xiongzhu
/
frida-rcs-hack


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129
							class Log {
    static TAG = '[SMS]'
    static Debug = true
    static format(...msg) {
        let m = []
        for (let i = 0; i < msg.length; i++) {
            if (typeof msg[i] === 'object') {
                m.push(JSON.stringify(msg[i]))
            } else {
                m.push(msg[i])
            }
        }
        m = m.join(' ')
        return m
    }
    static i(...msg) {
        if (!this.Debug) return
        console.log(`\x1b[30m${this.TAG} ${this.format(...msg)}\x1b[0m`)
    }
    static w(...msg) {
        console.log(`\x1b[33m${this.TAG} ${this.format(...msg)}\x1b[0m`)
    }
    static e(...msg) {
        console.log(`\x1b[31m${this.TAG} ${this.format(...msg)}\x1b[0m`)
    }
    static s(...msg) {
        console.log(`\x1b[32m${this.TAG} ${this.format(...msg)}\x1b[0m`)
    }
}

function trace(tag) {
    Log.e((tag || '') + Java.use('android.util.Log').getStackTraceString(Java.use('java.lang.Throwable').$new()))
}

setImmediate(() => {
    Java.perform(function () {
        const dubm = Java.use('dubm')
        dubm.$init.overload().implementation = function () {
            Log.e('dubm.$init()')
            trace()
            return this.$init()
        }
        const SystemProperties = Java.use('android.os.SystemProperties')
        const imsi = SystemProperties.get('persist.spoof.imsi')
        console.log('imsi:', imsi)
        const ImsiRequest = Java.use('com.google.android.gms.constellation.ImsiRequest')
        const VerifyPhoneNumberRequest = Java.use('com.google.android.gms.constellation.VerifyPhoneNumberRequest')
        VerifyPhoneNumberRequest.$init.overload(
            //String str, long j, IdTokenRequest idTokenRequest, Bundle bundle, List list, boolean z, int i, List list2
            'java.lang.String',
            'long',
            'com.google.android.gms.constellation.IdTokenRequest',
            'android.os.Bundle',
            'java.util.List',
            'boolean',
            'int',
            'java.util.List'
        ).implementation = function (str, j, idTokenRequest, bundle, list, z, i, list2) {
            Log.e(`VerifyPhoneNumberRequest.$init(
                str=${str}, j=${j}, 
                idTokenRequest=${idTokenRequest}, 
                bundle=${bundle}, 
                list=${list.size()}, 
                z=${z}, 
                i=${i}, 
                list2=${list2.size()})`)
            trace()

            for (let i = 0; i < list.size(); i++) {
                Log.e(`  list[${i}] = ${list.get(i)}`)
            }
            for (let i = 0; i < list2.size(); i++) {
                Log.e(`  list2[${i}] = ${list2.get(i)}`)
            }

            // bundle.putString('IMSI', imsi)
            // list.clear()
            // list2.clear()
            // z = false

            if (list.size() > 0) {
                const imsiRequest = Java.cast(list.get(0), ImsiRequest)
                Log.e(`ImsiRequest(a=${imsiRequest.a.value}, b=${imsiRequest.b.value})`)
            }

            // return this.$init('upi-carrier-id-with-mo-sms-relax', j, idTokenRequest, bundle, list, z, i, list2)
            return this.$init(str, j, idTokenRequest, bundle, list, z, i, list2)
        }
        VerifyPhoneNumberRequest.writeToParcel.overload('android.os.Parcel', 'int').implementation = function (
            parcel,
            i
        ) {
            Log.e(`VerifyPhoneNumberRequest.writeToParcel(parcel=${parcel}, i=${i})`)
            trace()
            return this.writeToParcel(parcel, i)
        }

        //com/google/android/apps/messaging/shared/mobileconfiguration/accessor/MobileConfigurationRetriever
        // const MobileConfigurationRetriever = Java.use(
        //     'com.google.android.apps.messaging.shared.mobileconfiguration.accessor.MobileConfigurationRetriever.MobileConfigurationRetriever'
        // )
        // console.log('MobileConfigurationRetriever:', MobileConfigurationRetriever)

        const dupb = Java.use('dupb')
        dupb.$init.overload().implementation = function () {
            Log.e('dupb.$init()')
            trace()
            return this.$init()
        }

        const bhyo = Java.use('bhyo')
        bhyo.d.overload('java.lang.String').implementation = function (str) {
            Log.e(`bhyo.d(str=${str})`)
            const res = this.d(str)
            Log.s(`dupb.b=${res.b.value}`)
            res.b.value = 'upi-carrier-id-with-mo-sms-relax'
            return res
        }

        console.log(dubm.J.value.C.value)
        bhyo.c.overload('java.lang.String').implementation = function (str) {
            Log.e(`bhyo.c(str=${str})`)
            const res = this.c(str)
            console.log(res.C, Object.keys(res.C))
            res.C.value = 1
            return res
        }
    })
}, 0)