Hi，大家好，我是编程小6，很荣幸遇见你，我把这些年在开发过程中遇到的问题或想法写出来，今天说一说
攻防世界pwn新手区_攻防世界是什么,希望能够帮助你!!!。

前言

下面介绍两个反编译工具

• jadx是一个用于反编译Android APK文件的开源工具，静态反编译，查找索引功能强大
• jeb和IDA很像，属于动态调试，可以看java汇编也可以生成伪代码，还可以动态attach到目标调试

对于so文件的逆向工具选择

• IDA逆向工具是一款反汇编器，被广泛应用于软件逆向工程领域，能够反汇编各种不同平台的二进制程序代码，并还原成可读的汇编代码。

Objection是一款移动设备运行时漏洞利用工具，该工具由Frida驱动，可以帮助研究人员访问移动端应用程序，并在无需越狱或root操作的情况下对移动端应用程序的安全进行评估检查。

安装命令

pip3 install objection 

frida是一款便携的、自由的、支持全平台的hook框架，可以通过编写JavaScript、Python代码来和frida_server端进行交互

frida的安装可以参考：https://www.jianshu.com/p/60cfd3f6afde

一、你是谁

1.题目

2.答题

2.1 运行app

发现是游戏，需要找到语音函数

2.2 jadx反编译app

package xyz.konso.testsrtp; import android.app.Activity; import android.media.AudioManager; import android.os.Bundle; import android.util.Log; import android.widget.Button; import android.widget.Toast; import com.iflytek.cloud.InitListener; import com.iflytek.cloud.RecognizerListener; import com.iflytek.cloud.RecognizerResult; import com.iflytek.cloud.SpeechConstant; import com.iflytek.cloud.SpeechError; import com.iflytek.cloud.SpeechRecognizer; import com.iflytek.cloud.SpeechSynthesizer; import com.iflytek.cloud.SpeechUtility; import com.iflytek.cloud.SynthesizerListener; import org.json.JSONObject; /* loaded from: classes.dex */ public class MainActivity extends Activity { 
    private Button button1; private Button button2; private AudioManager mAudioManager; private SpeechRecognizer mIat; private SpeechSynthesizer mTts; private JSONObject res; private String ss; private String TAG = "shitou"; private InitListener mInitListener = new InitListener() { 
    // from class: xyz.konso.testsrtp.MainActivity.1 @Override // com.iflytek.cloud.InitListener public void onInit(int code) { 
    Log.d(MainActivity.this.TAG, "SpeechRecognizer init() code = " + code); } }; private SynthesizerListener mSynListener = new SynthesizerListener() { 
    // from class: xyz.konso.testsrtp.MainActivity.2 @Override // com.iflytek.cloud.SynthesizerListener public void onCompleted(SpeechError error) { 
    } @Override // com.iflytek.cloud.SynthesizerListener public void onBufferProgress(int percent, int beginPos, int endPos, String info) { 
    } @Override // com.iflytek.cloud.SynthesizerListener public void onSpeakBegin() { 
    Log.d(MainActivity.this.TAG, "speakcheck"); } @Override // com.iflytek.cloud.SynthesizerListener public void onSpeakPaused() { 
    } @Override // com.iflytek.cloud.SynthesizerListener public void onSpeakProgress(int percent, int beginPos, int endPos) { 
    } @Override // com.iflytek.cloud.SynthesizerListener public void onSpeakResumed() { 
    } @Override // com.iflytek.cloud.SynthesizerListener public void onEvent(int arg0, int arg1, int arg2, Bundle arg3) { 
    } }; private RecognizerListener recognizerListener = new RecognizerListener() { 
    // from class: xyz.konso.testsrtp.MainActivity.3 @Override // com.iflytek.cloud.RecognizerListener public void onBeginOfSpeech() { 
    } @Override // com.iflytek.cloud.RecognizerListener public void onError(SpeechError error) { 
    } @Override // com.iflytek.cloud.RecognizerListener public void onEndOfSpeech() { 
    } @Override // com.iflytek.cloud.RecognizerListener public void onResult(RecognizerResult results, boolean isLast) { 
    Log.d(MainActivity.this.TAG, results.getResultString()); try { 
    JSONObject res = new JSONObject(results.getResultString()).getJSONArray("ws").getJSONObject(0).getJSONArray("cw").getJSONObject(0); MainActivity.this.ss = res.getString("w"); } catch (Exception e) { 
    Log.d(MainActivity.this.TAG, "catch Excepetion"); } if (MainActivity.this.ss.equals("你好")) { 
    MainActivity.this.getsna(); } Log.d(MainActivity.this.TAG, MainActivity.this.ss); } @Override // com.iflytek.cloud.RecognizerListener public void onVolumeChanged(int volume, byte[] var2) { 
    } @Override // com.iflytek.cloud.RecognizerListener public void onEvent(int eventType, int arg1, int arg2, Bundle obj) { 
    } }; @Override // android.app.Activity protected void onCreate(Bundle savedInstanceState) { 
    super.onCreate(savedInstanceState); setContentView(new background(this)); this.mAudioManager = (AudioManager) getSystemService("audio"); this.mAudioManager.setBluetoothScoOn(true); this.mAudioManager.startBluetoothSco(); SpeechUtility.createUtility(this, "appid=561e6833"); this.mIat = SpeechRecognizer.createRecognizer(this, this.mInitListener); this.mTts = SpeechSynthesizer.createSynthesizer(this, null); } public void setParam() { 
    this.mIat.setParameter(SpeechConstant.DOMAIN, "iat"); this.mIat.setParameter(SpeechConstant.LANGUAGE, "zh_cn"); this.mIat.setParameter(SpeechConstant.ACCENT, "mandarin"); } public void getsna() { 
    Toast.makeText(this, "haha", 0).show(); } @Override // android.app.Activity protected void onDestroy() { 
    super.onDestroy(); this.mAudioManager.setBluetoothScoOn(false); this.mAudioManager.stopBluetoothSco(); } } 

