xiongzhu
/
frida-rcs-hack


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191
							function trace(tag) {
    Log.e((tag || '') + Java.use('android.util.Log').getStackTraceString(Java.use('java.lang.Throwable').$new()))
}

function buff2json(buf) {
    console.log(`buffer length: ${buf.byteLength}`)
    try {
        var decoded = String.fromCharCode(...new Uint8Array(buf))
        console.log(`decoded: ${decoded}`)
        return JSON.parse(decoded.trim())
    } catch (e) {
        console.error(e)
        return null
    }
}

class Interaction {
    failure(err) {
        console.error(err.message)
        Java.use('android.util.Log').d('frida-phone', err.message)
    }

    accepted(connection) {
        console.warn('accepted')
        connection.input.read(2000).then((data) => {
            try {
                const json = buff2json(data)
                console.log('received', json)
                this.messageFn && this.messageFn(json)
            } catch (e) {}
            connection.close()
        })
    }

    accept_loop(listener) {
        var next_iter = this.accept_loop.bind(this, listener)
        listener
            .accept()
            .then(this.accepted.bind(this))
            .catch(this.failure.bind(this))
            .finally(function () {
                setImmediate(next_iter)
            })
    }

    listened(listener) {
        console.warn('listened')
        this.accept_loop(listener)
    }

    start(port, messageFn) {
        this.messageFn = messageFn
        console.warn('starting on port', port)
        Socket.listen({ family: 'ipv4', host: '0.0.0.0', port: port })
            .then(this.listened.bind(this))
            .catch(this.failure.bind(this))
    }
}

setImmediate(() => {
    Java.perform(function () {
        const Log = Java.use('android.util.Log')
        const Uri = Java.use('android.net.Uri')
        const File = Java.use('java.io.File')

        const BufferedReader = Java.use('java.io.BufferedReader')
        const FileInputStream = Java.use('java.io.FileInputStream')
        const FileOutputStream = Java.use('java.io.FileOutputStream')
        const InputStreamReader = Java.use('java.io.InputStreamReader')
        const OutputStreamWriter = Java.use('java.io.OutputStreamWriter')

        function log(msg) {
            console.log(`\x1b[32m[system_server] ${msg}\x1b[0m`)
            Log.d('frida-phone', msg + '')
        }

        function getContext() {
            try {
                var ActivityThread = Java.use('android.app.ActivityThread')
                var application = ActivityThread.currentApplication()
                return application.getApplicationContext()
            } catch (e) {
                console.log(e)
                return null
            }
        }

        function readFile(file) {
            if (!file.exists()) {
                return null
            }
            var fileInputStream = FileInputStream.$new(file)

            var inputStreamReader = InputStreamReader.$new(Java.cast(fileInputStream, Java.use('java.io.InputStream')))
            var bufferedReader = BufferedReader.$new(inputStreamReader)
            var line
            var content = ''
            while ((line = bufferedReader.readLine()) !== null) {
                content += line + '\n'
            }

            bufferedReader.close()
            inputStreamReader.close()
            fileInputStream.close()

            return content
        }

        function writeFile(file, content) {
            if (!file.exists()) {
                file.createNewFile()
            }
            var fileOutputStream = FileOutputStream.$new(file)
            var outputStreamWriter = OutputStreamWriter.$new(
                Java.cast(fileOutputStream, Java.use('java.io.OutputStream'))
            )
            outputStreamWriter.write(content, 0, content.length)
            outputStreamWriter.flush()
            outputStreamWriter.close()
            fileOutputStream.close()
        }

        function readConfig() {
            const context = getContext()
            const configFile = File.$new(context.getExternalFilesDir('config'), 'config.json')
            log(`read config from ${configFile.getAbsolutePath()}`)
            const json = readFile(configFile)
            if (!json) {
                return {}
            } else {
                log(`config: ${json}`)
                return JSON.parse(json)
            }
        }

        function saveConfig(config) {
            const context = getContext()
            const configFile = File.$new(context.getExternalFilesDir('config'), 'config.json')
            log(`save config to ${configFile.getAbsolutePath()}`)
            const json = JSON.stringify(config)
            log(`config: ${json}`)
            writeFile(configFile, json)
        }

        function queryConfig(key) {
            const context = getContext()
            if (!context) {
                return null
            }
            const cr = context.getContentResolver()
            const uri = Uri.parse('content://SimInfo')
            const cursor = cr.query(uri, null, null, null, null)
            if (!cursor) {
                return null
            }
            if (!cursor.moveToFirst()) {
                cursor.close()
                return null
            }
            const idx = cursor.getColumnIndex(key)
            if (idx < 0) {
                cursor.close()
                return null
            }
            const value = cursor.getString(idx)
            cursor.close()
            return value
        }

        // log(readConfig('serial_no'))
        // setTimeout(() => {
        //     new Interaction().start(23946, (msg) => {
        //         log(`received message: ${JSON.stringify(msg)}`)
        //         if (msg.action === 'saveConfig') {
        //             config = msg.data
        //             saveConfig(config)
        //         }
        //     })
        // }, 30000)

        const PhoneInterfaceManager = Java.use('com.android.phone.PhoneInterfaceManager')
        PhoneInterfaceManager.getImeiForSlot.overload('int', 'java.lang.String', 'java.lang.String').implementation =
            function (slotId, callingPackage, callingFeatureId) {
                const original = this.getImeiForSlot(slotId, callingPackage, callingFeatureId)
                const spoofed = readConfig().imei || original
                log(`PhoneInterfaceManager.getImeiForSlot(${slotId}, ${callingPackage}, ${callingFeatureId}) called`)
                log(`  ${original} -> ${spoofed}`)
                return spoofed
            }
    })
})