/*
 * Frida instrumentation script for an Android process (Java bridge:
 * Java.perform / Java.use). Reading the code, it does three things:
 *
 *   1. Builds a TrustManager from a single CA certificate read from
 *      /data/local/tmp/cert-der.crt and substitutes it for whatever
 *      TrustManager array the process passes to SSLContext.init().
 *   2. Overrides getters on android.telephony.SmsManager, SubscriptionInfo
 *      and TelephonyManager so they return the constants declared below
 *      instead of the device's values (the original value is logged first).
 *   3. Logs constructor arguments of several com.google.android.gms classes
 *      and hooks a few methods on obfuscated classes (aays, aoor, athm,
 *      asts, arhb) whose purpose cannot be determined from this file.
 *
 * All substituted values are handed back to the caller inside the
 * instrumented process, so any check performed there on SIM identity or on
 * the TLS trust anchor sees the values set here.
 */

// Identity values returned by the telephony hooks below.
// simOperator and networkOperator equal mcc + mnc; iccId and simSerialNumber
// are the same string; imsi starts with mcc + mnc.
// NOTE(review): these identifiers are hard-coded in the script. If any of
// them belongs to a real subscriber or device it is personal data; keep only
// lab/test values in a shared copy.
const mcc = "255"
const mnc = "06"
const simOperator = "25506"
const networkOperator = "25506"
const simSerialNumber = "89380062300689133048"
const iccId = "89380062300689133048"
const number = "969379250"
const imei = "864929043714851"
const imsi = "255065209546456"
const countryIso = "ua"
// Kept as a string; converted with parseInt() wherever an int is returned.
const subId = "12"

setImmediate(() => {
  Java.perform(function () {
    console.log("")
    console.log("[.] Cert Pinning Bypass/Re-Pinning")

    var CertificateFactory = Java.use(
      "java.security.cert.CertificateFactory"
    )
    var FileInputStream = Java.use("java.io.FileInputStream")
    var BufferedInputStream = Java.use("java.io.BufferedInputStream")
    var X509Certificate = Java.use("java.security.cert.X509Certificate")
    var KeyStore = Java.use("java.security.KeyStore")
    var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory")
    var SSLContext = Java.use("javax.net.ssl.SSLContext")

    // Load CAs from an InputStream
    console.log("[+] Loading our CA...")
    var cf = CertificateFactory.getInstance("X.509")
    // NOTE(review): a failure to open the file is only logged. Because
    // fileInputStream is a hoisted `var`, it stays undefined and the
    // statements after the try/catch still run with it.
    try {
      var fileInputStream = FileInputStream.$new(
        "/data/local/tmp/cert-der.crt"
      )
    } catch (err) {
      console.log("[o] " + err)
    }
    var bufferedInputStream = BufferedInputStream.$new(fileInputStream)
    var ca = cf.generateCertificate(bufferedInputStream)
    // The stream is closed only on this success path; there is no finally.
    bufferedInputStream.close()
    var certInfo = Java.cast(ca, X509Certificate)
    console.log("[o] Our CA Info: " + certInfo.getSubjectDN())

    // Create a KeyStore containing our trusted CAs
    // load(null, null) starts from an empty store, so "ca" is its only entry.
    console.log("[+] Creating a KeyStore for our CA...")
    var keyStoreType = KeyStore.getDefaultType()
    var keyStore = KeyStore.getInstance(keyStoreType)
    keyStore.load(null, null)
    keyStore.setCertificateEntry("ca", ca)

    // Create a TrustManager that trusts the CAs in our KeyStore
    console.log(
      "[+] Creating a TrustManager that trusts the CA in our KeyStore..."
    )
    var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm()
    var tmf = TrustManagerFactory.getInstance(tmfAlgorithm)
    tmf.init(keyStore)
    console.log("[+] Our TrustManager is ready...")

    console.log("[+] Hijacking SSLContext methods now...")
    console.log("[-] Waiting for the app to invoke SSLContext.init()...")
    // Replacement for SSLContext.init(KeyManager[], TrustManager[],
    // SecureRandom): the caller's KeyManagers (a) and SecureRandom (c) are
    // forwarded unchanged, but its TrustManager array (b) is discarded and
    // tmf.getTrustManagers() is passed instead. This applies to every call
    // of this overload in the process once the hook is installed.
    SSLContext.init.overload(
      "[Ljavax.net.ssl.KeyManager;",
      "[Ljavax.net.ssl.TrustManager;",
      "java.security.SecureRandom"
    ).implementation = function (a, b, c) {
      console.log("[o] App invoked javax.net.ssl.SSLContext.init...")
      SSLContext.init
        .overload(
          "[Ljavax.net.ssl.KeyManager;",
          "[Ljavax.net.ssl.TrustManager;",
          "java.security.SecureRandom"
        )
        .call(this, a, tmf.getTrustManagers(), c)
      console.log(
        "[+] SSLContext initialized with our custom TrustManager!"
      )
    }

