Cython程序分析_2

2022-01-27

字数统计: 12.6k字 | 阅读时长≈ 69分

下面从一些python的基本操作开始进行分析。总体流程准备跟着菜鸟教程上教的顺序走。

Cython程序分析_2

样例代码

# test2.py

"""
229028
191980.0
True
(4+2j)
test
"""

def func_DataType():
    int_1 = 114514
    float_1 = 191981.0
    bool_1 = True
    complex_1 = 1 + 2j
    
    print(int_1 * 2)
    print(float_1 - 1)
    print(bool_1)
    print(complex_1 + 3)
    
def func_Str():
    str_1 = "teststr1"
    str_2 = "teststr2"
    str_3 = "1_2_3_4_5_"
    str_fmt = "{}.{}"
    print(str_1[0:4])
    print(str_1[-4:-1])
    print(str_1[0])
    print(str_1[6:])
    print(str_3[0:7:2])
    print(str_3 * 2)
    print(str_2 + str_1)
    print(str_2.index("str2"))
    print(str_fmt.format(str_1, str_2))
    print("No endl", end="")
    print('')
    
def func_ImportModule():
    import base64
    b64obj = base64.b64encode("testbase64".encode())
    print(b64obj)
    print(type(b64obj))
    
    import hashlib
    md5obj = hashlib.md5()
    md5obj.update("testmd5".encode())
    print(md5obj.hexdigest())
    
func_DataType()
func_Str()
func_ImportModule()

第一个函数是基本数据类型的操作

第二个是字符串操作

第三个是导入模块进行使用

同时函数被调用了，脚本可以直接运行

from setuptools import setup
from Cython.Build import cythonize

setup(
    name="test2",
    # 必须声明language_level，要不然就被当成默认python2对待了
    ext_modules=cythonize("./test2.py", annotate=True, language_level=3),
)

分析

这次C文件到达了惊人的5388行。离了个大谱。还是配合自动生成的html文件来分析比较好。

`__pyx_pymod_create()`

此函数毫无变化。以后可以不用去考虑这个函数了

`__pyx_pymod_exec_test2()`

这个函数自然是重头戏

// 相关联的片段 

/* "test2.py":9
 * """
 * 
 * def func_DataType():             # <<<<<<<<<<<<<<
 *     int_1 = 114514
 *     float_1 = 191981.0
 */
  __pyx_t_1 = __Pyx_CyFunction_New(&__pyx_mdef_5test2_1func_DataType, 0, __pyx_n_s_func_DataType, NULL, __pyx_n_s_test2, __pyx_d, ((PyObject *)__pyx_codeobj__7)); if (unlikely(!__pyx_t_1)) __PYX_ERR(0, 9, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_t_1);
  if (PyDict_SetItem(__pyx_d, __pyx_n_s_func_DataType, __pyx_t_1) < 0) __PYX_ERR(0, 9, __pyx_L1_error)
  __Pyx_DECREF(__pyx_t_1); __pyx_t_1 = 0;

  /* "test2.py":48
 *     print(md5obj.hexdigest())
 * 
 * func_DataType()             # <<<<<<<<<<<<<<
 * func_Str()
 * func_ImportModule()
 */
  __Pyx_GetModuleGlobalName(__pyx_t_1, __pyx_n_s_func_DataType); if (unlikely(!__pyx_t_1)) __PYX_ERR(0, 48, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_t_1);
  __pyx_t_2 = __Pyx_PyObject_CallNoArg(__pyx_t_1); if (unlikely(!__pyx_t_2)) __PYX_ERR(0, 48, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_t_2);
  __Pyx_DECREF(__pyx_t_1); __pyx_t_1 = 0;
  __Pyx_DECREF(__pyx_t_2); __pyx_t_2 = 0;

在此Exec函数中，会将大致的模块流程给展现出来。

声明

会用一个__pyx_t_n的指针来获取，使用__Pyx_CyFunction_New()并向其中传入相应的PyModuleDef来构建。上次博客已经讲过。

补充

值得注意的锚点是PyDict_SetItem()，这个函数是外部API，不会内联；它会将__pyx_t_1函数指针存入到一个全局字典__pyx_d中去，紧接着__Pyx_DECREF(__pyx_t_1)指针后退一个单位，为承接下一个函数做准备。

1 2	__pyx_d = PyModule_GetDict(__pyx_m); if (unlikely(!__pyx_d)) __PYX_ERR(0, 1, __pyx_L1_error) Py_INCREF(__pyx_d);

调用

首先会__Pyx_GetModuleGlobalName(__pyx_t_1, __pyx_n_s_func_DataType)，__pyx_n_s_func_DataType是函数名，那么大概__pyx_t_1就将作为承接函数的指针。这个函数大概就是根据字符串返回对象索引（函数也是一种PyObject对象）

`__Pyx_GetModuleGlobalName(var, name)宏`

#define __Pyx_GetModuleGlobalName(var, name)  {\
    static PY_UINT64_T __pyx_dict_version = 0;\
    static PyObject *__pyx_dict_cached_value = NULL;\
    (var) = (likely(__pyx_dict_version == __PYX_GET_DICT_VERSION(__pyx_d))) ?\
        (likely(__pyx_dict_cached_value) ? __Pyx_NewRef(__pyx_dict_cached_value) : __Pyx_GetBuiltinName(name)) :\
        __Pyx__GetModuleGlobalName(name, &__pyx_dict_version, &__pyx_dict_cached_value);\
}

通过了一些判断，然后调用了__Pyx__GetModuleGlobalName()函数和__Pyx_GetBuiltinName()函数。前者是模块内自定义的函数，用全局字典维护；而后者Builtin函数则是内置的。

`PyxGetModuleGlobalName()`

/* GetModuleGlobalName */
#if CYTHON_USE_DICT_VERSIONS
static PyObject *__Pyx__GetModuleGlobalName(PyObject *name, PY_UINT64_T *dict_version, PyObject **dict_cached_value)
#else
static CYTHON_INLINE PyObject *__Pyx__GetModuleGlobalName(PyObject *name)
#endif
{
    PyObject *result;
#if !CYTHON_AVOID_BORROWED_REFS
#if CYTHON_COMPILING_IN_CPYTHON && PY_VERSION_HEX >= 0x030500A1
    result = _PyDict_GetItem_KnownHash(__pyx_d, name, ((PyASCIIObject *) name)->hash);
    __PYX_UPDATE_DICT_CACHE(__pyx_d, result, *dict_cached_value, *dict_version)
    if (likely(result)) {
        return __Pyx_NewRef(result);
    } else if (unlikely(PyErr_Occurred())) {
        return NULL;
    }
#else
    result = PyDict_GetItem(__pyx_d, name);
    __PYX_UPDATE_DICT_CACHE(__pyx_d, result, *dict_cached_value, *dict_version)
    if (likely(result)) {
        return __Pyx_NewRef(result);
    }
#endif
#else
    result = PyObject_GetItem(__pyx_d, name);
    __PYX_UPDATE_DICT_CACHE(__pyx_d, result, *dict_cached_value, *dict_version)
    if (likely(result)) {
        return __Pyx_NewRef(result);
    }
    PyErr_Clear();
#endif
    return __Pyx_GetBuiltinName(name);
}

这块函数是极有可能要被内联的。根据宏定义判别，我选取了最有可能的情况，即

#if CYTHON_COMPILING_IN_CPYTHON && PY_VERSION_HEX >= 0x030500A1
    result = _PyDict_GetItem_KnownHash(__pyx_d, name, ((PyASCIIObject *) name)->hash);	// 外部API不会内联
    __PYX_UPDATE_DICT_CACHE(__pyx_d, result, *dict_cached_value, *dict_version)
    if (likely(result)) {
        return __Pyx_NewRef(result);
    } else if (unlikely(PyErr_Occurred())) {
        return NULL;
    }
    
#endif
    return __Pyx_GetBuiltinName(name);

总结一下，核心就是通过 _PyDict_GetItem_KnownHash()来获取。

`__Pyx_GetBuiltin()`函数

/* GetBuiltinName */
static PyObject *__Pyx_GetBuiltinName(PyObject *name) {
    PyObject* result = __Pyx_PyObject_GetAttrStr(__pyx_b, name);
    if (unlikely(!result)) {
        PyErr_Format(PyExc_NameError,
#if PY_MAJOR_VERSION >= 3
            "name '%U' is not defined", name);
#else
            "name '%.200s' is not defined", PyString_AS_STRING(name));
#endif
    }
    return result;
}

核心就是个__Pyx_PyObject_GetAttrStr()宏

1	#define __Pyx_PyObject_GetAttrStr(o,n) PyObject_GetAttr(o,n)

还好这个是个外部API。

总结一下，就是对PyObject_GetAttr(o,n)的调用。

然后就是调用了。

1	__pyx_t_2 = __Pyx_PyObject_CallNoArg(__pyx_t_1);

无参调用方式

真离谱啥都是内联的

/* PyObjectCallNoArg */
#if CYTHON_COMPILING_IN_CPYTHON
static CYTHON_INLINE PyObject* __Pyx_PyObject_CallNoArg(PyObject *func) {
#if CYTHON_FAST_PYCALL
    if (PyFunction_Check(func)) {
        return __Pyx_PyFunction_FastCall(func, NULL, 0);
    }
#endif
#ifdef __Pyx_CyFunction_USED
    if (likely(PyCFunction_Check(func) || __Pyx_CyFunction_Check(func)))
#else
    if (likely(PyCFunction_Check(func)))
#endif
    {
        if (likely(PyCFunction_GET_FLAGS(func) & METH_NOARGS)) {
            return __Pyx_PyObject_CallMethO(func, NULL);
        }
    }
    return __Pyx_PyObject_Call(func, __pyx_empty_tuple, NULL);
}
#endif

二进制

__int64 __fastcall _pyx_pymod_exec_test2(_QWORD *a1)
{
  const char *v3; // rax
  unsigned int v4; // edi
  unsigned int v5; // ebp
  _QWORD *mod_cython_0_29_24; // rax
  _QWORD *v7; // rsi
  __int64 v8; // rax
  __int64 *v9; // rbx
  const char *v10; // rdx
  bool v11; // zf
  _QWORD *mod_builtin; // rax
  _QWORD *mod_runtime; // rax
  __int64 v14; // r8
  __int64 v15; // rcx
  char **v16; // rbx
  char *v17; // rcx
  __int64 v18; // rax
  char *v19; // r8
  __int64 v20; // rdx
  __int64 v21; // rax
  __int64 v22; // rbx
  __int64 v23; // rsi
  __int64 (__fastcall *v24)(__int64, __int64); // r8
  __int64 v25; // rax
  int v26; // edx
  int v27; // er9
  __int64 f_datatype; // rax
  _QWORD *__pyx_t1; // rbx
  int v30; // edx
  int v31; // er9
  __int64 func_Str; // rax
  int v33; // edx
  int v34; // er9
  __int64 func_ImportModule; // rax
  __int64 strp_func_DataType3; // rcx
  __int64 v37; // rsi
  _QWORD *v38; // rsi
  __int64 v39; // rcx
  __int64 v40; // rsi
  _QWORD *v41; // rsi
  __int64 strp_func_ImportModule_3; // rcx
  __int64 v43; // rsi
  _QWORD *v44; // rsi
  __int64 v45; // rax
  __int64 v46; // rcx
  int v47; // [rsp+20h] [rbp-118h]
  int v48; // [rsp+20h] [rbp-118h]
  int v49; // [rsp+20h] [rbp-118h]
  int v50; // [rsp+28h] [rbp-110h]
  int v51; // [rsp+28h] [rbp-110h]
  int v52; // [rsp+28h] [rbp-110h]
  char v53[4]; // [rsp+40h] [rbp-F8h] BYREF
  char v54[12]; // [rsp+44h] [rbp-F4h] BYREF
  char v55[208]; // [rsp+50h] [rbp-E8h] BYREF

