frida-rcs-hack/scripts/spoof.js

const mcc = "{{mcc}}"
const mnc = "{{mnc}}"
const simOperator = "{{simOperator}}"
const networkOperator = "{{networkOperator}}"
const simSerialNumber = "{{simSerialNumber}}"
const iccId = "{{iccId}}"
const number = "{{number}}"
const imei = "{{imei}}"
const imsi = "{{imsi}}"
const countryIso = "{{countryIso}}"
const subId = "{{subId}}"

class Log {
    static TAG = "[SMS]"
    static Debug = false
    static format(...msg) {
        let m = []
        for (let i = 0; i < msg.length; i++) {
            if (typeof msg[i] === "object") {
                m.push(JSON.stringify(msg[i]))
            } else {
                m.push(msg[i])
            }
        }
        m = m.join(" ")
        return m
    }
    static i(...msg) {
        if (!this.Debug) return
        console.log(`\x1b[30m${this.TAG} ${this.format(...msg)}\x1b[0m`)
    }
    static w(...msg) {
        console.log(`\x1b[33m${this.TAG} ${this.format(...msg)}\x1b[0m`)
    }
    static e(...msg) {
        console.log(`\x1b[31m${this.TAG} ${this.format(...msg)}\x1b[0m`)
    }
    static s(...msg) {
        console.log(`\x1b[32m${this.TAG} ${this.format(...msg)}\x1b[0m`)
    }
}

setImmediate(() => {
    Java.perform(function () {
        Log.i("")
        Log.i("[.] Cert Pinning Bypass/Re-Pinning")

        var CertificateFactory = Java.use(
            "java.security.cert.CertificateFactory"
        )
        var FileInputStream = Java.use("java.io.FileInputStream")
        var BufferedInputStream = Java.use("java.io.BufferedInputStream")
        var X509Certificate = Java.use("java.security.cert.X509Certificate")
        var KeyStore = Java.use("java.security.KeyStore")
        var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory")
        var SSLContext = Java.use("javax.net.ssl.SSLContext")

        // Load CAs from an InputStream
        Log.i("[+] Loading our CA...")
        var cf = CertificateFactory.getInstance("X.509")

        try {
            var fileInputStream = FileInputStream.$new(
                "/data/local/tmp/cert-der.crt"
            )
        } catch (err) {
            Log.i("[o] " + err)
        }

        var bufferedInputStream = BufferedInputStream.$new(fileInputStream)
        var ca = cf.generateCertificate(bufferedInputStream)
        bufferedInputStream.close()

        var certInfo = Java.cast(ca, X509Certificate)
        Log.i("[o] Our CA Info: " + certInfo.getSubjectDN())

        // Create a KeyStore containing our trusted CAs
        Log.i("[+] Creating a KeyStore for our CA...")
        var keyStoreType = KeyStore.getDefaultType()
        var keyStore = KeyStore.getInstance(keyStoreType)
        keyStore.load(null, null)
        keyStore.setCertificateEntry("ca", ca)

        // Create a TrustManager that trusts the CAs in our KeyStore
        Log.i(
            "[+] Creating a TrustManager that trusts the CA in our KeyStore..."
        )
        var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm()
        var tmf = TrustManagerFactory.getInstance(tmfAlgorithm)
        tmf.init(keyStore)
        Log.i("[+] Our TrustManager is ready...")

        Log.i("[+] Hijacking SSLContext methods now...")
        Log.i("[-] Waiting for the app to invoke SSLContext.init()...")

        SSLContext.init.overload(
            "[Ljavax.net.ssl.KeyManager;",
            "[Ljavax.net.ssl.TrustManager;",
            "java.security.SecureRandom"
        ).implementation = function (a, b, c) {
            Log.i("[o] App invoked javax.net.ssl.SSLContext.init...")
            SSLContext.init
                .overload(
                    "[Ljavax.net.ssl.KeyManager;",
                    "[Ljavax.net.ssl.TrustManager;",
                    "java.security.SecureRandom"
                )
                .call(this, a, tmf.getTrustManagers(), c)
            Log.i(
                "[+] SSLContext initialized with our custom TrustManager!"
            )
        }

        const SmsManager = Java.use("android.telephony.SmsManager")
        SmsManager.getSmsManagerForSubscriptionId.overload(
            "int"
        ).implementation = function (i) {
            const _smsManager = this.getSmsManagerForSubscriptionId(i)
            Log.i(`SmsManager.getSmsManagerForSubscriptionId: ${i}`)
            return _smsManager
        }