    // ---- android.telephony.SmsManager ----
    const SmsManager = Java.use("android.telephony.SmsManager")
    // Logging only: the original result is returned unchanged.
    SmsManager.getSmsManagerForSubscriptionId.overload(
      "int"
    ).implementation = function (i) {
      const _smsManager = this.getSmsManagerForSubscriptionId(i)
      console.log(`SmsManager.getSmsManagerForSubscriptionId: ${i}`)
      return _smsManager
    }
    // Logging only: the original result is returned unchanged.
    SmsManager.getDefault.overload().implementation = function () {
      const _smsManager = this.getDefault()
      console.log(`SmsManager.getDefault`)
      return _smsManager
    }
    // Returns the subId constant as an int; the real value is only logged.
    // NOTE(review): parseInt() is called without a radix here and below.
    SmsManager.getDefaultSmsSubscriptionId.overload().implementation =
      function () {
        const _subId = this.getDefaultSmsSubscriptionId()
        console.log(
          `SmsManager.getDefaultSmsSubscriptionId: ${_subId} -> ${subId}`
        )
        return parseInt(subId)
      }
    // Returns the subId constant as an int; the real value is only logged.
    SmsManager.getSubscriptionId.overload().implementation = function () {
      const _subId = this.getSubscriptionId()
      console.log(`SmsManager.getSubscriptionId: ${_subId} -> ${subId}`)
      return parseInt(subId)
    }

    // ---- android.telephony.SubscriptionInfo ----
    // Each hook calls the original getter, logs "real -> substituted", and
    // returns the corresponding constant from the top of the file.
    const SubscriptionInfo = Java.use("android.telephony.SubscriptionInfo")
    SubscriptionInfo.getMcc.overload().implementation = function () {
      const _mcc = this.getMcc()
      console.log(`spoof SubscriptionInfo.getMcc: ${_mcc} -> ${mcc}`)
      return parseInt(mcc)
    }
    // parseInt("06") yields 6, so the leading zero of mnc is not carried by
    // this int-returning getter; getMncString below returns the string form.
    SubscriptionInfo.getMnc.overload().implementation = function () {
      const _mnc = this.getMnc()
      console.log(`spoof SubscriptionInfo.getMnc: ${_mnc} -> ${mnc}`)
      return parseInt(mnc)
    }
    SubscriptionInfo.getMccString.overload().implementation = function () {
      const _mccString = this.getMccString()
      console.log(
        `spoof SubscriptionInfo.getMccString: ${_mccString} -> ${mcc}`
      )
      return mcc
    }
    SubscriptionInfo.getMncString.overload().implementation = function () {
      const _mncString = this.getMncString()
      console.log(
        `spoof SubscriptionInfo.getMncString: ${_mncString} -> ${mnc}`
      )
      return mnc
    }
    SubscriptionInfo.getNumber.overload().implementation = function () {
      const _number = this.getNumber()
      console.log(
        `spoof SubscriptionInfo.getNumber: ${_number} -> ${number}`
      )
      return number
    }
    SubscriptionInfo.getIccId.overload().implementation = function () {
      const _iccId = this.getIccId()
      console.log(
        `spoof SubscriptionInfo.getIccId: ${_iccId} -> ${iccId}`
      )
      return iccId
    }
    SubscriptionInfo.getCountryIso.overload().implementation = function () {
      const _countryIso = this.getCountryIso()
      console.log(
        `spoof SubscriptionInfo.getCountryIso: ${_countryIso} -> ${countryIso}`
      )
      return countryIso
    }
    // Falls back to the real subscription id when subId is empty/falsy.
    // With subId fixed to "12" above, that branch is not taken.
    SubscriptionInfo.getSubscriptionId.overload().implementation =
      function () {
        const _subId = this.getSubscriptionId()
        if (!subId) {
          console.log(_subId)
          return _subId
        }
        console.log(
          `spoof SubscriptionInfo.getSubscriptionId: ${_subId} -> ${subId}`
        )
        return parseInt(subId)
      }