真正有用的是getsna函数。得到语音识别的字符串arg11，并比较计算结果。

package xyz.konso.testsrtp; import android.content.Context; import android.graphics.Bitmap; import android.graphics.BitmapFactory; import android.graphics.Canvas; import android.graphics.Paint; import android.graphics.RectF; import android.media.AudioManager; import android.os.Bundle; import android.util.Log; import android.view.MotionEvent; import android.view.SurfaceHolder; import android.view.SurfaceView; import android.view.View; import android.widget.Button; import android.widget.Toast; import com.iflytek.cloud.InitListener; import com.iflytek.cloud.RecognizerListener; import com.iflytek.cloud.RecognizerResult; import com.iflytek.cloud.SpeechConstant; import com.iflytek.cloud.SpeechError; import com.iflytek.cloud.SpeechRecognizer; import com.iflytek.cloud.SpeechSynthesizer; import com.iflytek.cloud.SpeechUtility; import com.iflytek.cloud.SynthesizerListener; import java.lang.reflect.Array; import org.json.JSONObject; /* loaded from: classes.dex */ public class background extends SurfaceView implements View.OnTouchListener { 
    private Button button1; private Button button2; private AudioManager mAudioManager; private SpeechRecognizer mIat; private SpeechSynthesizer mTts; private JSONObject res; private String ss; private String TAG = "shitou"; private final int WIDTH = 106; private final int LENGTH = 10; private final int COL = 10; private final int ROW = 10; SurfaceHolder.Callback c = new SurfaceHolder.Callback() { 
    // from class: xyz.konso.testsrtp.background.1 @Override // android.view.SurfaceHolder.Callback public void surfaceCreated(SurfaceHolder holder) { 
    background.this.redraw(); } @Override // android.view.SurfaceHolder.Callback public void surfaceChanged(SurfaceHolder holder, int format, int width, int height) { 
    } @Override // android.view.SurfaceHolder.Callback public void surfaceDestroyed(SurfaceHolder holder) { 
    } }; private InitListener mInitListener = new InitListener() { 
    // from class: xyz.konso.testsrtp.background.2 @Override // com.iflytek.cloud.InitListener public void onInit(int code) { 
    Log.d(background.this.TAG, "SpeechRecognizer init() code = " + code); } }; private SynthesizerListener mSynListener = new SynthesizerListener() { 
    // from class: xyz.konso.testsrtp.background.3 @Override // com.iflytek.cloud.SynthesizerListener public void onCompleted(SpeechError error) { 
    } @Override // com.iflytek.cloud.SynthesizerListener public void onBufferProgress(int percent, int beginPos, int endPos, String info) { 
    } @Override // com.iflytek.cloud.SynthesizerListener public void onSpeakBegin() { 
    Log.d(background.this.TAG, "speakcheck"); } @Override // com.iflytek.cloud.SynthesizerListener public void onSpeakPaused() { 
    } @Override // com.iflytek.cloud.SynthesizerListener public void onSpeakProgress(int percent, int beginPos, int endPos) { 