        SmsManager.getDefault.overload().implementation = function () {
            const _smsManager = this.getDefault()
            Log.i(`SmsManager.getDefault`)
            return _smsManager
        }

        SmsManager.getDefaultSmsSubscriptionId.overload().implementation =
            function () {
                const _subId = this.getDefaultSmsSubscriptionId()
                Log.i(
                    `spoof SmsManager.getDefaultSmsSubscriptionId: ${_subId} -> ${subId}`
                )
                return parseInt(subId)
            }

        SmsManager.getSubscriptionId.overload().implementation = function () {
            const _subId = this.getSubscriptionId()
            Log.i(`SmsManager.getSubscriptionId: ${_subId} -> ${subId}`)
            return parseInt(subId)
        }
        SmsManager.getCarrierConfigValues.overload().implementation =
            function () {
                const _config = this.getCarrierConfigValues()
                Log.i(`SmsManager.getCarrierConfigValues: ${_config}`)
                return _config
            }

        const CarrierConfigManager = Java.use(
            "android.telephony.CarrierConfigManager"
        )
        CarrierConfigManager.getConfigForSubId.overload("int").implementation =
            function (i) {
                const _config = this.getConfigForSubId(i)
                Log.i(`CarrierConfigManager.getConfigForSubId: ${i}`)
                return _config
            }

        const SubscriptionManager = Java.use(
            "android.telephony.SubscriptionManager"
        )
        SubscriptionManager.getActiveSubscriptionInfoCount.overload().implementation =
            function () {
                const _count = this.getActiveSubscriptionInfoCount()
                Log.i(
                    `SubscriptionManager.getActiveSubscriptionInfoCount: ${_count}`
                )
                return _count
            }
        SubscriptionManager.getDefaultSubscriptionId.overload().implementation =
            function () {
                const _subId = this.getDefaultSubscriptionId()
                Log.i(
                    `spoof SubscriptionManager.getDefaultSubscriptionId: ${_subId} -> ${subId}`
                )
                return parseInt(subId)
            }
        SubscriptionManager.getDefaultSmsSubscriptionId.overload().implementation =
            function () {
                const _subId = this.getDefaultSmsSubscriptionId()
                Log.i(
                    `spoof SubscriptionManager.getDefaultSmsSubscriptionId: ${_subId} -> ${subId}`
                )
                return parseInt(subId)
            }
        SubscriptionManager.getDefaultVoiceSubscriptionId.overload().implementation =
            function () {
                const _subId = this.getDefaultVoiceSubscriptionId()
                Log.i(
                    `spoof SubscriptionManager.getDefaultVoiceSubscriptionId: ${_subId} -> ${subId}`
                )
                return parseInt(subId)
            }
        SubscriptionManager.getActiveDataSubscriptionId.overload().implementation =
            function () {
                const _subId = this.getActiveDataSubscriptionId()
                Log.i(
                    `spoof SubscriptionManager.getActiveDataSubscriptionId: ${_subId} -> ${subId}`
                )
                return parseInt(subId)
            }
        SubscriptionManager.getSlotIndex.overload("int").implementation =
            function (i) {
                const _slotIndex = this.getSlotIndex(i)
                Log.i(
                    `spoof SubscriptionManager.getSlotIndex: ${_slotIndex} -> 0`
                )
                return 0
            }
        SubscriptionManager.isUsableSubscriptionId.overload(
            "int"
        ).implementation = function (i) {
            const _isUsable = this.isUsableSubscriptionId(i)
            Log.i(
                `SubscriptionManager.isUsableSubscriptionId: ${_isUsable}`
            )
            return _isUsable
        }
        SubscriptionManager.isValidSubscriptionId.overload(
            "int"
        ).implementation = function (i) {
            const _isValid = this.isValidSubscriptionId(i)
            Log.i(
                `spoof SubscriptionManager.isValidSubscriptionId(${i}): ${_isValid} -> true`
            )
            return true
        }
        SubscriptionManager.getPhoneNumber.overload("int").implementation =
            function (i) {
                Log.i(
                    `spoof SubscriptionManager.getPhoneNumber(${i}): -> ${number}`
                )
                return number
            }
        SubscriptionManager.getPhoneNumber.overload(
            "int",
            "int"
        ).implementation = function (i, i2) {
            Log.i(
                `spoof SubscriptionManager.getPhoneNumber(${i},${i2}): -> ${number}`
            )
            return number
        }
        SubscriptionManager.getActiveSubscriptionInfoList.overload().implementation =
            function () {
                const _list = this.getActiveSubscriptionInfoList()
                Log.i(
                    `SubscriptionManager.getActiveSubscriptionInfoList ${_list.size()}`
                )
                return _list
            }
        SubscriptionManager.getActiveSubscriptionIdList.overload().implementation =
            function () {
                const _list = this.getActiveSubscriptionIdList()
                Log.i(
                    `spoof SubscriptionManager.getActiveSubscriptionIdList ${_list} -> ${subId}`
                )
                return [parseInt(subId)]
            }
        SubscriptionManager.getActiveSubscriptionInfo.overload(
            "int"
        ).implementation = function (i) {
            const _info = this.getActiveSubscriptionInfo(i)