  if ( !qword_18000CD18 )
  {
    PyOS_snprintf(v54, 4i64, "%d.%d", 3i64, 7);
    v3 = (const char *)Py_GetVersion();
    PyOS_snprintf(v53, 4i64, "%s", v3);
    v4 = 1;
    if ( v54[0] != v53[0] || v54[2] != v53[2] )
    {
      PyOS_snprintf(
        v55,
        200i64,
        "compiletime version %s of module '%.100s' does not match runtime version %s",
        v54,
        aTest2,
        v53);
      if ( (int)PyErr_WarnEx(0i64, v55, 1i64) < 0 )
      {
        v5 = 2472;
        goto LABEL_151;
      }
    }
    qword_18000CC68 = PyFrame_Type[4] - 8i64;
    qword_18000CC78 = PyTuple_New(0i64);
    if ( !qword_18000CC78 )
    {
      v5 = 2476;
      goto LABEL_151;
    }
    qword_18000CD08 = PyBytes_FromStringAndSize(&unk_18000CD61, 0i64);
    if ( !qword_18000CD08 )
    {
      v5 = 2477;
      goto LABEL_151;
    }
    qword_18000CCD8 = PyUnicode_FromStringAndSize(&unk_18000CD60, 0i64);
    if ( !qword_18000CCD8 )
    {
      v5 = 2478;
      goto LABEL_151;
    }
    mod_cython_0_29_24 = (_QWORD *)PyImport_AddModule(aCython02924);
    v7 = mod_cython_0_29_24;
    if ( !mod_cython_0_29_24 )
    {
      qword_18000CCC0 = 0i64;
      v5 = 2480;
      goto LABEL_151;
    }
    ++*mod_cython_0_29_24;
    v8 = PyObject_GetAttrString(mod_cython_0_29_24, off_18000B5D8);
    v9 = (__int64 *)v8;
    if ( v8 )
    {
      if ( *(int *)(*(_QWORD *)(v8 + 8) + 168i64) < 0 )
      {
        if ( *(_QWORD *)(v8 + 32) == qword_18000B5E0 )
          goto LABEL_25;
        v10 = aSharedCythonTy_0;
      }
      else
      {
        v10 = aSharedCythonTy;
      }
      PyErr_Format(PyExc_TypeError, v10, off_18000B5D8);
      v11 = (*v9)-- == 1;
      if ( v11 )
        (*(void (__fastcall **)(__int64 *))(v9[1] + 48))(v9);
    }
    else if ( (unsigned int)PyErr_ExceptionMatches(PyExc_AttributeError) )
    {
      PyErr_Clear();
      v9 = &qword_18000B5C0;
      if ( (int)PyType_Ready(&qword_18000B5C0) >= 0
        && (int)PyObject_SetAttrString(v7, off_18000B5D8, &qword_18000B5C0) >= 0 )
      {
        ++qword_18000B5C0;
LABEL_25:
        v11 = (*v7)-- == 1i64;
        if ( v11 )
          (*(void (__fastcall **)(_QWORD *))(v7[1] + 48i64))(v7);
        qword_18000CCC0 = (__int64)v9;
        if ( !v9 )
        {
          v5 = 2480;
          goto LABEL_151;
        }
        ++*a1;
        qword_18000CD18 = (__int64)a1;
        _pyx_d = PyModule_GetDict(a1);
        if ( !_pyx_d )
        {
          v5 = 2514;
          goto LABEL_151;
        }
        ++*(_QWORD *)_pyx_d;
        mod_builtin = (_QWORD *)PyImport_AddModule(aBuiltins);
        glob_mod_builtin = (__int64)mod_builtin;
        if ( !mod_builtin )
        {
          v5 = 2516;
          goto LABEL_151;
        }
        ++*mod_builtin;
        mod_runtime = (_QWORD *)PyImport_AddModule(aCythonRuntime);
        glob_mod_runtime = (__int64)mod_runtime;
        if ( !mod_runtime )
        {
          v5 = 2518;
          goto LABEL_151;
        }
        v14 = glob_mod_builtin;
        v15 = qword_18000CD18;
        ++*mod_runtime;
        if ( (int)PyObject_SetAttrString(v15, aBuiltins_0, v14) < 0 )
        {
          v5 = 2520;
          goto LABEL_151;
        }
        qword_18000B798 = PyUnicode_Type;
        qword_18000B770 = PyUnicode_Type;
        if ( off_18000B830 )
        {
          v16 = &off_18000B838;
          do
          {
            v17 = *v16;
            if ( *((_WORD *)v16 + 12) )
            {
              if ( *((_BYTE *)v16 + 26) )
              {
                v18 = PyUnicode_InternFromString(v17);
              }
              else
              {
                v19 = v16[2];
                v20 = (__int64)(v16[1] - 1);
                v18 = v19 ? PyUnicode_Decode(v17, v20, v19, 0i64) : PyUnicode_FromStringAndSize(v17, v20);
              }
            }
            else
            {
              v18 = PyBytes_FromStringAndSize(v17, v16[1] - 1);
            }
            *(_QWORD *)*(v16 - 1) = v18;
            if ( !*(_QWORD *)*(v16 - 1) || PyObject_Hash() == -1 )
              goto LABEL_150;
            v16 += 5;
          }
          while ( *(v16 - 1) );
        }
        qword_18000CC88 = PyLong_FromLong(0i64);
        if ( !qword_18000CC88
          || (qword_18000CD38 = PyLong_FromLong(2i64)) == 0
          || (qword_18000CCD0 = PyLong_FromLong(3i64)) == 0
          || (qword_18000CD50 = PyLong_FromLong(7i64)) == 0
          || (qword_18000CD58 = PyLong_FromLong(114514i64)) == 0 )
        {
LABEL_150:
          v5 = 2522;
LABEL_151:
          if ( qword_18000CD18 )
          {
            if ( _pyx_d )
              sub_180002110(aInitTest2, v5, v4, aTest2Py);
            v46 = qword_18000CD18;
            if ( qword_18000CD18 )
            {
              v11 = (*(_QWORD *)qword_18000CD18)-- == 1i64;
              qword_18000CD18 = 0i64;
              if ( v11 )
                (*(void (**)(void))(*(_QWORD *)(v46 + 8) + 48i64))();
            }
          }
          else if ( !PyErr_Occurred() )
          {
            PyErr_SetString(PyExc_ImportError, aInitTest2_0);
          }
          return (unsigned int)(qword_18000CD18 != 0) - 1;
        }
        if ( dword_18000CC20 && (int)PyObject_SetAttr(qword_18000CD18, qword_18000CBC0, qword_18000CB88) < 0 )
        {
          v5 = 2527;
          goto LABEL_151;
        }
        v21 = PyImport_GetModuleDict();
        v22 = v21;
        if ( !v21 )
        {
          v5 = 2531;
          goto LABEL_151;
        }
        if ( !PyDict_GetItemString(v21, aTest2_0) && (int)PyDict_SetItemString(v22, aTest2_1, qword_18000CD18) < 0 )
        {
          v5 = 2533;
          goto LABEL_151;
        }
        v23 = qword_18000CB18;
        v24 = *(__int64 (__fastcall **)(__int64, __int64))(*(_QWORD *)(glob_mod_builtin + 8) + 144i64);
        if ( v24 )
          v25 = v24(glob_mod_builtin, qword_18000CB18);
        else
          v25 = PyObject_GetAttr(glob_mod_builtin, qword_18000CB18);
        if ( !v25 )
        {
          PyErr_Format(PyExc_NameError, aNameUIsNotDefi, v23);
          qword_18000CD20 = 0i64;
          v5 = 2538;
          goto LABEL_151;
        }
        qword_18000CD20 = v25;
        if ( (int)sub_180006250() < 0 )
        {
          v5 = 2540;
          goto LABEL_151;
        }
        f_datatype = _Pyx_CyFunction_New((unsigned int)&moddef, v26, strp_func_DataType, v27, v47, v50, qword_18000CC60);// 
                                                // 有着鲜明的初始化特征，
                                                // 此函数便是__Pyx_CyFunction_New函数，
                                                // 但是这次并未内联
        __pyx_t1 = (_QWORD *)f_datatype;
        if ( !f_datatype )
        {
          v4 = 9;
          v5 = 2561;
          goto LABEL_151;
        }
        if ( (int)PyDict_SetItem(_pyx_d, strp_func_DataType, f_datatype) < 0 )
        {
          v4 = 9;
          v5 = 2563;
          goto LABEL_135;
        }
        v11 = (*__pyx_t1)-- == 1i64;
        if ( v11 )
          (*(void (__fastcall **)(_QWORD *))(__pyx_t1[1] + 48i64))(__pyx_t1);
        func_Str = _Pyx_CyFunction_New((unsigned int)&off_18000BE90, v30, strp_func_Str, v31, v48, v51, qword_18000CCE8);
        __pyx_t1 = (_QWORD *)func_Str;
        if ( !func_Str )
        {
          v4 = 20;
          v5 = 2573;
          goto LABEL_151;
        }
        if ( (int)PyDict_SetItem(_pyx_d, strp_func_Str, func_Str) < 0 )
        {
          v4 = 20;
          v5 = 2575;
          goto LABEL_135;
        }
        v11 = (*__pyx_t1)-- == 1i64;
        if ( v11 )
          (*(void (__fastcall **)(_QWORD *))(__pyx_t1[1] + 48i64))(__pyx_t1);
        func_ImportModule = _Pyx_CyFunction_New(
                              (unsigned int)&off_18000B750,
                              v33,
                              strp_func_ImportModule,
                              v34,
                              v49,
                              v52,
                              qword_18000CCE0);
        __pyx_t1 = (_QWORD *)func_ImportModule;
        if ( !func_ImportModule )
        {
          v4 = 37;
          v5 = 2585;
          goto LABEL_151;
        }
        if ( (int)PyDict_SetItem(_pyx_d, strp_func_ImportModule, func_ImportModule) < 0 )
        {
          v4 = 37;
          v5 = 2587;
          goto LABEL_135;
        }
        v11 = (*__pyx_t1)-- == 1i64;
        if ( v11 )
          (*(void (__fastcall **)(_QWORD *))(__pyx_t1[1] + 48i64))(__pyx_t1);
        if ( qword_18000CC50 == *(_QWORD *)(_pyx_d + 24) )
        {
          if ( qword_18000CD28 )
          {
            ++*(_QWORD *)qword_18000CD28;
            __pyx_t1 = (_QWORD *)qword_18000CD28;
            goto LABEL_100;
          }
          strp_func_DataType3 = strp_func_DataType;
        }
        else
        {
          v37 = strp_func_DataType;
          __pyx_t1 = (_QWORD *)PyDict_GetItem_KnownHash(
                                 _pyx_d,
                                 strp_func_DataType,
                                 *(_QWORD *)(strp_func_DataType + 24));
          qword_18000CC50 = *(_QWORD *)(_pyx_d + 24);
          qword_18000CD28 = (__int64)__pyx_t1;
          if ( __pyx_t1 )
          {
            ++*__pyx_t1;
            goto LABEL_101;
          }
          if ( PyErr_Occurred() )
          {
LABEL_149:
            v4 = 48;
            v5 = 2597;
            goto LABEL_151;
          }
          strp_func_DataType3 = v37;
        }
        __pyx_t1 = (_QWORD *)_Pyx_GetBuiltinName(strp_func_DataType3);
LABEL_100:
        if ( __pyx_t1 )
        {
LABEL_101:
          v38 = (_QWORD *)_Pyx_PyObject_CallNoArg(__pyx_t1);
          if ( !v38 )
          {
            v4 = 48;
            v5 = 2599;
            goto LABEL_135;
          }
          v11 = (*__pyx_t1)-- == 1i64;
          if ( v11 )
            (*(void (__fastcall **)(_QWORD *))(__pyx_t1[1] + 48i64))(__pyx_t1);
          v11 = (*v38)-- == 1i64;
          if ( v11 )
            (*(void (__fastcall **)(_QWORD *))(v38[1] + 48i64))(v38);
          if ( qword_18000CCB0 == *(_QWORD *)(_pyx_d + 24) )
          {
            if ( qword_18000CC70 )
            {
              ++*(_QWORD *)qword_18000CC70;
              __pyx_t1 = (_QWORD *)qword_18000CC70;
              goto LABEL_116;
            }
            v39 = strp_func_Str;
          }
          else
          {
            v40 = strp_func_Str;
            __pyx_t1 = (_QWORD *)PyDict_GetItem_KnownHash(_pyx_d, strp_func_Str, *(_QWORD *)(strp_func_Str + 24));
            qword_18000CCB0 = *(_QWORD *)(_pyx_d + 24);
            qword_18000CC70 = (__int64)__pyx_t1;
            if ( __pyx_t1 )
            {
              ++*__pyx_t1;
              goto LABEL_117;
            }
            if ( PyErr_Occurred() )
            {
LABEL_148:
              v4 = 49;
              v5 = 2610;
              goto LABEL_151;
            }
            v39 = v40;
          }
          __pyx_t1 = (_QWORD *)_Pyx_GetBuiltinName(v39);
LABEL_116:
          if ( __pyx_t1 )
          {
LABEL_117:
            v41 = (_QWORD *)_Pyx_PyObject_CallNoArg(__pyx_t1);
            if ( !v41 )
            {
              v4 = 49;
              v5 = 2612;
              goto LABEL_135;
            }
            v11 = (*__pyx_t1)-- == 1i64;
            if ( v11 )
              (*(void (__fastcall **)(_QWORD *))(__pyx_t1[1] + 48i64))(__pyx_t1);
            v11 = (*v41)-- == 1i64;
            if ( v11 )
              (*(void (__fastcall **)(_QWORD *))(v41[1] + 48i64))(v41);
            if ( qword_18000CC80 == *(_QWORD *)(_pyx_d + 24) )
            {
              if ( ::func_ImportModule )
              {
                ++*(_QWORD *)::func_ImportModule;
                __pyx_t1 = (_QWORD *)::func_ImportModule;
                goto LABEL_132;
              }
              strp_func_ImportModule_3 = strp_func_ImportModule;
            }
            else
            {
              v43 = strp_func_ImportModule;
              __pyx_t1 = (_QWORD *)PyDict_GetItem_KnownHash(
                                     _pyx_d,
                                     strp_func_ImportModule,
                                     *(_QWORD *)(strp_func_ImportModule + 24));
              qword_18000CC80 = *(_QWORD *)(_pyx_d + 24);
              ::func_ImportModule = (__int64)__pyx_t1;
              if ( __pyx_t1 )
              {
                ++*__pyx_t1;
                goto LABEL_133;
              }
              if ( PyErr_Occurred() )
              {
LABEL_147:
                v4 = 50;
                v5 = 2622;
                goto LABEL_151;
              }
              strp_func_ImportModule_3 = v43;
            }
            __pyx_t1 = (_QWORD *)_Pyx_GetBuiltinName(strp_func_ImportModule_3);
LABEL_132:
            if ( __pyx_t1 )
            {
LABEL_133:
              v44 = (_QWORD *)_Pyx_PyObject_CallNoArg(__pyx_t1);
              if ( v44 )
              {
                v11 = (*__pyx_t1)-- == 1i64;
                if ( v11 )
                  (*(void (__fastcall **)(_QWORD *))(__pyx_t1[1] + 48i64))(__pyx_t1);
                v11 = (*v44)-- == 1i64;
                if ( v11 )
                  (*(void (__fastcall **)(_QWORD *))(v44[1] + 48i64))(v44);
                v45 = PyDict_New();
                __pyx_t1 = (_QWORD *)v45;
                if ( !v45 )
                {
                  v5 = 2634;
                  goto LABEL_151;
                }
                if ( (int)PyDict_SetItem(_pyx_d, _test__, v45) >= 0 )
                {
                  v11 = (*__pyx_t1)-- == 1i64;
                  if ( v11 )
                    (*(void (__fastcall **)(_QWORD *))(__pyx_t1[1] + 48i64))(__pyx_t1);
                  return (unsigned int)(qword_18000CD18 != 0) - 1;
                }
                v5 = 2636;
              }
              else
              {
                v4 = 50;
                v5 = 2624;
              }
LABEL_135:
              v11 = (*__pyx_t1)-- == 1i64;
              if ( v11 )
                (*(void (__fastcall **)(_QWORD *))(__pyx_t1[1] + 48i64))(__pyx_t1);
              goto LABEL_151;
            }
            goto LABEL_147;
          }
          goto LABEL_148;
        }
        goto LABEL_149;
      }
    }
    v9 = 0i64;
    goto LABEL_25;
  }
  if ( (_QWORD *)qword_18000CD18 == a1 )
    return 0i64;
  PyErr_SetString(PyExc_RuntimeError, aModuleTest2Has);
  return 0xFFFFFFFFi64;
}

