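/**
 * Frida instrumentation script for an Android process. As written it:
 *   1. replaces the TrustManagers passed to SSLContext.init() with ones that
 *      trust only the CA read from /data/local/tmp/cert-der.crt;
 *   2. hooks SmsManager, SubscriptionManager, SubscriptionInfo and
 *      TelephonyManager so SIM / subscriber getters return the templated
 *      values declared below;
 *   3. logs constructor arguments of the GMS constellation / asterism classes;
 *   4. hooks a few obfuscated classes (aays, aoor, bjsf, asts).
 *
 * Security-relevant point: every value hooked here is read inside the app's
 * own process, so instrumentation can substitute it. Results from
 * TelephonyManager / SubscriptionManager, or a handshake validated through the
 * platform trust APIs, are therefore not evidence of SIM possession or of an
 * untampered client. The CA path is fixed, so that file on a device is an
 * artefact of this script (or a derivative) having been staged.
 *
 * The "{{...}}" values are presumably substituted by a templating step before
 * the script is loaded (TODO confirm). An unsubstituted placeholder is a
 * non-empty string: the `if (!subId)` guards below will not trigger and the
 * integer conversions will yield NaN.
 */
const mcc = "{{mcc}}";
const mnc = "{{mnc}}";
const simOperator = "{{simOperator}}";
const networkOperator = "{{networkOperator}}";
const simSerialNumber = "{{simSerialNumber}}";
const iccId = "{{iccId}}";
const number = "{{number}}";
const imei = "{{imei}}";
const imsi = "{{imsi}}";
const countryIso = "{{countryIso}}";
const subId = "{{subId}}";

/** Minimal console logger with ANSI colours and a fixed tag. */
class Log {
  static TAG = "[SMS]";
  // Info-level output (Log.i) is emitted only when this is true.
  static Debug = false;

  /**
   * Joins the arguments with spaces; anything whose typeof is "object"
   * (including null) is passed through JSON.stringify first.
   */
  static format(...msg) {
    return msg
      .map((part) => (typeof part === "object" ? JSON.stringify(part) : part))
      .join(" ");
  }

  /** Info: printed only when Log.Debug is set. */
  static i(...msg) {
    if (!this.Debug) {
      return;
    }
    console.log(`\x1b[30m${this.TAG} ${this.format(...msg)}\x1b[0m`);
  }

  /** Warning (yellow). */
  static w(...msg) {
    console.log(`\x1b[33m${this.TAG} ${this.format(...msg)}\x1b[0m`);
  }

  /** Error (red). */
  static e(...msg) {
    console.log(`\x1b[31m${this.TAG} ${this.format(...msg)}\x1b[0m`);
  }

  /** Success (green). */
  static s(...msg) {
    console.log(`\x1b[32m${this.TAG} ${this.format(...msg)}\x1b[0m`);
  }
}

setImmediate(() => {
  Java.perform(function () {
    // Logs every key/value of an android.os.Bundle; a null bundle is skipped
    // so a logging hook cannot make the hooked constructor throw.
    const logBundle = (bundle) => {
      if (!bundle) {
        return;
      }
      const keySet = bundle.keySet().toArray();
      for (let k = 0; k < keySet.length; k++) {
        const key = keySet[k];
        Log.i(`key: ${key}, value: ${bundle.get(key)}`);
      }
    };

    Log.i("");
    Log.i("[.] Cert Pinning Bypass/Re-Pinning");

    const CertificateFactory = Java.use(
      "java.security.cert.CertificateFactory"
    );
    const FileInputStream = Java.use("java.io.FileInputStream");
    const BufferedInputStream = Java.use("java.io.BufferedInputStream");
    const X509Certificate = Java.use("java.security.cert.X509Certificate");
    const KeyStore = Java.use("java.security.KeyStore");
    const TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");
    const SSLContext = Java.use("javax.net.ssl.SSLContext");

    // Load CAs from an InputStream
    Log.i("[+] Loading our CA...");
    const cf = CertificateFactory.getInstance("X.509");
    let fileInputStream;
    try {
      fileInputStream = FileInputStream.$new("/data/local/tmp/cert-der.crt");
    } catch (err) {
      // The original logged this at info level (silent unless Debug) and then
      // passed an undefined stream to BufferedInputStream, which failed with
      // an unrelated error. Report it visibly and stop here instead.
      Log.e("[o] " + err);
      throw err;
    }
    const bufferedInputStream = BufferedInputStream.$new(fileInputStream);
    let ca;
    try {
      ca = cf.generateCertificate(bufferedInputStream);
    } finally {
      // Close the stream even when the file is not a parseable certificate.
      bufferedInputStream.close();
    }

    const certInfo = Java.cast(ca, X509Certificate);
    Log.i("[o] Our CA Info: " + certInfo.getSubjectDN());

    // Create a KeyStore containing our trusted CAs
    Log.i("[+] Creating a KeyStore for our CA...");
    const keyStoreType = KeyStore.getDefaultType();
    const keyStore = KeyStore.getInstance(keyStoreType);
    keyStore.load(null, null);
    keyStore.setCertificateEntry("ca", ca);

    // Create a TrustManager that trusts the CAs in our KeyStore
    Log.i("[+] Creating a TrustManager that trusts the CA in our KeyStore...");
    const tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
    const tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
    tmf.init(keyStore);
    Log.i("[+] Our TrustManager is ready...");

    Log.i("[+] Hijacking SSLContext methods now...");
    Log.i("[-] Waiting for the app to invoke SSLContext.init()...");

    // The caller's TrustManager array (b) is discarded; the context is
    // initialised with the TrustManagers built from the KeyStore above.
    SSLContext.init.overload(
      "[Ljavax.net.ssl.KeyManager;",
      "[Ljavax.net.ssl.TrustManager;",
      "java.security.SecureRandom"
    ).implementation = function (a, b, c) {
      Log.i("[o] App invoked javax.net.ssl.SSLContext.init...");
      SSLContext.init
        .overload(
          "[Ljavax.net.ssl.KeyManager;",
          "[Ljavax.net.ssl.TrustManager;",
          "java.security.SecureRandom"
        )
        .call(this, a, tmf.getTrustManagers(), c);
      Log.i("[+] SSLContext initialized with our custom TrustManager!");
    };

    // --- android.telephony.SmsManager -------------------------------------
    // Hooks whose log line starts with "spoof" replace the return value;
    // the others only log and pass the original result through.
    const SmsManager = Java.use("android.telephony.SmsManager");

    SmsManager.getSmsManagerForSubscriptionId.overload("int").implementation =
      function (i) {
        const _smsManager = this.getSmsManagerForSubscriptionId(i);
        Log.i(`SmsManager.getSmsManagerForSubscriptionId: ${i}`);
        return _smsManager;
      };

    SmsManager.getDefault.overload().implementation = function () {
      const _smsManager = this.getDefault();
      Log.i(`SmsManager.getDefault`);
      return _smsManager;
    };

    SmsManager.getDefaultSmsSubscriptionId.overload().implementation =
      function () {
        const _subId = this.getDefaultSmsSubscriptionId();
        Log.i(
          `spoof SmsManager.getDefaultSmsSubscriptionId: ${_subId} -> ${subId}`
        );
        return Number.parseInt(subId, 10);
      };

    SmsManager.getSubscriptionId.overload().implementation = function () {
      const _subId = this.getSubscriptionId();
      Log.i(`SmsManager.getSubscriptionId: ${_subId} -> ${subId}`);
      return Number.parseInt(subId, 10);
    };

    SmsManager.getCarrierConfigValues.overload().implementation = function () {
      const _config = this.getCarrierConfigValues();
      Log.i(`SmsManager.getCarrierConfigValues: ${_config}`);
      return _config;
    };

    // --- android.telephony.CarrierConfigManager ---------------------------
    const CarrierConfigManager = Java.use(
      "android.telephony.CarrierConfigManager"
    );

    CarrierConfigManager.getConfigForSubId.overload("int").implementation =
      function (i) {
        const _config = this.getConfigForSubId(i);
        Log.i(`CarrierConfigManager.getConfigForSubId: ${i}`);
        return _config;
      };

    // --- android.telephony.SubscriptionManager ----------------------------
    const SubscriptionManager = Java.use(
      "android.telephony.SubscriptionManager"
    );

    SubscriptionManager.getActiveSubscriptionInfoCount.overload().implementation =
      function () {
        const _count = this.getActiveSubscriptionInfoCount();
        Log.i(`SubscriptionManager.getActiveSubscriptionInfoCount: ${_count}`);
        return _count;
      };

    SubscriptionManager.getDefaultSubscriptionId.overload().implementation =
      function () {
        const _subId = this.getDefaultSubscriptionId();
        Log.i(
          `spoof SubscriptionManager.getDefaultSubscriptionId: ${_subId} -> ${subId}`
        );
        return Number.parseInt(subId, 10);
      };

    SubscriptionManager.getDefaultSmsSubscriptionId.overload().implementation =
      function () {
        const _subId = this.getDefaultSmsSubscriptionId();
        Log.i(
          `spoof SubscriptionManager.getDefaultSmsSubscriptionId: ${_subId} -> ${subId}`
        );
        return Number.parseInt(subId, 10);
      };

    SubscriptionManager.getDefaultVoiceSubscriptionId.overload().implementation =
      function () {
        const _subId = this.getDefaultVoiceSubscriptionId();
        Log.i(
          `spoof SubscriptionManager.getDefaultVoiceSubscriptionId: ${_subId} -> ${subId}`
        );
        return Number.parseInt(subId, 10);
      };

    SubscriptionManager.getActiveDataSubscriptionId.overload().implementation =
      function () {
        const _subId = this.getActiveDataSubscriptionId();
        Log.i(
          `spoof SubscriptionManager.getActiveDataSubscriptionId: ${_subId} -> ${subId}`
        );
        return Number.parseInt(subId, 10);
      };

    SubscriptionManager.getSlotIndex.overload("int").implementation =
      function (i) {
        const _slotIndex = this.getSlotIndex(i);
        Log.i(`spoof SubscriptionManager.getSlotIndex: ${_slotIndex} -> 0`);
        return 0;
      };

    SubscriptionManager.isUsableSubscriptionId.overload("int").implementation =
      function (i) {
        const _isUsable = this.isUsableSubscriptionId(i);
        Log.i(`SubscriptionManager.isUsableSubscriptionId: ${_isUsable}`);
        return _isUsable;
      };

    SubscriptionManager.isValidSubscriptionId.overload("int").implementation =
      function (i) {
        const _isValid = this.isValidSubscriptionId(i);
        Log.i(
          `spoof SubscriptionManager.isValidSubscriptionId(${i}): ${_isValid} -> true`
        );
        return true;
      };

    SubscriptionManager.getPhoneNumber.overload("int").implementation =
      function (i) {
        Log.i(`spoof SubscriptionManager.getPhoneNumber(${i}): -> ${number}`);
        return number;
      };

    SubscriptionManager.getPhoneNumber.overload("int", "int").implementation =
      function (i, i2) {
        Log.i(
          `spoof SubscriptionManager.getPhoneNumber(${i},${i2}): -> ${number}`
        );
        return number;
      };

    SubscriptionManager.getActiveSubscriptionInfoList.overload().implementation =
      function () {
        const _list = this.getActiveSubscriptionInfoList();
        Log.i(
          `SubscriptionManager.getActiveSubscriptionInfoList ${_list.size()}`
        );
        return _list;
      };

    SubscriptionManager.getActiveSubscriptionIdList.overload().implementation =
      function () {
        const _list = this.getActiveSubscriptionIdList();
        Log.i(
          `spoof SubscriptionManager.getActiveSubscriptionIdList ${_list} -> ${subId}`
        );
        return [Number.parseInt(subId, 10)];
      };

    // Ignores the requested subscription id and returns the SubscriptionInfo
    // of the first SIM slot that has one (null when none does).
    SubscriptionManager.getActiveSubscriptionInfo.overload("int").implementation =
      function (i) {
        // The original lookup is still performed, as before, but its result
        // is not used.
        this.getActiveSubscriptionInfo(i);
        const simCount = this.getActiveSubscriptionInfoCountMax();
        let subInfo = null;
        try {
          // Separate loop variable so the parameter `i` is not shadowed.
          for (let slot = 0; slot < simCount; slot++) {
            subInfo = this.getActiveSubscriptionInfoForSimSlotIndex(slot);
            if (subInfo) {
              break;
            }
          }
          Log.i(`spoof SubscriptionManager.getActiveSubscriptionInfo(${i})`);
        } catch (error) {
          console.error(
            `spoof error SubscriptionManager.getActiveSubscriptionInfo(${i})`
          );
          // A caught value here is a JavaScript error object; it has no
          // printStackTrace(), so calling that would throw from the handler.
          console.error(error.stack || error);
        }
        return subInfo;
      };

    SubscriptionManager.getActiveSubscriptionInfoForSimSlotIndex.overload(
      "int"
    ).implementation = function (i) {
      const _info = this.getActiveSubscriptionInfoForSimSlotIndex(i);
      Log.i(
        `SubscriptionManager.getActiveSubscriptionInfoForSimSlotIndex(${i}): ${
          _info ? "ok" : "null"
        }`
      );
      return _info;
    };

    SubscriptionManager.isActiveSubscriptionId.overload("int").implementation =
      function (i) {
        const _isActive = this.isActiveSubscriptionId(i);
        Log.i(
          `spoof SubscriptionManager.isActiveSubscriptionId(${i}): ${_isActive} -> true`
        );
        return true;
      };

    // --- android.telephony.SubscriptionInfo -------------------------------
    const SubscriptionInfo = Java.use("android.telephony.SubscriptionInfo");

    SubscriptionInfo.getMcc.overload().implementation = function () {
      const _mcc = this.getMcc();
      Log.i(`spoof SubscriptionInfo.getMcc: ${_mcc} -> ${mcc}`);
      return Number.parseInt(mcc, 10);
    };

    SubscriptionInfo.getMnc.overload().implementation = function () {
      const _mnc = this.getMnc();
      Log.i(`spoof SubscriptionInfo.getMnc: ${_mnc} -> ${mnc}`);
      return Number.parseInt(mnc, 10);
    };

    SubscriptionInfo.getMccString.overload().implementation = function () {
      const _mccString = this.getMccString();
      Log.i(`spoof SubscriptionInfo.getMccString: ${_mccString} -> ${mcc}`);
      return mcc;
    };

    SubscriptionInfo.getMncString.overload().implementation = function () {
      const _mncString = this.getMncString();
      Log.i(`spoof SubscriptionInfo.getMncString: ${_mncString} -> ${mnc}`);
      return mnc;
    };

    SubscriptionInfo.getNumber.overload().implementation = function () {
      const _number = this.getNumber();
      Log.i(`spoof SubscriptionInfo.getNumber: ${_number} -> ${number}`);
      return number;
    };

    SubscriptionInfo.getIccId.overload().implementation = function () {
      const _iccId = this.getIccId();
      Log.i(`spoof SubscriptionInfo.getIccId: ${_iccId} -> ${iccId}`);
      return iccId;
    };

    SubscriptionInfo.getCountryIso.overload().implementation = function () {
      const _countryIso = this.getCountryIso();
      Log.i(
        `spoof SubscriptionInfo.getCountryIso: ${_countryIso} -> ${countryIso}`
      );
      return countryIso;
    };

    SubscriptionInfo.getSubscriptionId.overload().implementation =
      function () {
        const _subId = this.getSubscriptionId();
        // With an empty subId the original value is passed through.
        if (!subId) {
          Log.i(_subId);
          return _subId;
        }
        Log.i(
          `spoof SubscriptionInfo.getSubscriptionId: ${_subId} -> ${subId}`
        );
        return Number.parseInt(subId, 10);
      };

    // --- android.telephony.TelephonyManager -------------------------------
    const TelephonyManager = Java.use("android.telephony.TelephonyManager");

    // Returns the receiver itself rather than a per-subscription manager.
    TelephonyManager.createForSubscriptionId.overload("int").implementation =
      function (i) {
        Log.i(`spoof TelephonyManager.createForSubscriptionId: ${i}`);
        return this;
      };

    TelephonyManager.getLine1Number.overload().implementation = function () {
      const _number = this.getLine1Number();
      Log.i(`spoof TelephonyManager.getLine1Number: ${_number} -> ${number}`);
      return number;
    };

    TelephonyManager.getSimOperator.overload().implementation = function () {
      const _simOperator = this.getSimOperator();
      Log.i(
        `spoof TelephonyManager.getSimOperator: ${_simOperator} -> ${simOperator}`
      );
      return simOperator;
    };

    TelephonyManager.getNetworkOperator.overload().implementation =
      function () {
        const _networkOperator = this.getNetworkOperator();
        Log.i(
          `spoof TelephonyManager.getNetworkOperator: ${_networkOperator} -> ${networkOperator}`
        );
        return networkOperator;
      };

    TelephonyManager.getSimSerialNumber.overload().implementation =
      function () {
        const _simSerialNumber = this.getSimSerialNumber();
        Log.i(
          `spoof TelephonyManager.getSimSerialNumber: ${_simSerialNumber} -> ${simSerialNumber}`
        );
        return simSerialNumber;
      };

    TelephonyManager.getSubscriberId.overload().implementation = function () {
      const _imsi = this.getSubscriberId();
      Log.i(`spoof TelephonyManager.getSubscriberId: ${_imsi} -> ${imsi}`);
      return imsi;
    };

    TelephonyManager.getImei.overload().implementation = function () {
      const _imei = this.getImei();
      Log.i(`spoof TelephonyManager.getImei: ${_imei} -> ${imei}`);
      return imei;
    };

    TelephonyManager.getNetworkCountryIso.overload().implementation =
      function () {
        const _countryIso = this.getNetworkCountryIso();
        Log.i(
          `spoof TelephonyManager.getNetworkCountryIso: ${_countryIso} -> ${countryIso}`
        );
        return countryIso;
      };

    TelephonyManager.getSimCountryIso.overload().implementation = function () {
      const _countryIso = this.getSimCountryIso();
      Log.i(
        `spoof TelephonyManager.getSimCountryIso: ${_countryIso} -> ${countryIso}`
      );
      return countryIso;
    };

    TelephonyManager.getSubscriptionId.overload().implementation =
      function () {
        const _subId = this.getSubscriptionId();
        // With an empty subId the original value is passed through.
        if (!subId) {
          Log.i(_subId);
          return _subId;
        }
        Log.i(
          `spoof TelephonyManager.getSubscriptionId: ${_subId} -> ${subId}`
        );
        return Number.parseInt(subId, 10);
      };

    TelephonyManager.getSimState.overload().implementation = function () {
      const _simState = this.getSimState();
      // 5 is TelephonyManager.SIM_STATE_READY.
      Log.i(`spoof TelephonyManager.getSimState: ${_simState} -> 5`);
      return 5;
    };

    // --- GMS constellation / asterism: logging only ------------------------
    const PhoneNumberVerification = Java.use(
      "com.google.android.gms.constellation.PhoneNumberVerification"
    );

    PhoneNumberVerification.$init.overload(
      "java.lang.String",
      "long",
      "int",
      "int",
      "java.lang.String",
      "android.os.Bundle"
    ).implementation = function (str, j, i, i2, str2, bundle) {
      Log.i("PhoneNumberVerification.$init");
      Log.i(`str: ${str}, j: ${j}, i: ${i}, i2: ${i2}, str2: ${str2}`);
      // print bundle
      logBundle(bundle);
      return this.$init(str, j, i, i2, str2, bundle);
    };

    // NOTE(review): aays, aoor, bjsf, asts and arhb look like obfuscated
    // class names, presumably valid for one build of the target only;
    // Java.use() throws when a name does not resolve, which aborts the rest
    // of this callback.
    const aays = Java.use("aays");
    aays.d.overload("int", "boolean").implementation = function (i, z) {
      Log.i("aays.d", i, z, Object.keys(this.f.value));
      return number;
    };

    const aoor = Java.use("aoor");
    aoor.h.overload("android.content.Context", "int").implementation =
      function (c, i) {
        const _i = this.h(c, i);
        Log.i("aoor.h", c, i, _i);
        return _i;
      };

    const SetAsterismConsentRequest = Java.use(
      "com.google.android.gms.asterism.SetAsterismConsentRequest"
    );

    SetAsterismConsentRequest.$init.overload(
      //int i, int i2, int i3, int[] iArr, Long l, int i4, Bundle bundle, int i5, String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8
      "int",
      "int",
      "int",
      "[I",
      "java.lang.Long",
      "int",
      "android.os.Bundle",
      "int",
      "java.lang.String",
      "java.lang.String",
      "java.lang.String",
      "java.lang.String",
      "java.lang.String",
      "java.lang.String",
      "java.lang.String",
      "java.lang.String"
    ).implementation = function (
      i,
      i2,
      i3,
      iArr,
      l,
      i4,
      bundle,
      i5,
      str,
      str2,
      str3,
      str4,
      str5,
      str6,
      str7,
      str8
    ) {
      Log.i(
        Java.use("android.util.Log").getStackTraceString(
          Java.use("java.lang.Throwable").$new()
        )
      );
      Log.i("SetAsterismConsentRequest.$init");
      Log.i(
        `i: ${i}, i2: ${i2}, i3: ${i3}, iArr: ${iArr}, l: ${l}, i4: ${i4}, i5: ${i5}, str: ${str}, str2: ${str2}, str3: ${str3}, str4: ${str4}, str5: ${str5}, str6: ${str6}, str7: ${str7}, str8: ${str8}`
      );
      // print bundle (null-checked, matching the PhoneNumberVerification hook;
      // the original dereferenced the bundle unconditionally here)
      logBundle(bundle);
      return this.$init(
        i,
        i2,
        i3,
        iArr,
        l,
        i4,
        bundle,
        i5,
        str,
        str2,
        str3,
        str4,
        str5,
        str6,
        str7,
        str8
      );
    };

    const SetAsterismConsentResponse = Java.use(
      "com.google.android.gms.asterism.SetAsterismConsentResponse"
    );

    SetAsterismConsentResponse.$init.overload(
      "int",
      "java.lang.String",
      "java.lang.String"
    ).implementation = function (i, str, str2) {
      Log.i(
        Java.use("android.util.Log").getStackTraceString(
          Java.use("java.lang.Throwable").$new()
        )
      );
      Log.i("SetAsterismConsentResponse.$init");
      Log.i(`i: ${i}, str: ${str}, str2: ${str2}`);
      // NOTE(review): a commented-out alternative call stood here that passed
      // fixed values, including what looks like a hard-coded registration
      // token. It was dead code and is dropped; token-like values do not
      // belong in source.
      return this.$init(i, str, str2);
    };

    // The two hooks below sat after the Java.perform() call in the original.
    // Java.use() is meant to run inside Java.perform(), which guarantees the
    // calling thread is attached to the VM, so they are installed here.

    // spoof sim to exist
    const bjsf = Java.use("bjsf");
    bjsf.s.overload("android.content.Context").implementation = function (c) {
      Log.i("bjsf.s");
      return true;
    };

    const asts = Java.use("asts");
    asts.b.overload().implementation = function () {
      const url = this.b();
      Log.i("asts.b(configUrl)", url.orElse("null"));
      Log.i("l", this.l());
      Log.i("g", this.g());
      Log.i("k", this.k());
      const str = Java.use("arhb").M().s().a();
      Log.i("str", str);
      // todo: rcs-acs-mcc%s.jibe.google.com
      // NOTE(review): the returned URL is cleartext http and hard-codes
      // "mcc255" instead of using the templated `mcc`, as the todo says.
      return Java.use("j$.util.Optional").of(
        "http://rcs-acs-mcc255.jibe.google.com/"
      );
    };
  });
});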