            const simCount = this.getActiveSubscriptionInfoCountMax()

            let subInfo = null
            try {
                for (let i = 0; i < simCount; i++) {
                    subInfo = this.getActiveSubscriptionInfoForSimSlotIndex(i)
                    if (subInfo) {
                        break
                    }
                }
                Log.i(
                    `spoof SubscriptionManager.getActiveSubscriptionInfo(${i})`
                )
            } catch (error) {
                console.error(
                    `spoof error SubscriptionManager.getActiveSubscriptionInfo(${i})`
                )
                error.printStackTrace()
            }
            return subInfo
        }
        SubscriptionManager.getActiveSubscriptionInfoForSimSlotIndex.overload(
            "int"
        ).implementation = function (i) {
            const _info = this.getActiveSubscriptionInfoForSimSlotIndex(i)
            Log.i(
                `SubscriptionManager.getActiveSubscriptionInfoForSimSlotIndex(${i}): ${
                    _info ? "ok" : "null"
                }`
            )
            return _info
        }
        SubscriptionManager.isActiveSubscriptionId.overload(
            "int"
        ).implementation = function (i) {
            const _isActive = this.isActiveSubscriptionId(i)
            Log.i(
                `spoof SubscriptionManager.isActiveSubscriptionId(${i}): ${_isActive} -> true`
            )
            return true
        }

        const SubscriptionInfo = Java.use("android.telephony.SubscriptionInfo")
        SubscriptionInfo.getMcc.overload().implementation = function () {
            const _mcc = this.getMcc()
            Log.i(`spoof SubscriptionInfo.getMcc: ${_mcc} -> ${mcc}`)
            return parseInt(mcc)
        }

        SubscriptionInfo.getMnc.overload().implementation = function () {
            const _mnc = this.getMnc()
            Log.i(`spoof SubscriptionInfo.getMnc: ${_mnc} -> ${mnc}`)
            return parseInt(mnc)
        }

        SubscriptionInfo.getMccString.overload().implementation = function () {
            const _mccString = this.getMccString()
            Log.i(
                `spoof SubscriptionInfo.getMccString: ${_mccString} -> ${mcc}`
            )
            return mcc
        }

        SubscriptionInfo.getMncString.overload().implementation = function () {
            const _mncString = this.getMncString()
            Log.i(
                `spoof SubscriptionInfo.getMncString: ${_mncString} -> ${mnc}`
            )
            return mnc
        }

        SubscriptionInfo.getNumber.overload().implementation = function () {
            const _number = this.getNumber()
            Log.i(
                `spoof SubscriptionInfo.getNumber: ${_number} -> ${number}`
            )
            return number
        }

        SubscriptionInfo.getIccId.overload().implementation = function () {
            const _iccId = this.getIccId()
            Log.i(
                `spoof SubscriptionInfo.getIccId: ${_iccId} -> ${iccId}`
            )
            return iccId
        }

        SubscriptionInfo.getCountryIso.overload().implementation = function () {
            const _countryIso = this.getCountryIso()
            Log.i(
                `spoof SubscriptionInfo.getCountryIso: ${_countryIso} -> ${countryIso}`
            )
            return countryIso
        }