可以看出编译成二进制之后变得混乱了不少。关于如何辨识出函数声明和调用，在后面的经验总结出谈了一下。这里直接把代码块贴出来。

声明部分

f_datatype = _Pyx_CyFunction_New((unsigned int)&moddef, v26, strp_func_DataType, v27, v47, v50, qword_18000CC60);// 
                                        // 有着鲜明的初始化特征，
                                        // 此函数便是__Pyx_CyFunction_New函数，
                                        // 但是这次并未内联

调用部分

              __pyx_t1 = (_QWORD *)PyDict_GetItem_KnownHash(
                                     _pyx_d,
                                     strp_func_ImportModule,
                                     *(_QWORD *)(strp_func_ImportModule + 24));
              qword_18000CC80 = *(_QWORD *)(_pyx_d + 24);
              ::func_ImportModule = (__int64)__pyx_t1;
              if ( __pyx_t1 )
              {
                ++*__pyx_t1;
                goto LABEL_133;
              }
              if ( PyErr_Occurred() )
              {
LABEL_147:
                v4 = 50;
                v5 = 2622;
                goto LABEL_151;
              }
              strp_func_ImportModule_3 = v43;
            }
            __pyx_t1 = (_QWORD *)_Pyx_GetBuiltinName(strp_func_ImportModule_3);
LABEL_132:
            if ( __pyx_t1 )
            {
LABEL_133:
              v44 = (_QWORD *)_Pyx_PyObject_CallNoArg(__pyx_t1);

各函数解析

此部分将配合C文件和二进制文件一起来分析函数。

C文件中的逻辑其实应该是挺清晰的，但是编译后出现各种各样的内联操作，就会变复杂。

`func_DataType()`

def func_DataType():
    int_1 = 114514
    float_1 = 191981.0
    bool_1 = True
    complex_1 = 1 + 2j
    
    print(int_1 * 2)
    print(float_1 - 1)
    print(bool_1)
    print(complex_1 + 3)

C文件

/* Python wrapper */
static PyObject *__pyx_pw_5test2_1func_DataType(PyObject *__pyx_self, CYTHON_UNUSED PyObject *unused); /*proto*/
static PyMethodDef __pyx_mdef_5test2_1func_DataType = {"func_DataType", (PyCFunction)__pyx_pw_5test2_1func_DataType, METH_NOARGS, 0};
static PyObject *__pyx_pw_5test2_1func_DataType(PyObject *__pyx_self, CYTHON_UNUSED PyObject *unused) {
  PyObject *__pyx_r = 0;
  __Pyx_RefNannyDeclarations
  __Pyx_RefNannySetupContext("func_DataType (wrapper)", 0);
  __pyx_r = __pyx_pf_5test2_func_DataType(__pyx_self);

  /* function exit code */
  __Pyx_RefNannyFinishContext();
  return __pyx_r;
}

static PyObject *__pyx_pf_5test2_func_DataType(CYTHON_UNUSED PyObject *__pyx_self) {
  PyObject *__pyx_v_int_1 = NULL;
  double __pyx_v_float_1;
  int __pyx_v_bool_1;
  PyObject *__pyx_v_complex_1 = NULL;
  PyObject *__pyx_r = NULL;
  __Pyx_RefNannyDeclarations
  __pyx_t_double_complex __pyx_t_1;
  PyObject *__pyx_t_2 = NULL;
  PyObject *__pyx_t_3 = NULL;
  int __pyx_lineno = 0;
  const char *__pyx_filename = NULL;
  int __pyx_clineno = 0;
  __Pyx_RefNannySetupContext("func_DataType", 0);

  /* "test2.py":10
 * 
 * def func_DataType():
 *     int_1 = 114514             # <<<<<<<<<<<<<<
 *     float_1 = 191981.0
 *     bool_1 = True
 */
  __Pyx_INCREF(__pyx_int_114514);
  __pyx_v_int_1 = __pyx_int_114514;

  /* "test2.py":11
 * def func_DataType():
 *     int_1 = 114514
 *     float_1 = 191981.0             # <<<<<<<<<<<<<<
 *     bool_1 = True
 *     complex_1 = 1 + 2j
 */
  __pyx_v_float_1 = 191981.0;

  /* "test2.py":12
 *     int_1 = 114514
 *     float_1 = 191981.0
 *     bool_1 = True             # <<<<<<<<<<<<<<
 *     complex_1 = 1 + 2j
 * 
 */
  __pyx_v_bool_1 = 1;

  /* "test2.py":13
 *     float_1 = 191981.0
 *     bool_1 = True
 *     complex_1 = 1 + 2j             # <<<<<<<<<<<<<<
 * 
 *     print(int_1 * 2)
 */
  __pyx_t_1 = __Pyx_c_sum_double(__pyx_t_double_complex_from_parts(1, 0), __pyx_t_double_complex_from_parts(0, 2.0));
  __pyx_t_2 = __pyx_PyComplex_FromComplex(__pyx_t_1); if (unlikely(!__pyx_t_2)) __PYX_ERR(0, 13, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_t_2);
  __pyx_v_complex_1 = __pyx_t_2;
  __pyx_t_2 = 0;

  /* "test2.py":15
 *     complex_1 = 1 + 2j
 * 
 *     print(int_1 * 2)             # <<<<<<<<<<<<<<
 *     print(float_1 - 1)
 *     print(bool_1)
 */
  __pyx_t_2 = PyNumber_Multiply(__pyx_v_int_1, __pyx_int_2); if (unlikely(!__pyx_t_2)) __PYX_ERR(0, 15, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_t_2);
  __pyx_t_3 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_2); if (unlikely(!__pyx_t_3)) __PYX_ERR(0, 15, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_t_3);
  __Pyx_DECREF(__pyx_t_2); __pyx_t_2 = 0;
  __Pyx_DECREF(__pyx_t_3); __pyx_t_3 = 0;

  /* "test2.py":16
 * 
 *     print(int_1 * 2)
 *     print(float_1 - 1)             # <<<<<<<<<<<<<<
 *     print(bool_1)
 *     print(complex_1 + 3)
 */
  __pyx_t_3 = PyFloat_FromDouble((__pyx_v_float_1 - 1.0)); if (unlikely(!__pyx_t_3)) __PYX_ERR(0, 16, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_t_3);
  __pyx_t_2 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_3); if (unlikely(!__pyx_t_2)) __PYX_ERR(0, 16, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_t_2);
  __Pyx_DECREF(__pyx_t_3); __pyx_t_3 = 0;
  __Pyx_DECREF(__pyx_t_2); __pyx_t_2 = 0;

  /* "test2.py":17
 *     print(int_1 * 2)
 *     print(float_1 - 1)
 *     print(bool_1)             # <<<<<<<<<<<<<<
 *     print(complex_1 + 3)
 * 
 */
  __pyx_t_2 = __Pyx_PyBool_FromLong(__pyx_v_bool_1); if (unlikely(!__pyx_t_2)) __PYX_ERR(0, 17, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_t_2);
  __pyx_t_3 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_2); if (unlikely(!__pyx_t_3)) __PYX_ERR(0, 17, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_t_3);
  __Pyx_DECREF(__pyx_t_2); __pyx_t_2 = 0;
  __Pyx_DECREF(__pyx_t_3); __pyx_t_3 = 0;

  /* "test2.py":18
 *     print(float_1 - 1)
 *     print(bool_1)
 *     print(complex_1 + 3)             # <<<<<<<<<<<<<<
 * 
 * def func_Str():
 */
  __pyx_t_3 = __Pyx_PyInt_AddObjC(__pyx_v_complex_1, __pyx_int_3, 3, 0, 0); if (unlikely(!__pyx_t_3)) __PYX_ERR(0, 18, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_t_3);
  __pyx_t_2 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_3); if (unlikely(!__pyx_t_2)) __PYX_ERR(0, 18, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_t_2);
  __Pyx_DECREF(__pyx_t_3); __pyx_t_3 = 0;
  __Pyx_DECREF(__pyx_t_2); __pyx_t_2 = 0;

