frida-rcs-hack/scripts/spoof.js

const mcc = "{{mcc}}"
const mnc = "{{mnc}}"
const simOperator = "{{simOperator}}"
const networkOperator = "{{networkOperator}}"
const simSerialNumber = "{{simSerialNumber}}"
const iccId = "{{iccId}}"
const number = "{{number}}"
const imei = "{{imei}}"
const imsi = "{{imsi}}"
const countryIso = "{{countryIso}}"
const subId = "{{subId}}"

setImmediate(() => {
    Java.perform(function () {
        console.log("")
        console.log("[.] Cert Pinning Bypass/Re-Pinning")

        var CertificateFactory = Java.use(
            "java.security.cert.CertificateFactory"
        )
        var FileInputStream = Java.use("java.io.FileInputStream")
        var BufferedInputStream = Java.use("java.io.BufferedInputStream")
        var X509Certificate = Java.use("java.security.cert.X509Certificate")
        var KeyStore = Java.use("java.security.KeyStore")
        var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory")
        var SSLContext = Java.use("javax.net.ssl.SSLContext")

        // Load CAs from an InputStream
        console.log("[+] Loading our CA...")
        var cf = CertificateFactory.getInstance("X.509")

        try {
            var fileInputStream = FileInputStream.$new(
                "/data/local/tmp/cert-der.crt"
            )
        } catch (err) {
            console.log("[o] " + err)
        }

        var bufferedInputStream = BufferedInputStream.$new(fileInputStream)
        var ca = cf.generateCertificate(bufferedInputStream)
        bufferedInputStream.close()

        var certInfo = Java.cast(ca, X509Certificate)
        console.log("[o] Our CA Info: " + certInfo.getSubjectDN())

        // Create a KeyStore containing our trusted CAs
        console.log("[+] Creating a KeyStore for our CA...")
        var keyStoreType = KeyStore.getDefaultType()
        var keyStore = KeyStore.getInstance(keyStoreType)
        keyStore.load(null, null)
        keyStore.setCertificateEntry("ca", ca)

        // Create a TrustManager that trusts the CAs in our KeyStore
        console.log(
            "[+] Creating a TrustManager that trusts the CA in our KeyStore..."
        )
        var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm()
        var tmf = TrustManagerFactory.getInstance(tmfAlgorithm)
        tmf.init(keyStore)
        console.log("[+] Our TrustManager is ready...")

        console.log("[+] Hijacking SSLContext methods now...")
        console.log("[-] Waiting for the app to invoke SSLContext.init()...")

        SSLContext.init.overload(
            "[Ljavax.net.ssl.KeyManager;",
            "[Ljavax.net.ssl.TrustManager;",
            "java.security.SecureRandom"
        ).implementation = function (a, b, c) {
            console.log("[o] App invoked javax.net.ssl.SSLContext.init...")
            SSLContext.init
                .overload(
                    "[Ljavax.net.ssl.KeyManager;",
                    "[Ljavax.net.ssl.TrustManager;",
                    "java.security.SecureRandom"
                )
                .call(this, a, tmf.getTrustManagers(), c)
            console.log(
                "[+] SSLContext initialized with our custom TrustManager!"
            )
        }

        const SmsManager = Java.use("android.telephony.SmsManager")
        SmsManager.getSmsManagerForSubscriptionId.overload(
            "int"
        ).implementation = function (i) {
            const _smsManager = this.getSmsManagerForSubscriptionId(i)
            console.log(`SmsManager.getSmsManagerForSubscriptionId: ${i}`)
            return _smsManager
        }

        SmsManager.getDefault.overload().implementation = function () {
            const _smsManager = this.getDefault()
            console.log(`SmsManager.getDefault`)
            return _smsManager
        }

        SmsManager.getDefaultSmsSubscriptionId.overload().implementation =
            function () {
                const _subId = this.getDefaultSmsSubscriptionId()
                console.log(
                    `SmsManager.getDefaultSmsSubscriptionId: ${_subId} -> ${subId}`
                )
                return parseInt(subId)
            }

        SmsManager.getSubscriptionId.overload().implementation = function () {
            const _subId = this.getSubscriptionId()
            console.log(`SmsManager.getSubscriptionId: ${_subId} -> ${subId}`)
            return parseInt(subId)
        }

        const SubscriptionInfo = Java.use("android.telephony.SubscriptionInfo")
        SubscriptionInfo.getMcc.overload().implementation = function () {
            const _mcc = this.getMcc()
            console.log(`spoof SubscriptionInfo.getMcc: ${_mcc} -> ${mcc}`)
            return parseInt(mcc)
        }