        SubscriptionInfo.getSubscriptionId.overload().implementation =
            function () {
                const _subId = this.getSubscriptionId()
                if (!subId) {
                    Log.i(_subId)
                    return _subId
                }
                Log.i(
                    `spoof SubscriptionInfo.getSubscriptionId: ${_subId} -> ${subId}`
                )
                return parseInt(subId)
            }

        const TelephonyManager = Java.use("android.telephony.TelephonyManager")
        TelephonyManager.createForSubscriptionId.overload(
            "int"
        ).implementation = function (i) {
            Log.i(`spoof TelephonyManager.createForSubscriptionId: ${i}`)
            return this
        }

        TelephonyManager.getLine1Number.overload().implementation =
            function () {
                const _number = this.getLine1Number()
                Log.i(
                    `spoof TelephonyManager.getLine1Number: ${_number} -> ${number}`
                )
                return number
            }

        TelephonyManager.getSimOperator.overload().implementation =
            function () {
                const _simOperator = this.getSimOperator()
                Log.i(
                    `spoof TelephonyManager.getSimOperator: ${_simOperator} -> ${simOperator}`
                )
                return simOperator
            }

        TelephonyManager.getNetworkOperator.overload().implementation =
            function () {
                const _networkOperator = this.getNetworkOperator()
                Log.i(
                    `spoof TelephonyManager.getNetworkOperator: ${_networkOperator} -> ${networkOperator}`
                )
                return networkOperator
            }

        TelephonyManager.getSimSerialNumber.overload().implementation =
            function () {
                const _simSerialNumber = this.getSimSerialNumber()
                Log.i(
                    `spoof TelephonyManager.getSimSerialNumber: ${_simSerialNumber} -> ${simSerialNumber}`
                )
                return simSerialNumber
            }

        TelephonyManager.getSubscriberId.overload().implementation =
            function () {
                const _imsi = this.getSubscriberId()
                Log.i(
                    `spoof TelephonyManager.getSubscriberId: ${_imsi} -> ${imsi}`
                )
                return imsi
            }

        TelephonyManager.getImei.overload().implementation = function () {
            const _imei = this.getImei()
            Log.i(`spoof TelephonyManager.getImei: ${_imei} -> ${imei}`)
            return imei
        }

        TelephonyManager.getNetworkCountryIso.overload().implementation =
            function () {
                const _countryIso = this.getNetworkCountryIso()
                Log.i(
                    `spoof TelephonyManager.getNetworkCountryIso: ${_countryIso} -> ${countryIso}`
                )
                return countryIso
            }

        TelephonyManager.getSimCountryIso.overload().implementation =
            function () {
                const _countryIso = this.getSimCountryIso()
                Log.i(
                    `spoof TelephonyManager.getSimCountryIso: ${_countryIso} -> ${countryIso}`
                )
                return countryIso
            }

        TelephonyManager.getSubscriptionId.overload().implementation =
            function () {
                const _subId = this.getSubscriptionId()
                if (!subId) {
                    Log.i(_subId)
                    return _subId
                }
                Log.i(
                    `spoof TelephonyManager.getSubscriptionId: ${_subId} -> ${subId}`
                )
                return parseInt(subId)
            }

        TelephonyManager.getSimState.overload().implementation = function () {
            const _simState = this.getSimState()
            Log.i(`spoof TelephonyManager.getSimState: ${_simState} -> 5`)
            return 5
        }

        const PhoneNumberVerification = Java.use(
            "com.google.android.gms.constellation.PhoneNumberVerification"
        )
        PhoneNumberVerification.$init.overload(
            "java.lang.String",
            "long",
            "int",
            "int",
            "java.lang.String",
            "android.os.Bundle"
        ).implementation = function (str, j, i, i2, str2, bundle) {
            Log.i("PhoneNumberVerification.$init")