  /* "test2.py":9
 * """
 * 
 * def func_DataType():             # <<<<<<<<<<<<<<
 *     int_1 = 114514
 *     float_1 = 191981.0
 */

  /* function exit code */
  __pyx_r = Py_None; __Pyx_INCREF(Py_None);
  goto __pyx_L0;
  __pyx_L1_error:;
  __Pyx_XDECREF(__pyx_t_2);
  __Pyx_XDECREF(__pyx_t_3);
  __Pyx_AddTraceback("test2.func_DataType", __pyx_clineno, __pyx_lineno, __pyx_filename);
  __pyx_r = NULL;
  __pyx_L0:;
  __Pyx_XDECREF(__pyx_v_int_1);
  __Pyx_XDECREF(__pyx_v_complex_1);
  __Pyx_XGIVEREF(__pyx_r);
  __Pyx_RefNannyFinishContext();
  return __pyx_r;
}

`int_1 = 114514`

1
2
3

PyObject *__pyx_v_int_1 = NULL;  
__Pyx_INCREF(__pyx_int_114514);
__pyx_v_int_1 = __pyx_int_114514;

这个特征其实不是很明显，因为并没有直接调用API进行操作。不过还好这里没有出现内联问题。

而__pyx_int_114514在__Pyx_InitGlobals()函数中被引用。此函数则在__pyx_pymod_exec_test2()函数的前部分被调用，用于初始化一些全局常量。

static CYTHON_SMALL_CODE int __Pyx_InitGlobals(void) {
  __pyx_umethod_PyUnicode_Type_format.type = (PyObject*)&PyUnicode_Type;
  __pyx_umethod_PyUnicode_Type_index.type = (PyObject*)&PyUnicode_Type;
  if (__Pyx_InitStrings(__pyx_string_tab) < 0) __PYX_ERR(0, 1, __pyx_L1_error);
  __pyx_int_0 = PyInt_FromLong(0); if (unlikely(!__pyx_int_0)) __PYX_ERR(0, 1, __pyx_L1_error)
  __pyx_int_2 = PyInt_FromLong(2); if (unlikely(!__pyx_int_2)) __PYX_ERR(0, 1, __pyx_L1_error)
  __pyx_int_3 = PyInt_FromLong(3); if (unlikely(!__pyx_int_3)) __PYX_ERR(0, 1, __pyx_L1_error)
  __pyx_int_7 = PyInt_FromLong(7); if (unlikely(!__pyx_int_7)) __PYX_ERR(0, 1, __pyx_L1_error)
  __pyx_int_114514 = PyInt_FromLong(114514L); if (unlikely(!__pyx_int_114514)) __PYX_ERR(0, 1, __pyx_L1_error)
  return 0;
  __pyx_L1_error:;
  return -1;
}

由于CYTHON_SMALL_CODE的声明，导致此函数会被内联。在IDA的exec函数中，我们会找到这个样子的代码：

}
qword_18000CC88 = PyLong_FromLong(0i64);
if ( !qword_18000CC88
  || (qword_18000CD38 = PyLong_FromLong(2i64)) == 0
  || (qword_18000CCD0 = PyLong_FromLong(3i64)) == 0
  || (qword_18000CD50 = PyLong_FromLong(7i64)) == 0
  || (qword_18000CD58 = PyLong_FromLong(114514i64)) == 0 )
{

不错的是PyLong_FromLong()等相似基本类型构造函数都是外部API，所以还是很明显的。

对着qword_18000CD58（后面重命名为int_114514了）交叉引用，便能够找到在func_DataType()中的相关代码。

1 2	v2 = (_QWORD )int_114514; ++(_QWORD *)int_114514;

`float_1 = 191981.0`

C文件中：

1 2	double __pyx_v_float_1; __pyx_v_float_1 = 191981.0;

被直接变成C风格的浮点类了。这种最容易被优化，所以基本没有直接找到的希望。

`bool_1 = True`

1 2	int __pyx_v_bool_1; __pyx_v_bool_1 = 1;

变成了C的整型。但是打印的时候还是得打印出True字符串而不是数字1，所以接着往后看。

`complex_1 = 1 + 2j`

__pyx_t_1 = __Pyx_c_sum_double(__pyx_t_double_complex_from_parts(1, 0), __pyx_t_double_complex_from_parts(0, 2.0));
__pyx_t_2 = __pyx_PyComplex_FromComplex(__pyx_t_1); if (unlikely(!__pyx_t_2)) __PYX_ERR(0, 13, __pyx_L1_error)
__Pyx_GOTREF(__pyx_t_2);
__pyx_v_complex_1 = __pyx_t_2;
__pyx_t_2 = 0;

三个函数，一个结构体

`__pyx_t_double_complex_from_parts()`

/* Declarations */
#if CYTHON_CCOMPLEX
  #ifdef __cplusplus
    static CYTHON_INLINE __pyx_t_double_complex __pyx_t_double_complex_from_parts(double x, double y) {
      return ::std::complex< double >(x, y);
    }
  #else
    static CYTHON_INLINE __pyx_t_double_complex __pyx_t_double_complex_from_parts(double x, double y) {
      return x + y*(__pyx_t_double_complex)_Complex_I;
    }
  #endif
#else
    static CYTHON_INLINE __pyx_t_double_complex __pyx_t_double_complex_from_parts(double x, double y) {
      __pyx_t_double_complex z;
      z.real = x;
      z.imag = y;
      return z;
    }
#endif

会被内联。暂时也不知道到底选择的是哪种模式。

`__pyx_t_double_complex`复数结构体

/* Declarations.proto */
#if CYTHON_CCOMPLEX
  #ifdef __cplusplus
    typedef ::std::complex< double > __pyx_t_double_complex;
  #else
    typedef double _Complex __pyx_t_double_complex;
  #endif
#else
    typedef struct { double real, imag; } __pyx_t_double_complex;
#endif
static CYTHON_INLINE __pyx_t_double_complex __pyx_t_double_complex_from_parts(double, double);

结构体其实挺麻烦的，因为IDA基本上是识别不出来的，必然会被拆分开来。

__Pyx_c_sum_double()

/* Arithmetic.proto */
#if CYTHON_CCOMPLEX
#define __Pyx_c_sum_double(a, b)  ((a)+(b))
#else
static CYTHON_INLINE __pyx_t_double_complex __Pyx_c_sum_double(__pyx_t_double_complex, __pyx_t_double_complex);

#if CYTHON_CCOMPLEX
static CYTHON_INLINE __pyx_t_double_complex __Pyx_c_sum_double(__pyx_t_double_complex a, __pyx_t_double_complex b) {
    __pyx_t_double_complex z;
    z.real = a.real + b.real;
    z.imag = a.imag + b.imag;
    return z;
}

也是被内联了。

__pyx_PyComplex_FromComplex()

/* RealImag.proto */
#if CYTHON_CCOMPLEX
  #ifdef __cplusplus
    #define __Pyx_CREAL(z) ((z).real())
    #define __Pyx_CIMAG(z) ((z).imag())
  #else
    #define __Pyx_CREAL(z) (__real__(z))
    #define __Pyx_CIMAG(z) (__imag__(z))
  #endif
#else
    #define __Pyx_CREAL(z) ((z).real)
    #define __Pyx_CIMAG(z) ((z).imag)
#endif

/* ToPy.proto */
#define __pyx_PyComplex_FromComplex(z)\
        PyComplex_FromDoubles((double)__Pyx_CREAL(z),\
                              (double)__Pyx_CIMAG(z))

总结一下，暂时没有什么好定位的特征点，这些函数基本由于内联，以及常量传递等方法已经被优化掉了。

`print(int_1 * 2)`

__pyx_t_2 = PyNumber_Multiply(__pyx_v_int_1, __pyx_int_2); if (unlikely(!__pyx_t_2)) __PYX_ERR(0, 15, __pyx_L1_error)
__Pyx_GOTREF(__pyx_t_2);
__pyx_t_3 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_2); if (unlikely(!__pyx_t_3)) __PYX_ERR(0, 15, __pyx_L1_error)
__Pyx_GOTREF(__pyx_t_3);
__Pyx_DECREF(__pyx_t_2); __pyx_t_2 = 0;
__Pyx_DECREF(__pyx_t_3); __pyx_t_3 = 0;

特征很明显，PyNumber_Multiply()，后面调用的那个函数很明显也是__Pyx_PyObject_CallOneArg()。

`PyNumber_Multiply()`

int_114514_mult2 = PyNumber_Multiply(int_114514_, int_2);
v7 = (_QWORD *)int_114514_mult2;
if ( !int_114514_mult2 )
{
  v4 = 15;
  v5 = 1546;
  goto LABEL_48;
}
v8 = (_QWORD *)sub_180004B80(glob_func_print, int_114514_mult2);

`print(float_1 - 1)`

__pyx_t_3 = PyFloat_FromDouble((__pyx_v_float_1 - 1.0)); if (unlikely(!__pyx_t_3)) __PYX_ERR(0, 16, __pyx_L1_error)
__Pyx_GOTREF(__pyx_t_3);
__pyx_t_2 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_3); if (unlikely(!__pyx_t_2)) __PYX_ERR(0, 16, __pyx_L1_error)
__Pyx_GOTREF(__pyx_t_2);
__Pyx_DECREF(__pyx_t_3); __pyx_t_3 = 0;
__Pyx_DECREF(__pyx_t_2); __pyx_t_2 = 0;

关注两个点，

`PyFloat_FromDouble()`

1	v10 = PyFloat_FromDouble();

没传参？应该是反汇编界面错误。

1 2	movsd xmm0, cs:qword_1800086A8 call cs:PyFloat_FromDouble

把qword_1800086A8或者函数传参设置类型为浮点型。再次反编译后得到

1	v12 = (_QWORD *)PyFloat_FromDouble(191980.0);

后面就是打印

1	v11 = (_QWORD )__Pyx_PyObject_CallOneArg((_QWORD )glob_func_print, float_191980);

回想上一个博客的内容，上一次调用的是__Pyx_PrintOne()函数打印字符串的，且在二进制文件中被内联了，所以只能根据一些特征，和方法调用来观察。而这个函数在这次并没有被内联。

`print(bool_1)`

__pyx_t_2 = __Pyx_PyBool_FromLong(__pyx_v_bool_1); if (unlikely(!__pyx_t_2)) __PYX_ERR(0, 17, __pyx_L1_error)
__Pyx_GOTREF(__pyx_t_2);
__pyx_t_3 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_2); if (unlikely(!__pyx_t_3)) __PYX_ERR(0, 17, __pyx_L1_error)
__Pyx_GOTREF(__pyx_t_3);
__Pyx_DECREF(__pyx_t_2); __pyx_t_2 = 0;
__Pyx_DECREF(__pyx_t_3); __pyx_t_3 = 0;

`__Pyx_PyBool_FromLong()`

#define __Pyx_NewRef(obj) (Py_INCREF(obj), obj)

static CYTHON_INLINE PyObject * __Pyx_PyBool_FromLong(long b) {
  return b ? __Pyx_NewRef(Py_True) : __Pyx_NewRef(Py_False);
}

又是个屑内联。

且__Pyx_NewRef()也是个指针操作，所以不算是什么好的锚点。

`Py_True`

这个倒是个有意思的元素。

在python/include/boolobject.h中定义。

/* Don't use these directly */
PyAPI_DATA(struct _longobject) _Py_FalseStruct, _Py_TrueStruct;

// pyport.h
#define PyAPI_DATA(RTYPE) extern __declspec(dllexport) RTYPE

#define Py_False ((PyObject *) &_Py_FalseStruct)
#define Py_True ((PyObject *) &_Py_TrueStruct)

// struct _longobject 在 longobject.h中
typedef struct _longobject PyLongObject; /* Revealed in longintrepr.h */
// 在 longinteger.h中
struct _longobject {
    PyObject_VAR_HEAD
    digit ob_digit[1];
};

