The first scriptable Xposed module, providing a new way to change application behavior.
Powered by Lua and made with ♥
Features
Lua scripting
Simple and intuitive hook API
Share your package with others by publishing it at WeiJu2-Scripts
Q&A
How to write a hook?
Code:
local Toast = import("android.widget.Toast")
local Activity = import("android.app.Activity")
local Bundle = import("android.os.Bundle")
local StringBuilder = import("java.lang.StringBuilder")

hook {
  class = Activity,
  returns = void,
  method = "onCreate",
  params = {
    Bundle
  },
  after = function(this, params)
    -- This will call the `StringBuilder(CharSequence seq)` constructor
    -- to instantiate a StringBuilder object
    local sb = StringBuilder("Hello, ")
    sb:append("WeiJu2")
    Toast:makeText(this, sb:toString(), Toast.LENGTH_SHORT):show()
    --             ^
    -- Note: `this` is the Activity instance
  end,
}
How to modify class fields?
Code:
-- With the `import` function you can bind any Java class and access all the fields and methods that are defined
-- in that class. No more `XposedHelper.setStaticObjectField(Build.class, "DEVICE", "coral")`; much cleaner!
local Build = import("android.os.Build")
Build.DEVICE = "coral"
Build.PRODUCT = "coral"
Build.MODEL = "Google Pixel 4XL"
Build.BRAND = "google"
Build.MANUFACTURER = "google"
Build.VERSION.RELEASE = "13"
How to import a package?
Code:
require("ikws4.system_variable").setup {
  -- configs go here
}
How to create a package?
A basic package template:
Code:
--[[
@metadata
  return {
    name = "my_package",
    author = "you",
    version = "1.0.0",
    description = "Describe your package"
  }
@end
--]]

local config = {
}

local M = {}

M.setup = function(opts)
  config = table.extend(config, opts or {})
end

return M
Want to share your work with others? Create a PR at WeiJu2-Scripts
Download
GitHub release: nightly build
zhipingne said:
scriptable xposed module
Looks good
I wish you good luck
Hi @zhipingne
Since from what I understand, it is possible to inject Lua code via Xposed with your application, in your opinion would it be possible to act on all applications embedding web browsers to navigate on web pages adapted to mobiles?
Example: inject CSS rules globally on all user applications to affect some like Spotify, Discord, Teams and others?
If it's possible I'll have fun!
Sorry for the late response. I was experimenting with a way to inject custom CSS into WebView over the last two days, and finally got a working demo. (It took so much time because of the `object` function; in order to proxy a concrete class we need to generate a dex file at runtime lol)
FYI, I followed this article: https://medium.com/@fanisveizis/usi...d-js-scripts-on-android-webviews-6da0502d6595
UPDATE
It stopped working... The `dex` file that is generated at runtime is not loaded back properly on the next launch.
Ok, do you think it is possible to achieve something functional in the end?
I would be very interested.
Thx
Yes, I think it's possible
When I think about it, in fact your module can become as powerful as substratum if we want?
Code:
{
  "builtin": false,
  "collection": "Privacy",
  "group": "Use.Tracking",
  "name": "DeviceIntegrityCheck\/checkIntegrity",
  "author": "B!",
  "version": 0,
  "description": "Skip asitplus device integrity check",
  "className": "at.asitplus.utils.deviceintegrity.DeviceIntegrityCheck",
  "methodName": "checkIntegrity",
  "parameterTypes": [],
  "returnType": "void",
  "minSdk": 1,
  "maxSdk": 999,
  "minApk": 0,
  "maxApk": 2147483647,
  "enabled": true,
  "optional": false,
  "usage": true,
  "notify": false,
  "luaScript": "function before(hook, param)\n param:setResult(nil)\n return true\nend\n"
}
(Thanks to B!GBOY)
Is it possible to run such a XPrivacyLua script? If so, how formatted?
Code:
local DeviceIntegrityCheck = import("at.asitplus.utils.deviceintegrity.DeviceIntegrityCheck")

hook {
  class = DeviceIntegrityCheck,
  returns = void,
  method = "checkIntegrity",
  before = function(this, params)
    return nil
  end
}
Maybe I can write a converter for this.
@zhipingne
Awesome. Worked right away. Thank you very much!
The version is not available...
I'm sorry for the late response.
What do you mean by not available? Can it not be downloaded?
If so, here is the Google Drive link https://drive.google.com/file/d/1upurJDTJ5nS3RodsqLTCJKFg9daN4EaH/view?usp=sharing
Thank you for this module, it looks awesome! Do you think it would be possible to use it to implement java code, such as a java script to disable the elastic overscroll in Android 12+? There is an example in java located here that I would like to test.
https://github.com/ionic-team/capacitor/issues/5384
Yes, you can translate Java code into WeiJu2 scripts, here is an example:
Code:
local BridgeActivity = import("com.getcapacitor.BridgeActivity")

hook {
  class = BridgeActivity,
  returns = void,
  method = "onStart",
  after = function(this, params)
    local webview = this:getBridge():getWebView();
    webview:setOverScrollMode(webview.OVER_SCROLL_NEVER);
  end
}
Note: I didn't test the code; it's just an example to show it's possible to implement Java code using a WeiJu2 hook.
UPDATE
How to disable Programmatically Android 12 Elastic Scroll Animation
how can I turn off the elastic scroll effect that comes with android 12? Best regards
stackoverflow.com
https://cs.android.com/android/platform/superproject/+/master:frameworks/base/core/java/android/view/View.java;drc=c645853ab73ac8c5889b42f4ce7dc9353ee8fd35;bpv=1;bpt=1;l=3657
I think this code will make all views non-overscrollable.
Code:
local View = import("android.view.View")

hook {
  class = View,
  returns = void,
  method = "setOverScrollMode",
  before = function(this, params)
    local OVER_SCROLL_NEVER = 2
    params[1] = OVER_SCROLL_NEVER
  end
}
Thank you for the reply. That's awesome to hear. I'm going to keep messing around with it to see if I can disable the overscroll then. The code that you provided unfortunately doesn't work for all apps. It does work for some however. I believe there is another hook somewhere that must be disabled as well. If you have any ideas they would be greatly appreciated.
Thank you again for the app. It's amazing!
Try this to see if it works
Code:
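local View = import "android.view.View"
-- Context and AttributeSet are referenced in `params` below, so they are imported as well
local Context = import "android.content.Context"
local AttributeSet = import "android.util.AttributeSet"
local OVER_SCROLL_NEVER = 2

hook {
  class = View,
  params = {
    Context,
    AttributeSet,
    int,
  },
  after = function(this, params)
    this.mOverScrollMode = OVER_SCROLL_NEVER
  end,
}

hook {
  class = View,
  returns = void,
  method = "setOverScrollMode",
  before = function(this, params)
    params[1] = OVER_SCROLL_NEVER
  end,
}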
Thank you for the attempt, but unfortunately, that doesn't seem to fix it either. I've asked multiple developers to see if they could sort it and nobody has been able to so far. I don't know how Google implemented it so deep, but it seems very difficult to remove the "accordion" scroll. Thank you for trying though. If you have any ideas though, they would be greatly appreciated.
zhipingne said:
I'm sorry for the late response.
What do you mean by not available? Can it not be downloaded?
If so, here is the Google Drive link https://drive.google.com/file/d/1upurJDTJ5nS3RodsqLTCJKFg9daN4EaH/view?usp=sharing
Thanks! The apk isn't posted on the first post or on github.
This does seem like a replacement for XprivacyLua which just stopped being supported.
It works perfectly! Thank you very much.
One more thing: is there a way we can load a script from a local file instead of writing it directly in the module interface, please?
File access causes me a lot of headaches, and the current implementation still has some flaws.
Why would you want to load a script from a file?
ref: https://github.com/ikws4/WeiJu2/issues/7#issuecomment-1248109818
Modify the root of trust in local attestations.
This module modifies the byte array obtained from certificate extensions (link) to spoof a fake root of trust, so we get a fake attestation with a locked bootloader.
More info about certificate extensions:
Verifying hardware-backed key pairs with Key Attestation | Android Developers
A tool for verifying security properties of hardware-backed key pairs.
developer.android.com
NOTES:
- This module doesn't work with devices whose TEE is broken, like OnePlus.
- You won't pass MEETS_STRONG_INTEGRITY using this.
Source code and download:
GitHub - chiteroman/BootloaderSpoofer: Spoof a locked bootloader in local attestations
github.com
Apps detecting a locked bootloader:
- Key Attestation Demo (WORKING)
- CIB Egypt Mobile Banking (WORKING)
- Bet365 Authenticator (NOT WORKING)
swer45 said:
Spoofs a fake root of trust in local attestations.
NOTE: this Xposed module won't help you to pass MEETS_STRONG_INTEGRITY in Play Integrity API.
It only works in local attestations, for example, Key Attestation Demo or some bank apps like CIB.
If you are a developer and want to check if the device has an unlocked bootloader, never trust user data. You must send to a secure server the X509Certificate and check the attestation extension in that server, or use Play Integrity API. NEVER TRUST USER DATA BECAUSE THINGS LIKE THIS MODULE MAY HAPPEN
Also Play Integrity API isn't perfect, I can pass MEETS_STRONG_INTEGRITY with my unlocked bootloader device.
Sooo, don't check anything. Let users do whatever they want with their devices.
Like safetynet-fix by kdrag0n, this should be implemented in custom ROMs, so Xposed won't be required and can't be detected by apps like Momo.
You can get a locked bootloader with this
I'm working on a Zygisk module.
Repo and download: https://github.com/swer45/AttestationSpoofer
What apps to choose in LSPosed module settings? Google Play, Google Services, System Framework???
Moreover, is it fully compatible with USNF Mod of Displax or SN Sensitive Props of HuskyDG, please?
Really sorry, because it's rather on this thread that I had to ask this question
Edit: Again sorry for the inconvenience, because here is the answer
innit said:
What apps to choose in LSPosed module settings? Google Play, Google Services, System Framework???
None of these, just add apps that detect an unlocked bootloader like CIB.
MobAndro said:
Moreover, is it fully compatible with USNF Mod of Displax or SN Sensitive Props of HuskyDG, please?
Yes.
Thank you
Hi mate, thanks for the module. I'm just curious what did you mean here:
swer45 said:
Also Play Integrity API isn't perfect, I can pass MEETS_STRONG_INTEGRITY with my unlocked bootloader device.
Did you mean that you have found some kind of real fix for unlocked bootloaders, but you don't want it to go public or that your device is a very specific one and passes strong integrity because of some built-in bug?
Nothing of the sort. There is a more mundane explanation. Simply, Google has bugs in their servers that allow certain certificates you submit for certain device models with early TEEs to be replicated and forged. I still don't quite know how it's done, but the folks at xiaomi.eu have it implemented in some of their ROMs.
I have edited the thread name and post to make it clear what my module does and what limits it has. I have also added a list with the apps I know that detect if you have the bootloader locked, if you know more apps that do the same, pass them here and I will add them.
Can You Include InstaPay - QNB
For InstaPay Here after using Apktool - found that it depends on this Smali file for connection suspension :
.class public final Lo/onConnectionSuspended;
.super Ljava/lang/Object;
.source ""

# static fields
.field public static final APP_TAMPERED:I = 0x80
.field public static final CERTIFICATE_TAMPERED:I = 0x40
.field public static final CLOCK_RATE_INTEGRITY:I = 0x400
.field public static final DEBUGGABLE:I = 0x4
.field public static final DEBUGGER_ATTACHED:I = 0x10
.field public static final DEBUG_BLOCKER_ATTACKED:I = 0x2000
.field public static final DEBUG_BLOCKER_FAILED:I = 0x1000
.field public static final EMULATOR:I = 0x8
.field public static final FILES_TAMPERED:I = 0x100
.field public static final HOOKED:I = 0x1
.field public static final MEMORY_INTEGRITY:I = 0x800
.field public static final ROOTED:I = 0x2
.field public static final SELINUX_INTEGRITY:I = 0x4000
.field public static final SIGNED_WITH_DEBUG_KEYS:I = 0x200
.field public static final VIRTUAL_ENVIRONMENT:I = 0x20

# direct methods
.method public constructor <init>()V
    .locals 0

    .line 15
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V

    return-void
.end method
Dear swer45, could you also take a look at this repo that could be able to remove the checks from both apps
GitHub - Crazyphil/digitales-amt-liberator: Removes root and bootloader checks from the Digitales Amt app
github.com
Also this method isn't the best and it's very complicated, I don't know why the devs use it. It's much better to obtain the certificate (signed) of the phone using a native library, send it to a server, and check the certificate extensions. That will be impossible to hack or bypass (unless you hack the server or hack the TEE).
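The server-side check described in the post above, as an added example that is not part of the thread or of any project mentioned in it: the server walks the key attestation extension (OID 1.3.6.1.4.1.11129.2.1.17) of the leaf certificate and applies its own policy instead of trusting a verdict computed on the device. It assumes the certificate chain has already been validated up to a trusted attestation root and that the extension value was extracted by the server's X.509 library; all function names are hypothetical and the sample bytes are constructed.

```python
# Added example, not from the thread; certificate-chain validation is assumed done.
ROOT_OF_TRUST_TAG = 704  # [704] EXPLICIT RootOfTrust inside an AuthorizationList
BOOT_STATES = {0: "Verified", 1: "SelfSigned", 2: "Unverified", 3: "Failed"}
SECURITY_LEVELS = {0: "Software", 1: "TrustedEnvironment", 2: "StrongBox"}

def read_tlv(buf, pos):
    """Decode one DER element; return (tag_class, tag_number, value, next_pos)."""
    first = buf[pos]
    pos += 1
    cls, num = first >> 6, first & 0x1F
    if num == 0x1F:  # high-tag-number form: base-128 digits follow
        num = 0
        while True:
            byte = buf[pos]
            pos += 1
            num = (num << 7) | (byte & 0x7F)
            if not byte & 0x80:
                break
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return cls, num, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (class, number, value)."""
    items, pos = [], 0
    while pos < len(value):
        cls, num, val, pos = read_tlv(value, pos)
        items.append((cls, num, val))
    return items

def parse_key_description(ext_value):
    """Extract the fields a server-side policy needs from KeyDescription."""
    fields = children(read_tlv(ext_value, 0)[2])
    if len(fields) < 8:
        raise ValueError("not a KeyDescription")
    info = {"security_level": SECURITY_LEVELS.get(fields[1][2][0]),
            "challenge": fields[4][2], "root_of_trust": None}
    # fields[6] is softwareEnforced, fields[7] is the hardware-enforced list.
    # Only the hardware-enforced list is read; a RootOfTrust elsewhere is ignored.
    for cls, num, val in children(fields[7][2]):
        if cls == 2 and num == ROOT_OF_TRUST_TAG:
            rot = children(read_tlv(val, 0)[2])
            info["root_of_trust"] = {"device_locked": rot[1][2] != b"\x00",
                                     "boot_state": BOOT_STATES.get(rot[2][2][0])}
    return info

def accept(ext_value, expected_challenge):
    """Policy: hardware-backed key, server-issued challenge, locked and verified boot."""
    info = parse_key_description(ext_value)
    rot = info["root_of_trust"]
    return (info["security_level"] in ("TrustedEnvironment", "StrongBox")
            and info["challenge"] == expected_challenge
            and rot is not None and rot["device_locked"]
            and rot["boot_state"] == "Verified")

def tlv(tag, value):  # sample builder only; short-form lengths (< 128 bytes)
    return tag + bytes([len(value)]) + value

def sample_extension(locked, boot_state, challenge=b"nonce-123", hw_list=True):
    """Constructed sample KeyDescription, not captured from a real device."""
    rot = tlv(b"\x30", tlv(b"\x04", bytes(32)) + tlv(b"\x01", b"\xff" if locked else b"\x00")
              + tlv(b"\x0a", bytes([boot_state])) + tlv(b"\x04", bytes(32)))
    auth = tlv(b"\x30", tlv(b"\xbf\x85\x40", rot))
    empty = tlv(b"\x30", b"")
    return tlv(b"\x30", tlv(b"\x02", b"\x04") + tlv(b"\x0a", b"\x01")
               + tlv(b"\x02", b"\x29") + tlv(b"\x0a", b"\x01")
               + tlv(b"\x04", challenge) + tlv(b"\x04", b"")
               + (empty + auth if hw_list else auth + empty))
```

The decision is only meaningful when the challenge is a fresh nonce issued by the server for this request and the parsed certificate is the leaf of the validated chain.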
Would this allow gpay to work?
Gpay doesn't check the bootloader status, install these Zygisk modules:
- https://github.com/Displax/safetynet-fix/releases/latest
- https://github.com/LSPosed/LSPosed.github.io/releases/latest
Reboot the device and check the PI result: https://play.google.com/store/apps/details?id=gr.nikolasspyr.integritycheck
You should pass all checks except Strong
Does gpay look for root or various other tampered settings / props? I know it's a bit off topic but I'm interested to understand what the app looks for it to trip / find root.
All Google apps use Droidguard (like an anticheat for Android) to check for root or Xposed. Just tick GMS in the Magisk deny list (without enforcing it) and you will hide root (for this you need the Shamiko module). But you also need a valid device with a locked bootloader; since Google still doesn't check that well, you can fake your device's fingerprint to an older one (Universal Safety Net Bypass module) and bypass it. As a result, in Play Integrity you will pass BASIC and DEVICE integrity (STRONG requires a locked bootloader or spoofing certificates, which is difficult). No known app requires STRONG integrity at the moment, but there are a few apps that check bootloader status; that's why I created this module.
Understood thanks. If gpay doesn't check for the bootloader status. And Magisk hides root from droidguard.... What's the need for USNF by displax in this use case for GPAY? Does this do something in addition to Magisk deny list and shamiko?
The reason I'm asking is that there is a method to build GrapheneOS from source rooted with a locked bootloader. But USNF by displax doesn't work on that OS and was wondering if your module baked into source would help GrapheneOS pass PI.
GMS is not a privileged app on GrapheneOS, but didn't know if gpay cared about that.
Thanks for this. I'll probably have to do more digging
swer45 said:
All Google apps use Droidguard (like an anticheat for Android) to check for root or Xposed. Just tick GMS in the Magisk deny list (without enforcing it) and you will hide root (for this you need the Shamiko module). But you also need a valid device with a locked bootloader; since Google still doesn't check that well, you can fake your device's fingerprint to an older one (Universal Safety Net Bypass module) and bypass it. As a result, in Play Integrity you will pass BASIC and DEVICE integrity (STRONG requires a locked bootloader or spoofing certificates, which is difficult). No known app requires STRONG integrity at the moment, but there are a few apps that check bootloader status; that's why I created this module.
Someone mentioned hidemyapp is better to use for hiding root from apps; don't know how accurate that info is, though.
It is confusing what to be using and gets regular updates, as so many modules do the same type of thing, shamiko/hidemyapp etc