    } @Override // com.iflytek.cloud.SynthesizerListener public void onSpeakResumed() { 
    } @Override // com.iflytek.cloud.SynthesizerListener public void onEvent(int arg0, int arg1, int arg2, Bundle arg3) { 
    } }; private RecognizerListener recognizerListener = new RecognizerListener() { 
    // from class: xyz.konso.testsrtp.background.4 @Override // com.iflytek.cloud.RecognizerListener public void onBeginOfSpeech() { 
    } @Override // com.iflytek.cloud.RecognizerListener public void onError(SpeechError error) { 
    } @Override // com.iflytek.cloud.RecognizerListener public void onEndOfSpeech() { 
    } @Override // com.iflytek.cloud.RecognizerListener public void onResult(RecognizerResult results, boolean isLast) { 
    Log.d(background.this.TAG, results.getResultString()); try { 
    JSONObject res = new JSONObject(results.getResultString()).getJSONArray("ws").getJSONObject(0).getJSONArray("cw").getJSONObject(0); background.this.ss = res.getString("w"); } catch (Exception e) { 
    Log.d(background.this.TAG, "catch Excepetion"); } background.this.getsna(background.this.ss); Log.d(background.this.TAG, background.this.ss); } @Override // com.iflytek.cloud.RecognizerListener public void onVolumeChanged(int volume, byte[] var2) { 
    } @Override // com.iflytek.cloud.RecognizerListener public void onEvent(int eventType, int arg1, int arg2, Bundle obj) { 
    } }; private circle[][] matrix = (circle[][]) Array.newInstance(circle.class, 10, 10); public boolean check() { 
    return this.matrix[1][1].getStatus() == 1 && this.matrix[1][2].getStatus() == 1 && this.matrix[1][7].getStatus() == 1 && this.matrix[1][8].getStatus() == 1 && this.matrix[2][0].getStatus() == 1 && this.matrix[2][3].getStatus() == 1 && this.matrix[2][6].getStatus() == 1 && this.matrix[2][9].getStatus() == 1 && this.matrix[3][0].getStatus() == 1 && this.matrix[3][4].getStatus() == 1 && this.matrix[3][5].getStatus() == 1 && this.matrix[3][9].getStatus() == 1 && this.matrix[4][0].getStatus() == 1 && this.matrix[4][9].getStatus() == 1 && this.matrix[5][1].getStatus() == 1 && this.matrix[5][8].getStatus() == 1 && this.matrix[6][2].getStatus() == 1 && this.matrix[6][7].getStatus() == 1 && this.matrix[7][3].getStatus() == 1 && this.matrix[7][6].getStatus() == 1 && this.matrix[8][4].getStatus() == 1 && this.matrix[8][5].getStatus() == 1; } public background(Context context) { 
    super(context); getHolder().addCallback(this.c); for (int i = 0; i < 10; i++) { 
    for (int j = 0; j < 10; j++) { 
    this.matrix[i][j] = new circle(j, i); } } setOnTouchListener(this); initGame(); SpeechUtility.createUtility(getContext(), "appid=561e6833"); this.mIat = SpeechRecognizer.createRecognizer(getContext(), this.mInitListener); this.mTts = SpeechSynthesizer.createSynthesizer(getContext(), null); } private circle getcircle(int x, int y) { 
    return this.matrix[y][x]; } public void getsna(String flag) { 