#if PYLONG_BITS_IN_DIGIT == 30
typedef uint32_t digit;
#elif PYLONG_BITS_IN_DIGIT == 15
typedef unsigned short digit;

// object.h中
#define PyObject_VAR_HEAD      PyVarObject ob_base;

typedef struct {
    PyObject ob_base;
    Py_ssize_t ob_size; /* Number of items in variable part */
} PyVarObject;

// pyport.h
#ifdef HAVE_SSIZE_T
typedef ssize_t         Py_ssize_t;
#elif SIZEOF_VOID_P == SIZEOF_SIZE_T
typedef Py_intptr_t     Py_ssize_t;

typedef intptr_t        Py_intptr_t;

// object.h
typedef struct _object {
    _PyObject_HEAD_EXTRA
    Py_ssize_t ob_refcnt;
    struct _typeobject *ob_type;
} PyObject;

#define _PyObject_HEAD_EXTRA

#ifdef Py_LIMITED_API
typedef struct _typeobject PyTypeObject; /* opaque */
#else
typedef struct _typeobject {
	// 超级长的代码，别看了
} PyTypeObject;
#endif

这一个结构体是有够复杂的。不过看上去比较好的是，由于实际上这是一个extern对象（由PyAPI_DATA()宏定义），所以是保留了符号的。

v7 = (_QWORD *)++Py_TrueStruct[0];
if ( !Py_TrueStruct[0] )
{
  v4 = LODWORD(Py_TrueStruct[0]) + 17;
  v5 = 1574;
  goto LABEL_48;
}
v12 = (_QWORD *)__Pyx_PyObject_CallOneArg((_QWORD *)glob_func_print, (_QWORD *)Py_TrueStruct[0]);

直接就这样看吧。

`print(complex_1 + 3)`

__pyx_t_3 = __Pyx_PyInt_AddObjC(__pyx_v_complex_1, __pyx_int_3, 3, 0, 0); if (unlikely(!__pyx_t_3)) __PYX_ERR(0, 18, __pyx_L1_error)
__Pyx_GOTREF(__pyx_t_3);
__pyx_t_2 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_3); if (unlikely(!__pyx_t_2)) __PYX_ERR(0, 18, __pyx_L1_error)
__Pyx_GOTREF(__pyx_t_2);
__Pyx_DECREF(__pyx_t_3); __pyx_t_3 = 0;
__Pyx_DECREF(__pyx_t_2); __pyx_t_2 = 0;

`__Pyx_PyInt_AddObjC`

/* PyIntBinop */
#if !CYTHON_COMPILING_IN_PYPY
static PyObject* __Pyx_PyInt_AddObjC(PyObject *op1, PyObject *op2, CYTHON_UNUSED long intval, int inplace, int zerodivision_check) {
    (void)inplace;
    (void)zerodivision_check;
    #if PY_MAJOR_VERSION < 3
    if (likely(PyInt_CheckExact(op1))) {
        const long b = intval;
        long x;
        long a = PyInt_AS_LONG(op1);
            x = (long)((unsigned long)a + b);
            if (likely((x^a) >= 0 || (x^b) >= 0))
                return PyInt_FromLong(x);
            return PyLong_Type.tp_as_number->nb_add(op1, op2);
    }
    #endif
    #if CYTHON_USE_PYLONG_INTERNALS
    if (likely(PyLong_CheckExact(op1))) {
        const long b = intval;
        long a, x;
#ifdef HAVE_LONG_LONG
        const PY_LONG_LONG llb = intval;
        PY_LONG_LONG lla, llx;
#endif
        const digit* digits = ((PyLongObject*)op1)->ob_digit;
        const Py_ssize_t size = Py_SIZE(op1);
        if (likely(__Pyx_sst_abs(size) <= 1)) {
            a = likely(size) ? digits[0] : 0;
            if (size == -1) a = -a;
        } else {
            switch (size) {
                case -2:
                    if (8 * sizeof(long) - 1 > 2 * PyLong_SHIFT) {
                        a = -(long) (((((unsigned long)digits[1]) << PyLong_SHIFT) | (unsigned long)digits[0]));
                        break;
#ifdef HAVE_LONG_LONG
                    } else if (8 * sizeof(PY_LONG_LONG) - 1 > 2 * PyLong_SHIFT) {
                        lla = -(PY_LONG_LONG) (((((unsigned PY_LONG_LONG)digits[1]) << PyLong_SHIFT) | (unsigned PY_LONG_LONG)digits[0]));
                        goto long_long;
#endif
                    }
                    CYTHON_FALLTHROUGH;
                case 2:
                    if (8 * sizeof(long) - 1 > 2 * PyLong_SHIFT) {
                        a = (long) (((((unsigned long)digits[1]) << PyLong_SHIFT) | (unsigned long)digits[0]));
                        break;
#ifdef HAVE_LONG_LONG
                    } else if (8 * sizeof(PY_LONG_LONG) - 1 > 2 * PyLong_SHIFT) {
                        lla = (PY_LONG_LONG) (((((unsigned PY_LONG_LONG)digits[1]) << PyLong_SHIFT) | (unsigned PY_LONG_LONG)digits[0]));
                        goto long_long;
#endif
                    }
                    CYTHON_FALLTHROUGH;
                case -3:
                    if (8 * sizeof(long) - 1 > 3 * PyLong_SHIFT) {
                        a = -(long) (((((((unsigned long)digits[2]) << PyLong_SHIFT) | (unsigned long)digits[1]) << PyLong_SHIFT) | (unsigned long)digits[0]));
                        break;
#ifdef HAVE_LONG_LONG
                    } else if (8 * sizeof(PY_LONG_LONG) - 1 > 3 * PyLong_SHIFT) {
                        lla = -(PY_LONG_LONG) (((((((unsigned PY_LONG_LONG)digits[2]) << PyLong_SHIFT) | (unsigned PY_LONG_LONG)digits[1]) << PyLong_SHIFT) | (unsigned PY_LONG_LONG)digits[0]));
                        goto long_long;
#endif
                    }
                    CYTHON_FALLTHROUGH;
                case 3:
                    if (8 * sizeof(long) - 1 > 3 * PyLong_SHIFT) {
                        a = (long) (((((((unsigned long)digits[2]) << PyLong_SHIFT) | (unsigned long)digits[1]) << PyLong_SHIFT) | (unsigned long)digits[0]));
                        break;
#ifdef HAVE_LONG_LONG
                    } else if (8 * sizeof(PY_LONG_LONG) - 1 > 3 * PyLong_SHIFT) {
                        lla = (PY_LONG_LONG) (((((((unsigned PY_LONG_LONG)digits[2]) << PyLong_SHIFT) | (unsigned PY_LONG_LONG)digits[1]) << PyLong_SHIFT) | (unsigned PY_LONG_LONG)digits[0]));
                        goto long_long;
#endif
                    }
                    CYTHON_FALLTHROUGH;
                case -4:
                    if (8 * sizeof(long) - 1 > 4 * PyLong_SHIFT) {
                        a = -(long) (((((((((unsigned long)digits[3]) << PyLong_SHIFT) | (unsigned long)digits[2]) << PyLong_SHIFT) | (unsigned long)digits[1]) << PyLong_SHIFT) | (unsigned long)digits[0]));
                        break;
#ifdef HAVE_LONG_LONG
                    } else if (8 * sizeof(PY_LONG_LONG) - 1 > 4 * PyLong_SHIFT) {
                        lla = -(PY_LONG_LONG) (((((((((unsigned PY_LONG_LONG)digits[3]) << PyLong_SHIFT) | (unsigned PY_LONG_LONG)digits[2]) << PyLong_SHIFT) | (unsigned PY_LONG_LONG)digits[1]) << PyLong_SHIFT) | (unsigned PY_LONG_LONG)digits[0]));
                        goto long_long;
#endif
                    }
                    CYTHON_FALLTHROUGH;
                case 4:
                    if (8 * sizeof(long) - 1 > 4 * PyLong_SHIFT) {
                        a = (long) (((((((((unsigned long)digits[3]) << PyLong_SHIFT) | (unsigned long)digits[2]) << PyLong_SHIFT) | (unsigned long)digits[1]) << PyLong_SHIFT) | (unsigned long)digits[0]));
                        break;
#ifdef HAVE_LONG_LONG
                    } else if (8 * sizeof(PY_LONG_LONG) - 1 > 4 * PyLong_SHIFT) {
                        lla = (PY_LONG_LONG) (((((((((unsigned PY_LONG_LONG)digits[3]) << PyLong_SHIFT) | (unsigned PY_LONG_LONG)digits[2]) << PyLong_SHIFT) | (unsigned PY_LONG_LONG)digits[1]) << PyLong_SHIFT) | (unsigned PY_LONG_LONG)digits[0]));
                        goto long_long;
#endif
                    }
                    CYTHON_FALLTHROUGH;
                default: return PyLong_Type.tp_as_number->nb_add(op1, op2);
            }
        }
                x = a + b;
            return PyLong_FromLong(x);
#ifdef HAVE_LONG_LONG
        long_long:
                llx = lla + llb;
            return PyLong_FromLongLong(llx);
#endif
        
        
    }
    #endif
    if (PyFloat_CheckExact(op1)) {
        const long b = intval;
        double a = PyFloat_AS_DOUBLE(op1);
            double result;
            PyFPE_START_PROTECT("add", return NULL)
            result = ((double)a) + (double)b;
            PyFPE_END_PROTECT(result)
            return PyFloat_FromDouble(result);
    }
    return (inplace ? PyNumber_InPlaceAdd : PyNumber_Add)(op1, op2);
}
#endif

其特征就是有个switch-case和多个if-else判断。此函数会被内联。

IDA中

if ( v9 )
   (*(void (__fastcall **)(_QWORD *))(v12[1] + 48i64))(v12);
 v13 = *(_QWORD *)(v1 + 8);
 if ( v13 == PyLong_Type )
 {
   v14 = *(_QWORD *)(v1 + 16);
   if ( (__int64)abs64(v14) > 1 )
   {
     switch ( v14 )
     {
       case -2i64:
         v17 = (_QWORD *)PyLong_FromLongLong(3 - (*(unsigned int *)(v1 + 24) | ((unsigned __int64)*(unsigned int *)(v1 + 28) << 30)));
         break;
       case 2i64:
         v17 = (_QWORD *)PyLong_FromLongLong((*(unsigned int *)(v1 + 24) | ((unsigned __int64)*(unsigned int *)(v1 + 28) << 30)) + 3);
         break;
       default:
         v17 = (_QWORD *)(**((__int64 (__fastcall ***)(__int64, __int64))&PyLong_Type + 12))(v1, int_3);
         break;
     }
   }
   else
   {
     if ( v14 )
       v15 = *(_DWORD *)(v1 + 24);
     else
       v15 = 0;
     v16 = -v15;
     if ( v14 != -1 )
       v16 = v15;
     v17 = (_QWORD *)PyLong_FromLong((unsigned int)(v16 + 3));	// 和下面2个一样都是+3
   }
 }
 else if ( v13 == PyFloat_Type )
 {
   v17 = (_QWORD *)PyFloat_FromDouble(*(double *)(v1 + 16) + 3.0);
 }
 else
 {
   v17 = (_QWORD *)PyNumber_Add(v1, int_3);	
 }
 v7 = v17;
 if ( !v17 )
 {
   v4 = 18;
   v5 = 1588;
   goto LABEL_48;
 }
 v18 = (_QWORD *)__Pyx_PyObject_CallOneArg((_QWORD *)glob_func_print, v17);

后半部分的＋3倒是挺清晰的，但是初始化部分还是很乱。

注意到v1的使用，且伴有偏移，极有可能是结构体。

往上翻相关引用。

v1 = 0i64;
v3 = PyComplex_FromDoubles(1.0);
if ( !v3 )
{
	v4 = 13;
	v5 = 1534;
LABEL_48:
	AddTraceBack(aTest2FuncDatat, v5, v4, aTest2Py);
	goto LABEL_54;
}
v1 = v3;