        SubscriptionInfo.getMnc.overload().implementation = function () {
            const _mnc = this.getMnc()
            console.log(`spoof SubscriptionInfo.getMnc: ${_mnc} -> ${mnc}`)
            return parseInt(mnc)
        }

        SubscriptionInfo.getMccString.overload().implementation = function () {
            const _mccString = this.getMccString()
            console.log(
                `spoof SubscriptionInfo.getMccString: ${_mccString} -> ${mcc}`
            )
            return mcc
        }

        SubscriptionInfo.getMncString.overload().implementation = function () {
            const _mncString = this.getMncString()
            console.log(
                `spoof SubscriptionInfo.getMncString: ${_mncString} -> ${mnc}`
            )
            return mnc
        }

        SubscriptionInfo.getNumber.overload().implementation = function () {
            const _number = this.getNumber()
            console.log(
                `spoof SubscriptionInfo.getNumber: ${_number} -> ${number}`
            )
            return number
        }

        SubscriptionInfo.getIccId.overload().implementation = function () {
            const _iccId = this.getIccId()
            console.log(
                `spoof SubscriptionInfo.getIccId: ${_iccId} -> ${iccId}`
            )
            return iccId
        }

        SubscriptionInfo.getCountryIso.overload().implementation = function () {
            const _countryIso = this.getCountryIso()
            console.log(
                `spoof SubscriptionInfo.getCountryIso: ${_countryIso} -> ${countryIso}`
            )
            return countryIso
        }

        SubscriptionInfo.getSubscriptionId.overload().implementation =
            function () {
                const _subId = this.getSubscriptionId()
                if (!subId) {
                    console.log(_subId)
                    return _subId
                }
                console.log(
                    `spoof SubscriptionInfo.getSubscriptionId: ${_subId} -> ${subId}`
                )
                return parseInt(subId)
            }

        const TelephonyManager = Java.use("android.telephony.TelephonyManager")
        TelephonyManager.getLine1Number.overload().implementation =
            function () {
                const _number = this.getLine1Number()
                console.log(
                    `spoof TelephonyManager.getLine1Number: ${_number} -> ${number}`
                )
                return number
            }

        TelephonyManager.getSimOperator.overload().implementation =
            function () {
                const _simOperator = this.getSimOperator()
                console.log(
                    `spoof TelephonyManager.getSimOperator: ${_simOperator} -> ${simOperator}`
                )
                return simOperator
            }

        TelephonyManager.getNetworkOperator.overload().implementation =
            function () {
                const _networkOperator = this.getNetworkOperator()
                console.log(
                    `spoof TelephonyManager.getNetworkOperator: ${_networkOperator} -> ${networkOperator}`
                )
                return networkOperator
            }

        TelephonyManager.getSimSerialNumber.overload().implementation =
            function () {
                const _simSerialNumber = this.getSimSerialNumber()
                console.log(
                    `spoof TelephonyManager.getSimSerialNumber: ${_simSerialNumber} -> ${simSerialNumber}`
                )
                return simSerialNumber
            }

        TelephonyManager.getSubscriberId.overload().implementation =
            function () {
                const _imsi = this.getSubscriberId()
                console.log(
                    `spoof TelephonyManager.getSubscriberId: ${_imsi} -> ${imsi}`
                )
                return imsi
            }

        TelephonyManager.getImei.overload().implementation = function () {
            const _imei = this.getImei()
            console.log(`spoof TelephonyManager.getImei: ${_imei} -> ${imei}`)
            return imei
        }

        TelephonyManager.getNetworkCountryIso.overload().implementation =
            function () {
                const _countryIso = this.getNetworkCountryIso()
                console.log(
                    `spoof TelephonyManager.getNetworkCountryIso: ${_countryIso} -> ${countryIso}`
                )
                return countryIso
            }

        TelephonyManager.getSimCountryIso.overload().implementation =
            function () {
                const _countryIso = this.getSimCountryIso()
                console.log(
                    `spoof TelephonyManager.getSimCountryIso: ${_countryIso} -> ${countryIso}`
                )
                return countryIso
            }

        TelephonyManager.getSubscriptionId.overload().implementation =
            function () {
                const _subId = this.getSubscriptionId()
                if (!subId) {
                    console.log(_subId)
                    return _subId
                }
                console.log(
                    `spoof TelephonyManager.getSubscriptionId: ${_subId} -> ${subId}`
                )
                return parseInt(subId)
            }

