function rootChecking() { var RootPackages = [ "com.noshufou.android.su", "com.noshufou.android.su.elite", "eu.chainfire.supersu", "com.koushikdutta.superuser", "com.thirdparty.superuser", "com.yellowes.su", "com.koushikdutta.rommanager", "com.koushikdutta.rommanager.license", "com.dimonvideo.luckypatcher", "com.chelpus.lackypatch", "com.ramdroid.appquarantine", "com.ramdroid.appquarantinepro", "com.devadvance.rootcloak", "com.devadvance.rootcloakplus", "de.robv.android.xposed.installer", "com.saurik.substrate", "com.zachspong.temprootremovejb", "com.amphoras.hidemyroot", "com.amphoras.hidemyrootadfree", "com.formyhm.hiderootPremium", "com.formyhm.hideroot", "me.phh.superuser", "eu.chainfire.supersu.pro", "com.kingouser.com", "com.topjohnwu.magisk", ]; var RootBinaries = [ "su", "busybox", "supersu", "Superuser.apk", "KingoUser.apk", "SuperSu.apk", "magisk", ]; var RootProperties = { "ro.build.selinux": "1", "ro.debuggable": "0", "service.adb.root": "0", "ro.secure": "1", }; var RootPropertiesKeys = []; for (var k in RootProperties) RootPropertiesKeys.push(k); var PackageManager = Java.use("android.app.ApplicationPackageManager"); var Runtime = Java.use("java.lang.Runtime"); var NativeFile = Java.use("java.io.File"); var String = Java.use("java.lang.String"); var SystemProperties = Java.use("android.os.SystemProperties"); var BufferedReader = Java.use("java.io.BufferedReader"); var ProcessBuilder = Java.use("java.lang.ProcessBuilder"); var StringBuffer = Java.use("java.lang.StringBuffer"); var loaded_classes = Java.enumerateLoadedClassesSync(); send("Loaded " + loaded_classes.length + " classes!"); var useKeyInfo = false; var useProcessManager = false; send("loaded: " + loaded_classes.indexOf("java.lang.ProcessManager")); if (loaded_classes.indexOf("java.lang.ProcessManager") != -1) { try { //useProcessManager = true; //var ProcessManager = Java.use('java.lang.ProcessManager'); } catch (err) { send("ProcessManager Hook failed: " + err); } } else { send("ProcessManager hook not loaded"); } var KeyInfo = null; if (loaded_classes.indexOf("android.security.keystore.KeyInfo") != -1) { try { //useKeyInfo = true; //var KeyInfo = Java.use('android.security.keystore.KeyInfo'); } catch (err) { send("KeyInfo Hook failed: " + err); } } else { send("KeyInfo hook not loaded"); } PackageManager.getPackageInfo.overload( "java.lang.String", "int" ).implementation = function (pname, flags) { var shouldFakePackage = RootPackages.indexOf(pname) > -1; if (shouldFakePackage) { send("Bypass root check for package: " + pname); pname = "set.package.name.to.a.fake.one.so.we.can.bypass.it"; } return this.getPackageInfo .overload("java.lang.String", "int") .call(this, pname, flags); }; NativeFile.exists.implementation = function () { var name = NativeFile.getName.call(this); var shouldFakeReturn = RootBinaries.indexOf(name) > -1; if (shouldFakeReturn) { send("Bypass return value for binary: " + name); return false; } else { return this.exists.call(this); } }; var exec = Runtime.exec.overload("[Ljava.lang.String;"); var exec1 = Runtime.exec.overload("java.lang.String"); var exec2 = Runtime.exec.overload("java.lang.String", "[Ljava.lang.String;"); var exec3 = Runtime.exec.overload( "[Ljava.lang.String;", "[Ljava.lang.String;" ); var exec4 = Runtime.exec.overload( "[Ljava.lang.String;", "[Ljava.lang.String;", "java.io.File" ); var exec5 = Runtime.exec.overload( "java.lang.String", "[Ljava.lang.String;", "java.io.File" ); exec5.implementation = function (cmd, env, dir) { if ( cmd.indexOf("getprop") != -1 || cmd == "mount" || cmd.indexOf("build.prop") != -1 || cmd == "id" || cmd == "sh" ) { var fakeCmd = "grep"; send("Bypass " + cmd + " command"); return exec1.call(this, fakeCmd); } if (cmd == "su") { var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"; send("Bypass " + cmd + " command"); return exec1.call(this, fakeCmd); } return exec5.call(this, cmd, env, dir); }; exec4.implementation = function (cmdarr, env, file) { for (var i = 0; i < cmdarr.length; i = i + 1) { var tmp_cmd = cmdarr[i]; if ( tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id" || tmp_cmd == "sh" ) { var fakeCmd = "grep"; send("Bypass " + cmdarr + " command"); return exec1.call(this, fakeCmd); } if (tmp_cmd == "su") { var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"; send("Bypass " + cmdarr + " command"); return exec1.call(this, fakeCmd); } } return exec4.call(this, cmdarr, env, file); }; exec3.implementation = function (cmdarr, envp) { for (var i = 0; i < cmdarr.length; i = i + 1) { var tmp_cmd = cmdarr[i]; if ( tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id" || tmp_cmd == "sh" ) { var fakeCmd = "grep"; send("Bypass " + cmdarr + " command"); return exec1.call(this, fakeCmd); } if (tmp_cmd == "su") { var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"; send("Bypass " + cmdarr + " command"); return exec1.call(this, fakeCmd); } } return exec3.call(this, cmdarr, envp); }; exec2.implementation = function (cmd, env) { if ( cmd.indexOf("getprop") != -1 || cmd == "mount" || cmd.indexOf("build.prop") != -1 || cmd == "id" || cmd == "sh" ) { var fakeCmd = "grep"; send("Bypass " + cmd + " command"); return exec1.call(this, fakeCmd); } if (cmd == "su") { var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"; send("Bypass " + cmd + " command"); return exec1.call(this, fakeCmd); } return exec2.call(this, cmd, env); }; exec.implementation = function (cmd) { for (var i = 0; i < cmd.length; i = i + 1) { var tmp_cmd = cmd[i]; if ( tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id" || tmp_cmd == "sh" ) { var fakeCmd = "grep"; send("Bypass " + cmd + " command"); return exec1.call(this, fakeCmd); } if (tmp_cmd == "su") { var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"; send("Bypass " + cmd + " command"); return exec1.call(this, fakeCmd); } } return exec.call(this, cmd); }; exec1.implementation = function (cmd) { if ( cmd.indexOf("getprop") != -1 || cmd == "mount" || cmd.indexOf("build.prop") != -1 || cmd == "id" || cmd == "sh" ) { var fakeCmd = "grep"; send("Bypass " + cmd + " command"); return exec1.call(this, fakeCmd); } if (cmd == "su") { var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"; send("Bypass " + cmd + " command"); return exec1.call(this, fakeCmd); } return exec1.call(this, cmd); }; String.contains.implementation = function (name) { if (name == "test-keys") { send("Bypass test-keys check"); return false; } return this.contains.call(this, name); }; var get = SystemProperties.get.overload("java.lang.String"); get.implementation = function (name) { if (RootPropertiesKeys.indexOf(name) != -1) { send("Bypass " + name); return RootProperties[name]; } return this.get.call(this, name); }; Interceptor.attach(Module.findExportByName("libc.so", "fopen"), { onEnter: function (args) { var path = Memory.readCString(args[0]); path = path.split("/"); var executable = path[path.length - 1]; var shouldFakeReturn = RootBinaries.indexOf(executable) > -1; if (shouldFakeReturn) { Memory.writeUtf8String(args[0], "/notexists"); send("Bypass native fopen"); } }, onLeave: function (retval) {}, }); Interceptor.attach(Module.findExportByName("libc.so", "system"), { onEnter: function (args) { var cmd = Memory.readCString(args[0]); send("SYSTEM CMD: " + cmd); if ( cmd.indexOf("getprop") != -1 || cmd == "mount" || cmd.indexOf("build.prop") != -1 || cmd == "id" ) { send("Bypass native system: " + cmd); Memory.writeUtf8String(args[0], "grep"); } if (cmd == "su") { send("Bypass native system: " + cmd); Memory.writeUtf8String( args[0], "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled" ); } }, onLeave: function (retval) {}, }); /* TO IMPLEMENT: Exec Family int execl(const char *path, const char *arg0, ..., const char *argn, (char *)0); int execle(const char *path, const char *arg0, ..., const char *argn, (char *)0, char *const envp[]); int execlp(const char *file, const char *arg0, ..., const char *argn, (char *)0); int execlpe(const char *file, const char *arg0, ..., const char *argn, (char *)0, char *const envp[]); int execv(const char *path, char *const argv[]); int execve(const char *path, char *const argv[], char *const envp[]); int execvp(const char *file, char *const argv[]); int execvpe(const char *file, char *const argv[], char *const envp[]); */ BufferedReader.readLine.overload("boolean").implementation = function () { var text = this.readLine.overload("boolean").call(this); if (text === null) { // just pass , i know it's ugly as hell but test != null won't work :( } else { var shouldFakeRead = text.indexOf("ro.build.tags=test-keys") > -1; if (shouldFakeRead) { send("Bypass build.prop file read"); text = text.replace( "ro.build.tags=test-keys", "ro.build.tags=release-keys" ); } } return text; }; var executeCommand = ProcessBuilder.command.overload("java.util.List"); ProcessBuilder.start.implementation = function () { var cmd = this.command.call(this); var shouldModifyCommand = false; for (var i = 0; i < cmd.size(); i = i + 1) { var tmp_cmd = cmd.get(i).toString(); if ( tmp_cmd.indexOf("getprop") != -1 || tmp_cmd.indexOf("mount") != -1 || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd.indexOf("id") != -1 ) { shouldModifyCommand = true; } } if (shouldModifyCommand) { send("Bypass ProcessBuilder " + cmd); this.command.call(this, ["grep"]); return this.start.call(this); } if (cmd.indexOf("su") != -1) { send("Bypass ProcessBuilder " + cmd); this.command.call(this, [ "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled", ]); return this.start.call(this); } return this.start.call(this); }; if (useProcessManager) { var ProcManExec = ProcessManager.exec.overload( "[Ljava.lang.String;", "[Ljava.lang.String;", "java.io.File", "boolean" ); var ProcManExecVariant = ProcessManager.exec.overload( "[Ljava.lang.String;", "[Ljava.lang.String;", "java.lang.String", "java.io.FileDescriptor", "java.io.FileDescriptor", "java.io.FileDescriptor", "boolean" ); ProcManExec.implementation = function (cmd, env, workdir, redirectstderr) { var fake_cmd = cmd; for (var i = 0; i < cmd.length; i = i + 1) { var tmp_cmd = cmd[i]; if ( tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id" ) { var fake_cmd = ["grep"]; send("Bypass " + cmdarr + " command"); } if (tmp_cmd == "su") { var fake_cmd = [ "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled", ]; send("Bypass " + cmdarr + " command"); } } return ProcManExec.call(this, fake_cmd, env, workdir, redirectstderr); }; ProcManExecVariant.implementation = function ( cmd, env, directory, stdin, stdout, stderr, redirect ) { var fake_cmd = cmd; for (var i = 0; i < cmd.length; i = i + 1) { var tmp_cmd = cmd[i]; if ( tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id" ) { var fake_cmd = ["grep"]; send("Bypass " + cmdarr + " command"); } if (tmp_cmd == "su") { var fake_cmd = [ "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled", ]; send("Bypass " + cmdarr + " command"); } } return