这里调用了

PyComplex_FromDoubles()函数

根据python/include/complexobject.h定义

1	PyAPI_FUNC(PyObject *) PyComplex_FromDoubles(double real, double imag);

在IDA里面调整类型，得到

1	v3 = PyComplex_FromDoubles(1.0, 2.0);

汇编

.text:0000000180007548                 movsd   xmm1, cs:qword_180008698 ; double	
; ...
.text:0000000180007553                 movsd   xmm0, cs:qword_180008690 ; double
; ...
.text:0000000180007581                 call    cs:PyComplex_FromDoubles

`func_Str()`

`str_1 = "teststr1"` 等

 /* "test2.py":21
* 
* def func_Str():
*     str_1 = "teststr1"             # <<<<<<<<<<<<<<
*     str_2 = "teststr2"
*     str_3 = "1_2_3_4_5_"
*/
 __Pyx_INCREF(__pyx_n_u_teststr1);
 __pyx_v_str_1 = __pyx_n_u_teststr1;

后面几个初始化都是一样的。上个博客已经写过了。

IDA中

++*(_QWORD *)::str_1;
str_1 = ::str_1;
++*(_QWORD *)::str_2;
str_2 = (_QWORD *)::str_2;
++*(_QWORD *)::str_3;
str_3 = (_QWORD *)::str_3;
v58 = (_QWORD *)::str_3;
++*(_QWORD *)::str_fmt;
str_fmt = (_QWORD *)::str_fmt;

`print(str_1[0:4])`

__pyx_t_1 = __Pyx_PyUnicode_Substring(__pyx_v_str_1, 0, 4); if (unlikely(!__pyx_t_1)) __PYX_ERR(0, 25, __pyx_L1_error)
__Pyx_GOTREF(__pyx_t_1);
__pyx_t_2 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_1); if (unlikely(!__pyx_t_2)) __PYX_ERR(0, 25, __pyx_L1_error)
__Pyx_GOTREF(__pyx_t_2);
__Pyx_DECREF(__pyx_t_1); __pyx_t_1 = 0;
__Pyx_DECREF(__pyx_t_2); __pyx_t_2 = 0;

`__Pyx_PyUnicode_Substring()`

会被内联

/* PyUnicode_Substring */
static CYTHON_INLINE PyObject* __Pyx_PyUnicode_Substring( 
    PyObject* text, 
    Py_ssize_t start, 
    Py_ssize_t stop
) {
    Py_ssize_t length;
    if (unlikely(__Pyx_PyUnicode_READY(text) == -1)) return NULL;
    length = __Pyx_PyUnicode_GET_LENGTH(text);
    if (start < 0) {
        start += length;
        if (start < 0)
            start = 0;
    }
    if (stop < 0)
        stop += length;
    else if (stop > length)
        stop = length;
    if (stop <= start)
        return __Pyx_NewRef(__pyx_empty_unicode);
#if CYTHON_PEP393_ENABLED
    return PyUnicode_FromKindAndData(PyUnicode_KIND(text),
        PyUnicode_1BYTE_DATA(text) + start*PyUnicode_KIND(text), stop-start);
#else
    return PyUnicode_FromUnicode(PyUnicode_AS_UNICODE(text)+start, stop-start);
#endif
}

PyUnicode_FromUnicode()或PyUnicode_FromKindAndData()是特征。

PyUnicode_Ready()外部API也有可能是特征。

1 2	#define __Pyx_PyUnicode_READY(op) (likely(PyUnicode_IS_READY(op)) ?\ 0 : _PyUnicode_Ready((PyObject *)(op)))

意思就是从Unicode字符串中根据长度和偏移再返回一个Unicode字符串。

二进制下

if ( *(char *)(str_1 + 32) >= 0 && (unsigned int)PyUnicode_Ready(str_1) == -1 )
  goto LABEL_13;
v7 = *(_QWORD *)(str_1 + 16);		// 长度length
if ( v7 >= 4 || (v2 = *(_QWORD *)(str_1 + 16), v7 > 0) )	// [0:4]
{
  v9 = *(_DWORD *)(str_1 + 32);
  if ( (v9 & 0x20) != 0 )
  {
    v10 = 48i64;
    if ( (v9 & 0x40) == 0 )
      v10 = 72i64;
    v11 = str_1 + v10;
  }
  else
  {
    v11 = *(_QWORD *)(str_1 + 72);
  }
  v8 = (_QWORD *)PyUnicode_FromKindAndData((v9 >> 2) & 7, v11, v2);
}

`__Pyx_PyObject_CallOneArg()`

/* PyObjectCallOneArg */
#if CYTHON_COMPILING_IN_CPYTHON
static PyObject* __Pyx__PyObject_CallOneArg(PyObject *func, PyObject *arg) {
    PyObject *result;
    PyObject *args = PyTuple_New(1);
    if (unlikely(!args)) return NULL;
    Py_INCREF(arg);
    PyTuple_SET_ITEM(args, 0, arg);
    result = __Pyx_PyObject_Call(func, args, NULL);
    Py_DECREF(args);
    return result;
}

static CYTHON_INLINE PyObject* __Pyx_PyObject_CallOneArg(PyObject *func, PyObject *arg) {
#if CYTHON_FAST_PYCALL
    if (PyFunction_Check(func)) {
        return __Pyx_PyFunction_FastCall(func, &arg, 1);
    }
#endif
    if (likely(PyCFunction_Check(func))) {
        if (likely(PyCFunction_GET_FLAGS(func) & METH_O)) {
            return __Pyx_PyObject_CallMethO(func, arg);
#if CYTHON_FAST_PYCCALL
        } else if (__Pyx_PyFastCFunction_Check(func)) {
            return __Pyx_PyCFunction_FastCall(func, &arg, 1);
#endif
        }
    }
    return __Pyx__PyObject_CallOneArg(func, arg);
}
#else
static CYTHON_INLINE PyObject* __Pyx_PyObject_CallOneArg(PyObject *func, PyObject *arg) {
    PyObject *result;
    PyObject *args = PyTuple_Pack(1, arg);
    if (unlikely(!args)) return NULL;
    result = __Pyx_PyObject_Call(func, args, NULL);
    Py_DECREF(args);
    return result;
}
#endif

有意思的是虽然明确了要内联，但这里却没有。可能是因为我的测试样本中print()函数调用了太多次，导致编译器认为内联了也没有优化作用。

不过要是内联的话，关注__Pyx_PyObject_Call()里面调用的函数和参数是啥就好了。

`print(str_1[-4:-1])`

__pyx_t_2 = __Pyx_PyUnicode_Substring(__pyx_v_str_1, -4L, -1L); if (unlikely(!__pyx_t_2)) __PYX_ERR(0, 26, __pyx_L1_error)
__Pyx_GOTREF(__pyx_t_2);
__pyx_t_1 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_2); if (unlikely(!__pyx_t_1)) __PYX_ERR(0, 26, __pyx_L1_error)
__Pyx_GOTREF(__pyx_t_1);
__Pyx_DECREF(__pyx_t_2); __pyx_t_2 = 0;
__Pyx_DECREF(__pyx_t_1); __pyx_t_1 = 0;

没有本质上的区别，不过在长度判断上，即if块那边反编译器整理出来的结果要稍微混乱一点。

 v15 = (*substr)-- == 1i64;
  if ( v15 )
    (*(void (__fastcall **)(_QWORD *))(substr[1] + 48i64))(substr);
  v15 = (*v14)-- == 1i64;
  if ( v15 )
    (*(void (__fastcall **)(_QWORD *))(v14[1] + 48i64))(v14);
  if ( *(char *)(str_1 + 32) >= 0 && (unsigned int)PyUnicode_Ready(str_1) == -1 )
    goto LABEL_33;
  len_1 = *(_QWORD *)(str_1 + 16);		// 长度
  v17 = 0i64;
  v18 = len_1 - 1;
  if ( len_1 - 4 >= 0 )
    v17 = len_1 - 4;
  if ( v18 > v17 )	// len - 4 > len - 1; 	str_1[-4:-1]
  {
    v19 = *(unsigned int *)(str_1 + 32);
    if ( (v19 & 0x20) != 0 )
      v20 = (v19 & 0x40) != 0 ? str_1 + 48 : str_1 + 72;
    else
      v20 = *(_QWORD *)(str_1 + 72);
    substr = (_QWORD *)PyUnicode_FromKindAndData(((unsigned int)v19 >> 2) & 7, v20 + v17 * ((v19 >> 2) & 7), v18 - v17);
  }
  else
  {
    substr = a2;
    ++*a2;
  }
  if ( !substr )
  {
LABEL_33:
    v12 = 26;
    v13 = 1717;
    goto LABEL_176;
  }
  v21 = (_QWORD *)_Pyx_CallOneArg(glob_func_print, substr);
  if ( !v21 )
  {
    v12 = 26;
    v13 = 1719;
    goto LABEL_152;
  }

`print(str_1[0])`

__pyx_t_3 = __Pyx_GetItemInt_Unicode(__pyx_v_str_1, 0, long, 1, __Pyx_PyInt_From_long, 0, 0, 1); if (unlikely(__pyx_t_3 == (Py_UCS4)-1)) __PYX_ERR(0, 27, __pyx_L1_error)
__pyx_t_1 = PyUnicode_FromOrdinal(__pyx_t_3); if (unlikely(!__pyx_t_1)) __PYX_ERR(0, 27, __pyx_L1_error)
__Pyx_GOTREF(__pyx_t_1);
__pyx_t_2 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_1); if (unlikely(!__pyx_t_2)) __PYX_ERR(0, 27, __pyx_L1_error)
__Pyx_GOTREF(__pyx_t_2);
__Pyx_DECREF(__pyx_t_1); __pyx_t_1 = 0;
__Pyx_DECREF(__pyx_t_2); __pyx_t_2 = 0;

单独取这一个值，结果调用的函数又不一样了。

表达的意思跟

1	print(chr(ord(str_1[0])))

一样。

`__Pyx_GetItemInt_Unicode()`

应该是获得Unicode字符的数字形式，相当于ord()。

/* GetItemIntUnicode.proto */
#define __Pyx_GetItemInt_Unicode(o, i, type, is_signed, to_py_func, is_list, wraparound, boundscheck)\
    (__Pyx_fits_Py_ssize_t(i, type, is_signed) ?\
    __Pyx_GetItemInt_Unicode_Fast(o, (Py_ssize_t)i, wraparound, boundscheck) :\
    (PyErr_SetString(PyExc_IndexError, "string index out of range"), (Py_UCS4)-1))
static CYTHON_INLINE Py_UCS4 __Pyx_GetItemInt_Unicode_Fast(PyObject* ustring, Py_ssize_t i,
                                                           int wraparound, int boundscheck);
// __Pyx_fits_Py_ssize_t() 全是判断与比较，不好作为特征。
#define __Pyx_fits_Py_ssize_t(v, type, is_signed)  (\
    (sizeof(type) < sizeof(Py_ssize_t))  ||\
    (sizeof(type) > sizeof(Py_ssize_t) &&\
          likely(v < (type)PY_SSIZE_T_MAX ||\
                 v == (type)PY_SSIZE_T_MAX)  &&\
          (!is_signed || likely(v > (type)PY_SSIZE_T_MIN ||\
                                v == (type)PY_SSIZE_T_MIN)))  ||\
    (sizeof(type) == sizeof(Py_ssize_t) &&\
          (is_signed || likely(v < (type)PY_SSIZE_T_MAX ||\
                               v == (type)PY_SSIZE_T_MAX)))  )

// __Pyx_GetItemInt_Unicode_Fast
// PyUnicode_Read()和PyErr_SetString()是一个特征，但是不足以让人了解到底取得是哪个值。
// 
static CYTHON_INLINE Py_UCS4 __Pyx_GetItemInt_Unicode_Fast(PyObject* ustring, Py_ssize_t i,
                                                           int wraparound, int boundscheck) {
    Py_ssize_t length;
    if (unlikely(__Pyx_PyUnicode_READY(ustring) < 0)) return (Py_UCS4)-1;
    if (wraparound | boundscheck) {
        length = __Pyx_PyUnicode_GET_LENGTH(ustring);	// 偏移16
        if (wraparound & unlikely(i < 0)) i += length;
        if ((!boundscheck) || likely(__Pyx_is_valid_index(i, length))) {
            return __Pyx_PyUnicode_READ_CHAR(ustring, i);
        } else {
            PyErr_SetString(PyExc_IndexError, "string index out of range");
            return (Py_UCS4)-1;
        }
    } else {
        return __Pyx_PyUnicode_READ_CHAR(ustring, i);
    }
}