            Log.i(
                `str: ${str}, j: ${j}, i: ${i}, i2: ${i2}, str2: ${str2}`
            )
            // print bundle
            if (bundle) {
                const keySet = bundle.keySet().toArray()
                for (let i = 0; i < keySet.length; i++) {
                    const key = keySet[i]
                    Log.i(`key: ${key}, value: ${bundle.get(key)}`)
                }
            }

            return this.$init(str, j, i, i2, str2, bundle)
        }

        const aays = Java.use("aays")
        aays.d.overload("int", "boolean").implementation = function (i, z) {
            Log.i("aays.d", i, z, Object.keys(this.f.value))

            return number
        }

        const aoor = Java.use("aoor")
        aoor.h.overload("android.content.Context", "int").implementation =
            function (c, i) {
                const _i = this.h(c, i)
                Log.i("aoor.h", c, i, _i)
                return _i
            }

        const SetAsterismConsentRequest = Java.use(
            "com.google.android.gms.asterism.SetAsterismConsentRequest"
        )
        SetAsterismConsentRequest.$init.overload(
            //int i, int i2, int i3, int[] iArr, Long l, int i4, Bundle bundle, int i5, String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8
            "int",
            "int",
            "int",
            "[I",
            "java.lang.Long",
            "int",
            "android.os.Bundle",
            "int",
            "java.lang.String",
            "java.lang.String",
            "java.lang.String",
            "java.lang.String",
            "java.lang.String",
            "java.lang.String",
            "java.lang.String",
            "java.lang.String"
        ).implementation = function (
            i,
            i2,
            i3,
            iArr,
            l,
            i4,
            bundle,
            i5,
            str,
            str2,
            str3,
            str4,
            str5,
            str6,
            str7,
            str8
        ) {
            Log.i(
                Java.use("android.util.Log").getStackTraceString(
                    Java.use("java.lang.Throwable").$new()
                )
            )
            Log.i("SetAsterismConsentRequest.$init")

            Log.i(
                `i: ${i}, i2: ${i2}, i3: ${i3}, iArr: ${iArr}, l: ${l}, i4: ${i4}, i5: ${i5}, str: ${str}, str2: ${str2}, str3: ${str3}, str4: ${str4}, str5: ${str5}, str6: ${str6}, str7: ${str7}, str8: ${str8}`
            )
            // print bundle
            const keySet = bundle.keySet().toArray()
            for (let i = 0; i < keySet.length; i++) {
                const key = keySet[i]
                Log.i(`key: ${key}, value: ${bundle.get(key)}`)
            }

            return this.$init(
                i,
                i2,
                i3,
                iArr,
                l,
                i4,
                bundle,
                i5,
                str,
                str2,
                str3,
                str4,
                str5,
                str6,
                str7,
                str8
            )
        }

        const SetAsterismConsentResponse = Java.use(
            "com.google.android.gms.asterism.SetAsterismConsentResponse"
        )
        SetAsterismConsentResponse.$init.overload(
            "int",
            "java.lang.String",
            "java.lang.String"
        ).implementation = function (i, str, str2) {
            Log.i(
                Java.use("android.util.Log").getStackTraceString(
                    Java.use("java.lang.Throwable").$new()
                )
            )

            Log.i("SetAsterismConsentResponse.$init")
            Log.i(`i: ${i}, str: ${str}, str2: ${str2}`)
            // return this.$init(
            //     1,
            //     "c4q5zP5Ft4A:APA91bEASr50HwwOY789LSZrcHPT8aG_fT19xlelS35qgIJeC3UBYypAHmmL9IygzlphzTKKz0wCdiQwuoPZMJKvgKPmGi3_imdr1CY0s7fs8qa_LMgNDFfvWEnpTCReAYc7IjThhFQq",
            //     "c4q5zP5Ft4A"
            // )
            return this.$init(i, str, str2)
        }
    })

    // spoof sim to exist
    const bjsf = Java.use("bjsf")
    bjsf.s.overload("android.content.Context").implementation = function (c) {
        Log.i("bjsf.s")
        return true
    }

    const asts = Java.use("asts")
    asts.b.overload().implementation = function () {
        const url = this.b()
        Log.i("asts.b(configUrl)", url.orElse("null"))
        Log.i("l", this.l())
        Log.i("g", this.g())
        Log.i("k", this.k())
        const str = Java.use("arhb").M().s().a()
        Log.i("str", str)
        // todo: rcs-acs-mcc%s.jibe.google.com
        return Java.use("j$.util.Optional").of(
            "http://rcs-acs-mcc255.jibe.google.com/"
        )
    }
})