xiongzhu
/
frida-rcs-hack


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233
							function trace(tag) {
    Log.e((tag || '') + Java.use('android.util.Log').getStackTraceString(Java.use('java.lang.Throwable').$new()))
}

function randomMac() {
    var mac = '00:16:3e'
    for (var i = 0; i < 3; i++) {
        mac += ':' + ('00' + Math.floor(Math.random() * 256).toString(16)).slice(-2)
    }
    return mac
}

function buff2json(buf) {
    console.log(`buffer length: ${buf.byteLength}`)
    try {
        var decoded = String.fromCharCode(...new Uint8Array(buf))
        console.log(`decoded: ${decoded}`)
        return JSON.parse(decoded.trim())
    } catch (e) {
        console.error(e)
        return null
    }
}

class Interaction {
    failure(err) {
        console.error(err.message)
    }

    accepted(connection) {
        console.warn('accepted')
        connection.input.read(2000).then((data) => {
            try {
                const json = buff2json(data)
                console.log('received', json)
                this.messageFn && this.messageFn(json)
            } catch (e) {}
            connection.close()
        })
    }

    accept_loop(listener) {
        var next_iter = this.accept_loop.bind(this, listener)
        listener
            .accept()
            .then(this.accepted.bind(this))
            .catch(this.failure.bind(this))
            .finally(function () {
                setImmediate(next_iter)
            })
    }

    listened(listener) {
        console.warn('listened')
        this.accept_loop(listener)
    }

    start(port, messageFn) {
        this.messageFn = messageFn
        console.warn('starting on port', port)
        Socket.listen({ family: 'ipv4', host: '0.0.0.0', port: port })
            .then(this.listened.bind(this))
            .catch(this.failure.bind(this))
    }
}

setImmediate(() => {
    Java.perform(function () {
        const Log = Java.use('android.util.Log')
        const Uri = Java.use('android.net.Uri')
        const File = Java.use('java.io.File')

        const BufferedReader = Java.use('java.io.BufferedReader')
        const FileInputStream = Java.use('java.io.FileInputStream')
        const FileOutputStream = Java.use('java.io.FileOutputStream')
        const InputStreamReader = Java.use('java.io.InputStreamReader')
        const OutputStreamWriter = Java.use('java.io.OutputStreamWriter')

        function log(msg) {
            console.log(`\x1b[32m[system_server] ${msg}\x1b[0m`)
            Log.d('frida-system_server', msg + '')
        }

        function getContext() {
            try {
                var ActivityThread = Java.use('android.app.ActivityThread')
                var application = ActivityThread.currentApplication()
                return application.getApplicationContext()
            } catch (e) {
                console.log(e)
                return null
            }
        }

        function readFile(file) {
            if (!file.exists()) {
                return null
            }
            var fileInputStream = FileInputStream.$new(file)

            var inputStreamReader = InputStreamReader.$new(Java.cast(fileInputStream, Java.use('java.io.InputStream')))
            var bufferedReader = BufferedReader.$new(inputStreamReader)
            var line
            var content = ''
            while ((line = bufferedReader.readLine()) !== null) {
                content += line + '\n'
            }

            bufferedReader.close()
            inputStreamReader.close()
            fileInputStream.close()

            return content
        }

        function writeFile(file, content) {
            if (!file.exists()) {
                file.createNewFile()
            }
            var fileOutputStream = FileOutputStream.$new(file)
            var outputStreamWriter = OutputStreamWriter.$new(
                Java.cast(fileOutputStream, Java.use('java.io.OutputStream'))
            )
            outputStreamWriter.write(content, 0, content.length)
            outputStreamWriter.flush()
            outputStreamWriter.close()
            fileOutputStream.close()
        }

        function readConfig() {
            const configFile = File.$new('/data/system/config.json')
            log(`read config from ${configFile.getAbsolutePath()}`)
            const json = readFile(configFile)
            if (!json) {
                return {}
            } else {
                log(`config: ${json}`)
                return JSON.parse(json)
            }
        }

        function saveConfig(config) {
            const configFile = File.$new('/data/system/config.json')
            log(`save config to ${configFile.getAbsolutePath()}`)
            const json = JSON.stringify(config)
            log(`config: ${json}`)
            writeFile(configFile, json)
        }

        function queryConfig(key) {
            const context = getContext()
            if (!context) {
                return null
            }
            const cr = context.getContentResolver()
            const uri = Uri.parse('content://SimInfo')
            const cursor = cr.query(uri, null, null, null, null)
            if (!cursor) {
                return null
            }
            if (!cursor.moveToFirst()) {
                cursor.close()
                return null
            }
            const idx = cursor.getColumnIndex(key)
            if (idx < 0) {
                cursor.close()
                return null
            }
            const value = cursor.getString(idx)
            cursor.close()
            return value
        }

        // saveConfig({ a: 1 })
        let config = readConfig()
        new Interaction().start(23947, (msg) => {
            console.log('on message', msg)
            if (msg.action === 'saveConfig') {
                config = msg.data
                saveConfig(config)
            }
        })

        const DeviceIdentifiersPolicy = Java.use(
            'com.android.server.os.DeviceIdentifiersPolicyService$DeviceIdentifiersPolicy'
        )

        DeviceIdentifiersPolicy.getSerial.overload().implementation = function () {
            const original = this.getSerial()
            const spoof = config.serialNo || original
            log(`DeviceIdentifiersPolicy.getSerial() called, returning: ${spoof}, original: ${original}`)
            return spoof
        }

        DeviceIdentifiersPolicy.getSerialForPackage.overload('java.lang.String', 'java.lang.String').implementation =
            function (callingPackage, callingFeatureId) {
                const original = this.getSerialForPackage(callingPackage, callingFeatureId)
                const spoof = config.serialNo || original
                log(`DeviceIdentifiersPolicy.getSerialForPackage(${callingPackage}, ${callingFeatureId}) called`)
                log(`  ${original} -> ${spoof}`)
                return spoof
            }

        const classLoaders = Java.enumerateClassLoadersSync()
        const wifiClassLoader = classLoaders.find((i) => i.toString().includes('wifi'))
        Java.classFactory.loader = wifiClassLoader
        const WifiServiceImpl = Java.use('com.android.server.wifi.WifiServiceImpl')
        WifiServiceImpl.getFactoryMacAddresses.overload().implementation = function () {
            const original = this.getFactoryMacAddresses()
            const spoof = [config.mac || randomMac()]
            log(`WifiServiceImpl.getFactoryMacAddresses() called`)
            log(`  ${original} -> ${spoof}`)
            return spoof
        }
        WifiServiceImpl.getConnectionInfo.overload('java.lang.String', 'java.lang.String').implementation = function (
            callingPackage,
            callingFeatureId
        ) {
            const original = this.getConnectionInfo(callingPackage, callingFeatureId)
            const originalMac = original.getMacAddress()
            const originalBSSID = original.getBSSID()
            const spoofedMac = config.mac || randomMac()
            const spoofedBSSID = config.bssid || randomMac()
            original.setMacAddress(spoofedMac)
            original.setBSSID(spoofedBSSID)
            log(`WifiServiceImpl.getConnectionInfo(${callingPackage}, ${callingFeatureId}) called`)
            log(`  MAC: ${originalMac} -> ${spoofedMac}`)
            log(`  BSSID: ${originalBSSID} -> ${spoofedBSSID}`)
            return original
        }
    })
})