ProcManExecVariant.call( this, fake_cmd, env, directory, stdin, stdout, stderr, redirect ); }; } if (useKeyInfo) { KeyInfo.isInsideSecureHardware.implementation = function () { send("Bypass isInsideSecureHardware"); return true; }; } } var config = { package: "com.margento.slovenskezeleznice", printSummary: true, printDefinition: true, printArgs: true, printReturn: true, excludeStrings: [], timeout: 500, }; var levels = { info: "INFO", warn: "WARN", error: "ERROR", }; var colors = { reset: "\x1b[39;49;00m", black: "\x1b[30;01m", blue: "\x1b[34;01m", cyan: "\x1b[36;01m", gray: "\x1b[37;11m", green: "\x1b[32;01m", purple: "\x1b[35;01m", red: "\x1b[31;01m", yellow: "\x1b[33;01m", light: { black: "\x1b[30;11m", blue: "\x1b[34;11m", cyan: "\x1b[36;11m", gray: "\x1b[37;01m", green: "\x1b[32;11m", purple: "\x1b[35;11m", red: "\x1b[31;11m", yellow: "\x1b[33;11m", }, }; function log(level, text) { console.log( `${ level === levels.info ? colors.light.blue : level === levels.warn ? colors.light.yellow : colors.light.red }[${level}]${colors.reset} ${text}` ); } function inspectClass(obj) { var methods = obj.class.getDeclaredMethods(); methods.forEach((m) => { var name = m.getName(); var method = obj[name]; if (!method) { return; } if (config.printSummary) { log(levels.info, `\t\t- Method: ${name}`); } var overloads = method.overloads; for (var overload of overloads) { overload.implementation = function () { log( levels.warn, `+ Call: ${ config.printDefinition ? m : m.getDeclaringClass().getName() + "." + name }` ); if (config.printArgs) { var i = 0; for (var arg of arguments) { if (arg !== null && arg !== undefined) { log(levels.warn, `\t\t- Args[${i}]: ${arg.toString()}`); } i++; } } var ret = this[name].apply(this, arguments); if (config.printReturn) { if (ret !== null && ret !== undefined) { log(levels.warn, `\t\t- Return: ${ret.toString()}`); } } return ret; }; } }); } function tracePackage() { console.log(); Java.enumerateLoadedClassesSync() .filter((c) => c.includes(config.package)) .forEach((c) => { try { if (config.printSummary) { log(levels.info, `+ Class: ${c}`); } if ( config.excludeStrings.filter((e) => c.toString().includes(e)).length ) { return; } var obj = Java.use(c); inspectClass(obj); } catch (e) { log(levels.error, e); } }); } Java.perform(function () { rootChecking(); }); Java.perform(function () { //tracePackage(); }); function triggerClient() { Java.perform(function () { Java.choose("u11", { onMatch: (instance) => { inspectClass(instance); instance.getRequest.implementation = function (request) { const body = this.getRequest(request); console.log(body); return body; }; return instance; }, onComplete: () => {}, }); }); } Java.perform(function () { const JString = Java.use("java.lang.String"); const JBase64 = Java.use("android.util.Base64"); const JStandardCharsets = Java.use("java.nio.charset.StandardCharsets"); const cryptoUtil = Java.use( "com.margento.slovenskezeleznice.util.CryptoUtil" ); // Decryption cryptoUtil.a.implementation = function (encrypted, context) { const jsonByteArray = this.a(encrypted, context); const json = JString.$new(jsonByteArray); console.log("Response decrypted: ", json); console.log("Response encrypted: ", JBase64.encodeToString(encrypted, 2)); return jsonByteArray; }; // Encryption cryptoUtil.b.implementation = function (json, context) { const encrypted = this.b(json, context); console.log("Request decrypted: ", json); console.log("Request encrypted: ", JString.$new(encrypted)); return encrypted; }; cryptoUtil.r.implementation = function (authnticateDeviceResult) { this.r(authnticateDeviceResult); console.log("TOKEN: ", authnticateDeviceResult.getToken()); }; });