    if (flag.length() == 4) { 
    int[] as = new int[flag.length()]; for (int i = 0; i < flag.length(); i++) { 
    as[i] = flag.charAt(i) & 65535; } for (int j = 0; j < 4; j++) { 
    for (int k = j + 1; k < 4; k++) { 
    if (as[j] > as[k]) { 
    int temp = as[j]; as[j] = as[k]; as[k] = temp; } } } if (as[0] == 20667 && as[1] == 25105 && as[2] == 26159 && as[3] == 36924) { 
    Toast.makeText(getContext(), "You get the sorted flag：20667 25105 26159 36924", 0).show(); } else { 
    Toast.makeText(getContext(), "wrong input", 0).show(); } } } /* JADX INFO: Access modifiers changed from: private */ public void redraw() { 
    Bitmap bmp = BitmapFactory.decodeResource(getResources(), R.drawable.pic1); Canvas c = getHolder().lockCanvas(); c.drawBitmap(bmp, 0.0f, 0.0f, (Paint) null); Paint paint = new Paint(); for (int i = 0; i < 10; i++) { 
    for (int j = 0; j < 10; j++) { 
    circle one = getcircle(j, i); switch (one.getStatus()) { 
    case 0: paint.setColor(-); break; case 1: paint.setColor(-20807); break; } c.drawOval(new RectF((float) (one.getx() * 106), (float) ((one.gety() + 7) * 106), (float) ((one.getx() + 1) * 106), (float) ((one.gety() + 8) * 106)), paint); } } getHolder().unlockCanvasAndPost(c); } private void initGame() { 
    for (int i = 0; i < 10; i++) { 
    for (int j = 0; j < 10; j++) { 
    this.matrix[i][j].setStatus(0); } } } @Override // android.view.View.OnTouchListener public boolean onTouch(View arg0, MotionEvent e) { 
    if (e.getAction() == 1) { 
    if (e.getY() < 815.0f) { 
    this.mTts.setParameter(SpeechConstant.VOICE_NAME, "xiaoyan"); this.mTts.setParameter(SpeechConstant.SPEED, "50"); this.mTts.setParameter(SpeechConstant.VOLUME, "80"); this.mTts.setParameter(SpeechConstant.ENGINE_TYPE, SpeechConstant.TYPE_CLOUD); this.mTts.setParameter(SpeechConstant.TTS_AUDIO_PATH, "./sdcard/iflytek.pcm"); if (!check()) { 
    this.mTts.startSpeaking("你是个好人，但是我们不适合。 ", this.mSynListener); Toast.makeText(getContext(), "你根本不知道什么叫做爱", 0).show(); } else { 
    setParam(); Log.d(this.TAG, "startListening ret:" + this.mIat.startListening(this.recognizerListener)); Toast.makeText(getContext(), "通过爱的验证", 0).show(); } } else { 
    int y = (int) ((e.getY() / 106.0f) - 7.0f); int x = (int) (e.getX() / 106.0f); getcircle(x, y).setStatus(getcircle(x, y).getStatus() ^ 1); redraw(); if (check()) { 
    Toast.makeText(getContext(), "Right design", 0).show(); } } } return true; } public void setParam() { 
    this.mIat.setParameter(SpeechConstant.DOMAIN, "iat"); this.mIat.setParameter(SpeechConstant.LANGUAGE, "zh_cn"); this.mIat.setParameter(SpeechConstant.ACCENT, "mandarin"); } } 

发现flag：You get the sorted flag：20667 25105 26159 36924

把20667 25105 26159 36924转成中文是傻我是逼

傻我是逼变成我是傻逼

得到flag：flag{25105 26159 20667 36924}

总结

提示：这里对文章进行总结：
例如：以上就是今天要讲的内容，本文仅仅简单介绍了pandas的使用，而pandas提供了大量能使我们快速便捷地处理数据的函数和方法。

今天的分享到此就结束了，感谢您的阅读，如果确实帮到您，您可以动动手指转发给其他人。