    // ---- android.telephony.TelephonyManager ----
    // Same pattern: call the original, log "real -> substituted", return
    // the constant. Only the no-argument overload of each getter is hooked.
    const TelephonyManager = Java.use("android.telephony.TelephonyManager")
    TelephonyManager.getLine1Number.overload().implementation = function () {
      const _number = this.getLine1Number()
      console.log(
        `spoof TelephonyManager.getLine1Number: ${_number} -> ${number}`
      )
      return number
    }
    TelephonyManager.getSimOperator.overload().implementation = function () {
      const _simOperator = this.getSimOperator()
      console.log(
        `spoof TelephonyManager.getSimOperator: ${_simOperator} -> ${simOperator}`
      )
      return simOperator
    }
    TelephonyManager.getNetworkOperator.overload().implementation =
      function () {
        const _networkOperator = this.getNetworkOperator()
        console.log(
          `spoof TelephonyManager.getNetworkOperator: ${_networkOperator} -> ${networkOperator}`
        )
        return networkOperator
      }
    TelephonyManager.getSimSerialNumber.overload().implementation =
      function () {
        const _simSerialNumber = this.getSimSerialNumber()
        console.log(
          `spoof TelephonyManager.getSimSerialNumber: ${_simSerialNumber} -> ${simSerialNumber}`
        )
        return simSerialNumber
      }
    TelephonyManager.getSubscriberId.overload().implementation = function () {
      const _imsi = this.getSubscriberId()
      console.log(
        `spoof TelephonyManager.getSubscriberId: ${_imsi} -> ${imsi}`
      )
      return imsi
    }
    TelephonyManager.getImei.overload().implementation = function () {
      const _imei = this.getImei()
      console.log(`spoof TelephonyManager.getImei: ${_imei} -> ${imei}`)
      return imei
    }
    TelephonyManager.getNetworkCountryIso.overload().implementation =
      function () {
        const _countryIso = this.getNetworkCountryIso()
        console.log(
          `spoof TelephonyManager.getNetworkCountryIso: ${_countryIso} -> ${countryIso}`
        )
        return countryIso
      }
    TelephonyManager.getSimCountryIso.overload().implementation =
      function () {
        const _countryIso = this.getSimCountryIso()
        console.log(
          `spoof TelephonyManager.getSimCountryIso: ${_countryIso} -> ${countryIso}`
        )
        return countryIso
      }
    // Falls back to the real subscription id when subId is empty/falsy.
    TelephonyManager.getSubscriptionId.overload().implementation =
      function () {
        const _subId = this.getSubscriptionId()
        if (!subId) {
          console.log(_subId)
          return _subId
        }
        console.log(
          `spoof TelephonyManager.getSubscriptionId: ${_subId} -> ${subId}`
        )
        return parseInt(subId)
      }
    // Always reports 5, which is TelephonyManager.SIM_STATE_READY in the
    // Android SDK; the literal is used here rather than the named constant.
    TelephonyManager.getSimState.overload().implementation = function () {
      const _simState = this.getSimState()
      console.log(`spoof TelephonyManager.getSimState: ${_simState} -> 5`)
      return 5
    }

    // ---- com.google.android.gms.constellation.PhoneNumberVerification ----
    // Observation only: logs the constructor arguments (and every key/value
    // of the Bundle when it is non-null), then calls the original
    // constructor with the same arguments.
    const PhoneNumberVerification = Java.use(
      "com.google.android.gms.constellation.PhoneNumberVerification"
    )
    PhoneNumberVerification.$init.overload(
      "java.lang.String",
      "long",
      "int",
      "int",
      "java.lang.String",
      "android.os.Bundle"
    ).implementation = function (str, j, i, i2, str2, bundle) {
      console.log("PhoneNumberVerification.$init")
      console.log(
        `str: ${str}, j: ${j}, i: ${i}, i2: ${i2}, str2: ${str2}`
      )
      // print bundle
      if (bundle) {
        const keySet = bundle.keySet().toArray()
        // The loop index shadows the `i` parameter; the outer `i` is what
        // is passed to $init below.
        for (let i = 0; i < keySet.length; i++) {
          const key = keySet[i]
          console.log(`key: ${key}, value: ${bundle.get(key)}`)
        }
      }
      return this.$init(str, j, i, i2, str2, bundle)
    }

    // "aays" is an obfuscated class name; what d(int, boolean) represents
    // cannot be told from this file. The hook does NOT call the original:
    // it logs the arguments plus the keys of this.f.value and returns the
    // `number` constant.
    // NOTE(review): obfuscated names are presumably tied to one build of
    // the target package — verify against the version being instrumented.
    const aays = Java.use("aays")
    aays.d.overload("int", "boolean").implementation = function (i, z) {
      console.log("aays.d", i, z, Object.keys(this.f.value))
      return number
    }

    // Logging only: h(Context, int) on obfuscated class "aoor" is called
    // and its result returned unchanged.
    const aoor = Java.use("aoor")
    aoor.h.overload("android.content.Context", "int").implementation =
      function (c, i) {
        const _i = this.h(c, i)
        console.log("aoor.h", c, i, _i)
        return _i
      }