#define __Pyx_PyUnicode_READ_CHAR(u, i) ((Py_UCS4)(PyUnicode_AS_UNICODE(u)[i]))
// unicodeobject.h
typedef uint32_t Py_UCS4;
#define PyUnicode_AS_UNICODE(op) \
    (assert(PyUnicode_Check(op)), \
     (((PyASCIIObject *)(op))->wstr) ? (((PyASCIIObject *)(op))->wstr) : \
      PyUnicode_AsUnicode((PyObject *)(op)))
    /* Py_DEPRECATED(3.3) */

`PyUnicode_FromOrdinal()`

输入一个数字，返回其表示的Unicode字符，相当于chr()函数。

是外部API。

IDA中

  v15 = (*substr)-- == 1i64;
  if ( v15 )
    (*(void (__fastcall **)(_QWORD *))(substr[1] + 48i64))(substr);
  v15 = (*v21)-- == 1i64;
  if ( v15 )
    (*(void (__fastcall **)(_QWORD *))(v21[1] + 48i64))(v21);
  if ( *(char *)(str_1 + 32) >= 0 && (int)PyUnicode_Ready(str_1) < 0 )
    goto LABEL_174;
  if ( !*(_QWORD *)(str_1 + 16) )
  {
    PyErr_SetString(PyExc_IndexError, aStringIndexOut);
LABEL_174:
    v13 = 1731;
    goto LABEL_175;
  }
  v22 = *(_DWORD *)(str_1 + 32);
  if ( (v22 & 0x1C) == 4 )
  {
    if ( (v22 & 0x20) != 0 )
    {
      if ( (v22 & 0x40) != 0 )
        v23 = (_QWORD *)*(unsigned __int8 *)(str_1 + 48);
      else
        v23 = (_QWORD *)*(unsigned __int8 *)(str_1 + 72);
    }
    else
    {
      v23 = (_QWORD *)**(unsigned __int8 **)(str_1 + 72);
    }
  }
  else if ( (v22 & 0x1C) == 8 )
  {
    if ( (v22 & 0x20) != 0 )
    {
      if ( (v22 & 0x40) != 0 )
        v23 = (_QWORD *)*(unsigned __int16 *)(str_1 + 48);
      else
        v23 = (_QWORD *)*(unsigned __int16 *)(str_1 + 72);
    }
    else
    {
      v23 = (_QWORD *)**(unsigned __int16 **)(str_1 + 72);
    }
  }
  else
  {
    if ( (v22 & 0x20) != 0 )
    {
      if ( (v22 & 0x40) != 0 )
        v24 = (unsigned int *)(str_1 + 48);
      else
        v24 = (unsigned int *)(str_1 + 72);
    }
    else
    {
      v24 = *(unsigned int **)(str_1 + 72);
    }
    v23 = (_QWORD *)*v24;
  }
  if ( (_DWORD)v23 == -1 )
    goto LABEL_174;
  v25 = (_QWORD *)PyUnicode_FromOrdinal(v23);
  substr = v25;
  if ( !v25 )
  {
    v13 = 1732;
LABEL_175:
    v12 = 27;
    goto LABEL_176;
  }
  v26 = (_QWORD *)_Pyx_CallOneArg(glob_func_print, v25);
  if ( !v26 )
  {
    v12 = 27;
    v13 = 1734;
    goto LABEL_152;
  }

通过这个没啥特征的玩意来判别到底取了哪个值确实很麻烦。于是我又编译了一个例子来比对。

def func_Str2():
    str1 = "123456"
    print(str1[3])

func_Str2()

// write access to const memory has been detected, the output may be wrong!
__int64 __fastcall func_Str2(__int64 a1)
{
  __int64 v1; // rbp
  __int64 str_123456; // rbx
  int v3; // ecx
  __int64 v4; // rax
  _QWORD *t; // rcx
  __int64 v6; // rax
  __int64 v7; // rax
  _QWORD *v8; // rdi
  unsigned int v9; // er14
  __int64 v10; // rsi
  __int64 v11; // rax
  _QWORD *v12; // rsi
  __int64 v13; // rdx
  int v14; // ecx
  __int64 (__fastcall *v15)(__int64, __int64 *, __int64); // r10
  __int64 v16; // rax
  __int64 v17; // rax
  _QWORD *v18; // r14
  __int64 v19; // rax
  bool v20; // zf
  __int64 v21; // rax
  __int64 v23; // [rsp+40h] [rbp+8h] BYREF

  v23 = a1;
  v1 = 0i64;
  ++*(_QWORD *)::str_123456;
  str_123456 = ::str_123456;
  if ( *(char *)(::str_123456 + 32) >= 0 && (int)PyUnicode_Ready(::str_123456) < 0 )
    goto LABEL_49;
  if ( *(_QWORD *)(str_123456 + 16) <= 3ui64 )
  {
    PyErr_SetString(PyExc_IndexError, aStringIndexOut);
LABEL_49:
    v9 = 1263;
    goto LABEL_50;
  }
  v3 = *(_DWORD *)(str_123456 + 32);
  if ( (v3 & 0x1C) == 4 )
  {
    if ( (v3 & 0x20) != 0 )
    {
      v4 = 48i64;
      if ( (v3 & 0x40) == 0 )
        v4 = 72i64;
      t = (_QWORD *)*(unsigned __int8 *)(str_123456 + v4 + 3);// str[3]
    }
    else
    {
      t = (_QWORD *)*(unsigned __int8 *)(*(_QWORD *)(str_123456 + 72) + 3i64);
    }
  }
  else if ( (v3 & 0x1C) == 8 )
  {
    if ( (v3 & 0x20) != 0 )
    {
      if ( (v3 & 0x40) != 0 )
        t = (_QWORD *)*(unsigned __int16 *)(str_123456 + 54);
      else
        t = (_QWORD *)*(unsigned __int16 *)(str_123456 + 78);
    }
    else
    {
      t = (_QWORD *)*(unsigned __int16 *)(*(_QWORD *)(str_123456 + 72) + 6i64);
    }
  }
  else
  {
    if ( (v3 & 0x20) != 0 )
    {
      if ( (v3 & 0x40) != 0 )
        v6 = str_123456 + 48;
      else
        v6 = str_123456 + 72;
    }
    else
    {
      v6 = *(_QWORD *)(str_123456 + 72);
    }
    t = (_QWORD *)*(unsigned int *)(v6 + 12);
  }
  if ( (_DWORD)t == -1 )
    goto LABEL_49;
  v7 = PyUnicode_FromOrdinal(t);
  v8 = (_QWORD *)v7;
  if ( !v7 )
  {
    v9 = 1264;
LABEL_50:
    AddTraceback(aTest2plusFuncS, v9, 3i64, aTest2plusPy);
    goto LABEL_51;
  }                                             // 以上是str[3]

  v10 = glob_func_print;                        // 以下是__Pyx_PyObject_CallOneArg()
                                                // 显然print少了以后又被内联优化了。
  v23 = v7;
  v11 = *(_QWORD *)(glob_func_print + 8);
  if ( v11 == PyFunction_Type )
  {
    v12 = (_QWORD *)_Pyx_PyFunction_FastCall(glob_func_print, &v23, 1i64);
    goto LABEL_40;
  }
  if ( v11 != PyCFunction_Type )
    goto LABEL_36;
  v13 = *(_QWORD *)(glob_func_print + 16);
  v14 = *(_DWORD *)(v13 + 16);
  if ( (v14 & 8) != 0 )
  {
    v12 = (_QWORD *)PyObject_Call_0(glob_func_print, v8);
    goto LABEL_40;
  }
  if ( (v14 & 0xFFFFFF8D) == 128 )
  {
    v15 = *(__int64 (__fastcall **)(__int64, __int64 *, __int64))(v13 + 8);
    v16 = 0i64;
    if ( (v14 & 0x20) == 0 )
      v16 = *(_QWORD *)(glob_func_print + 24);
    if ( (v14 & 2) != 0 )
      v12 = (_QWORD *)((__int64 (__fastcall *)(__int64, __int64 *, __int64, _QWORD))v15)(v16, &v23, 1i64, 0i64);
    else
      v12 = (_QWORD *)v15(v16, &v23, 1i64);
  }
  else
  {
LABEL_36:
    v17 = PyTuple_New(1i64);
    v18 = (_QWORD *)v17;
    if ( v17 )
    {
      ++*v8;
      *(_QWORD *)(v17 + 24) = v8;
      v19 = sub_180003CC0(v10, v17);
      v20 = (*v18)-- == 1i64;
      v12 = (_QWORD *)v19;
      if ( v20 )
        (*(void (__fastcall **)(_QWORD *))(v18[1] + 48i64))(v18);
    }
    else
    {
      v12 = 0i64;
    }
  }
LABEL_40:
  v21 = *v8 - 1i64;
  *v8 = v21;
  if ( !v12 )
  {
    v9 = 1266;
    if ( !v21 )
      (*(void (__fastcall **)(_QWORD *))(v8[1] + 48i64))(v8);
    goto LABEL_50;
  }
  if ( !v21 )
    (*(void (__fastcall **)(_QWORD *))(v8[1] + 48i64))(v8);
  v20 = (*v12)-- == 1i64;
  if ( v20 )
    (*(void (__fastcall **)(_QWORD *))(v12[1] + 48i64))(v12);
  v1 = Py_NoneStruct++;
LABEL_51:
  v20 = (*(_QWORD *)str_123456)-- == 1i64;
  if ( v20 )
    (*(void (__fastcall **)(__int64))(*(_QWORD *)(str_123456 + 8) + 48i64))(str_123456);
  return v1;
}

可以清楚的看到

1	t = (_QWORD )(unsigned __int8 *)(str_123456 + v4 + 3);// str[3]

有个＋3的偏移。这样就能够知道取值了。

`print(str_1[6:])`

__pyx_t_2 = __Pyx_PyUnicode_Substring(__pyx_v_str_1, 6, PY_SSIZE_T_MAX); if (unlikely(!__pyx_t_2)) __PYX_ERR(0, 28, __pyx_L1_error)
__Pyx_GOTREF(__pyx_t_2);
__pyx_t_1 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_2); if (unlikely(!__pyx_t_1)) __PYX_ERR(0, 28, __pyx_L1_error)
__Pyx_GOTREF(__pyx_t_1);
__Pyx_DECREF(__pyx_t_2); __pyx_t_2 = 0;
__Pyx_DECREF(__pyx_t_1); __pyx_t_1 = 0;

v15 = (*substr)-- == 1i64;
if ( v15 )
  (*(void (__fastcall **)(_QWORD *))(substr[1] + 48i64))(substr);
v15 = (*v26)-- == 1i64;
if ( v15 )
  (*(void (__fastcall **)(_QWORD *))(v26[1] + 48i64))(v26);
v27 = (_QWORD *)_Pyx_PyUnicode_Substring(str_1, 6i64, 0x7FFFFFFFFFFFFFFFi64);
substr = v27;
if ( !v27 )
{
  v12 = 28;
  v13 = 1746;
  goto LABEL_176;
}
v28 = (_QWORD *)_Pyx_CallOneArg(glob_func_print, v27);
if ( !v28 )
{
  v12 = 28;
  v13 = 1748;
  goto LABEL_152;
}

这里又不内联了。

函数右侧设置了一个很大的值。

`print(str_3[0:7:2])`

  __pyx_t_1 = __Pyx_PyObject_GetItem(__pyx_v_str_3, __pyx_slice__2); if (unlikely(!__pyx_t_1)) __PYX_ERR(0, 29, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_t_1);
  __pyx_t_2 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_1); if (unlikely(!__pyx_t_2)) __PYX_ERR(0, 29, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_t_2);
  __Pyx_DECREF(__pyx_t_1); __pyx_t_1 = 0;
  __Pyx_DECREF(__pyx_t_2); __pyx_t_2 = 0;
/* … */
  __pyx_slice__2 = PySlice_New(__pyx_int_0, __pyx_int_7, __pyx_int_2); if (unlikely(!__pyx_slice__2)) __PYX_ERR(0, 29, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_slice__2);
  __Pyx_GIVEREF(__pyx_slice__2);

