(sourceFile)
+        this.session = null
+        this.script = null
+    }
+
+    async _initialize() {
+        const session = await device.attach(this.pid)
+        this.session = session
+        session.detached.connect(this._onSessionDetached.bind(this))
+
+        const script = await session.createScript(this.source)
+        this.script = script
+        script.message.connect(this._onScriptMessage.bind(this))
+        await script.load()
+
+        // const script_ssl = await session.createScript(source_ssl)
+        // await script_ssl.load()
+
+        try {
+            await device.resume(this.pid)
+        } catch (e) {
+            Log.e(e)
+        }
+    }
+
+    async reload() {
+        if (this.script) {
+            this.script.unload()
+        }
+        this.source = loadSource(this.sourceFile)
+        this.script = await this.session.createScript(this.source)
+        this.script.message.connect(this._onScriptMessage.bind(this))
+        await this.script.load()
+    }
+
+    _onSessionDetached(reason) {
+        Log.i(`[PID ${this.pid}] onSessionDetached(reason='${reason}')`)
+        const i = tracers.findIndex((tracer) => tracer.pid === this.pid)
+        if (i !== -1) {
+            tracers.splice(i, 1)
+        }
+    }
+
+    _onScriptMessage(message, data) {
+        if (message.type === 'error') {
+            Log.e(`[PID ${this.pid}] onScriptMessage()`, message, data ? JSON.stringify(data) : '')
+        } else {
+            Log.i(`[PID ${this.pid}] onScriptMessage()`, message, data ? JSON.stringify(data) : '')
+        }
+    }
+}
+
+main()
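Review bot: `Log.format` discards any object whose `toString()` is not `'[object Object]'`, so `Log.e(e)` in `Tracer._initialize` prints an empty line for an `Error` (its `toString()` is `"Error: …"`), and because `typeof null === 'object'` a `null` argument throws inside the logger itself; replace the inner branch with `m.push(util.inspect(msg[i]))` for every object. The sessions opened in the `enumerateProcesses` loop of `main()` are never pushed to `tracers` and never get a `script.message` handler, so `stop()` does not detach them and any error raised by `sms.js` in those processes is lost — route them through `Tracer.open` as `onSpawnAdded` does (its `device.resume` failure on an already-running process is caught). `stop()` also leaves spawn gating enabled; unless frida-server drops the gate when this client disconnects (worth confirming), every app launched on the device after Ctrl-C stays suspended, so add `await device.disableSpawnGating()` before `process.exit(1)`.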

+ 1 - 1
package.json

@@ -1,7 +1,7 @@
 {
   "dependencies": {
     "axios": "^1.6.8",
-    "frida": "^16.2.1",
+    "frida": "^16.4.5",
     "node-imei": "^1.0.8",
     "randomstring": "^1.3.0",
     "twilio": "^5.0.3",

+ 44 - 0
scripts/sms.js

@@ -0,0 +1,44 @@
+function trace(tag) {
+    Log.e((tag || '') + Java.use('android.util.Log').getStackTraceString(Java.use('java.lang.Throwable').$new()))
+}
+
+class Log {
+    static TAG = '[GMS]'
+    static Debug = false
+    static format(...msg) {
+        let m = []
+        for (let i = 0; i < msg.length; i++) {
+            if (typeof msg[i] === 'object') {
+                m.push(msg[i] + '')
+            } else {
+                m.push(msg[i])
+            }
+        }
+        m = m.join(' ')
+        return m
+    }
+    static i(...msg) {
+        if (!this.Debug) return
+        console.log(`\x1b[30m${this.TAG} ${this.format(...msg)}\x1b[0m`)
+    }
+    static w(...msg) {
+        console.log(`\x1b[33m${this.TAG} ${this.format(...msg)}\x1b[0m`)
+    }
+    static e(...msg) {
+        console.log(`\x1b[31m${this.TAG} ${this.format(...msg)}\x1b[0m`)
+    }
+    static s(...msg) {
+        console.log(`\x1b[32m${this.TAG} ${this.format(...msg)}\x1b[0m`)
+    }
+}
+
+Java.perform(function () {
+    setImmediate(() => {
+        const bvqg = Java.use('bvqg')
+        bvqg.h.overload('int').implementation = function (i) {
+            const res = this.h(3)
+            Log.i('bvqg.h(3) =', res)
+            return res
+        }
+    })
+})
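Review bot: `Java.use('bvqg')` pins the hook to what looks like an R8-obfuscated class name, which changes with each build of Google Messages, so the lookup throws on any other version and, since it runs inside `setImmediate`, reaches the host only as a script `error` message; record the target with a comment such as `// bvqg.h(int): obfuscated in com.google.android.apps.messaging <version> — re-map after each app update` and wrap the lookup in a try/catch that reports the mismatch through `Log.e`. The hook ignores the caller's `i` and always returns `this.h(3)`, which is presumably the intended override, but the trace hides what was replaced — ``Log.i(`bvqg.h(${i}) -> h(3) =`, res)`` keeps the original argument visible. That trace goes through `Log.i`, which is gated by `Log.Debug = false`, so nothing is printed unless the flag is flipped, and the `trace()` helper at the top of the file is unused — either drop it or call it from the hook to capture the caller.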

+ 26 - 0
scripts/spoof_phone3.js

@@ -46,5 +46,31 @@ setImmediate(() => {
             Log.e(`getActiveSubscriptionInfoList(${callingPackage}, ${callingFeature})`) 
             return this.getActiveSubscriptionInfoList(callingPackage, callingFeature)
         }
+
+        const SubscriptionInfo = Java.use('android.telephony.SubscriptionInfo')
+        SubscriptionInfo.getCarrierId.overload().implementation = function () {
+            const carrierId = this.getCarrierId()
+            Log.e(`getCarrierId()=${carrierId}`)
+            return carrierId
+        }
+
+        SubscriptionInfo.getMccString.overload().implementation = function () {
+            const mcc = this.getMccString()
+            Log.e(`getMccString()=${mcc}`)
+            return mcc
+        }
+
+        SubscriptionInfo.getMcc.overload().implementation = function () {
+            const mcc = this.getMcc()
+            Log.e(`getMcc()=${mcc}`)
+            return mcc
+        }
+
+        const TelephoneyManager = Java.use('android.telephony.TelephonyManager')
+        TelephoneyManager.getSimCarrierId.overload().implementation = function () {
+            const carrierId = this.getSimCarrierId()
+            Log.e(`getSimCarrierId()=${carrierId}`)
+            return carrierId
+        }
     })
 })
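Review bot: The four added hooks call the original method and return its result unchanged, so they only log the real `carrierId`/MCC; if the file is meant to spoof the SIM identity (its name suggests so), the returned value should be the spoofed one, and `Log.e` — the red error channel — is the wrong level for a trace that fires on every read of `SubscriptionInfo`. The local name `TelephoneyManager` is misspelled: `const TelephonyManager = Java.use('android.telephony.TelephonyManager')`. `getMcc()` is deprecated in favour of `getMccString()` on newer Android releases, so hooking both is right, but a one-line comment saying so would stop the next reader from removing one. The enclosing `setImmediate` and `Java.perform` callbacks begin before this hunk.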

+ 4 - 4
yarn.lock

@@ -268,10 +268,10 @@ form-data@^4.0.0:
     combined-stream "^1.0.8"
     mime-types "^2.1.12"
 
-frida@^16.2.1:
-  version "16.2.1"
-  resolved "https://registry.npmmirror.com/frida/-/frida-16.2.1.tgz#70717c0c67ad6955596eb468323f5a2b7ab74536"
-  integrity sha512-H3MDnuTccEsxTDOuqeHGxprTj5G61vHcxKNHXl+xbH3QvhwXfDLCxPHhsyxI7pJJWq0Rv65ChXKbypRl8VYZwQ==
+frida@^16.4.5:
+  version "16.4.5"
+  resolved "https://registry.npmmirror.com/frida/-/frida-16.4.5.tgz#817cbe98f850a239327eb5aea966157d02b87372"
+  integrity sha512-Je6q1MqJL3HZkfvBJ7wCMt+fpO2CHmIUXzHezOnf782845X7iSElbCaVI8RxXNOW3FAUYAcLVxE6hl1CcDaG8A==
   dependencies:
     bindings "^1.5.0"
     minimatch "^9.0.3"