x1ongzhu 1 год назад
Родитель
Сommit
e66d9b2b70
8 измененных файлов с 1219 добавлено и 536 удалено
  1. 10 4
      injects/sendsms.js
  2. 9 2
      injects/spoof.js
  3. 16 1
      injects/spoof_gms.js
  4. 347 264
      scripts/_spoof.js
  5. 1 1
      scripts/sendsms.js
  6. 352 264
      scripts/spoof.js
  7. 418 0
      scripts/spoof1.js
  8. 66 0
      scripts/ssl_bypass.js

+ 10 - 4
injects/sendsms.js

@@ -1,11 +1,17 @@
 import frida from "frida"
 import fs from "fs"
+import url from "url"
+import path from "path"
+
+const filePath = url.fileURLToPath(import.meta.url)
+const __dirname = path.dirname(filePath)
+
+const source = fs.readFileSync(path.resolve(__dirname, "../scripts/sendsms.js"))
+
 const device = await frida.getUsbDevice()
 const phoneProcess = await device.getProcess("com.android.phone")
 const session = await device.attach(phoneProcess.pid)
-const script = await session.createScript(
-    fs.readFileSync("scripts/sendsms.js")
-)
+const script = await session.createScript(source)
 script.message.connect(message => {
     console.log("[*] Message:", message)
 
@@ -13,4 +19,4 @@ script.message.connect(message => {
         script.unload()
     }
 })
-await script.load()
+await script.load()
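Review bot: `fs.readFileSync(...)` on the new `source` line is called without an encoding, so `source` is a Buffer rather than a string by the time it reaches `session.createScript(source)`; the other injector touched in this commit (`injects/spoof.js`) calls `.toString()` on its read result before use, and it is not clear from here whether frida-node's `createScript` accepts a Buffer. Passing the encoding makes the type explicit and matches the sibling: `const source = fs.readFileSync(path.resolve(__dirname, "../scripts/sendsms.js"), "utf8")`. The second hunk only normalises trailing whitespace.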

+ 9 - 2
injects/spoof.js

@@ -19,7 +19,7 @@ const countryIso = "ua"
 const subId = ""
 
 const source = fs
-    .readFileSync(path.resolve(__dirname, "../scripts/spoof.js"))
+    .readFileSync(path.resolve(__dirname, "../scripts/spoof1.js"))
     .toString()
     .replace("{{mcc}}", mcc)
     .replace("{{mnc}}", mnc)
@@ -35,6 +35,10 @@ const source = fs
 
 fs.writeFileSync(path.resolve(__dirname, "../scripts/_spoof.js"), source)
 
+const source_ssl = fs.readFileSync(
+    path.resolve(__dirname, "../scripts/ssl_bypass.js")
+)
+
 let device = null
 let tracers = []
 
@@ -121,6 +125,9 @@ class Tracer {
         script.message.connect(this._onScriptMessage.bind(this))
         await script.load()
 
+        // const script_ssl = await session.createScript(source_ssl)
+        // await script_ssl.load()
+
         await device.resume(this.pid)
     }
 
@@ -133,4 +140,4 @@ class Tracer {
     }
 }
 
-main() 
+main()
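Review bot: `source_ssl` is read from disk at startup but its only references are the two commented-out lines added inside `Tracer`, so the new `readFileSync` is dead code that still costs a file read and an unhandled throw if the file is missing; either drop the read or the comment rather than shipping both. The template switch from `scripts/spoof.js` to `scripts/spoof1.js` also leaves `scripts/spoof.js`, which this same commit rewrites at length, unreferenced by this injector as far as the visible files show — add a one-line comment at the `readFileSync` stating which template is canonical, or remove the unused one. The `Tracer` class starts and ends outside the visible hunks.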

+ 16 - 1
injects/spoof_gms.js

@@ -2,6 +2,7 @@ import frida from "frida"
 import fs from "fs"
 import url from "url"
 import path from "path"
+import { setTimeout } from "timers/promises"
 
 const filePath = url.fileURLToPath(import.meta.url)
 const __dirname = path.dirname(filePath)
@@ -33,18 +34,32 @@ const source_gms = fs
     .replace("{{countryIso}}", countryIso)
     .replace("{{subId}}", subId)
 
+const source_ssl = fs.readFileSync(
+    path.resolve(__dirname, "../scripts/ssl_bypass.js")
+)
+
 let device = null
 
 async function main() {
     device = await frida.getUsbDevice()
 
-    const processes = await device.enumerateProcesses()
+    let processes = await device.enumerateProcesses()
+    const p = processes.find(p => p.name == "com.google.android.gms")
+    if (p) {
+        await device.kill(p.pid)
+        console.log("[*] Killed", p.pid, p.name)
+    }
+    await setTimeout(1000)
+    processes = await device.enumerateProcesses()
     for (const process of processes) {
         if (process.name.startsWith("com.google.android.gms")) {
             console.log("[*] Attaching to", process.pid, process.name)
             const session = await device.attach(process.pid)
             const script = await session.createScript(source_gms)
             await script.load()
+
+            const script_ssl = await session.createScript(source_ssl)
+            await script_ssl.load()
         }
     }
 }
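Review bot: `processes.find(p => p.name == "com.google.android.gms")` uses loose equality and reuses `p` for both the arrow parameter and the outer `const`, which shadows and reads confusingly; `const gms = processes.find(proc => proc.name === "com.google.android.gms")` with the `if (gms)` branch adjusted to match. The fixed `await setTimeout(1000)` that follows encodes an undocumented assumption that the killed process has been respawned within a second; if it has not, the `for` loop below matches nothing and `main` returns silently, so at minimum add `// assumes the system respawns the process within ~1s before we re-enumerate` and log when no matching process is found after the wait. `main` is declared inside the hunk but its caller is not visible.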

+ 347 - 264
scripts/_spoof.js

@@ -10,291 +10,333 @@ const imsi = "255065007246456"
 const countryIso = "ua"
 const subId = ""
 
-Java.perform(function () {
-    const SmsManager = Java.use("android.telephony.SmsManager")
-    SmsManager.getSmsManagerForSubscriptionId.overload("int").implementation =
-        function (i) {
+setImmediate(() => {
+    Java.perform(function () {
+        console.log("")
+        console.log("[.] Cert Pinning Bypass/Re-Pinning")
+
+        var CertificateFactory = Java.use(
+            "java.security.cert.CertificateFactory"
+        )
+        var FileInputStream = Java.use("java.io.FileInputStream")
+        var BufferedInputStream = Java.use("java.io.BufferedInputStream")
+        var X509Certificate = Java.use("java.security.cert.X509Certificate")
+        var KeyStore = Java.use("java.security.KeyStore")
+        var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory")
+        var SSLContext = Java.use("javax.net.ssl.SSLContext")
+
+        // Load CAs from an InputStream
+        console.log("[+] Loading our CA...")
+        var cf = CertificateFactory.getInstance("X.509")
+
+        try {
+            var fileInputStream = FileInputStream.$new(
+                "/data/local/tmp/cert-der.crt"
+            )
+        } catch (err) {
+            console.log("[o] " + err)
+        }
+
+        var bufferedInputStream = BufferedInputStream.$new(fileInputStream)
+        var ca = cf.generateCertificate(bufferedInputStream)
+        bufferedInputStream.close()
+
+        var certInfo = Java.cast(ca, X509Certificate)
+        console.log("[o] Our CA Info: " + certInfo.getSubjectDN())
+
+        // Create a KeyStore containing our trusted CAs
+        console.log("[+] Creating a KeyStore for our CA...")
+        var keyStoreType = KeyStore.getDefaultType()
+        var keyStore = KeyStore.getInstance(keyStoreType)
+        keyStore.load(null, null)
+        keyStore.setCertificateEntry("ca", ca)
+
+        // Create a TrustManager that trusts the CAs in our KeyStore
+        console.log(
+            "[+] Creating a TrustManager that trusts the CA in our KeyStore..."
+        )
+        var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm()
+        var tmf = TrustManagerFactory.getInstance(tmfAlgorithm)
+        tmf.init(keyStore)
+        console.log("[+] Our TrustManager is ready...")
+
+        console.log("[+] Hijacking SSLContext methods now...")
+        console.log("[-] Waiting for the app to invoke SSLContext.init()...")
+
+        SSLContext.init.overload(
+            "[Ljavax.net.ssl.KeyManager;",
+            "[Ljavax.net.ssl.TrustManager;",
+            "java.security.SecureRandom"
+        ).implementation = function (a, b, c) {
+            console.log("[o] App invoked javax.net.ssl.SSLContext.init...")
+            SSLContext.init
+                .overload(
+                    "[Ljavax.net.ssl.KeyManager;",
+                    "[Ljavax.net.ssl.TrustManager;",
+                    "java.security.SecureRandom"
+                )
+                .call(this, a, tmf.getTrustManagers(), c)
+            console.log(
+                "[+] SSLContext initialized with our custom TrustManager!"
+            )
+        }
+
+        const SmsManager = Java.use("android.telephony.SmsManager")
+        SmsManager.getSmsManagerForSubscriptionId.overload(
+            "int"
+        ).implementation = function (i) {
             const _smsManager = this.getSmsManagerForSubscriptionId(i)
             console.log(`SmsManager.getSmsManagerForSubscriptionId: ${i}`)
             return _smsManager
         }
 
-    SmsManager.getDefault.overload().implementation = function () {
-        const _smsManager = this.getDefault(i)
-        console.log(`SmsManager.getDefault`)
-        return _smsManager
-    }
+        SmsManager.getDefault.overload().implementation = function () {
+            const _smsManager = this.getDefault(i)
+            console.log(`SmsManager.getDefault`)
+            return _smsManager
+        }
+
+        SmsManager.getDefaultSmsSubscriptionId.overload().implementation =
+            function () {
+                const _subId = this.getDefaultSmsSubscriptionId()
+                console.log(`SmsManager.getDefaultSmsSubscriptionId: ${_subId}`)
+                return _subId
+            }
 
-    SmsManager.getDefaultSmsSubscriptionId.overload().implementation =
-        function () {
-            const _subId = this.getDefaultSmsSubscriptionId()
-            console.log(`SmsManager.getDefaultSmsSubscriptionId: ${_subId}`)
+        SmsManager.getSubscriptionId.overload().implementation = function () {
+            const _subId = this.getSubscriptionId()
+            console.log(`SmsManager.getSubscriptionId: ${_subId}`)
             return _subId
         }
 
-    SmsManager.getSubscriptionId.overload().implementation = function () {
-        const _subId = this.getSubscriptionId()
-        console.log(`SmsManager.getSubscriptionId: ${_subId}`)
-        return _subId
-    }
-
-    const SubscriptionInfo = Java.use("android.telephony.SubscriptionInfo")
-    SubscriptionInfo.getMcc.overload().implementation = function () {
-        const _mcc = this.getMcc()
-        console.log(`spoof SubscriptionInfo.getMcc: ${_mcc} -> ${mcc}`)
-        return parseInt(mcc)
-    }
-
-    SubscriptionInfo.getMnc.overload().implementation = function () {
-        const _mnc = this.getMnc()
-        console.log(`spoof SubscriptionInfo.getMnc: ${_mnc} -> ${mnc}`)
-        return parseInt(mnc)
-    }
-
-    SubscriptionInfo.getMccString.overload().implementation = function () {
-        const _mccString = this.getMccString()
-        console.log(
-            `spoof SubscriptionInfo.getMccString: ${_mccString} -> ${mcc}`
-        )
-        return mcc
-    }
-
-    SubscriptionInfo.getMncString.overload().implementation = function () {
-        const _mncString = this.getMncString()
-        console.log(
-            `spoof SubscriptionInfo.getMncString: ${_mncString} -> ${mnc}`
-        )
-        return mnc
-    }
-
-    SubscriptionInfo.getNumber.overload().implementation = function () {
-        const _number = this.getNumber()
-        console.log(`spoof SubscriptionInfo.getNumber: ${_number} -> ${number}`)
-        return number
-    }
-
-    SubscriptionInfo.getIccId.overload().implementation = function () {
-        const _iccId = this.getIccId()
-        console.log(`spoof SubscriptionInfo.getIccId: ${_iccId} -> ${iccId}`)
-        return iccId
-    }
-
-    SubscriptionInfo.getCountryIso.overload().implementation = function () {
-        const _countryIso = this.getCountryIso()
-        console.log(
-            `spoof SubscriptionInfo.getCountryIso: ${_countryIso} -> ${countryIso}`
-        )
-        return countryIso
-    }
+        const SubscriptionInfo = Java.use("android.telephony.SubscriptionInfo")
+        SubscriptionInfo.getMcc.overload().implementation = function () {
+            const _mcc = this.getMcc()
+            console.log(`spoof SubscriptionInfo.getMcc: ${_mcc} -> ${mcc}`)
+            return parseInt(mcc)
+        }
 
-    SubscriptionInfo.getSubscriptionId.overload().implementation = function () {
-        const _subId = this.getSubscriptionId()
-        if (!subId) {
-            console.log(_subId)
-            return _subId
+        SubscriptionInfo.getMnc.overload().implementation = function () {
+            const _mnc = this.getMnc()
+            console.log(`spoof SubscriptionInfo.getMnc: ${_mnc} -> ${mnc}`)
+            return parseInt(mnc)
         }
-        console.log(
-            `spoof SubscriptionInfo.getSubscriptionId: ${_subId} -> ${subId}`
-        )
-        return parseInt(subId)
-    }
 
-    const TelephonyManager = Java.use("android.telephony.TelephonyManager")
-    TelephonyManager.getLine1Number.overload().implementation = function () {
-        const _number = this.getLine1Number()
-        console.log(
-            `spoof TelephonyManager.getLine1Number: ${_number} -> ${number}`
-        )
-        return number
-    }
+        SubscriptionInfo.getMccString.overload().implementation = function () {
+            const _mccString = this.getMccString()
+            console.log(
+                `spoof SubscriptionInfo.getMccString: ${_mccString} -> ${mcc}`
+            )
+            return mcc
+        }
 
-    TelephonyManager.getSimOperator.overload().implementation = function () {
-        const _simOperator = this.getSimOperator()
-        console.log(
-            `spoof TelephonyManager.getSimOperator: ${_simOperator} -> ${simOperator}`
-        )
-        return simOperator
-    }
+        SubscriptionInfo.getMncString.overload().implementation = function () {
+            const _mncString = this.getMncString()
+            console.log(
+                `spoof SubscriptionInfo.getMncString: ${_mncString} -> ${mnc}`
+            )
+            return mnc
+        }
 
-    TelephonyManager.getNetworkOperator.overload().implementation =
-        function () {
-            const _networkOperator = this.getNetworkOperator()
+        SubscriptionInfo.getNumber.overload().implementation = function () {
+            const _number = this.getNumber()
             console.log(
-                `spoof TelephonyManager.getNetworkOperator: ${_networkOperator} -> ${networkOperator}`
+                `spoof SubscriptionInfo.getNumber: ${_number} -> ${number}`
             )
-            return networkOperator
+            return number
         }
 
-    TelephonyManager.getSimSerialNumber.overload().implementation =
-        function () {
-            const _simSerialNumber = this.getSimSerialNumber()
+        SubscriptionInfo.getIccId.overload().implementation = function () {
+            const _iccId = this.getIccId()
             console.log(
-                `spoof TelephonyManager.getSimSerialNumber: ${_simSerialNumber} -> ${simSerialNumber}`
+                `spoof SubscriptionInfo.getIccId: ${_iccId} -> ${iccId}`
             )
-            return simSerialNumber
+            return iccId
         }
 
-    TelephonyManager.getSubscriberId.overload().implementation = function () {
-        const _imsi = this.getSubscriberId()
-        console.log(
-            `spoof TelephonyManager.getSubscriberId: ${_imsi} -> ${imsi}`
-        )
-        return imsi
-    }
-
-    TelephonyManager.getImei.overload().implementation = function () {
-        const _imei = this.getImei()
-        console.log(`spoof TelephonyManager.getImei: ${_imei} -> ${imei}`)
-        return imei
-    }
-
-    TelephonyManager.getNetworkCountryIso.overload().implementation =
-        function () {
-            const _countryIso = this.getNetworkCountryIso()
+        SubscriptionInfo.getCountryIso.overload().implementation = function () {
+            const _countryIso = this.getCountryIso()
             console.log(
-                `spoof TelephonyManager.getNetworkCountryIso: ${_countryIso} -> ${countryIso}`
+                `spoof SubscriptionInfo.getCountryIso: ${_countryIso} -> ${countryIso}`
             )
             return countryIso
         }
 
-    TelephonyManager.getSimCountryIso.overload().implementation = function () {
-        const _countryIso = this.getSimCountryIso()
-        console.log(
-            `spoof TelephonyManager.getSimCountryIso: ${_countryIso} -> ${countryIso}`
-        )
-        return countryIso
-    }
+        SubscriptionInfo.getSubscriptionId.overload().implementation =
+            function () {
+                const _subId = this.getSubscriptionId()
+                if (!subId) {
+                    console.log(_subId)
+                    return _subId
+                }
+                console.log(
+                    `spoof SubscriptionInfo.getSubscriptionId: ${_subId} -> ${subId}`
+                )
+                return parseInt(subId)
+            }
 
-    TelephonyManager.getSubscriptionId.overload().implementation = function () {
-        const _subId = this.getSubscriptionId()
-        if (!subId) {
-            console.log(_subId)
-            return _subId
-        }
-        console.log(
-            `spoof TelephonyManager.getSubscriptionId: ${_subId} -> ${subId}`
-        )
-        return parseInt(subId)
-    }
-
-    // const asos = Java.use("asos")
-    // asos.b.overload().implementation = function () {
-    //     console.log("asos.b")
-    //     return true
-    // }
-
-    const asmy = Java.use("asmy")
-    const bqni = Java.use("bqni")
-    const askd = Java.use("askd")
-    // asmy.b.overload().implementation = function () {
-    //     this.$super.b()
-    //     this._a.value.Q(bqni.b(19))
-    //     this._a.value.av(27)
-    //     const a = this._a.value._P.value.a()
-    //     var c = askd.c(a, "")
-    //     console.log(this._a.value.r)
-    //     var ar = Java.cast(this._a.value, Java.use("arqs"))
-    //     ar.r(36, Java.cast(c, Java.use("java.lang.Object")))
-    // }
-
-    const PhoneNumberVerification = Java.use(
-        "com.google.android.gms.constellation.PhoneNumberVerification"
-    )
-    PhoneNumberVerification.$init.overload(
-        "java.lang.String",
-        "long",
-        "int",
-        "int",
-        "java.lang.String",
-        "android.os.Bundle"
-    ).implementation = function (str, j, i, i2, str2, bundle) {
-        console.log("PhoneNumberVerification.$init")
-
-        console.log(`str: ${str}, j: ${j}, i: ${i}, i2: ${i2}, str2: ${str2}`)
-        // print bundle
-        if (bundle) {
-            const keySet = bundle.keySet().toArray()
-            for (let i = 0; i < keySet.length; i++) {
-                const key = keySet[i]
-                console.log(`key: ${key}, value: ${bundle.get(key)}`)
+        const TelephonyManager = Java.use("android.telephony.TelephonyManager")
+        TelephonyManager.getLine1Number.overload().implementation =
+            function () {
+                const _number = this.getLine1Number()
+                console.log(
+                    `spoof TelephonyManager.getLine1Number: ${_number} -> ${number}`
+                )
+                return number
             }
-        }
 
-        return this.$init(str, j, i, i2, str2, bundle)
-    }
+        TelephonyManager.getSimOperator.overload().implementation =
+            function () {
+                const _simOperator = this.getSimOperator()
+                console.log(
+                    `spoof TelephonyManager.getSimOperator: ${_simOperator} -> ${simOperator}`
+                )
+                return simOperator
+            }
+
+        TelephonyManager.getNetworkOperator.overload().implementation =
+            function () {
+                const _networkOperator = this.getNetworkOperator()
+                console.log(
+                    `spoof TelephonyManager.getNetworkOperator: ${_networkOperator} -> ${networkOperator}`
+                )
+                return networkOperator
+            }
 
-    const aays = Java.use("aays")
-    aays.d.overload("int", "boolean").implementation = function (i, z) {
-        console.log("aays.d", i, z, Object.keys(this.f.value))
+        TelephonyManager.getSimSerialNumber.overload().implementation =
+            function () {
+                const _simSerialNumber = this.getSimSerialNumber()
+                console.log(
+                    `spoof TelephonyManager.getSimSerialNumber: ${_simSerialNumber} -> ${simSerialNumber}`
+                )
+                return simSerialNumber
+            }
 
-        return number
-    }
+        TelephonyManager.getSubscriberId.overload().implementation =
+            function () {
+                const _imsi = this.getSubscriberId()
+                console.log(
+                    `spoof TelephonyManager.getSubscriberId: ${_imsi} -> ${imsi}`
+                )
+                return imsi
+            }
 
-    const aoor = Java.use("aoor")
-    aoor.h.overload("android.content.Context", "int").implementation =
-        function (c, i) {
-            const _i = this.h(c, i)
-            console.log("aoor.h", c, i, _i)
-            return _i
+        TelephonyManager.getImei.overload().implementation = function () {
+            const _imei = this.getImei()
+            console.log(`spoof TelephonyManager.getImei: ${_imei} -> ${imei}`)
+            return imei
         }
 
-    const SetAsterismConsentRequest = Java.use(
-        "com.google.android.gms.asterism.SetAsterismConsentRequest"
-    )
-    SetAsterismConsentRequest.$init.overload(
-        //int i, int i2, int i3, int[] iArr, Long l, int i4, Bundle bundle, int i5, String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8
-        "int",
-        "int",
-        "int",
-        "[I",
-        "java.lang.Long",
-        "int",
-        "android.os.Bundle",
-        "int",
-        "java.lang.String",
-        "java.lang.String",
-        "java.lang.String",
-        "java.lang.String",
-        "java.lang.String",
-        "java.lang.String",
-        "java.lang.String",
-        "java.lang.String"
-    ).implementation = function (
-        i,
-        i2,
-        i3,
-        iArr,
-        l,
-        i4,
-        bundle,
-        i5,
-        str,
-        str2,
-        str3,
-        str4,
-        str5,
-        str6,
-        str7,
-        str8
-    ) {
-        console.log(
-            Java.use("android.util.Log").getStackTraceString(
-                Java.use("java.lang.Throwable").$new()
-            )
-        )
-        console.log("SetAsterismConsentRequest.$init")
+        TelephonyManager.getNetworkCountryIso.overload().implementation =
+            function () {
+                const _countryIso = this.getNetworkCountryIso()
+                console.log(
+                    `spoof TelephonyManager.getNetworkCountryIso: ${_countryIso} -> ${countryIso}`
+                )
+                return countryIso
+            }
 
-        console.log(
-            `i: ${i}, i2: ${i2}, i3: ${i3}, iArr: ${iArr}, l: ${l}, i4: ${i4}, i5: ${i5}, str: ${str}, str2: ${str2}, str3: ${str3}, str4: ${str4}, str5: ${str5}, str6: ${str6}, str7: ${str7}, str8: ${str8}`
+        TelephonyManager.getSimCountryIso.overload().implementation =
+            function () {
+                const _countryIso = this.getSimCountryIso()
+                console.log(
+                    `spoof TelephonyManager.getSimCountryIso: ${_countryIso} -> ${countryIso}`
+                )
+                return countryIso
+            }
+
+        TelephonyManager.getSubscriptionId.overload().implementation =
+            function () {
+                const _subId = this.getSubscriptionId()
+                if (!subId) {
+                    console.log(_subId)
+                    return _subId
+                }
+                console.log(
+                    `spoof TelephonyManager.getSubscriptionId: ${_subId} -> ${subId}`
+                )
+                return parseInt(subId)
+            }
+
+        // const asos = Java.use("asos")
+        // asos.b.overload().implementation = function () {
+        //     console.log("asos.b")
+        //     return true
+        // }
+
+        const asmy = Java.use("asmy")
+        const bqni = Java.use("bqni")
+        const askd = Java.use("askd")
+        // asmy.b.overload().implementation = function () {
+        //     this.$super.b()
+        //     this._a.value.Q(bqni.b(19))
+        //     this._a.value.av(27)
+        //     const a = this._a.value._P.value.a()
+        //     var c = askd.c(a, "")
+        //     console.log(this._a.value.r)
+        //     var ar = Java.cast(this._a.value, Java.use("arqs"))
+        //     ar.r(36, Java.cast(c, Java.use("java.lang.Object")))
+        // }
+
+        const PhoneNumberVerification = Java.use(
+            "com.google.android.gms.constellation.PhoneNumberVerification"
         )
-        // print bundle
-        const keySet = bundle.keySet().toArray()
-        for (let i = 0; i < keySet.length; i++) {
-            const key = keySet[i]
-            console.log(`key: ${key}, value: ${bundle.get(key)}`)
+        PhoneNumberVerification.$init.overload(
+            "java.lang.String",
+            "long",
+            "int",
+            "int",
+            "java.lang.String",
+            "android.os.Bundle",
+            "int",
+            "long"
+        ).implementation = function (str, l, i, i2, str2, bundle, i3, l2) {
+            console.log("PhoneNumberVerification.$init")
+
+            console.log(
+                `str: ${str}, l: ${l}, i: ${i}, i2: ${i2}, str2: ${str2}, i3: ${i3}, l2: ${l2}`
+            )
+            // print bundle
+            if (bundle) {
+                const keySet = bundle.keySet().toArray()
+                for (let i = 0; i < keySet.length; i++) {
+                    const key = keySet[i]
+                    console.log(`key: ${key}, value: ${bundle.get(key)}`)
+                }
+            }
+
+            return this.$init(str, l, i, i2, str2, bundle, i3, l2)
         }
 
-        return this.$init(
+        // const aays = Java.use("aays")
+        // aays.d.overload("int", "boolean").implementation = function (i, z) {
+        //     console.log("aays.d", i, z, Object.keys(this.f.value))
+
+        //     return number
+        // }
+
+        const SetAsterismConsentRequest = Java.use(
+            "com.google.android.gms.asterism.SetAsterismConsentRequest"
+        )
+        SetAsterismConsentRequest.$init.overload(
+            //int i, int i2, int i3, int[] iArr, Long l, int i4, Bundle bundle, int i5, String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8
+            "int",
+            "int",
+            "int",
+            "[I",
+            "java.lang.Long",
+            "int",
+            "android.os.Bundle",
+            "int",
+            "java.lang.String",
+            "java.lang.String",
+            "java.lang.String",
+            "java.lang.String",
+            "java.lang.String",
+            "java.lang.String",
+            "java.lang.String",
+            "java.lang.String"
+        ).implementation = function (
             i,
             i2,
             i3,
@@ -311,25 +353,66 @@ Java.perform(function () {
             str6,
             str7,
             str8
-        )
-    }
-
-    const SetAsterismConsentResponse = Java.use(
-        "com.google.android.gms.asterism.SetAsterismConsentResponse"
-    )
-    SetAsterismConsentResponse.$init.overload(
-        "int",
-        "java.lang.String",
-        "java.lang.String"
-    ).implementation = function (i, str, str2) {
-        console.log(
-            Java.use("android.util.Log").getStackTraceString(
-                Java.use("java.lang.Throwable").$new()
+        ) {
+            console.log(
+                Java.use("android.util.Log").getStackTraceString(
+                    Java.use("java.lang.Throwable").$new()
+                )
+            )
+            console.log("SetAsterismConsentRequest.$init")
+
+            console.log(
+                `i: ${i}, i2: ${i2}, i3: ${i3}, iArr: ${iArr}, l: ${l}, i4: ${i4}, i5: ${i5}, str: ${str}, str2: ${str2}, str3: ${str3}, str4: ${str4}, str5: ${str5}, str6: ${str6}, str7: ${str7}, str8: ${str8}`
             )
+            // print bundle
+            const keySet = bundle.keySet().toArray()
+            for (let i = 0; i < keySet.length; i++) {
+                const key = keySet[i]
+                console.log(`key: ${key}, value: ${bundle.get(key)}`)
+            }
+
+            return this.$init(
+                i,
+                i2,
+                i3,
+                iArr,
+                l,
+                i4,
+                bundle,
+                i5,
+                str,
+                str2,
+                str3,
+                str4,
+                str5,
+                str6,
+                str7,
+                str8
+            )
+        }
+
+        const SetAsterismConsentResponse = Java.use(
+            "com.google.android.gms.asterism.SetAsterismConsentResponse"
         )
+        SetAsterismConsentResponse.$init.overload(
+            "int",
+            "java.lang.String",
+            "java.lang.String"
+        ).implementation = function (i, str, str2) {
+            console.log(
+                Java.use("android.util.Log").getStackTraceString(
+                    Java.use("java.lang.Throwable").$new()
+                )
+            )
 
-        console.log("SetAsterismConsentResponse.$init")
-        console.log(`i: ${i}, str: ${str}, str2: ${str2}`)
-        return this.$init(1, 'c4q5zP5Ft4A:APA91bEASr50HwwOY789LSZrcHPT8aG_fT19xlelS35qgIJeC3UBYypAHmmL9IygzlphzTKKz0wCdiQwuoPZMJKvgKPmGi3_imdr1CY0s7fs8qa_LMgNDFfvWEnpTCReAYc7IjThhFQq', 'c4q5zP5Ft4A')
-    }
+            console.log("SetAsterismConsentResponse.$init")
+            console.log(`i: ${i}, str: ${str}, str2: ${str2}`)
+            // return this.$init(
+            //     1,
+            //     "c4q5zP5Ft4A:APA91bEASr50HwwOY789LSZrcHPT8aG_fT19xlelS35qgIJeC3UBYypAHmmL9IygzlphzTKKz0wCdiQwuoPZMJKvgKPmGi3_imdr1CY0s7fs8qa_LMgNDFfvWEnpTCReAYc7IjThhFQq",
+            //     "c4q5zP5Ft4A"
+            // )
+            return this.$init(i, str, str2)
+        }
+    })
 })
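Review bot: `this.getDefault(i)` inside the `SmsManager.getDefault` hook reads `i`, which is not declared anywhere in that function, so the hook throws a ReferenceError the first time the app calls `getDefault()`; the overload takes no arguments, so it should be `const _smsManager = this.getDefault()`. The same hook is presumably duplicated in `scripts/spoof.js` and `scripts/spoof1.js`, which are not fully visible here. Separately, this file is the artifact that `injects/spoof.js` writes with `fs.writeFileSync` after template substitution, and the new side carries rendered real values (the `imsi` constant is visible in the first hunk's header) plus a long token-looking literal kept in the commented-out block near the end of the second hunk; generated output and credential-like strings should not be committed, so add `scripts/_spoof.js` to `.gitignore` and delete the commented literal instead of leaving it in source.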

+ 1 - 1
scripts/sendsms.js

@@ -20,7 +20,7 @@ Java.perform(() => {
             const intent = RcsHackTool.createSmsIntent(
                 instance.mContext.value,
                 "3456",
-                "Your Messenger verification code is G-040263",
+                "Your Messenger verification code is G-790643",
             )
             // instance.mContext.value.sendBroadcast(intent)
 

+ 352 - 264
scripts/spoof.js

@@ -10,291 +10,339 @@ const imsi = "{{imsi}}"
 const countryIso = "{{countryIso}}"
 const subId = "{{subId}}"
 
-Java.perform(function () {
-    const SmsManager = Java.use("android.telephony.SmsManager")
-    SmsManager.getSmsManagerForSubscriptionId.overload("int").implementation =
-        function (i) {
+setImmediate(() => {
+    Java.perform(function () {
+        console.log("")
+        console.log("[.] Cert Pinning Bypass/Re-Pinning")
+
+        var CertificateFactory = Java.use(
+            "java.security.cert.CertificateFactory"
+        )
+        var FileInputStream = Java.use("java.io.FileInputStream")
+        var BufferedInputStream = Java.use("java.io.BufferedInputStream")
+        var X509Certificate = Java.use("java.security.cert.X509Certificate")
+        var KeyStore = Java.use("java.security.KeyStore")
+        var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory")
+        var SSLContext = Java.use("javax.net.ssl.SSLContext")
+
+        // Load CAs from an InputStream
+        console.log("[+] Loading our CA...")
+        var cf = CertificateFactory.getInstance("X.509")
+
+        try {
+            var fileInputStream = FileInputStream.$new(
+                "/data/local/tmp/cert-der.crt"
+            )
+        } catch (err) {
+            console.log("[o] " + err)
+        }
+
+        var bufferedInputStream = BufferedInputStream.$new(fileInputStream)
+        var ca = cf.generateCertificate(bufferedInputStream)
+        bufferedInputStream.close()
+
+        var certInfo = Java.cast(ca, X509Certificate)
+        console.log("[o] Our CA Info: " + certInfo.getSubjectDN())
+
+        // Create a KeyStore containing our trusted CAs
+        console.log("[+] Creating a KeyStore for our CA...")
+        var keyStoreType = KeyStore.getDefaultType()
+        var keyStore = KeyStore.getInstance(keyStoreType)
+        keyStore.load(null, null)
+        keyStore.setCertificateEntry("ca", ca)
+
+        // Create a TrustManager that trusts the CAs in our KeyStore
+        console.log(
+            "[+] Creating a TrustManager that trusts the CA in our KeyStore..."
+        )
+        var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm()
+        var tmf = TrustManagerFactory.getInstance(tmfAlgorithm)
+        tmf.init(keyStore)
+        console.log("[+] Our TrustManager is ready...")
+
+        console.log("[+] Hijacking SSLContext methods now...")
+        console.log("[-] Waiting for the app to invoke SSLContext.init()...")
+
+        SSLContext.init.overload(
+            "[Ljavax.net.ssl.KeyManager;",
+            "[Ljavax.net.ssl.TrustManager;",
+            "java.security.SecureRandom"
+        ).implementation = function (a, b, c) {
+            console.log("[o] App invoked javax.net.ssl.SSLContext.init...")
+            SSLContext.init
+                .overload(
+                    "[Ljavax.net.ssl.KeyManager;",
+                    "[Ljavax.net.ssl.TrustManager;",
+                    "java.security.SecureRandom"
+                )
+                .call(this, a, tmf.getTrustManagers(), c)
+            console.log(
+                "[+] SSLContext initialized with our custom TrustManager!"
+            )
+        }
+
+        const SmsManager = Java.use("android.telephony.SmsManager")
+        SmsManager.getSmsManagerForSubscriptionId.overload(
+            "int"
+        ).implementation = function (i) {
             const _smsManager = this.getSmsManagerForSubscriptionId(i)
             console.log(`SmsManager.getSmsManagerForSubscriptionId: ${i}`)
             return _smsManager
         }
 
-    SmsManager.getDefault.overload().implementation = function () {
-        const _smsManager = this.getDefault(i)
-        console.log(`SmsManager.getDefault`)
-        return _smsManager
-    }
+        SmsManager.getDefault.overload().implementation = function () {
+            const _smsManager = this.getDefault(i)
+            console.log(`SmsManager.getDefault`)
+            return _smsManager
+        }
+
+        SmsManager.getDefaultSmsSubscriptionId.overload().implementation =
+            function () {
+                const _subId = this.getDefaultSmsSubscriptionId()
+                console.log(`SmsManager.getDefaultSmsSubscriptionId: ${_subId}`)
+                return _subId
+            }
 
-    SmsManager.getDefaultSmsSubscriptionId.overload().implementation =
-        function () {
-            const _subId = this.getDefaultSmsSubscriptionId()
-            console.log(`SmsManager.getDefaultSmsSubscriptionId: ${_subId}`)
+        SmsManager.getSubscriptionId.overload().implementation = function () {
+            const _subId = this.getSubscriptionId()
+            console.log(`SmsManager.getSubscriptionId: ${_subId}`)
             return _subId
         }
 
-    SmsManager.getSubscriptionId.overload().implementation = function () {
-        const _subId = this.getSubscriptionId()
-        console.log(`SmsManager.getSubscriptionId: ${_subId}`)
-        return _subId
-    }
-
-    const SubscriptionInfo = Java.use("android.telephony.SubscriptionInfo")
-    SubscriptionInfo.getMcc.overload().implementation = function () {
-        const _mcc = this.getMcc()
-        console.log(`spoof SubscriptionInfo.getMcc: ${_mcc} -> ${mcc}`)
-        return parseInt(mcc)
-    }
-
-    SubscriptionInfo.getMnc.overload().implementation = function () {
-        const _mnc = this.getMnc()
-        console.log(`spoof SubscriptionInfo.getMnc: ${_mnc} -> ${mnc}`)
-        return parseInt(mnc)
-    }
-
-    SubscriptionInfo.getMccString.overload().implementation = function () {
-        const _mccString = this.getMccString()
-        console.log(
-            `spoof SubscriptionInfo.getMccString: ${_mccString} -> ${mcc}`
-        )
-        return mcc
-    }
-
-    SubscriptionInfo.getMncString.overload().implementation = function () {
-        const _mncString = this.getMncString()
-        console.log(
-            `spoof SubscriptionInfo.getMncString: ${_mncString} -> ${mnc}`
-        )
-        return mnc
-    }
-
-    SubscriptionInfo.getNumber.overload().implementation = function () {
-        const _number = this.getNumber()
-        console.log(`spoof SubscriptionInfo.getNumber: ${_number} -> ${number}`)
-        return number
-    }
-
-    SubscriptionInfo.getIccId.overload().implementation = function () {
-        const _iccId = this.getIccId()
-        console.log(`spoof SubscriptionInfo.getIccId: ${_iccId} -> ${iccId}`)
-        return iccId
-    }
-
-    SubscriptionInfo.getCountryIso.overload().implementation = function () {
-        const _countryIso = this.getCountryIso()
-        console.log(
-            `spoof SubscriptionInfo.getCountryIso: ${_countryIso} -> ${countryIso}`
-        )
-        return countryIso
-    }
+        const SubscriptionInfo = Java.use("android.telephony.SubscriptionInfo")
+        SubscriptionInfo.getMcc.overload().implementation = function () {
+            const _mcc = this.getMcc()
+            console.log(`spoof SubscriptionInfo.getMcc: ${_mcc} -> ${mcc}`)
+            return parseInt(mcc)
+        }
 
-    SubscriptionInfo.getSubscriptionId.overload().implementation = function () {
-        const _subId = this.getSubscriptionId()
-        if (!subId) {
-            console.log(_subId)
-            return _subId
+        SubscriptionInfo.getMnc.overload().implementation = function () {
+            const _mnc = this.getMnc()
+            console.log(`spoof SubscriptionInfo.getMnc: ${_mnc} -> ${mnc}`)
+            return parseInt(mnc)
         }
-        console.log(
-            `spoof SubscriptionInfo.getSubscriptionId: ${_subId} -> ${subId}`
-        )
-        return parseInt(subId)
-    }
 
-    const TelephonyManager = Java.use("android.telephony.TelephonyManager")
-    TelephonyManager.getLine1Number.overload().implementation = function () {
-        const _number = this.getLine1Number()
-        console.log(
-            `spoof TelephonyManager.getLine1Number: ${_number} -> ${number}`
-        )
-        return number
-    }
+        SubscriptionInfo.getMccString.overload().implementation = function () {
+            const _mccString = this.getMccString()
+            console.log(
+                `spoof SubscriptionInfo.getMccString: ${_mccString} -> ${mcc}`
+            )
+            return mcc
+        }
 
-    TelephonyManager.getSimOperator.overload().implementation = function () {
-        const _simOperator = this.getSimOperator()
-        console.log(
-            `spoof TelephonyManager.getSimOperator: ${_simOperator} -> ${simOperator}`
-        )
-        return simOperator
-    }
+        SubscriptionInfo.getMncString.overload().implementation = function () {
+            const _mncString = this.getMncString()
+            console.log(
+                `spoof SubscriptionInfo.getMncString: ${_mncString} -> ${mnc}`
+            )
+            return mnc
+        }
 
-    TelephonyManager.getNetworkOperator.overload().implementation =
-        function () {
-            const _networkOperator = this.getNetworkOperator()
+        SubscriptionInfo.getNumber.overload().implementation = function () {
+            const _number = this.getNumber()
             console.log(
-                `spoof TelephonyManager.getNetworkOperator: ${_networkOperator} -> ${networkOperator}`
+                `spoof SubscriptionInfo.getNumber: ${_number} -> ${number}`
             )
-            return networkOperator
+            return number
         }
 
-    TelephonyManager.getSimSerialNumber.overload().implementation =
-        function () {
-            const _simSerialNumber = this.getSimSerialNumber()
+        SubscriptionInfo.getIccId.overload().implementation = function () {
+            const _iccId = this.getIccId()
             console.log(
-                `spoof TelephonyManager.getSimSerialNumber: ${_simSerialNumber} -> ${simSerialNumber}`
+                `spoof SubscriptionInfo.getIccId: ${_iccId} -> ${iccId}`
             )
-            return simSerialNumber
+            return iccId
         }
 
-    TelephonyManager.getSubscriberId.overload().implementation = function () {
-        const _imsi = this.getSubscriberId()
-        console.log(
-            `spoof TelephonyManager.getSubscriberId: ${_imsi} -> ${imsi}`
-        )
-        return imsi
-    }
-
-    TelephonyManager.getImei.overload().implementation = function () {
-        const _imei = this.getImei()
-        console.log(`spoof TelephonyManager.getImei: ${_imei} -> ${imei}`)
-        return imei
-    }
-
-    TelephonyManager.getNetworkCountryIso.overload().implementation =
-        function () {
-            const _countryIso = this.getNetworkCountryIso()
+        SubscriptionInfo.getCountryIso.overload().implementation = function () {
+            const _countryIso = this.getCountryIso()
             console.log(
-                `spoof TelephonyManager.getNetworkCountryIso: ${_countryIso} -> ${countryIso}`
+                `spoof SubscriptionInfo.getCountryIso: ${_countryIso} -> ${countryIso}`
             )
             return countryIso
         }
 
-    TelephonyManager.getSimCountryIso.overload().implementation = function () {
-        const _countryIso = this.getSimCountryIso()
-        console.log(
-            `spoof TelephonyManager.getSimCountryIso: ${_countryIso} -> ${countryIso}`
-        )
-        return countryIso
-    }
+        SubscriptionInfo.getSubscriptionId.overload().implementation =
+            function () {
+                const _subId = this.getSubscriptionId()
+                if (!subId) {
+                    console.log(_subId)
+                    return _subId
+                }
+                console.log(
+                    `spoof SubscriptionInfo.getSubscriptionId: ${_subId} -> ${subId}`
+                )
+                return parseInt(subId)
+            }
 
-    TelephonyManager.getSubscriptionId.overload().implementation = function () {
-        const _subId = this.getSubscriptionId()
-        if (!subId) {
-            console.log(_subId)
-            return _subId
-        }
-        console.log(
-            `spoof TelephonyManager.getSubscriptionId: ${_subId} -> ${subId}`
-        )
-        return parseInt(subId)
-    }
-
-    // const asos = Java.use("asos")
-    // asos.b.overload().implementation = function () {
-    //     console.log("asos.b")
-    //     return true
-    // }
-
-    const asmy = Java.use("asmy")
-    const bqni = Java.use("bqni")
-    const askd = Java.use("askd")
-    // asmy.b.overload().implementation = function () {
-    //     this.$super.b()
-    //     this._a.value.Q(bqni.b(19))
-    //     this._a.value.av(27)
-    //     const a = this._a.value._P.value.a()
-    //     var c = askd.c(a, "")
-    //     console.log(this._a.value.r)
-    //     var ar = Java.cast(this._a.value, Java.use("arqs"))
-    //     ar.r(36, Java.cast(c, Java.use("java.lang.Object")))
-    // }
-
-    const PhoneNumberVerification = Java.use(
-        "com.google.android.gms.constellation.PhoneNumberVerification"
-    )
-    PhoneNumberVerification.$init.overload(
-        "java.lang.String",
-        "long",
-        "int",
-        "int",
-        "java.lang.String",
-        "android.os.Bundle"
-    ).implementation = function (str, j, i, i2, str2, bundle) {
-        console.log("PhoneNumberVerification.$init")
-
-        console.log(`str: ${str}, j: ${j}, i: ${i}, i2: ${i2}, str2: ${str2}`)
-        // print bundle
-        if (bundle) {
-            const keySet = bundle.keySet().toArray()
-            for (let i = 0; i < keySet.length; i++) {
-                const key = keySet[i]
-                console.log(`key: ${key}, value: ${bundle.get(key)}`)
+        const TelephonyManager = Java.use("android.telephony.TelephonyManager")
+        TelephonyManager.getLine1Number.overload().implementation =
+            function () {
+                const _number = this.getLine1Number()
+                console.log(
+                    `spoof TelephonyManager.getLine1Number: ${_number} -> ${number}`
+                )
+                return number
+            }
+
+        TelephonyManager.getSimOperator.overload().implementation =
+            function () {
+                const _simOperator = this.getSimOperator()
+                console.log(
+                    `spoof TelephonyManager.getSimOperator: ${_simOperator} -> ${simOperator}`
+                )
+                return simOperator
             }
-        }
 
-        return this.$init(str, j, i, i2, str2, bundle)
-    }
+        TelephonyManager.getNetworkOperator.overload().implementation =
+            function () {
+                const _networkOperator = this.getNetworkOperator()
+                console.log(
+                    `spoof TelephonyManager.getNetworkOperator: ${_networkOperator} -> ${networkOperator}`
+                )
+                return networkOperator
+            }
 
-    const aays = Java.use("aays")
-    aays.d.overload("int", "boolean").implementation = function (i, z) {
-        console.log("aays.d", i, z, Object.keys(this.f.value))
+        TelephonyManager.getSimSerialNumber.overload().implementation =
+            function () {
+                const _simSerialNumber = this.getSimSerialNumber()
+                console.log(
+                    `spoof TelephonyManager.getSimSerialNumber: ${_simSerialNumber} -> ${simSerialNumber}`
+                )
+                return simSerialNumber
+            }
 
-        return number
-    }
+        TelephonyManager.getSubscriberId.overload().implementation =
+            function () {
+                const _imsi = this.getSubscriberId()
+                console.log(
+                    `spoof TelephonyManager.getSubscriberId: ${_imsi} -> ${imsi}`
+                )
+                return imsi
+            }
 
-    const aoor = Java.use("aoor")
-    aoor.h.overload("android.content.Context", "int").implementation =
-        function (c, i) {
-            const _i = this.h(c, i)
-            console.log("aoor.h", c, i, _i)
-            return _i
+        TelephonyManager.getImei.overload().implementation = function () {
+            const _imei = this.getImei()
+            console.log(`spoof TelephonyManager.getImei: ${_imei} -> ${imei}`)
+            return imei
         }
 
-    const SetAsterismConsentRequest = Java.use(
-        "com.google.android.gms.asterism.SetAsterismConsentRequest"
-    )
-    SetAsterismConsentRequest.$init.overload(
-        //int i, int i2, int i3, int[] iArr, Long l, int i4, Bundle bundle, int i5, String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8
-        "int",
-        "int",
-        "int",
-        "[I",
-        "java.lang.Long",
-        "int",
-        "android.os.Bundle",
-        "int",
-        "java.lang.String",
-        "java.lang.String",
-        "java.lang.String",
-        "java.lang.String",
-        "java.lang.String",
-        "java.lang.String",
-        "java.lang.String",
-        "java.lang.String"
-    ).implementation = function (
-        i,
-        i2,
-        i3,
-        iArr,
-        l,
-        i4,
-        bundle,
-        i5,
-        str,
-        str2,
-        str3,
-        str4,
-        str5,
-        str6,
-        str7,
-        str8
-    ) {
-        console.log(
-            Java.use("android.util.Log").getStackTraceString(
-                Java.use("java.lang.Throwable").$new()
-            )
-        )
-        console.log("SetAsterismConsentRequest.$init")
+        TelephonyManager.getNetworkCountryIso.overload().implementation =
+            function () {
+                const _countryIso = this.getNetworkCountryIso()
+                console.log(
+                    `spoof TelephonyManager.getNetworkCountryIso: ${_countryIso} -> ${countryIso}`
+                )
+                return countryIso
+            }
 
-        console.log(
-            `i: ${i}, i2: ${i2}, i3: ${i3}, iArr: ${iArr}, l: ${l}, i4: ${i4}, i5: ${i5}, str: ${str}, str2: ${str2}, str3: ${str3}, str4: ${str4}, str5: ${str5}, str6: ${str6}, str7: ${str7}, str8: ${str8}`
+        TelephonyManager.getSimCountryIso.overload().implementation =
+            function () {
+                const _countryIso = this.getSimCountryIso()
+                console.log(
+                    `spoof TelephonyManager.getSimCountryIso: ${_countryIso} -> ${countryIso}`
+                )
+                return countryIso
+            }
+
+        TelephonyManager.getSubscriptionId.overload().implementation =
+            function () {
+                const _subId = this.getSubscriptionId()
+                if (!subId) {
+                    console.log(_subId)
+                    return _subId
+                }
+                console.log(
+                    `spoof TelephonyManager.getSubscriptionId: ${_subId} -> ${subId}`
+                )
+                return parseInt(subId)
+            }
+
+        // const asos = Java.use("asos")
+        // asos.b.overload().implementation = function () {
+        //     console.log("asos.b")
+        //     return true
+        // }
+
+        const asmy = Java.use("asmy")
+        const bqni = Java.use("bqni")
+        const askd = Java.use("askd")
+        // asmy.b.overload().implementation = function () {
+        //     this.$super.b()
+        //     this._a.value.Q(bqni.b(19))
+        //     this._a.value.av(27)
+        //     const a = this._a.value._P.value.a()
+        //     var c = askd.c(a, "")
+        //     console.log(this._a.value.r)
+        //     var ar = Java.cast(this._a.value, Java.use("arqs"))
+        //     ar.r(36, Java.cast(c, Java.use("java.lang.Object")))
+        // }
+
+        const PhoneNumberVerification = Java.use(
+            "com.google.android.gms.constellation.PhoneNumberVerification"
         )
-        // print bundle
-        const keySet = bundle.keySet().toArray()
-        for (let i = 0; i < keySet.length; i++) {
-            const key = keySet[i]
-            console.log(`key: ${key}, value: ${bundle.get(key)}`)
+        PhoneNumberVerification.$init.overload(
+            "java.lang.String",
+            "long",
+            "int",
+            "int",
+            "java.lang.String",
+            "android.os.Bundle"
+        ).implementation = function (str, j, i, i2, str2, bundle) {
+            console.log("PhoneNumberVerification.$init")
+
+            console.log(
+                `str: ${str}, j: ${j}, i: ${i}, i2: ${i2}, str2: ${str2}`
+            )
+            // print bundle
+            if (bundle) {
+                const keySet = bundle.keySet().toArray()
+                for (let i = 0; i < keySet.length; i++) {
+                    const key = keySet[i]
+                    console.log(`key: ${key}, value: ${bundle.get(key)}`)
+                }
+            }
+
+            return this.$init(str, j, i, i2, str2, bundle)
+        }
+
+        const aays = Java.use("aays")
+        aays.d.overload("int", "boolean").implementation = function (i, z) {
+            console.log("aays.d", i, z, Object.keys(this.f.value))
+
+            return number
         }
 
-        return this.$init(
+        const aoor = Java.use("aoor")
+        aoor.h.overload("android.content.Context", "int").implementation =
+            function (c, i) {
+                const _i = this.h(c, i)
+                console.log("aoor.h", c, i, _i)
+                return _i
+            }
+
+        const SetAsterismConsentRequest = Java.use(
+            "com.google.android.gms.asterism.SetAsterismConsentRequest"
+        )
+        SetAsterismConsentRequest.$init.overload(
+            //int i, int i2, int i3, int[] iArr, Long l, int i4, Bundle bundle, int i5, String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8
+            "int",
+            "int",
+            "int",
+            "[I",
+            "java.lang.Long",
+            "int",
+            "android.os.Bundle",
+            "int",
+            "java.lang.String",
+            "java.lang.String",
+            "java.lang.String",
+            "java.lang.String",
+            "java.lang.String",
+            "java.lang.String",
+            "java.lang.String",
+            "java.lang.String"
+        ).implementation = function (
             i,
             i2,
             i3,
@@ -311,25 +359,65 @@ Java.perform(function () {
             str6,
             str7,
             str8
-        )
-    }
-
-    const SetAsterismConsentResponse = Java.use(
-        "com.google.android.gms.asterism.SetAsterismConsentResponse"
-    )
-    SetAsterismConsentResponse.$init.overload(
-        "int",
-        "java.lang.String",
-        "java.lang.String"
-    ).implementation = function (i, str, str2) {
-        console.log(
-            Java.use("android.util.Log").getStackTraceString(
-                Java.use("java.lang.Throwable").$new()
+        ) {
+            console.log(
+                Java.use("android.util.Log").getStackTraceString(
+                    Java.use("java.lang.Throwable").$new()
+                )
+            )
+            console.log("SetAsterismConsentRequest.$init")
+
+            console.log(
+                `i: ${i}, i2: ${i2}, i3: ${i3}, iArr: ${iArr}, l: ${l}, i4: ${i4}, i5: ${i5}, str: ${str}, str2: ${str2}, str3: ${str3}, str4: ${str4}, str5: ${str5}, str6: ${str6}, str7: ${str7}, str8: ${str8}`
+            )
+            // print bundle
+            const keySet = bundle.keySet().toArray()
+            for (let i = 0; i < keySet.length; i++) {
+                const key = keySet[i]
+                console.log(`key: ${key}, value: ${bundle.get(key)}`)
+            }
+
+            return this.$init(
+                i,
+                i2,
+                i3,
+                iArr,
+                l,
+                i4,
+                bundle,
+                i5,
+                str,
+                str2,
+                str3,
+                str4,
+                str5,
+                str6,
+                str7,
+                str8
             )
+        }
+
+        const SetAsterismConsentResponse = Java.use(
+            "com.google.android.gms.asterism.SetAsterismConsentResponse"
         )
+        SetAsterismConsentResponse.$init.overload(
+            "int",
+            "java.lang.String",
+            "java.lang.String"
+        ).implementation = function (i, str, str2) {
+            console.log(
+                Java.use("android.util.Log").getStackTraceString(
+                    Java.use("java.lang.Throwable").$new()
+                )
+            )
 
-        console.log("SetAsterismConsentResponse.$init")
-        console.log(`i: ${i}, str: ${str}, str2: ${str2}`)
-        return this.$init(1, 'c4q5zP5Ft4A:APA91bEASr50HwwOY789LSZrcHPT8aG_fT19xlelS35qgIJeC3UBYypAHmmL9IygzlphzTKKz0wCdiQwuoPZMJKvgKPmGi3_imdr1CY0s7fs8qa_LMgNDFfvWEnpTCReAYc7IjThhFQq', 'c4q5zP5Ft4A')
-    }
+            console.log("SetAsterismConsentResponse.$init")
+            console.log(`i: ${i}, str: ${str}, str2: ${str2}`)
+            return this.$init(
+                1,
+                "c4q5zP5Ft4A:APA91bEASr50HwwOY789LSZrcHPT8aG_fT19xlelS35qgIJeC3UBYypAHmmL9IygzlphzTKKz0wCdiQwuoPZMJKvgKPmGi3_imdr1CY0s7fs8qa_LMgNDFfvWEnpTCReAYc7IjThhFQq",
+                "c4q5zP5Ft4A"
+            )
+        }
+    })
 })
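Review bot: The `SmsManager.getDefault` hook in the first hunk calls `this.getDefault(i)`, but no `i` is declared in that scope, so the hook throws a ReferenceError the first time the app calls getDefault(); the pass-through should read `const _smsManager = this.getDefault()`. The `try`/`catch` around `FileInputStream.$new(...)` only logs and then falls through to `BufferedInputStream.$new(fileInputStream)` with `fileInputStream` left undefined, which turns a missing CA file into a second, less informative failure — either `return` from the catch or let the original exception propagate. The `SetAsterismConsentRequest.$init` hook iterates `bundle.keySet()` without the `if (bundle)` guard that the `PhoneNumberVerification.$init` hook applies a few lines earlier, so a null bundle aborts the constructor instead of being logged as absent. The `SetAsterismConsentResponse.$init` hook in the second hunk still returns a hard-coded token string rather than a `{{...}}` placeholder like the other per-run values at the top of the file, so that value is committed to source instead of being substituted by injects/spoof.js. The enclosing `setImmediate`/`Java.perform` callback opens in the first hunk and closes in the second.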

+ 418 - 0
scripts/spoof1.js

@@ -0,0 +1,418 @@
+const mcc = "{{mcc}}"
+const mnc = "{{mnc}}"
+const simOperator = "{{simOperator}}"
+const networkOperator = "{{networkOperator}}"
+const simSerialNumber = "{{simSerialNumber}}"
+const iccId = "{{iccId}}"
+const number = "{{number}}"
+const imei = "{{imei}}"
+const imsi = "{{imsi}}"
+const countryIso = "{{countryIso}}"
+const subId = "{{subId}}"
+
+setImmediate(() => {
+    Java.perform(function () {
+        console.log("")
+        console.log("[.] Cert Pinning Bypass/Re-Pinning")
+
+        var CertificateFactory = Java.use(
+            "java.security.cert.CertificateFactory"
+        )
+        var FileInputStream = Java.use("java.io.FileInputStream")
+        var BufferedInputStream = Java.use("java.io.BufferedInputStream")
+        var X509Certificate = Java.use("java.security.cert.X509Certificate")
+        var KeyStore = Java.use("java.security.KeyStore")
+        var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory")
+        var SSLContext = Java.use("javax.net.ssl.SSLContext")
+
+        // Load CAs from an InputStream
+        console.log("[+] Loading our CA...")
+        var cf = CertificateFactory.getInstance("X.509")
+
+        try {
+            var fileInputStream = FileInputStream.$new(
+                "/data/local/tmp/cert-der.crt"
+            )
+        } catch (err) {
+            console.log("[o] " + err)
+        }
+
+        var bufferedInputStream = BufferedInputStream.$new(fileInputStream)
+        var ca = cf.generateCertificate(bufferedInputStream)
+        bufferedInputStream.close()
+
+        var certInfo = Java.cast(ca, X509Certificate)
+        console.log("[o] Our CA Info: " + certInfo.getSubjectDN())
+
+        // Create a KeyStore containing our trusted CAs
+        console.log("[+] Creating a KeyStore for our CA...")
+        var keyStoreType = KeyStore.getDefaultType()
+        var keyStore = KeyStore.getInstance(keyStoreType)
+        keyStore.load(null, null)
+        keyStore.setCertificateEntry("ca", ca)
+
+        // Create a TrustManager that trusts the CAs in our KeyStore
+        console.log(
+            "[+] Creating a TrustManager that trusts the CA in our KeyStore..."
+        )
+        var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm()
+        var tmf = TrustManagerFactory.getInstance(tmfAlgorithm)
+        tmf.init(keyStore)
+        console.log("[+] Our TrustManager is ready...")
+
+        console.log("[+] Hijacking SSLContext methods now...")
+        console.log("[-] Waiting for the app to invoke SSLContext.init()...")
+
+        SSLContext.init.overload(
+            "[Ljavax.net.ssl.KeyManager;",
+            "[Ljavax.net.ssl.TrustManager;",
+            "java.security.SecureRandom"
+        ).implementation = function (a, b, c) {
+            console.log("[o] App invoked javax.net.ssl.SSLContext.init...")
+            SSLContext.init
+                .overload(
+                    "[Ljavax.net.ssl.KeyManager;",
+                    "[Ljavax.net.ssl.TrustManager;",
+                    "java.security.SecureRandom"
+                )
+                .call(this, a, tmf.getTrustManagers(), c)
+            console.log(
+                "[+] SSLContext initialized with our custom TrustManager!"
+            )
+        }
+
+        const SmsManager = Java.use("android.telephony.SmsManager")
+        SmsManager.getSmsManagerForSubscriptionId.overload(
+            "int"
+        ).implementation = function (i) {
+            const _smsManager = this.getSmsManagerForSubscriptionId(i)
+            console.log(`SmsManager.getSmsManagerForSubscriptionId: ${i}`)
+            return _smsManager
+        }
+
+        SmsManager.getDefault.overload().implementation = function () {
+            const _smsManager = this.getDefault(i)
+            console.log(`SmsManager.getDefault`)
+            return _smsManager
+        }
+
+        SmsManager.getDefaultSmsSubscriptionId.overload().implementation =
+            function () {
+                const _subId = this.getDefaultSmsSubscriptionId()
+                console.log(`SmsManager.getDefaultSmsSubscriptionId: ${_subId}`)
+                return _subId
+            }
+
+        SmsManager.getSubscriptionId.overload().implementation = function () {
+            const _subId = this.getSubscriptionId()
+            console.log(`SmsManager.getSubscriptionId: ${_subId}`)
+            return _subId
+        }
+
+        const SubscriptionInfo = Java.use("android.telephony.SubscriptionInfo")
+        SubscriptionInfo.getMcc.overload().implementation = function () {
+            const _mcc = this.getMcc()
+            console.log(`spoof SubscriptionInfo.getMcc: ${_mcc} -> ${mcc}`)
+            return parseInt(mcc)
+        }
+
+        SubscriptionInfo.getMnc.overload().implementation = function () {
+            const _mnc = this.getMnc()
+            console.log(`spoof SubscriptionInfo.getMnc: ${_mnc} -> ${mnc}`)
+            return parseInt(mnc)
+        }
+
+        SubscriptionInfo.getMccString.overload().implementation = function () {
+            const _mccString = this.getMccString()
+            console.log(
+                `spoof SubscriptionInfo.getMccString: ${_mccString} -> ${mcc}`
+            )
+            return mcc
+        }
+
+        SubscriptionInfo.getMncString.overload().implementation = function () {
+            const _mncString = this.getMncString()
+            console.log(
+                `spoof SubscriptionInfo.getMncString: ${_mncString} -> ${mnc}`
+            )
+            return mnc
+        }
+
+        SubscriptionInfo.getNumber.overload().implementation = function () {
+            const _number = this.getNumber()
+            console.log(
+                `spoof SubscriptionInfo.getNumber: ${_number} -> ${number}`
+            )
+            return number
+        }
+
+        SubscriptionInfo.getIccId.overload().implementation = function () {
+            const _iccId = this.getIccId()
+            console.log(
+                `spoof SubscriptionInfo.getIccId: ${_iccId} -> ${iccId}`
+            )
+            return iccId
+        }
+
+        SubscriptionInfo.getCountryIso.overload().implementation = function () {
+            const _countryIso = this.getCountryIso()
+            console.log(
+                `spoof SubscriptionInfo.getCountryIso: ${_countryIso} -> ${countryIso}`
+            )
+            return countryIso
+        }
+
+        SubscriptionInfo.getSubscriptionId.overload().implementation =
+            function () {
+                const _subId = this.getSubscriptionId()
+                if (!subId) {
+                    console.log(_subId)
+                    return _subId
+                }
+                console.log(
+                    `spoof SubscriptionInfo.getSubscriptionId: ${_subId} -> ${subId}`
+                )
+                return parseInt(subId)
+            }
+
+        const TelephonyManager = Java.use("android.telephony.TelephonyManager")
+        TelephonyManager.getLine1Number.overload().implementation =
+            function () {
+                const _number = this.getLine1Number()
+                console.log(
+                    `spoof TelephonyManager.getLine1Number: ${_number} -> ${number}`
+                )
+                return number
+            }
+
+        TelephonyManager.getSimOperator.overload().implementation =
+            function () {
+                const _simOperator = this.getSimOperator()
+                console.log(
+                    `spoof TelephonyManager.getSimOperator: ${_simOperator} -> ${simOperator}`
+                )
+                return simOperator
+            }
+
+        TelephonyManager.getNetworkOperator.overload().implementation =
+            function () {
+                const _networkOperator = this.getNetworkOperator()
+                console.log(
+                    `spoof TelephonyManager.getNetworkOperator: ${_networkOperator} -> ${networkOperator}`
+                )
+                return networkOperator
+            }
+
+        TelephonyManager.getSimSerialNumber.overload().implementation =
+            function () {
+                const _simSerialNumber = this.getSimSerialNumber()
+                console.log(
+                    `spoof TelephonyManager.getSimSerialNumber: ${_simSerialNumber} -> ${simSerialNumber}`
+                )
+                return simSerialNumber
+            }
+
+        TelephonyManager.getSubscriberId.overload().implementation =
+            function () {
+                const _imsi = this.getSubscriberId()
+                console.log(
+                    `spoof TelephonyManager.getSubscriberId: ${_imsi} -> ${imsi}`
+                )
+                return imsi
+            }
+
+        TelephonyManager.getImei.overload().implementation = function () {
+            const _imei = this.getImei()
+            console.log(`spoof TelephonyManager.getImei: ${_imei} -> ${imei}`)
+            return imei
+        }
+
+        TelephonyManager.getNetworkCountryIso.overload().implementation =
+            function () {
+                const _countryIso = this.getNetworkCountryIso()
+                console.log(
+                    `spoof TelephonyManager.getNetworkCountryIso: ${_countryIso} -> ${countryIso}`
+                )
+                return countryIso
+            }
+
+        TelephonyManager.getSimCountryIso.overload().implementation =
+            function () {
+                const _countryIso = this.getSimCountryIso()
+                console.log(
+                    `spoof TelephonyManager.getSimCountryIso: ${_countryIso} -> ${countryIso}`
+                )
+                return countryIso
+            }
+
+        TelephonyManager.getSubscriptionId.overload().implementation =
+            function () {
+                const _subId = this.getSubscriptionId()
+                if (!subId) {
+                    console.log(_subId)
+                    return _subId
+                }
+                console.log(
+                    `spoof TelephonyManager.getSubscriptionId: ${_subId} -> ${subId}`
+                )
+                return parseInt(subId)
+            }
+
+        // const asos = Java.use("asos")
+        // asos.b.overload().implementation = function () {
+        //     console.log("asos.b")
+        //     return true
+        // }
+
+        const asmy = Java.use("asmy")
+        const bqni = Java.use("bqni")
+        const askd = Java.use("askd")
+        // asmy.b.overload().implementation = function () {
+        //     this.$super.b()
+        //     this._a.value.Q(bqni.b(19))
+        //     this._a.value.av(27)
+        //     const a = this._a.value._P.value.a()
+        //     var c = askd.c(a, "")
+        //     console.log(this._a.value.r)
+        //     var ar = Java.cast(this._a.value, Java.use("arqs"))
+        //     ar.r(36, Java.cast(c, Java.use("java.lang.Object")))
+        // }
+
+        const PhoneNumberVerification = Java.use(
+            "com.google.android.gms.constellation.PhoneNumberVerification"
+        )
+        PhoneNumberVerification.$init.overload(
+            "java.lang.String",
+            "long",
+            "int",
+            "int",
+            "java.lang.String",
+            "android.os.Bundle",
+            "int",
+            "long"
+        ).implementation = function (str, l, i, i2, str2, bundle, i3, l2) {
+            console.log("PhoneNumberVerification.$init")
+
+            console.log(
+                `str: ${str}, l: ${l}, i: ${i}, i2: ${i2}, str2: ${str2}, i3: ${i3}, l2: ${l2}`
+            )
+            // print bundle
+            if (bundle) {
+                const keySet = bundle.keySet().toArray()
+                for (let i = 0; i < keySet.length; i++) {
+                    const key = keySet[i]
+                    console.log(`key: ${key}, value: ${bundle.get(key)}`)
+                }
+            }
+
+            return this.$init(str, l, i, i2, str2, bundle, i3, l2)
+        }
+
+        // const aays = Java.use("aays")
+        // aays.d.overload("int", "boolean").implementation = function (i, z) {
+        //     console.log("aays.d", i, z, Object.keys(this.f.value))
+
+        //     return number
+        // }
+
+        const SetAsterismConsentRequest = Java.use(
+            "com.google.android.gms.asterism.SetAsterismConsentRequest"
+        )
+        SetAsterismConsentRequest.$init.overload(
+            //int i, int i2, int i3, int[] iArr, Long l, int i4, Bundle bundle, int i5, String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8
+            "int",
+            "int",
+            "int",
+            "[I",
+            "java.lang.Long",
+            "int",
+            "android.os.Bundle",
+            "int",
+            "java.lang.String",
+            "java.lang.String",
+            "java.lang.String",
+            "java.lang.String",
+            "java.lang.String",
+            "java.lang.String",
+            "java.lang.String",
+            "java.lang.String"
+        ).implementation = function (
+            i,
+            i2,
+            i3,
+            iArr,
+            l,
+            i4,
+            bundle,
+            i5,
+            str,
+            str2,
+            str3,
+            str4,
+            str5,
+            str6,
+            str7,
+            str8
+        ) {
+            console.log(
+                Java.use("android.util.Log").getStackTraceString(
+                    Java.use("java.lang.Throwable").$new()
+                )
+            )
+            console.log("SetAsterismConsentRequest.$init")
+
+            console.log(
+                `i: ${i}, i2: ${i2}, i3: ${i3}, iArr: ${iArr}, l: ${l}, i4: ${i4}, i5: ${i5}, str: ${str}, str2: ${str2}, str3: ${str3}, str4: ${str4}, str5: ${str5}, str6: ${str6}, str7: ${str7}, str8: ${str8}`
+            )
+            // print bundle
+            const keySet = bundle.keySet().toArray()
+            for (let i = 0; i < keySet.length; i++) {
+                const key = keySet[i]
+                console.log(`key: ${key}, value: ${bundle.get(key)}`)
+            }
+
+            return this.$init(
+                i,
+                i2,
+                i3,
+                iArr,
+                l,
+                i4,
+                bundle,
+                i5,
+                str,
+                str2,
+                str3,
+                str4,
+                str5,
+                str6,
+                str7,
+                str8
+            )
+        }
+
+        const SetAsterismConsentResponse = Java.use(
+            "com.google.android.gms.asterism.SetAsterismConsentResponse"
+        )
+        SetAsterismConsentResponse.$init.overload(
+            "int",
+            "java.lang.String",
+            "java.lang.String"
+        ).implementation = function (i, str, str2) {
+            console.log(
+                Java.use("android.util.Log").getStackTraceString(
+                    Java.use("java.lang.Throwable").$new()
+                )
+            )
+
+            console.log("SetAsterismConsentResponse.$init")
+            console.log(`i: ${i}, str: ${str}, str2: ${str2}`)
+            // return this.$init(
+            //     1,
+            //     "c4q5zP5Ft4A:APA91bEASr50HwwOY789LSZrcHPT8aG_fT19xlelS35qgIJeC3UBYypAHmmL9IygzlphzTKKz0wCdiQwuoPZMJKvgKPmGi3_imdr1CY0s7fs8qa_LMgNDFfvWEnpTCReAYc7IjThhFQq",
+            //     "c4q5zP5Ft4A"
+            // )
+            return this.$init(i, str, str2)
+        }
+    })
+})
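Review bot: The `SmsManager.getDefault` hook references `i`, which is not declared anywhere in that function, so the hook throws a ReferenceError the first time the app calls `getDefault()`; the line should read `const _smsManager = this.getDefault()`. The `SetAsterismConsentRequest.$init` hook calls `bundle.keySet()` unconditionally, whereas the `PhoneNumberVerification.$init` hook above it guards with `if (bundle)`; a null Bundle is a legal argument, so the same guard belongs there. The `catch` around `FileInputStream.$new` only logs, leaving `fileInputStream` undefined when `/data/local/tmp/cert-der.crt` is absent, so the failure surfaces later as an opaque error from `BufferedInputStream.$new(undefined)`; returning from the callback after the log would make the failure explicit. The commented-out block before the final `return` in `SetAsterismConsentResponse.$init` still carries what looks like a device registration token; it remains in history regardless, so it is better removed outright, and the `parseInt(mcc)` / `parseInt(mnc)` / `parseInt(subId)` calls should pass an explicit radix of 10.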

+ 66 - 0
scripts/ssl_bypass.js

@@ -0,0 +1,66 @@
+/* 
+   Android SSL Re-pinning frida script v0.2 030417-pier 
+
+   $ adb push burpca-cert-der.crt /data/local/tmp/cert-der.crt
+   $ frida -U -f it.app.mobile -l frida-android-repinning.js --no-pause
+
+   https://techblog.mediaservice.net/2017/07/universal-android-ssl-pinning-bypass-with-frida/
+   
+   UPDATE 20191605: Fixed undeclared var. Thanks to @oleavr and @ehsanpc9999 !
+*/
+
+setTimeout(function(){
+    Java.perform(function (){
+    	console.log("");
+	    console.log("[.] Cert Pinning Bypass/Re-Pinning");
+
+	    var CertificateFactory = Java.use("java.security.cert.CertificateFactory");
+	    var FileInputStream = Java.use("java.io.FileInputStream");
+	    var BufferedInputStream = Java.use("java.io.BufferedInputStream");
+	    var X509Certificate = Java.use("java.security.cert.X509Certificate");
+	    var KeyStore = Java.use("java.security.KeyStore");
+	    var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");
+	    var SSLContext = Java.use("javax.net.ssl.SSLContext");
+
+	    // Load CAs from an InputStream
+	    console.log("[+] Loading our CA...")
+	    var cf = CertificateFactory.getInstance("X.509");
+	    
+	    try {
+	    	var fileInputStream = FileInputStream.$new("/data/local/tmp/cert-der.crt");
+	    }
+	    catch(err) {
+	    	console.log("[o] " + err);
+	    }
+	    
+	    var bufferedInputStream = BufferedInputStream.$new(fileInputStream);
+	  	var ca = cf.generateCertificate(bufferedInputStream);
+	    bufferedInputStream.close();
+
+		var certInfo = Java.cast(ca, X509Certificate);
+	    console.log("[o] Our CA Info: " + certInfo.getSubjectDN());
+
+	    // Create a KeyStore containing our trusted CAs
+	    console.log("[+] Creating a KeyStore for our CA...");
+	    var keyStoreType = KeyStore.getDefaultType();
+	    var keyStore = KeyStore.getInstance(keyStoreType);
+	    keyStore.load(null, null);
+	    keyStore.setCertificateEntry("ca", ca);
+	    
+	    // Create a TrustManager that trusts the CAs in our KeyStore
+	    console.log("[+] Creating a TrustManager that trusts the CA in our KeyStore...");
+	    var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
+	    var tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
+	    tmf.init(keyStore);
+	    console.log("[+] Our TrustManager is ready...");
+
+	    console.log("[+] Hijacking SSLContext methods now...")
+	    console.log("[-] Waiting for the app to invoke SSLContext.init()...")
+
+	   	SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").implementation = function(a,b,c) {
+	   		console.log("[o] App invoked javax.net.ssl.SSLContext.init...");
+	   		SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").call(this, a, tmf.getTrustManagers(), c);
+	   		console.log("[+] SSLContext initialized with our custom TrustManager!");
+	   	}
+    });
+},0);