x1ongzhu 1 жил өмнө
parent
commit
84b498b855

+ 2 - 2
injects/spoof_sms.js

@@ -81,7 +81,7 @@ async function main() {
         if (process.name.startsWith('com.google.android.apps.messaging') || process.name.startsWith('信息')) {
             console.log('[*] Attaching to', process.pid, process.name)
             const session = await device.attach(process.pid)
-            const script = await session.createScript(loadSource('../scripts/sms.js'))
+            const script = await session.createScript(loadSource('../scripts/spoof_sms.js'))
             await script.load()
         }
     }
@@ -91,7 +91,7 @@ async function onSpawnAdded(spawn) {
     try {
         if (spawn.identifier.startsWith('com.google.android.apps.messaging')) {
             Log.i('[*] Tracing', spawn.pid, spawn.identifier)
-            const tracer = await Tracer.open(spawn.pid, '../scripts/sms.js')
+            const tracer = await Tracer.open(spawn.pid, '../scripts/spoof_sms.js')
             tracers.push(tracer)
         } else {
             Log.i('[*] Resuming', spawn.pid, spawn.identifier)

+ 2 - 19
scripts/spoof_gms.js

@@ -45,15 +45,7 @@ Java.perform(function () {
         'int',
         'long'
     ).implementation = function (str, j, i, i2, str2, bundle, i3, l) {
-        Log.e(`PhoneNumberVerification.$init(str=${str}, j=${j}, i=${i}, i2=${i2}, str2=${str2}, i3=${i3}, l=${l}`)
-        // print bundle
-        const keySet = bundle.keySet().toArray()
-
-        for (let i = 0; i < keySet.length; i++) {
-            const key = keySet[i]
-            Log.i(`PhoneNumberVerification(key: ${key}, value: ${bundle.get(key)})`)
-        }
-
+        Log.i('PhoneNumberVerification.$init', str, j, i, i2, str2, bundle, i3, l)
         return this.$init(str, j, i, i2, str2, bundle, i3, l)
     }
 
@@ -71,19 +63,10 @@ Java.perform(function () {
     ).implementation = function (str, j, idTokenRequest, bundle, list, z, i, list2) {
         Log.e(`VerifyPhoneNumberRequest.$init(
             str=${str}, j=${j}, idTokenRequest=${idTokenRequest}, bundle=${bundle}, list=${list}, z=${z}, i=${i}, list2=${list2})`)
-        trace()
-        // print bundle
-        const keySet = bundle.keySet().toArray()
-        for (let i = 0; i < keySet.length; i++) {
-            const key = keySet[i]
-            Log.i(`VerifyPhoneNumberRequest.Bundle(key=${key}, value=${bundle.get(key)})`)
-        }
-
-        return this.$init('upi-carrier-id-with-mo-sms-relax', j, idTokenRequest, bundle, list, z, i, list2)
+        return this.$init(str, j, idTokenRequest, bundle, list, z, i, list2)
     }
     VerifyPhoneNumberRequest.writeToParcel.overload('android.os.Parcel', 'int').implementation = function (parcel, i) {
         Log.e(`VerifyPhoneNumberRequest.writeToParcel(parcel=${parcel}, i=${i})`)
-        trace()
         return this.writeToParcel(parcel, i)
     }
 })
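Review bot: The two constructor hooks in this file now log at different levels and in different shapes. The PhoneNumberVerification hook uses `Log.i('PhoneNumberVerification.$init', str, ...)`, while the VerifyPhoneNumberRequest hook keeps `Log.e` with a template literal that spans two lines, so every call writes an embedded newline and a run of indentation at error level. Both hooks are now pass-through tracing, so the same form in both, `Log.i('VerifyPhoneNumberRequest.$init', str, j, idTokenRequest, bundle, list, z, i, list2)`, would keep the output consistent and searchable. The removed loops were the only place the Bundle keys were printed, and whether passing `bundle` directly still shows them depends on this file's `Log.format`, which is outside the hunks. If `trace` has no remaining callers in this file after these removals, its definition can go too.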

+ 32 - 2
scripts/spoof_sms.js

@@ -35,11 +35,41 @@ function trace(tag) {
 
 setImmediate(() => {
     Java.perform(function () {
+        const PhoneNumberVerification = Java.use('com.google.android.gms.constellation.PhoneNumberVerification')
+        PhoneNumberVerification.$init.overload(
+            'java.lang.String',
+            'long',
+            'int',
+            'int',
+            'java.lang.String',
+            'android.os.Bundle',
+            'int',
+            'long'
+        ).implementation = function (a, b, c, d, e, f, g, h) {
+            Log.i('PhoneNumberVerification.$init', a, b, c, d, e, f, g, h)
+            return this.$init(a, b, c, d, e, f, g, h)
+        }
+
+        const VerifyPhoneNumberRequest = Java.use('com.google.android.gms.constellation.VerifyPhoneNumberRequest')
+        VerifyPhoneNumberRequest.$init.overload(
+            'java.lang.String',
+            'long',
+            'com.google.android.gms.constellation.IdTokenRequest',
+            'android.os.Bundle',
+            'java.util.List',
+            'boolean',
+            'int',
+            'java.util.List'
+        ).implementation = function (a, b, c, d, e, f, g, h) {
+            Log.i('VerifyPhoneNumberRequest.$init', a, b, c, d, e, f, g, h)
+            return this.$init(a, b, c, d, e, f, g, h)
+        }
+
         const bhyo = Java.use('bhyo')
         bhyo.d.overload('java.lang.String').implementation = function (str) {
             Log.s(`bhyo.d(str=${str}) modify res.b to upi-carrier-id-with-mo-sms-relax`)
             const res = this.d(str)
-            res.b.value = 'upi-carrier-id-with-mo-sms-relax'
+            // res.b.value = 'upi-carrier-id-with-mo-sms-relax'
             Log.s(res)
             return res
         }
@@ -47,7 +77,7 @@ setImmediate(() => {
         bhyo.c.overload('java.lang.String').implementation = function (str) {
             Log.s(`bhyo.c(str=${str}) modify res.C to 1`)
             const res = this.c(str)
-            res.C.value = 1
+            res.C.value = 2
             return res
         }
     })
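Review bot: The log strings in both `bhyo` hooks no longer match what the code does. `bhyo.d` still prints `modify res.b to upi-carrier-id-with-mo-sms-relax` although the assignment is now commented out, and `bhyo.c` prints `modify res.C to 1` while the new line is `res.C.value = 2`. Anyone reading a captured log would reconstruct the wrong sequence of modifications, so the messages should be updated with the code, and the commented-out line should be deleted or given a comment saying why it is disabled. The meaning of `2` for `res.C` is not documented anywhere in the visible lines, and the added constructor hooks rename the parameters to `a`…`h`, dropping the descriptive names that scripts/spoof_gms.js uses for the same overloads. These hooks print phone-number-verification request arguments, so the captured output presumably contains subscriber data and should be handled as sensitive.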

+ 54 - 0
scripts/spoof_sms_043001RC00.js

@@ -0,0 +1,54 @@
+// 043001RC00
+class Log {
+    static TAG = '[SMS]'
+    static Debug = true
+    static format(...msg) {
+        let m = []
+        for (let i = 0; i < msg.length; i++) {
+            if (typeof msg[i] === 'object') {
+                m.push(JSON.stringify(msg[i]))
+            } else {
+                m.push(msg[i])
+            }
+        }
+        m = m.join(' ')
+        return m
+    }
+    static i(...msg) {
+        if (!this.Debug) return
+        console.log(`\x1b[30m${this.TAG} ${this.format(...msg)}\x1b[0m`)
+    }
+    static w(...msg) {
+        console.log(`\x1b[33m${this.TAG} ${this.format(...msg)}\x1b[0m`)
+    }
+    static e(...msg) {
+        console.log(`\x1b[31m${this.TAG} ${this.format(...msg)}\x1b[0m`)
+    }
+    static s(...msg) {
+        console.log(`\x1b[32m${this.TAG} ${this.format(...msg)}\x1b[0m`)
+    }
+}
+
+function trace(tag) {
+    Log.e((tag || '') + Java.use('android.util.Log').getStackTraceString(Java.use('java.lang.Throwable').$new()))
+}
+
+setImmediate(() => {
+    Java.perform(function () {
+        const bhyo = Java.use('bhyo')
+        bhyo.d.overload('java.lang.String').implementation = function (str) {
+            Log.s(`bhyo.d(str=${str}) modify res.b to upi-carrier-id-with-mo-sms-relax`)
+            const res = this.d(str)
+            res.b.value = 'upi-carrier-id-with-mo-sms-relax'
+            Log.s(res)
+            return res
+        }
+
+        bhyo.c.overload('java.lang.String').implementation = function (str) {
+            Log.s(`bhyo.c(str=${str}) modify res.C to 1`)
+            const res = this.c(str)
+            res.C.value = 1
+            return res
+        }
+    })
+}, 0)
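Review bot: `setImmediate(() => { ... }, 0)` passes `0` as an extra argument to the callback rather than as a delay, which looks carried over from `setTimeout`; `setImmediate(() => { ... })` states what is meant. `trace` is defined but never called in this file. The header comment `// 043001RC00` does not say what the identifier refers to or why this copy exists next to scripts/spoof_sms.js. `Log.i` uses `\x1b[30m` (black), which is unreadable on a dark terminal, and `Log.format` treats `null` as an object because it tests only `typeof msg[i] === 'object'`. The `Log` class and `trace` appear to duplicate those in scripts/spoof_sms.js (only partly visible on this page), so a shared module would keep the two from drifting.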