        TelephonyManager.getSimState.overload().implementation = function () {
            const _simState = this.getSimState()
            console.log(`spoof TelephonyManager.getSimState: ${_simState} -> 5`)
            return 5
        }

        const PhoneNumberVerification = Java.use(
            "com.google.android.gms.constellation.PhoneNumberVerification"
        )
        PhoneNumberVerification.$init.overload(
            "java.lang.String",
            "long",
            "int",
            "int",
            "java.lang.String",
            "android.os.Bundle"
        ).implementation = function (str, j, i, i2, str2, bundle) {
            console.log("PhoneNumberVerification.$init")

            console.log(
                `str: ${str}, j: ${j}, i: ${i}, i2: ${i2}, str2: ${str2}`
            )
            // print bundle
            if (bundle) {
                const keySet = bundle.keySet().toArray()
                for (let i = 0; i < keySet.length; i++) {
                    const key = keySet[i]
                    console.log(`key: ${key}, value: ${bundle.get(key)}`)
                }
            }

            return this.$init(str, j, i, i2, str2, bundle)
        }

        const aays = Java.use("aays")
        aays.d.overload("int", "boolean").implementation = function (i, z) {
            console.log("aays.d", i, z, Object.keys(this.f.value))

            return number
        }

        const aoor = Java.use("aoor")
        aoor.h.overload("android.content.Context", "int").implementation =
            function (c, i) {
                const _i = this.h(c, i)
                console.log("aoor.h", c, i, _i)
                return _i
            }

        const SetAsterismConsentRequest = Java.use(
            "com.google.android.gms.asterism.SetAsterismConsentRequest"
        )
        SetAsterismConsentRequest.$init.overload(
            //int i, int i2, int i3, int[] iArr, Long l, int i4, Bundle bundle, int i5, String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8
            "int",
            "int",
            "int",
            "[I",
            "java.lang.Long",
            "int",
            "android.os.Bundle",
            "int",
            "java.lang.String",
            "java.lang.String",
            "java.lang.String",
            "java.lang.String",
            "java.lang.String",
            "java.lang.String",
            "java.lang.String",
            "java.lang.String"
        ).implementation = function (
            i,
            i2,
            i3,
            iArr,
            l,
            i4,
            bundle,
            i5,
            str,
            str2,
            str3,
            str4,
            str5,
            str6,
            str7,
            str8
        ) {
            console.log(
                Java.use("android.util.Log").getStackTraceString(
                    Java.use("java.lang.Throwable").$new()
                )
            )
            console.log("SetAsterismConsentRequest.$init")

            console.log(
                `i: ${i}, i2: ${i2}, i3: ${i3}, iArr: ${iArr}, l: ${l}, i4: ${i4}, i5: ${i5}, str: ${str}, str2: ${str2}, str3: ${str3}, str4: ${str4}, str5: ${str5}, str6: ${str6}, str7: ${str7}, str8: ${str8}`
            )
            // print bundle
            const keySet = bundle.keySet().toArray()
            for (let i = 0; i < keySet.length; i++) {
                const key = keySet[i]
                console.log(`key: ${key}, value: ${bundle.get(key)}`)
            }

            return this.$init(
                i,
                i2,
                i3,
                iArr,
                l,
                i4,
                bundle,
                i5,
                str,
                str2,
                str3,
                str4,
                str5,
                str6,
                str7,
                str8
            )
        }

        const SetAsterismConsentResponse = Java.use(
            "com.google.android.gms.asterism.SetAsterismConsentResponse"
        )
        SetAsterismConsentResponse.$init.overload(
            "int",
            "java.lang.String",
            "java.lang.String"
        ).implementation = function (i, str, str2) {
            console.log(
                Java.use("android.util.Log").getStackTraceString(
                    Java.use("java.lang.Throwable").$new()
                )
            )

            console.log("SetAsterismConsentResponse.$init")
            console.log(`i: ${i}, str: ${str}, str2: ${str2}`)
            // return this.$init(
            //     1,
            //     "c4q5zP5Ft4A:APA91bEASr50HwwOY789LSZrcHPT8aG_fT19xlelS35qgIJeC3UBYypAHmmL9IygzlphzTKKz0wCdiQwuoPZMJKvgKPmGi3_imdr1CY0s7fs8qa_LMgNDFfvWEnpTCReAYc7IjThhFQq",
            //     "c4q5zP5Ft4A"
            // )
            return this.$init(i, str, str2)
        }
    })

    // spoof sim to exist
    const bjsf = Java.use("athm")
    bjsf.r.overload("android.content.Context").implementation = function (c) {
        console.log("athm.r")
        return true
    }

    const asts = Java.use("asts")
    asts.b.overload().implementation = function () {
        const url = this.b()
        console.log("asts.b(configUrl)", url.orElse("null"))
        console.log("l", this.l())
        console.log("g", this.g())
        console.log("k", this.k())
        const str = Java.use("arhb").M().s().a()
        console.log("str", str)
        // todo: rcs-acs-mcc%s.jibe.google.com
        return Java.use("j$.util.Optional").of(
            "http://rcs-acs-mcc255.jibe.google.com/"
        )
    }
})