    // ---- com.google.android.gms.asterism.SetAsterismConsentRequest ----
    // Observation only: logs a stack trace of the constructing call site,
    // the scalar arguments and the Bundle contents, then calls the original
    // constructor unchanged.
    const SetAsterismConsentRequest = Java.use(
      "com.google.android.gms.asterism.SetAsterismConsentRequest"
    )
    SetAsterismConsentRequest.$init.overload(
      //int i, int i2, int i3, int[] iArr, Long l, int i4, Bundle bundle, int i5, String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8
      "int",
      "int",
      "int",
      "[I",
      "java.lang.Long",
      "int",
      "android.os.Bundle",
      "int",
      "java.lang.String",
      "java.lang.String",
      "java.lang.String",
      "java.lang.String",
      "java.lang.String",
      "java.lang.String",
      "java.lang.String",
      "java.lang.String"
    ).implementation = function (
      i,
      i2,
      i3,
      iArr,
      l,
      i4,
      bundle,
      i5,
      str,
      str2,
      str3,
      str4,
      str5,
      str6,
      str7,
      str8
    ) {
      console.log(
        Java.use("android.util.Log").getStackTraceString(
          Java.use("java.lang.Throwable").$new()
        )
      )
      console.log("SetAsterismConsentRequest.$init")
      console.log(
        `i: ${i}, i2: ${i2}, i3: ${i3}, iArr: ${iArr}, l: ${l}, i4: ${i4}, i5: ${i5}, str: ${str}, str2: ${str2}, str3: ${str3}, str4: ${str4}, str5: ${str5}, str6: ${str6}, str7: ${str7}, str8: ${str8}`
      )
      // print bundle
      // NOTE(review): unlike the PhoneNumberVerification hook, bundle is
      // dereferenced here without a null check.
      const keySet = bundle.keySet().toArray()
      for (let i = 0; i < keySet.length; i++) {
        const key = keySet[i]
        console.log(`key: ${key}, value: ${bundle.get(key)}`)
      }
      return this.$init(
        i,
        i2,
        i3,
        iArr,
        l,
        i4,
        bundle,
        i5,
        str,
        str2,
        str3,
        str4,
        str5,
        str6,
        str7,
        str8
      )
    }

    // ---- com.google.android.gms.asterism.SetAsterismConsentResponse ----
    // Observation only: logs a stack trace and the three constructor
    // arguments, then calls the original constructor unchanged.
    const SetAsterismConsentResponse = Java.use(
      "com.google.android.gms.asterism.SetAsterismConsentResponse"
    )
    SetAsterismConsentResponse.$init.overload(
      "int",
      "java.lang.String",
      "java.lang.String"
    ).implementation = function (i, str, str2) {
      console.log(
        Java.use("android.util.Log").getStackTraceString(
          Java.use("java.lang.Throwable").$new()
        )
      )
      console.log("SetAsterismConsentResponse.$init")
      console.log(`i: ${i}, str: ${str}, str2: ${str2}`)
      // Disabled alternative that would construct the response from fixed
      // values instead of the real ones.
      // NOTE(review): the long string below has the shape of a
      // push-registration token; if it was captured from a live device it
      // should not be kept in source control.
      // return this.$init(
      //   1,
      //   "c4q5zP5Ft4A:APA91bEASr50HwwOY789LSZrcHPT8aG_fT19xlelS35qgIJeC3UBYypAHmmL9IygzlphzTKKz0wCdiQwuoPZMJKvgKPmGi3_imdr1CY0s7fs8qa_LMgNDFfvWEnpTCReAYc7IjThhFQq",
      //   "c4q5zP5Ft4A"
      // )
      return this.$init(i, str, str2)
    }
  })

  // NOTE(review): the Java.perform callback ends above. The two hooks below
  // run inside the setImmediate callback but outside Java.perform, unlike
  // every other Java.use call in this file — confirm that is intended.

  // spoof sim to exist
  // r(Context) on obfuscated class "athm" is replaced by a function that
  // logs and returns true without calling the original. The local variable
  // is named bjsf although the class used is "athm".
  const bjsf = Java.use("athm")
  bjsf.r.overload("android.content.Context").implementation = function (c) {
    console.log("athm.r")
    return true
  }

  // b() on obfuscated class "asts": the original is called and its Optional
  // result logged (labelled configUrl), along with this.l(), this.g(),
  // this.k() and the value of arhb.M().s().a(). The original result is then
  // discarded and an Optional holding a fixed URL is returned.
  // NOTE(review): the returned URL uses the http:// scheme and hard-codes
  // "255" instead of deriving it from the mcc constant (see the todo).
  const asts = Java.use("asts")
  asts.b.overload().implementation = function () {
    const url = this.b()
    console.log("asts.b(configUrl)", url.orElse("null"))
    console.log("l", this.l())
    console.log("g", this.g())
    console.log("k", this.k())
    const str = Java.use("arhb").M().s().a()
    console.log("str", str)
    // todo: rcs-acs-mcc%s.jibe.google.com
    return Java.use("j$.util.Optional").of(
      "http://rcs-acs-mcc255.jibe.google.com/"
    )
  }
})