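// Frida (Java bridge) instrumentation script for an Android process.
// Inside the hooked process it does three things:
//   1. TLS re-pinning: every SSLContext.init(KeyManager[], TrustManager[],
//      SecureRandom) call is given a TrustManager built from the CA file
//      loaded below, in place of the one the app passed in.
//   2. Identifier substitution: SubscriptionInfo / TelephonyManager getters
//      return the constants below; the real value is read and logged first.
//   3. Tracing: constructor arguments of PhoneNumberVerification,
//      SetAsterismConsentRequest and SetAsterismConsentResponse are logged
//      and then forwarded unchanged.
// Review takeaway: everything in (2) is answered by a framework API running
// in the client process, so a backend that treats those values as evidence
// of SIM possession is trusting client-controlled data. Likewise, pinning
// that exists only as the app's own TrustManager does not survive (1).

// Replacement values returned by the telephony hooks.
const mcc = "255"
const mnc = "06"
// Operator codes are the MCC and MNC above concatenated.
const simOperator = "25506"
const networkOperator = "25506"
// The same value is used for the SIM serial number and the ICCID.
const simSerialNumber = "89380062300689131876"
const iccId = "89380062300689131876"
const number = "731848010"
const imei = "864929043714851"
const imsi = "255065007246456"
const countryIso = "ua"
// Empty string: the getSubscriptionId hooks pass the real id through.
const subId = ""

setImmediate(() => {
  Java.perform(function () {
    /**
     * Log every key/value pair of an android.os.Bundle.
     * A null/undefined bundle logs nothing.
     */
    function dumpBundle(bundle) {
      if (!bundle) {
        return
      }
      const keySet = bundle.keySet().toArray()
      for (let idx = 0; idx < keySet.length; idx++) {
        const key = keySet[idx]
        console.log(`key: ${key}, value: ${bundle.get(key)}`)
      }
    }

    /** Log the Java stack of the current thread via a fresh Throwable. */
    function logJavaStack() {
      console.log(
        Java.use("android.util.Log").getStackTraceString(
          Java.use("java.lang.Throwable").$new()
        )
      )
    }

    // ---------------------------------------------------------------
    // 1. TLS re-pinning
    // ---------------------------------------------------------------
    console.log("")
    console.log("[.] Cert Pinning Bypass/Re-Pinning")

    const CertificateFactory = Java.use(
      "java.security.cert.CertificateFactory"
    )
    const FileInputStream = Java.use("java.io.FileInputStream")
    const BufferedInputStream = Java.use("java.io.BufferedInputStream")
    const X509Certificate = Java.use("java.security.cert.X509Certificate")
    const KeyStore = Java.use("java.security.KeyStore")
    const TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory")
    const SSLContext = Java.use("javax.net.ssl.SSLContext")

    // Load CAs from an InputStream
    console.log("[+] Loading our CA...")
    const cf = CertificateFactory.getInstance("X.509")
    let fileInputStream
    try {
      fileInputStream = FileInputStream.$new("/data/local/tmp/cert-der.crt")
    } catch (err) {
      console.log("[o] " + err)
      // Without the CA file there is nothing to build a TrustManager from;
      // stop here instead of handing an undefined stream to the next call.
      throw err
    }
    const bufferedInputStream = BufferedInputStream.$new(fileInputStream)
    let ca
    try {
      ca = cf.generateCertificate(bufferedInputStream)
    } finally {
      // Close the stream even when the file is not a parseable certificate.
      bufferedInputStream.close()
    }

    const certInfo = Java.cast(ca, X509Certificate)
    console.log("[o] Our CA Info: " + certInfo.getSubjectDN())

    // Create a KeyStore containing our trusted CAs
    console.log("[+] Creating a KeyStore for our CA...")
    const keyStoreType = KeyStore.getDefaultType()
    const keyStore = KeyStore.getInstance(keyStoreType)
    keyStore.load(null, null) // start from an empty store
    keyStore.setCertificateEntry("ca", ca)

    // Create a TrustManager that trusts the CAs in our KeyStore
    console.log(
      "[+] Creating a TrustManager that trusts the CA in our KeyStore..."
    )
    const tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm()
    const tmf = TrustManagerFactory.getInstance(tmfAlgorithm)
    tmf.init(keyStore)
    console.log("[+] Our TrustManager is ready...")

    console.log("[+] Hijacking SSLContext methods now...")
    console.log("[-] Waiting for the app to invoke SSLContext.init()...")
    // Only callers of this three-argument overload are affected. The
    // TrustManager array supplied by the app (second argument) is dropped.
    SSLContext.init.overload(
      "[Ljavax.net.ssl.KeyManager;",
      "[Ljavax.net.ssl.TrustManager;",
      "java.security.SecureRandom"
    ).implementation = function (keyManagers, appTrustManagers, secureRandom) {
      console.log("[o] App invoked javax.net.ssl.SSLContext.init...")
      SSLContext.init
        .overload(
          "[Ljavax.net.ssl.KeyManager;",
          "[Ljavax.net.ssl.TrustManager;",
          "java.security.SecureRandom"
        )
        .call(this, keyManagers, tmf.getTrustManagers(), secureRandom)
      console.log("[+] SSLContext initialized with our custom TrustManager!")
    }

    // ---------------------------------------------------------------
    // 2a. SmsManager: trace only, return values are untouched
    // ---------------------------------------------------------------
    const SmsManager = Java.use("android.telephony.SmsManager")

    SmsManager.getSmsManagerForSubscriptionId.overload(
      "int"
    ).implementation = function (i) {
      const manager = this.getSmsManagerForSubscriptionId(i)
      console.log(`SmsManager.getSmsManagerForSubscriptionId: ${i}`)
      return manager
    }

    SmsManager.getDefault.overload().implementation = function () {
      // The no-argument overload takes nothing; the previous call passed an
      // undeclared `i`, which raised a ReferenceError whenever the hook ran.
      const manager = this.getDefault()
      console.log(`SmsManager.getDefault`)
      return manager
    }

    SmsManager.getDefaultSmsSubscriptionId.overload().implementation =
      function () {
        const realSubId = this.getDefaultSmsSubscriptionId()
        console.log(`SmsManager.getDefaultSmsSubscriptionId: ${realSubId}`)
        return realSubId
      }

    SmsManager.getSubscriptionId.overload().implementation = function () {
      const realSubId = this.getSubscriptionId()
      console.log(`SmsManager.getSubscriptionId: ${realSubId}`)
      return realSubId
    }

    // ---------------------------------------------------------------
    // 2b. SubscriptionInfo: each getter reads the real value, logs
    //     "real -> replacement", and returns the replacement
    // ---------------------------------------------------------------
    const SubscriptionInfo = Java.use("android.telephony.SubscriptionInfo")

    SubscriptionInfo.getMcc.overload().implementation = function () {
      const realMcc = this.getMcc()
      console.log(`spoof SubscriptionInfo.getMcc: ${realMcc} -> ${mcc}`)
      return parseInt(mcc, 10)
    }

    SubscriptionInfo.getMnc.overload().implementation = function () {
      const realMnc = this.getMnc()
      console.log(`spoof SubscriptionInfo.getMnc: ${realMnc} -> ${mnc}`)
      // Integer form: the leading zero of "06" is lost here, while
      // getMncString below returns the string as written.
      return parseInt(mnc, 10)
    }

    SubscriptionInfo.getMccString.overload().implementation = function () {
      const realMccString = this.getMccString()
      console.log(
        `spoof SubscriptionInfo.getMccString: ${realMccString} -> ${mcc}`
      )
      return mcc
    }

    SubscriptionInfo.getMncString.overload().implementation = function () {
      const realMncString = this.getMncString()
      console.log(
        `spoof SubscriptionInfo.getMncString: ${realMncString} -> ${mnc}`
      )
      return mnc
    }

    SubscriptionInfo.getNumber.overload().implementation = function () {
      const realNumber = this.getNumber()
      console.log(
        `spoof SubscriptionInfo.getNumber: ${realNumber} -> ${number}`
      )
      return number
    }

    SubscriptionInfo.getIccId.overload().implementation = function () {
      const realIccId = this.getIccId()
      console.log(`spoof SubscriptionInfo.getIccId: ${realIccId} -> ${iccId}`)
      return iccId
    }

    SubscriptionInfo.getCountryIso.overload().implementation = function () {
      const realCountryIso = this.getCountryIso()
      console.log(
        `spoof SubscriptionInfo.getCountryIso: ${realCountryIso} -> ${countryIso}`
      )
      return countryIso
    }

    SubscriptionInfo.getSubscriptionId.overload().implementation =
      function () {
        const realSubId = this.getSubscriptionId()
        if (!subId) {
          // No replacement configured: log and return the real id.
          console.log(realSubId)
          return realSubId
        }
        console.log(
          `spoof SubscriptionInfo.getSubscriptionId: ${realSubId} -> ${subId}`
        )
        return parseInt(subId, 10)
      }

    // ---------------------------------------------------------------
    // 2c. TelephonyManager: same read / log / replace pattern
    // ---------------------------------------------------------------
    const TelephonyManager = Java.use("android.telephony.TelephonyManager")

    TelephonyManager.getLine1Number.overload().implementation =
      function () {
        const realNumber = this.getLine1Number()
        console.log(
          `spoof TelephonyManager.getLine1Number: ${realNumber} -> ${number}`
        )
        return number
      }

    TelephonyManager.getSimOperator.overload().implementation =
      function () {
        const realSimOperator = this.getSimOperator()
        console.log(
          `spoof TelephonyManager.getSimOperator: ${realSimOperator} -> ${simOperator}`
        )
        return simOperator
      }

    TelephonyManager.getNetworkOperator.overload().implementation =
      function () {
        const realNetworkOperator = this.getNetworkOperator()
        console.log(
          `spoof TelephonyManager.getNetworkOperator: ${realNetworkOperator} -> ${networkOperator}`
        )
        return networkOperator
      }

    TelephonyManager.getSimSerialNumber.overload().implementation =
      function () {
        const realSimSerialNumber = this.getSimSerialNumber()
        console.log(
          `spoof TelephonyManager.getSimSerialNumber: ${realSimSerialNumber} -> ${simSerialNumber}`
        )
        return simSerialNumber
      }

    TelephonyManager.getSubscriberId.overload().implementation =
      function () {
        const realImsi = this.getSubscriberId()
        console.log(
          `spoof TelephonyManager.getSubscriberId: ${realImsi} -> ${imsi}`
        )
        return imsi
      }

    TelephonyManager.getImei.overload().implementation = function () {
      const realImei = this.getImei()
      console.log(`spoof TelephonyManager.getImei: ${realImei} -> ${imei}`)
      return imei
    }

    TelephonyManager.getNetworkCountryIso.overload().implementation =
      function () {
        const realCountryIso = this.getNetworkCountryIso()
        console.log(
          `spoof TelephonyManager.getNetworkCountryIso: ${realCountryIso} -> ${countryIso}`
        )
        return countryIso
      }

    TelephonyManager.getSimCountryIso.overload().implementation =
      function () {
        const realCountryIso = this.getSimCountryIso()
        console.log(
          `spoof TelephonyManager.getSimCountryIso: ${realCountryIso} -> ${countryIso}`
        )
        return countryIso
      }

    TelephonyManager.getSubscriptionId.overload().implementation =
      function () {
        const realSubId = this.getSubscriptionId()
        if (!subId) {
          // No replacement configured: log and return the real id.
          console.log(realSubId)
          return realSubId
        }
        console.log(
          `spoof TelephonyManager.getSubscriptionId: ${realSubId} -> ${subId}`
        )
        return parseInt(subId, 10)
      }

    // ---------------------------------------------------------------
    // 3. Tracing of Google Play services classes
    // ---------------------------------------------------------------
    // const asos = Java.use("asos")
    // asos.b.overload().implementation = function () {
    // console.log("asos.b")
    // return true
    // }

    // Handles used only by the disabled experiment below. Java.use still
    // resolves each class at this point.
    // NOTE(review): these short names look like obfuscated, build-specific
    // identifiers; confirm they exist in the build under analysis.
    const asmy = Java.use("asmy")
    const bqni = Java.use("bqni")
    const askd = Java.use("askd")
    // asmy.b.overload().implementation = function () {
    // this.$super.b()
    // this._a.value.Q(bqni.b(19))
    // this._a.value.av(27)
    // const a = this._a.value._P.value.a()
    // var c = askd.c(a, "")
    // console.log(this._a.value.r)
    // var ar = Java.cast(this._a.value, Java.use("arqs"))
    // ar.r(36, Java.cast(c, Java.use("java.lang.Object")))
    // }

    const PhoneNumberVerification = Java.use(
      "com.google.android.gms.constellation.PhoneNumberVerification"
    )
    // Trace only: arguments are forwarded to the real constructor unchanged.
    PhoneNumberVerification.$init.overload(
      "java.lang.String",
      "long",
      "int",
      "int",
      "java.lang.String",
      "android.os.Bundle",
      "int",
      "long"
    ).implementation = function (str, l, i, i2, str2, bundle, i3, l2) {
      console.log("PhoneNumberVerification.$init")
      console.log(
        `str: ${str}, l: ${l}, i: ${i}, i2: ${i2}, str2: ${str2}, i3: ${i3}, l2: ${l2}`
      )
      // print bundle
      dumpBundle(bundle)
      return this.$init(str, l, i, i2, str2, bundle, i3, l2)
    }

    // const aays = Java.use("aays")
    // aays.d.overload("int", "boolean").implementation = function (i, z) {
    // console.log("aays.d", i, z, Object.keys(this.f.value))
    // return number
    // }

    const SetAsterismConsentRequest = Java.use(
      "com.google.android.gms.asterism.SetAsterismConsentRequest"
    )
    // Trace only: logs the Java call stack and every argument, then calls
    // the real constructor with the same values.
    SetAsterismConsentRequest.$init.overload(
      //int i, int i2, int i3, int[] iArr, Long l, int i4, Bundle bundle, int i5, String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8
      "int",
      "int",
      "int",
      "[I",
      "java.lang.Long",
      "int",
      "android.os.Bundle",
      "int",
      "java.lang.String",
      "java.lang.String",
      "java.lang.String",
      "java.lang.String",
      "java.lang.String",
      "java.lang.String",
      "java.lang.String",
      "java.lang.String"
    ).implementation = function (
      i,
      i2,
      i3,
      iArr,
      l,
      i4,
      bundle,
      i5,
      str,
      str2,
      str3,
      str4,
      str5,
      str6,
      str7,
      str8
    ) {
      logJavaStack()
      console.log("SetAsterismConsentRequest.$init")
      console.log(
        `i: ${i}, i2: ${i2}, i3: ${i3}, iArr: ${iArr}, l: ${l}, i4: ${i4}, i5: ${i5}, str: ${str}, str2: ${str2}, str3: ${str3}, str4: ${str4}, str5: ${str5}, str6: ${str6}, str7: ${str7}, str8: ${str8}`
      )
      // print bundle (null-safe, matching the PhoneNumberVerification hook;
      // previously a null Bundle threw before the real constructor ran)
      dumpBundle(bundle)
      return this.$init(
        i,
        i2,
        i3,
        iArr,
        l,
        i4,
        bundle,
        i5,
        str,
        str2,
        str3,
        str4,
        str5,
        str6,
        str7,
        str8
      )
    }

    const SetAsterismConsentResponse = Java.use(
      "com.google.android.gms.asterism.SetAsterismConsentResponse"
    )
    // Trace only: the response is constructed with the values it was given.
    SetAsterismConsentResponse.$init.overload(
      "int",
      "java.lang.String",
      "java.lang.String"
    ).implementation = function (i, str, str2) {
      logJavaStack()
      console.log("SetAsterismConsentResponse.$init")
      console.log(`i: ${i}, str: ${str}, str2: ${str2}`)
      // Disabled experiment: construct the response from fixed values.
      // return this.$init(
      // 1,
      // "c4q5zP5Ft4A:APA91bEASr50HwwOY789LSZrcHPT8aG_fT19xlelS35qgIJeC3UBYypAHmmL9IygzlphzTKKz0wCdiQwuoPZMJKvgKPmGi3_imdr1CY0s7fs8qa_LMgNDFfvWEnpTCReAYc7IjThhFQq",
      // "c4q5zP5Ft4A"
      // )
      return this.$init(i, str, str2)
    }
  })
})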