x1ongzhu hai 1 ano
pai
achega
8b9bac70a6

+ 35 - 0
__handlers__/aoks/d.js

@@ -0,0 +1,35 @@
+/*
+ * Auto-generated by Frida. Please modify to match the signature of aoks.d.
+ *
+ * For full API reference, see: https://frida.re/docs/javascript-api/
+ */
+
+{
+  /**
+   * Called synchronously when about to call aoks.d.
+   *
+   * @this {object} - The Java class or instance.
+   * @param {function} log - Call this function with a string to be presented to the user.
+   * @param {array} args - Java method arguments.
+   * @param {object} state - Object allowing you to keep state across function calls.
+   */
+  onEnter(log, args, state) {
+    log(`aoks.d(${args.map(JSON.stringify).join(', ')})`);
+  },
+
+  /**
+   * Called synchronously when about to return from aoks.d.
+   *
+   * See onEnter for details.
+   *
+   * @this {object} - The Java class or instance.
+   * @param {function} log - Call this function with a string to be presented to the user.
+   * @param {NativePointer} retval - Return value.
+   * @param {object} state - Object allowing you to keep state across function calls.
+   */
+  onLeave(log, retval, state) {
+    if (retval !== undefined) {
+      log(`<= ${JSON.stringify(retval)}`);
+    }
+  }
+}

+ 35 - 0
__handlers__/com.google.android.gms.constellation.PhoneNumberVerification/_init.js

@@ -0,0 +1,35 @@
+/*
+ * Auto-generated by Frida. Please modify to match the signature of PhoneNumberVerification.$init.
+ *
+ * For full API reference, see: https://frida.re/docs/javascript-api/
+ */
+
+{
+  /**
+   * Called synchronously when about to call PhoneNumberVerification.$init.
+   *
+   * @this {object} - The Java class or instance.
+   * @param {function} log - Call this function with a string to be presented to the user.
+   * @param {array} args - Java method arguments.
+   * @param {object} state - Object allowing you to keep state across function calls.
+   */
+  onEnter(log, args, state) {
+    log(`PhoneNumberVerification.$init(${args.map(JSON.stringify).join(', ')})`);
+  },
+
+  /**
+   * Called synchronously when about to return from PhoneNumberVerification.$init.
+   *
+   * See onEnter for details.
+   *
+   * @this {object} - The Java class or instance.
+   * @param {function} log - Call this function with a string to be presented to the user.
+   * @param {NativePointer} retval - Return value.
+   * @param {object} state - Object allowing you to keep state across function calls.
+   */
+  onLeave(log, retval, state) {
+    if (retval !== undefined) {
+      log(`<= ${JSON.stringify(retval)}`);
+    }
+  }
+}

+ 35 - 0
__handlers__/com.google.android.gms.constellation.PhoneNumberVerification/writeToParcel.js

@@ -0,0 +1,35 @@
+/*
+ * Auto-generated by Frida. Please modify to match the signature of PhoneNumberVerification.writeToParcel.
+ *
+ * For full API reference, see: https://frida.re/docs/javascript-api/
+ */
+
+{
+  /**
+   * Called synchronously when about to call PhoneNumberVerification.writeToParcel.
+   *
+   * @this {object} - The Java class or instance.
+   * @param {function} log - Call this function with a string to be presented to the user.
+   * @param {array} args - Java method arguments.
+   * @param {object} state - Object allowing you to keep state across function calls.
+   */
+  onEnter(log, args, state) {
+    log(`PhoneNumberVerification.writeToParcel(${args.map(JSON.stringify).join(', ')})`);
+  },
+
+  /**
+   * Called synchronously when about to return from PhoneNumberVerification.writeToParcel.
+   *
+   * See onEnter for details.
+   *
+   * @this {object} - The Java class or instance.
+   * @param {function} log - Call this function with a string to be presented to the user.
+   * @param {NativePointer} retval - Return value.
+   * @param {object} state - Object allowing you to keep state across function calls.
+   */
+  onLeave(log, retval, state) {
+    if (retval !== undefined) {
+      log(`<= ${JSON.stringify(retval)}`);
+    }
+  }
+}

+ 35 - 0
__handlers__/com.google.android.gms.constellation.VerifyPhoneNumberRequest/_init.js

@@ -0,0 +1,35 @@
+/*
+ * Auto-generated by Frida. Please modify to match the signature of VerifyPhoneNumberRequest.$init.
+ *
+ * For full API reference, see: https://frida.re/docs/javascript-api/
+ */
+
+{
+  /**
+   * Called synchronously when about to call VerifyPhoneNumberRequest.$init.
+   *
+   * @this {object} - The Java class or instance.
+   * @param {function} log - Call this function with a string to be presented to the user.
+   * @param {array} args - Java method arguments.
+   * @param {object} state - Object allowing you to keep state across function calls.
+   */
+  onEnter(log, args, state) {
+    log(`VerifyPhoneNumberRequest.$init(${args.map(JSON.stringify).join(', ')})`);
+  },
+
+  /**
+   * Called synchronously when about to return from VerifyPhoneNumberRequest.$init.
+   *
+   * See onEnter for details.
+   *
+   * @this {object} - The Java class or instance.
+   * @param {function} log - Call this function with a string to be presented to the user.
+   * @param {NativePointer} retval - Return value.
+   * @param {object} state - Object allowing you to keep state across function calls.
+   */
+  onLeave(log, retval, state) {
+    if (retval !== undefined) {
+      log(`<= ${JSON.stringify(retval)}`);
+    }
+  }
+}

+ 35 - 0
__handlers__/com.google.android.gms.constellation.VerifyPhoneNumberRequest/writeToParcel.js

@@ -0,0 +1,35 @@
+/*
+ * Auto-generated by Frida. Please modify to match the signature of VerifyPhoneNumberRequest.writeToParcel.
+ *
+ * For full API reference, see: https://frida.re/docs/javascript-api/
+ */
+
+{
+  /**
+   * Called synchronously when about to call VerifyPhoneNumberRequest.writeToParcel.
+   *
+   * @this {object} - The Java class or instance.
+   * @param {function} log - Call this function with a string to be presented to the user.
+   * @param {array} args - Java method arguments.
+   * @param {object} state - Object allowing you to keep state across function calls.
+   */
+  onEnter(log, args, state) {
+    log(`VerifyPhoneNumberRequest.writeToParcel(${args.map(JSON.stringify).join(', ')})`);
+  },
+
+  /**
+   * Called synchronously when about to return from VerifyPhoneNumberRequest.writeToParcel.
+   *
+   * See onEnter for details.
+   *
+   * @this {object} - The Java class or instance.
+   * @param {function} log - Call this function with a string to be presented to the user.
+   * @param {NativePointer} retval - Return value.
+   * @param {object} state - Object allowing you to keep state across function calls.
+   */
+  onLeave(log, retval, state) {
+    if (retval !== undefined) {
+      log(`<= ${JSON.stringify(retval)}`);
+    }
+  }
+}

+ 20 - 45
injects/spoof_gms.js

@@ -1,47 +1,23 @@
-import frida from "frida"
-import fs from "fs"
-import url from "url"
-import path from "path"
-import { setTimeout } from "timers/promises"
+import frida from 'frida'
+import fs from 'fs'
+import url from 'url'
+import path from 'path'
+import { setTimeout } from 'timers/promises'
 
 const filePath = url.fileURLToPath(import.meta.url)
 const __dirname = path.dirname(filePath)
 
-const mcc = "255"
-const mnc = "06"
-const simOperator = "25506"
-const networkOperator = "25506"
-const simSerialNumber = "89380062300689132983"
+const mcc = '255'
+const mnc = '06'
+const simOperator = '25506'
+const networkOperator = '25506'
+const simSerialNumber = '89380062300689132983'
 const iccId = simSerialNumber
-const number = "969379250"
-const imei = "860114061248785"
-const imsi = "255065209546456"
-const countryIso = "ua"
-const subId = "8"
-
-const source_gms = fs
-    .readFileSync(path.resolve(__dirname, "../scripts/spoof_gms.js"))
-    .toString()
-    .replace("{{mcc}}", mcc)
-    .replace("{{mnc}}", mnc)
-    .replace("{{simOperator}}", simOperator)
-    .replace("{{networkOperator}}", networkOperator)
-    .replace("{{simSerialNumber}}", simSerialNumber)
-    .replace("{{iccId}}", iccId)
-    .replace("{{number}}", number)
-    .replace("{{imei}}", imei)
-    .replace("{{imsi}}", imsi)
-    .replace("{{countryIso}}", countryIso)
-    .replace("{{subId}}", subId)
-
-const source_ssl = fs.readFileSync(
-    path.resolve(__dirname, "../scripts/ssl_bypass.js")
-)
-
-fs.writeFileSync(
-    path.resolve(__dirname, "../scripts/_spoof_gms.js"),
-    source_gms
-)
+const number = '969379250'
+const imei = '860114061248785'
+const imsi = '255065209546456'
+const countryIso = 'ua'
+const subId = '8'
 
 let device = null
 
@@ -49,14 +25,13 @@ async function main() {
     device = await frida.getUsbDevice()
     const processes = await device.enumerateProcesses()
     for (const process of processes) {
-        if (process.name.startsWith("com.google.android.gms")) {
-            console.log("[*] Attaching to", process.pid, process.name)
+        if (process.name.startsWith('com.google.android.gms')) {
+            console.log('[*] Attaching to', process.pid, process.name)
             const session = await device.attach(process.pid)
-            const script = await session.createScript(source_gms)
+            const script = await session.createScript(
+                fs.readFileSync(path.resolve(__dirname, '../scripts/gms.js'))
+            )
             await script.load()
-
-            const script_ssl = await session.createScript(source_ssl)
-            await script_ssl.load()
         }
     }
 }
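Review bot: The constants `mcc` through `subId` on the new side are now dead code: the hunk removes the `source_gms` template substitution that was their only consumer, and nothing else in the file reads them, so they should either be removed or the file should say where they are now consumed. In the attach loop, `session.createScript(fs.readFileSync(...))` passes a Buffer where the removed code passed a string (it called `.toString()` on the source); unless the frida binding coerces Buffers, pass the encoding explicitly: `fs.readFileSync(path.resolve(__dirname, '../scripts/gms.js'), 'utf8')`. If the IMEI/IMSI/ICCID/phone-number literals are real identifiers rather than constructed samples, they belong in an untracked local config rather than in version control. `main()` begins outside the hunk.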

+ 137 - 2
scripts/gms.js

@@ -34,9 +34,15 @@ class Log {
 
 Java.perform(function () {
     const aoks = Java.use('aoks')
-    const Bundle = Java.use('android.os.Bundle')
+    aoks.$init.overload('aokt', 'android.os.Handler').implementation = function (aokt, handler) {
+        Log.i(`${this.a.value}`)
+        return this.$init(aokt, handler)
+    }
     aoks.d.overload('boolean', 'java.util.Map').implementation = function (b, map) {
-        trace('aoks.d()')
+        Log.e(`${map.keySet().toArray()}, ${this.a.value._f.value}`)
+        // Log.e(`${map.get('UPI_FEATURES_ENABLED')}`)
+        // Log.e(`${map.get('515039672404610')}`)
+        // Java.cast(map.get('515039672404610'), Bundle).putString('IMSI', '515039672404610')
         return this.d(b, map)
     }
 
@@ -47,6 +53,17 @@ Java.perform(function () {
     }
 
     const aokt = Java.use('aokt')
+    aokt.$init.overload(
+        'android.content.Context',
+        'aoli',
+        'com.google.android.gms.constellation.VerifyPhoneNumberRequest',
+        'java.lang.String',
+        'aoiy'
+    ).implementation = function (context, aoli, request, str, aoiy) {
+        Log.e(`${request.a.value} ${request.b.value}`)
+        trace('[aokt]')
+        return this.$init(context, aoli, request, str, aoiy)
+    }
     aokt.c.overload(
         'com.google.android.gms.constellation.VerifyPhoneNumberRequest',
         'com.google.android.gms.constellation.VerifyPhoneNumberResponse',
@@ -61,8 +78,126 @@ Java.perform(function () {
         const value = this.getInt(key, i)
         // Log.e(`[BaseBundle]${key}, ${i} -> ${value}`)
         if (key == 'sim_slot_index') {
+            Log.e(`[BaseBundle]sim_slot_index`)
             return 0
         }
         return this.getInt(key, i)
     }
+
+    const PhoneNumberVerification = Java.use('com.google.android.gms.constellation.PhoneNumberVerification')
+    PhoneNumberVerification.$init.overload(
+        'java.lang.String',
+        'long',
+        'int',
+        'int',
+        'java.lang.String',
+        'android.os.Bundle',
+        'int',
+        'long'
+    ).implementation = function (str, j, i, i2, str2, bundle, i3, l) {
+        Log.e(`PhoneNumberVerification.$init(str=${str}, j=${j}, i=${i}, i2=${i2}, str2=${str2}, i3=${i3}, l=${l}`)
+        // print bundle
+        const keySet = bundle.keySet().toArray()
+
+        for (let i = 0; i < keySet.length; i++) {
+            const key = keySet[i]
+            Log.i(`PhoneNumberVerification(key: ${key}, value: ${bundle.get(key)})`)
+        }
+
+        return this.$init(str, j, i, i2, str2, bundle, i3, l)
+    }
+
+    const VerifyPhoneNumberRequest = Java.use('com.google.android.gms.constellation.VerifyPhoneNumberRequest')
+    VerifyPhoneNumberRequest.$init.overload(
+        //String str, long j, IdTokenRequest idTokenRequest, Bundle bundle, List list, boolean z, int i, List list2
+        'java.lang.String',
+        'long',
+        'com.google.android.gms.constellation.IdTokenRequest',
+        'android.os.Bundle',
+        'java.util.List',
+        'boolean',
+        'int',
+        'java.util.List'
+    ).implementation = function (str, j, idTokenRequest, bundle, list, z, i, list2) {
+        Log.e(`VerifyPhoneNumberRequest.$init(
+            str=${str}, j=${j}, idTokenRequest=${idTokenRequest}, bundle=${bundle}, list=${list}, z=${z}, i=${i}, list2=${list2})`)
+        // print bundle
+        const keySet = bundle.keySet().toArray()
+        for (let i = 0; i < keySet.length; i++) {
+            const key = keySet[i]
+            Log.i(`VerifyPhoneNumberRequest.Bundle(key=${key}, value=${bundle.get(key)})`)
+        }
+
+        return this.$init(str, j, idTokenRequest, bundle, list, z, i, list2)
+    }
+    const SetAsterismConsentRequest = Java.use('com.google.android.gms.asterism.SetAsterismConsentRequest')
+    SetAsterismConsentRequest.$init.overload(
+        'int',
+        'int',
+        'int',
+        '[I',
+        'java.lang.Long',
+        'int',
+        'android.os.Bundle',
+        'int',
+        'java.lang.String',
+        'java.lang.String',
+        'java.lang.String',
+        'java.lang.String',
+        'java.lang.String',
+        'java.lang.String',
+        'java.lang.String',
+        'java.lang.String',
+        'int'
+    ).implementation = function (
+        i,
+        i2,
+        i3,
+        iArr,
+        l,
+        i4,
+        bundle,
+        i5,
+        str,
+        str2,
+        str3,
+        str4,
+        str5,
+        str6,
+        str7,
+        str8,
+        i6
+    ) {
+        Log.i(
+            `SetAsterismConsentRequest.$init(
+                i=${i}, i2=${i2}, i3=${i3}, iArr=${iArr}, l=${l},
+                i4=${i4}, bundle=${bundle}, i5=${i5}, str=${str},
+                str2=${str2}, str3=${str3}, str4=${str4}, str5=${str5},
+                str6=${str6}, str7=${str7}, str8=${str8}, i6=${i6})`
+        )
+        // print bundle
+        const keySet = bundle.keySet().toArray()
+        for (let i = 0; i < keySet.length; i++) {
+            const key = keySet[i]
+            Log.i(`SetAsterismConsentRequest.Bundle(key=${key}, value=${bundle.get(key)})`)
+        }
+
+        return this.$init(i, i2, i3, iArr, l, i4, bundle, i5, str, str2, str3, str4, str5, str6, str7, str8, i6)
+    }
+
+    const SetAsterismConsentResponse = Java.use('com.google.android.gms.asterism.SetAsterismConsentResponse')
+    SetAsterismConsentResponse.$init.overload('int', 'java.lang.String', 'java.lang.String').implementation = function (
+        i,
+        str,
+        str2
+    ) {
+        Log.i(`SetAsterismConsentResponse.$init(i=${i}, str=${str}, str2=${str2})`)
+        return this.$init(i, str, str2)
+    }
+
+    const EventManager = Java.use('com.google.android.gms.constellation.EventManager')
+    EventManager.onHandleIntent.overload('android.content.Intent').implementation = function (intent) {
+        Log.i('EventManager.onHandleIntent(intent)')
+        return this.onHandleIntent(intent)
+    }
 })
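Review bot: The bundle-dump loops in `PhoneNumberVerification.$init`, `VerifyPhoneNumberRequest.$init` and `SetAsterismConsentRequest.$init` declare `for (let i = 0; ...)` inside hooks whose third parameter is also named `i`; the forwarded `this.$init(...)` call after the loop still sees the parameter because `let` is block-scoped, but any read of `i` inside the loop body silently hits the index instead, so iterate with `for (const key of keySet)` and drop the counter. In the `aoks.d` hook, `this.a.value._f.value` dereferences two wrapped fields before the original method runs, so a null `a` turns a logging hook into an exception that aborts the call; guard it, e.g. `const a = this.a.value; Log.e(`${map.keySet().toArray()}, ${a ? a._f.value : null}`)`. The commented-out lines below it reference `Bundle`, whose `Java.use` this commit removes, so they cannot be re-enabled as written and should be deleted; the `PhoneNumberVerification.$init` message is also missing its closing `)`, and the multi-line template literals in the other two `$init` hooks embed source indentation and newlines in the log line. These dumps log every bundle value, which in a phone-verification flow may include the phone number and tokens, so consider redacting them or gating them behind a verbose flag. The `Java.perform` callback that encloses all of these hooks begins outside the hunk.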