xiongzhu 2 år sedan
förälder
incheckning
1d3c6fc149
4 ändrade filer med 410 tillägg och 42 borttagningar
  1. 1 2
      injects/sendsms.js
  2. 103 35
      injects/spoof.js
  3. 203 0
      scripts/_spoof.js
  4. 103 5
      scripts/spoof.js

+ 1 - 2
injects/sendsms.js

@@ -3,7 +3,6 @@ import fs from "fs"
 const device = await frida.getUsbDevice()
 const phoneProcess = await device.getProcess("com.android.phone")
 const session = await device.attach(phoneProcess.pid)
-
 const script = await session.createScript(
     fs.readFileSync("../scripts/sendsms.js")
 )
@@ -14,4 +13,4 @@ script.message.connect(message => {
         script.unload()
     }
 })
-await script.load()
+await script.load()

+ 103 - 35
injects/spoof.js

@@ -6,22 +6,23 @@ import path from "path"
 const filePath = url.fileURLToPath(import.meta.url)
 const __dirname = path.dirname(filePath)
 
-const device = await frida.getUsbDevice()
 const mcc = "255"
 const mnc = "06"
 const simOperator = "25506"
 const networkOperator = "25506"
-const simSerialNumber = "89380062300689131836"
-const iccId = "89380062300689131836"
-const number = "733765567"
+const simSerialNumber = "89380062300689131876"
+const iccId = simSerialNumber
+const number = "731848010"
 const imei = "864929043714851"
-const imsi = "255065007246414"
+const imsi = "255065007246456"
+const countryIso = "ua"
+const subId = ""
 
 const scriptContent = fs
     .readFileSync(path.resolve(__dirname, "../scripts/spoof.js"))
     .toString()
-    .replace('"{{mcc}}"', mcc)
-    .replace('"{{mnc}}"', mnc)
+    .replace("{{mcc}}", mcc)
+    .replace("{{mnc}}", mnc)
     .replace("{{simOperator}}", simOperator)
     .replace("{{networkOperator}}", networkOperator)
     .replace("{{simSerialNumber}}", simSerialNumber)
@@ -29,42 +30,109 @@ const scriptContent = fs
     .replace("{{number}}", number)
     .replace("{{imei}}", imei)
     .replace("{{imsi}}", imsi)
+    .replace("{{countryIso}}", countryIso)
+    .replace("{{subId}}", subId)
 
-console.log(scriptContent)
+fs.writeFileSync(path.resolve(__dirname, "../scripts/_spoof.js"), scriptContent)
 
-// fs.writeFileSync("../_sendsms.js", scriptContent)
+let device = null
+let tracers = []
 
-async function attachRcsService() {
-    const rcsProcess = (await device.enumerateProcesses()).filter(
-        p => p.name === "com.google.android.apps.messaging:rcs"
-    )[0]
-
-    const session = await device.attach(rcsProcess.pid)
+async function stop() {
+    console.log("[*] Stopping all tracers")
+    for (const tracer of tracers) {
+        console.log("[*] Stopping", tracer.pid)
+        tracer.session.detach()
+        try {
+            await device.kill(tracer.pid)
+        } catch (error) {}
+    }
+    process.exit(1)
+}
 
-    const script = await session.createScript(scriptContent)
-    script.message.connect(message => {
-        console.log("[*] Message:", message)
+process.on("SIGTERM", stop)
+process.on("SIGINT", stop)
 
-        if (message.type === "send" && message.payload === "ok") {
-            script.unload()
-        }
+async function main() {
+    const deviceMgr = frida.getDeviceManager()
+    deviceMgr.enumerateDevices().then(devices => {
+        devices.forEach(device => {
+            console.log("[*] Device:", device.id, device.name, device.type)
+        })
     })
-    await script.load()
-}
+    device = await frida.getUsbDevice()
+    device.spawnAdded.connect(onSpawnAdded)
+
+    console.log("[*] Enabling spawn gating")
+    await device.enableSpawnGating()
+    console.log("[*] Enabled spawn gating")
 
-async function attachUI() {
+    await showPendingSpawn()
+
+    console.log("[*] Spawning com.google.android.apps.messaging")
     const pid = await device.spawn("com.google.android.apps.messaging")
-    const session = await device.attach(pid)
-    const script = await session.createScript(scriptContent)
-    script.message.connect(message => {
-        console.log("[*] Message:", message)
-
-        if (message.type === "send" && message.payload === "ok") {
-            console.log("Unloading script")
-            script.unload()
+    console.log("[*] Spawned com.google.android.apps.messaging: " + pid)
+    const tracer = await Tracer.open(pid)
+    tracers.push(tracer)
+}
+
+async function showPendingSpawn() {
+    const pending = await device.enumeratePendingSpawn()
+    console.log("[*] enumeratePendingSpawn():", pending)
+}
+
+async function onSpawnAdded(spawn) {
+    try {
+        await showPendingSpawn()
+
+        if (spawn.identifier.startsWith("com.google.android.apps.messaging")) {
+            console.log("[*] Tracing", spawn.pid, spawn.identifier)
+            const tracer = await Tracer.open(spawn.pid)
+            tracers.push(tracer)
+        } else {
+            console.log("[*] Resuming", spawn.pid)
+            await device.resume(spawn.pid)
         }
-    })
-    await script.load()
+    } catch (e) {
+        console.error("err: ", e)
+    }
+}
+
+class Tracer {
+    static async open(pid) {
+        const tracer = new Tracer(pid)
+        await tracer._initialize()
+        return tracer
+    }
+
+    constructor(pid) {
+        this.pid = pid
+        this.session = null
+        this.script = null
+    }
+
+    async _initialize() {
+        const session = await device.attach(this.pid)
+        this.session = session
+        session.detached.connect(this._onSessionDetached.bind(this))
+
+        const script = await session.createScript(scriptContent)
+        this.script = script
+        script.message.connect(this._onScriptMessage.bind(this))
+        await script.load()
+
+        await device.resume(this.pid)
+    }
+
+    _onSessionDetached(reason) {
+        console.log(`[PID ${this.pid}] onSessionDetached(reason='${reason}')`)
+    }
+
+    _onScriptMessage(message, data) {
+        console.log(`[PID ${this.pid}] onScriptMessage()`, message)
+    }
 }
 
-await attachUI()
+main().catch(e => {
+    console.error(e)
+})
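Review bot: `stop()` calls `tracer.session.detach()` without awaiting it and then swallows any `device.kill` failure with an empty `catch`, so the detach may still be in flight when `process.exit(1)` runs and a failed kill leaves nothing in the log; `await tracer.session.detach()` plus `console.error("[!] kill failed", tracer.pid, error)` in the catch would make shutdown deterministic and observable. Exiting with status 1 on a requested SIGINT/SIGTERM also reports failure for a clean stop, where `process.exit(0)` is the conventional code. In `main()`, `deviceMgr.enumerateDevices().then(...)` is a floating promise with no rejection handler, and its `devices.forEach(device => ...)` parameter shadows the module-level `let device` assigned a few lines later; `const devices = await deviceMgr.enumerateDevices()` with the callback parameter renamed (e.g. `d`) avoids both the unhandled rejection and the shadowing. Separately, `fs.writeFileSync(path.resolve(__dirname, "../scripts/_spoof.js"), scriptContent)` regenerates a file that this same commit also adds to the repository, so the committed copy will drift from the template on every run unless it is ignored by git.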

+ 203 - 0
scripts/_spoof.js

@@ -0,0 +1,203 @@
+const mcc = "255"
+const mnc = "06"
+const simOperator = "25506"
+const networkOperator = "25506"
+const simSerialNumber = "89380062300689131876"
+const iccId = "89380062300689131876"
+const number = "731848010"
+const imei = "864929043714851"
+const imsi = "255065007246456"
+const countryIso = "ua"
+const subId = ""
+
+Java.perform(function () {
+    const SubscriptionInfo = Java.use("android.telephony.SubscriptionInfo")
+    SubscriptionInfo.getMcc.overload().implementation = function () {
+        const _mcc = this.getMcc()
+        console.log(`spoof SubscriptionInfo.getMcc: ${_mcc} -> ${mcc}`)
+        return parseInt(mcc)
+    }
+
+    SubscriptionInfo.getMnc.overload().implementation = function () {
+        const _mnc = this.getMnc()
+        console.log(`spoof SubscriptionInfo.getMnc: ${_mnc} -> ${mnc}`)
+        return parseInt(mnc)
+    }
+
+    SubscriptionInfo.getMccString.overload().implementation = function () {
+        const _mccString = this.getMccString()
+        console.log(
+            `spoof SubscriptionInfo.getMccString: ${_mccString} -> ${mcc}`
+        )
+        return mcc
+    }
+
+    SubscriptionInfo.getMncString.overload().implementation = function () {
+        const _mncString = this.getMncString()
+        console.log(
+            `spoof SubscriptionInfo.getMncString: ${_mncString} -> ${mnc}`
+        )
+        return mnc
+    }
+
+    SubscriptionInfo.getNumber.overload().implementation = function () {
+        const _number = this.getNumber()
+        console.log(`spoof SubscriptionInfo.getNumber: ${_number} -> ${number}`)
+        return number
+    }
+
+    SubscriptionInfo.getIccId.overload().implementation = function () {
+        const _iccId = this.getIccId()
+        console.log(`spoof SubscriptionInfo.getIccId: ${_iccId} -> ${iccId}`)
+        return iccId
+    }
+
+    SubscriptionInfo.getCountryIso.overload().implementation = function () {
+        const _countryIso = this.getCountryIso()
+        console.log(
+            `spoof SubscriptionInfo.getCountryIso: ${_countryIso} -> ${countryIso}`
+        )
+        return countryIso
+    }
+
+    SubscriptionInfo.getSubscriptionId.overload().implementation = function () {
+        const _subId = this.getSubscriptionId()
+        if (!subId) {
+            console.log(_subId)
+            return _subId
+        }
+        console.log(
+            `spoof SubscriptionInfo.getSubscriptionId: ${_subId} -> ${subId}`
+        )
+        return parseInt(subId)
+    }
+
+    const TelephonyManager = Java.use("android.telephony.TelephonyManager")
+    TelephonyManager.getLine1Number.overload().implementation = function () {
+        const _number = this.getLine1Number()
+        console.log(
+            `spoof TelephonyManager.getLine1Number: ${_number} -> ${number}`
+        )
+        return number
+    }
+
+    TelephonyManager.getSimOperator.overload().implementation = function () {
+        const _simOperator = this.getSimOperator()
+        console.log(
+            `spoof TelephonyManager.getSimOperator: ${_simOperator} -> ${simOperator}`
+        )
+        return simOperator
+    }
+
+    TelephonyManager.getNetworkOperator.overload().implementation =
+        function () {
+            const _networkOperator = this.getNetworkOperator()
+            console.log(
+                `spoof TelephonyManager.getNetworkOperator: ${_networkOperator} -> ${networkOperator}`
+            )
+            return networkOperator
+        }
+
+    TelephonyManager.getSimSerialNumber.overload().implementation =
+        function () {
+            const _simSerialNumber = this.getSimSerialNumber()
+            console.log(
+                `spoof TelephonyManager.getSimSerialNumber: ${_simSerialNumber} -> ${simSerialNumber}`
+            )
+            return simSerialNumber
+        }
+
+    TelephonyManager.getSubscriberId.overload().implementation = function () {
+        const _imsi = this.getSubscriberId()
+        console.log(
+            `spoof TelephonyManager.getSubscriberId: ${_imsi} -> ${imsi}`
+        )
+        return imsi
+    }
+
+    TelephonyManager.getImei.overload().implementation = function () {
+        const _imei = this.getImei()
+        console.log(`spoof TelephonyManager.getImei: ${_imei} -> ${imei}`)
+        return imei
+    }
+
+    TelephonyManager.getNetworkCountryIso.overload().implementation =
+        function () {
+            const _countryIso = this.getNetworkCountryIso()
+            console.log(
+                `spoof TelephonyManager.getNetworkCountryIso: ${_countryIso} -> ${countryIso}`
+            )
+            return countryIso
+        }
+
+    TelephonyManager.getSimCountryIso.overload().implementation = function () {
+        const _countryIso = this.getSimCountryIso()
+        console.log(
+            `spoof TelephonyManager.getSimCountryIso: ${_countryIso} -> ${countryIso}`
+        )
+        return countryIso
+    }
+
+    TelephonyManager.getSubscriptionId.overload().implementation = function () {
+        const _subId = this.getSubscriptionId()
+        if (!subId) {
+            console.log(_subId)
+            return _subId
+        }
+        console.log(
+            `spoof TelephonyManager.getSubscriptionId: ${_subId} -> ${subId}`
+        )
+        return parseInt(subId)
+    }
+
+    // const asos = Java.use("asos")
+    // asos.b.overload().implementation = function () {
+    //     console.log("asos.b")
+    //     return true
+    // }
+
+    const asmy = Java.use("asmy")
+    const bqni = Java.use("bqni")
+    const askd = Java.use("askd")
+    // asmy.b.overload().implementation = function () {
+    //     this.$super.b()
+    //     this._a.value.Q(bqni.b(19))
+    //     this._a.value.av(27)
+    //     const a = this._a.value._P.value.a()
+    //     var c = askd.c(a, "")
+    //     console.log(this._a.value.r)
+    //     var ar = Java.cast(this._a.value, Java.use("arqs"))
+    //     ar.r(36, Java.cast(c, Java.use("java.lang.Object")))
+    // }
+
+    const PhoneNumberVerification = Java.use(
+        "com.google.android.gms.constellation.PhoneNumberVerification"
+    )
+    PhoneNumberVerification.$init.overload(
+        "java.lang.String",
+        "long",
+        "int",
+        "int",
+        "java.lang.String",
+        "android.os.Bundle"
+    ).implementation = function (str, j, i, i2, str2, bundle) {
+        console.log("PhoneNumberVerification.$init")
+
+        console.log(`str: ${str}, j: ${j}, i: ${i}, i2: ${i2}, str2: ${str2}`)
+        // print bundle
+        const entrySet = bundle.entrySet().toArray()
+        for (let i = 0; i < entrySet.length; i++) {
+            const entry = entrySet[i]
+            console.log(`key: ${entry.getKey()}, value: ${entry.getValue()}`)
+        }
+
+        return this.$init(str, j, i, i2, str2, bundle)
+    }
+
+    const aays = Java.use("aays")
+    aays.d.overload("int", "boolean").implementation = function (i, z) {
+        console.log("aays.d", i, z, Object.keys(this.f.value))
+       
+        return number
+    }
+})

+ 103 - 5
scripts/spoof.js

@@ -7,18 +7,36 @@ const iccId = "{{iccId}}"
 const number = "{{number}}"
 const imei = "{{imei}}"
 const imsi = "{{imsi}}"
+const countryIso = "{{countryIso}}"
+const subId = "{{subId}}"
 
 Java.perform(function () {
     const SubscriptionInfo = Java.use("android.telephony.SubscriptionInfo")
     SubscriptionInfo.getMcc.overload().implementation = function () {
         const _mcc = this.getMcc()
         console.log(`spoof SubscriptionInfo.getMcc: ${_mcc} -> ${mcc}`)
-        return mcc
+        return parseInt(mcc)
     }
 
     SubscriptionInfo.getMnc.overload().implementation = function () {
         const _mnc = this.getMnc()
         console.log(`spoof SubscriptionInfo.getMnc: ${_mnc} -> ${mnc}`)
+        return parseInt(mnc)
+    }
+
+    SubscriptionInfo.getMccString.overload().implementation = function () {
+        const _mccString = this.getMccString()
+        console.log(
+            `spoof SubscriptionInfo.getMccString: ${_mccString} -> ${mcc}`
+        )
+        return mcc
+    }
+
+    SubscriptionInfo.getMncString.overload().implementation = function () {
+        const _mncString = this.getMncString()
+        console.log(
+            `spoof SubscriptionInfo.getMncString: ${_mncString} -> ${mnc}`
+        )
         return mnc
     }
 
@@ -34,6 +52,26 @@ Java.perform(function () {
         return iccId
     }
 
+    SubscriptionInfo.getCountryIso.overload().implementation = function () {
+        const _countryIso = this.getCountryIso()
+        console.log(
+            `spoof SubscriptionInfo.getCountryIso: ${_countryIso} -> ${countryIso}`
+        )
+        return countryIso
+    }
+
+    SubscriptionInfo.getSubscriptionId.overload().implementation = function () {
+        const _subId = this.getSubscriptionId()
+        if (!subId) {
+            console.log(_subId)
+            return _subId
+        }
+        console.log(
+            `spoof SubscriptionInfo.getSubscriptionId: ${_subId} -> ${subId}`
+        )
+        return parseInt(subId)
+    }
+
     const TelephonyManager = Java.use("android.telephony.TelephonyManager")
     TelephonyManager.getLine1Number.overload().implementation = function () {
         const _number = this.getLine1Number()
@@ -83,12 +121,41 @@ Java.perform(function () {
         return imei
     }
 
-    const asos = Java.use("asos")
-    asos.b.overload().implementation = function () {
-        console.log("asos.b")
-        return true
+    TelephonyManager.getNetworkCountryIso.overload().implementation =
+        function () {
+            const _countryIso = this.getNetworkCountryIso()
+            console.log(
+                `spoof TelephonyManager.getNetworkCountryIso: ${_countryIso} -> ${countryIso}`
+            )
+            return countryIso
+        }
+
+    TelephonyManager.getSimCountryIso.overload().implementation = function () {
+        const _countryIso = this.getSimCountryIso()
+        console.log(
+            `spoof TelephonyManager.getSimCountryIso: ${_countryIso} -> ${countryIso}`
+        )
+        return countryIso
+    }
+
+    TelephonyManager.getSubscriptionId.overload().implementation = function () {
+        const _subId = this.getSubscriptionId()
+        if (!subId) {
+            console.log(_subId)
+            return _subId
+        }
+        console.log(
+            `spoof TelephonyManager.getSubscriptionId: ${_subId} -> ${subId}`
+        )
+        return parseInt(subId)
     }
 
+    // const asos = Java.use("asos")
+    // asos.b.overload().implementation = function () {
+    //     console.log("asos.b")
+    //     return true
+    // }
+
     const asmy = Java.use("asmy")
     const bqni = Java.use("bqni")
     const askd = Java.use("askd")
@@ -102,4 +169,35 @@ Java.perform(function () {
     //     var ar = Java.cast(this._a.value, Java.use("arqs"))
     //     ar.r(36, Java.cast(c, Java.use("java.lang.Object")))
     // }
+
+    const PhoneNumberVerification = Java.use(
+        "com.google.android.gms.constellation.PhoneNumberVerification"
+    )
+    PhoneNumberVerification.$init.overload(
+        "java.lang.String",
+        "long",
+        "int",
+        "int",
+        "java.lang.String",
+        "android.os.Bundle"
+    ).implementation = function (str, j, i, i2, str2, bundle) {
+        console.log("PhoneNumberVerification.$init")
+
+        console.log(`str: ${str}, j: ${j}, i: ${i}, i2: ${i2}, str2: ${str2}`)
+        // print bundle
+        const entrySet = bundle.entrySet().toArray()
+        for (let i = 0; i < entrySet.length; i++) {
+            const entry = entrySet[i]
+            console.log(`key: ${entry.getKey()}, value: ${entry.getValue()}`)
+        }
+
+        return this.$init(str, j, i, i2, str2, bundle)
+    }
+
+    const aays = Java.use("aays")
+    aays.d.overload("int", "boolean").implementation = function (i, z) {
+        console.log("aays.d", i, z, Object.keys(this.f.value))
+       
+        return number
+    }
 })
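Review bot: In the `PhoneNumberVerification.$init` hook the loop index `let i` shadows the hooked method's `int` parameter `i`, so `i` means the parameter in the `console.log` before the loop and in `this.$init(str, j, i, i2, str2, bundle)` after it, but the counter inside the loop — correct today, but a later edit that moves the `$init` call into the loop would silently pass the wrong value; renaming the index (`for (let idx = 0; idx < entrySet.length; idx++)`) removes the ambiguity. The enclosing `Java.perform` callback starts outside this hunk. In the first hunk of this file, `parseInt(mcc)` and `parseInt(mnc)` are called without a radix; `parseInt(mcc, 10)` makes the intent explicit, and the same applies to `parseInt(subId)` in both `getSubscriptionId` hooks. Those hooks also fall back to the original value only when `subId` is empty, so a non-empty but non-numeric `subId` would return `NaN` from `parseInt`; a `Number.isNaN` check on the parsed value before returning would fail loudly instead.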