这次使用的是__Pyx_PyObject_GetItem函数配合__pyx_slice__2来获取。

__pyx_slice__2的初始化在__Pyx_InitCachedConstants()中

`__Pyx_InitCachedConstants`

static CYTHON_SMALL_CODE int __Pyx_InitCachedConstants(void) {
  __Pyx_RefNannyDeclarations
  __Pyx_RefNannySetupContext("__Pyx_InitCachedConstants", 0);

  /* "test2.py":29
 *     print(str_1[0])
 *     print(str_1[6:])
 *     print(str_3[0:7:2])             # <<<<<<<<<<<<<<
 *     print(str_3 * 2)
 *     print(str_2 + str_1)
 */
  __pyx_slice__2 = PySlice_New(__pyx_int_0, __pyx_int_7, __pyx_int_2); if (unlikely(!__pyx_slice__2)) __PYX_ERR(0, 29, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_slice__2);
  __Pyx_GIVEREF(__pyx_slice__2);

  /* "test2.py":34
 *     print(str_2.index("str2"))
 *     print(str_fmt.format(str_1, str_2))
 *     print("No endl", end="")             # <<<<<<<<<<<<<<
 *     print('')
 * 
 */
  __pyx_tuple__3 = PyTuple_Pack(1, __pyx_kp_u_No_endl); if (unlikely(!__pyx_tuple__3)) __PYX_ERR(0, 34, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_tuple__3);
  __Pyx_GIVEREF(__pyx_tuple__3);

  /* "test2.py":35
 *     print(str_fmt.format(str_1, str_2))
 *     print("No endl", end="")
 *     print('')             # <<<<<<<<<<<<<<
 * 
 * def func_ImportModule():
 */
  __pyx_tuple__5 = PyTuple_Pack(1, __pyx_kp_u__4); if (unlikely(!__pyx_tuple__5)) __PYX_ERR(0, 35, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_tuple__5);
  __Pyx_GIVEREF(__pyx_tuple__5);

  /* "test2.py":9
 * """
 * 
 * def func_DataType():             # <<<<<<<<<<<<<<
 *     int_1 = 114514
 *     float_1 = 191981.0
 */
  __pyx_tuple__6 = PyTuple_Pack(4, __pyx_n_s_int_1, __pyx_n_s_float_1, __pyx_n_s_bool_1, __pyx_n_s_complex_1); if (unlikely(!__pyx_tuple__6)) __PYX_ERR(0, 9, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_tuple__6);
  __Pyx_GIVEREF(__pyx_tuple__6);
  __pyx_codeobj__7 = (PyObject*)__Pyx_PyCode_New(0, 0, 4, 0, CO_OPTIMIZED|CO_NEWLOCALS, __pyx_empty_bytes, __pyx_empty_tuple, __pyx_empty_tuple, __pyx_tuple__6, __pyx_empty_tuple, __pyx_empty_tuple, __pyx_kp_s_test2_py, __pyx_n_s_func_DataType, 9, __pyx_empty_bytes); if (unlikely(!__pyx_codeobj__7)) __PYX_ERR(0, 9, __pyx_L1_error)

  /* "test2.py":20
 *     print(complex_1 + 3)
 * 
 * def func_Str():             # <<<<<<<<<<<<<<
 *     str_1 = "teststr1"
 *     str_2 = "teststr2"
 */
  __pyx_tuple__8 = PyTuple_Pack(4, __pyx_n_s_str_1, __pyx_n_s_str_2, __pyx_n_s_str_3, __pyx_n_s_str_fmt); if (unlikely(!__pyx_tuple__8)) __PYX_ERR(0, 20, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_tuple__8);
  __Pyx_GIVEREF(__pyx_tuple__8);
  __pyx_codeobj__9 = (PyObject*)__Pyx_PyCode_New(0, 0, 4, 0, CO_OPTIMIZED|CO_NEWLOCALS, __pyx_empty_bytes, __pyx_empty_tuple, __pyx_empty_tuple, __pyx_tuple__8, __pyx_empty_tuple, __pyx_empty_tuple, __pyx_kp_s_test2_py, __pyx_n_s_func_Str, 20, __pyx_empty_bytes); if (unlikely(!__pyx_codeobj__9)) __PYX_ERR(0, 20, __pyx_L1_error)

  /* "test2.py":37
 *     print('')
 * 
 * def func_ImportModule():             # <<<<<<<<<<<<<<
 *     import base64
 *     b64obj = base64.b64encode("testbase64".encode())
 */
  __pyx_tuple__10 = PyTuple_Pack(4, __pyx_n_s_base64, __pyx_n_s_b64obj, __pyx_n_s_hashlib, __pyx_n_s_md5obj); if (unlikely(!__pyx_tuple__10)) __PYX_ERR(0, 37, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_tuple__10);
  __Pyx_GIVEREF(__pyx_tuple__10);
  __pyx_codeobj__11 = (PyObject*)__Pyx_PyCode_New(0, 0, 4, 0, CO_OPTIMIZED|CO_NEWLOCALS, __pyx_empty_bytes, __pyx_empty_tuple, __pyx_empty_tuple, __pyx_tuple__10, __pyx_empty_tuple, __pyx_empty_tuple, __pyx_kp_s_test2_py, __pyx_n_s_func_ImportModule, 37, __pyx_empty_bytes); if (unlikely(!__pyx_codeobj__11)) __PYX_ERR(0, 37, __pyx_L1_error)
  __Pyx_RefNannyFinishContext();
  return 0;
  __pyx_L1_error:;
  __Pyx_RefNannyFinishContext();
  return -1;
}

`__Pyx_PyObject_GetItem`

static PyObject *__Pyx_PyObject_GetItem(PyObject *obj, PyObject* key) {
    PyMappingMethods *m = Py_TYPE(obj)->tp_as_mapping;
    if (likely(m && m->mp_subscript)) {
        return m->mp_subscript(obj, key);
    }
    return __Pyx_PyObject_GetIndex(obj, key);
}
#endif

IDA中

v15 = (*substr)-- == 1i64;
 if ( v15 )
   (*(void (__fastcall **)(_QWORD *))(substr[1] + 48i64))(substr);
 v15 = (*v28)-- == 1i64;
 if ( v15 )
   (*(void (__fastcall **)(_QWORD *))(v28[1] + 48i64))(v28);
 v29 = *(_QWORD *)(str_3[1] + 112i64);
 if ( v29 && (v30 = *(__int64 (__fastcall **)(_QWORD *, __int64))(v29 + 8)) != 0i64 )
   v31 = (_QWORD *)v30(str_3, qword_18000CCA8);
 else
   v31 = (_QWORD *)sub_1800043E0(str_3, qword_18000CCA8);
 substr = v31;
 if ( !v31 )
 {
   v12 = 29;
   v13 = 1760;
   goto LABEL_176;
 }
 v32 = (_QWORD *)_Pyx_CallOneArg(glob_func_print, v31);
 if ( !v32 )
 {
   v12 = 29;
   v13 = 1762;
   goto LABEL_152;
 }

qword_18000CCA8能发现被另一个函数引用

// InitCachedConstants
__int64 sub_180006250()
{
  __int64 result; // rax

  qword_18000CCA8 = PySlice_New(int_0, int_7, int_2);
  if ( !qword_18000CCA8 )
    goto LABEL_11;
  qword_18000CD30 = PyTuple_Pack(1i64, qword_18000CB58);
  if ( !qword_18000CD30 )
    goto LABEL_11;
  qword_18000CD10 = PyTuple_Pack(1i64, qword_18000CBB0);
  if ( qword_18000CD10
    && (qword_18000CC58 = PyTuple_Pack(4i64, qword_18000CC40)) != 0
    && (qword_18000CC60 = PyCode_New(0i64, 0i64, 4i64)) != 0
    && (qword_18000CCF8 = PyTuple_Pack(4i64, qword_18000CBC8)) != 0
    && (qword_18000CCE8 = PyCode_New(0i64, 0i64, 4i64)) != 0
    && (qword_18000CD48 = PyTuple_Pack(4i64, qword_18000CBD0)) != 0
    && (qword_18000CCE0 = PyCode_New(0i64, 0i64, 4i64)) != 0 )
  {
    result = 0i64;
  }
  else
  {
LABEL_11:
    result = 0xFFFFFFFFi64;
  }
  return result;
}

而

// PyObject_GetItem
_QWORD *__fastcall sub_1800043E0(_QWORD *a1, __int64 a2)
{
  __int64 v2; // r8
  __int64 v5; // rax
  __int64 v6; // rdi
  __int64 v7; // rcx
  signed __int64 v8; // rbx
  __int64 v9; // rax
  _QWORD *v10; // r14
  __int64 v11; // rax
  bool v12; // zf
  __int64 v13; // rax
  _QWORD *result; // rax
  __int64 v15; // r14
  unsigned __int64 v16; // rax
  unsigned __int64 v17; // rcx
  unsigned __int64 v18; // rcx
  unsigned __int64 v19; // rax
  __int64 v20; // r14
  __int64 v21; // rax
  __int64 v22; // rax
  _QWORD *v23; // rbx
  __int64 v24; // rax

  v2 = a1[1];
  v5 = *(_QWORD *)(v2 + 104);
  if ( !v5 || !*(_QWORD *)(v5 + 24) )
  {
    PyErr_Format(PyExc_TypeError, "'%.200s' object is not subscriptable", *(const char **)(v2 + 24));
    return 0i64;
  }
  v6 = 0i64;
  if ( *(_QWORD *)(a2 + 8) == PyLong_Type )
  {
    v7 = *(_QWORD *)(a2 + 16);
    if ( (__int64)abs64(v7) > 1 )
    {
      switch ( v7 )
      {
        case -2i64:
          v8 = -(__int64)(*(unsigned int *)(a2 + 24) | ((unsigned __int64)*(unsigned int *)(a2 + 28) << 30));
          break;
        case 2i64:
          v8 = *(unsigned int *)(a2 + 24) | ((unsigned __int64)*(unsigned int *)(a2 + 28) << 30);
          break;
        default:
          v8 = PyLong_AsSsize_t(a2);
          break;
      }
    }
    else if ( v7 )
    {
      v8 = -(__int64)*(unsigned int *)(a2 + 24);
      if ( v7 != -1 )
        v8 = *(unsigned int *)(a2 + 24);
    }
    else
    {
      v8 = 0i64;
    }
  }
  else
  {
    v9 = PyNumber_Index(a2);
    v10 = (_QWORD *)v9;
    if ( !v9 )
    {
      v8 = -1i64;
      goto LABEL_19;
    }
    v11 = PyLong_AsSsize_t(v9);
    v12 = (*v10)-- == 1i64;
    v8 = v11;
    if ( v12 )
      (*(void (__fastcall **)(_QWORD *))(v10[1] + 48i64))(v10);
  }
  if ( v8 != -1 )
    goto LABEL_24;
LABEL_19:
  v13 = PyErr_Occurred();
  if ( !v13 )
  {
LABEL_24:
    v15 = a1[1];
    if ( v15 == PyList_Type )
    {
      v16 = a1[2];
      v17 = v8;
      if ( v8 < 0 )
        v17 = v16 + v8;
      if ( v17 < v16 )
      {
        result = *(_QWORD **)(a1[3] + 8 * v17);
        ++*result;
        return result;
      }
    }
    else if ( v15 == PyTuple_Type )
    {
      v18 = a1[2];
      v19 = v8;
      if ( v8 < 0 )
        v19 = v18 + v8;
      if ( v19 < v18 )
      {
        result = (_QWORD *)a1[v19 + 3];
        ++*result;
        return result;
      }
    }
    else
    {
      v20 = *(_QWORD *)(v15 + 104);
      if ( v20 && *(_QWORD *)(v20 + 24) )
      {
        if ( v8 >= 0 || !*(_QWORD *)v20 )
          return (_QWORD *)(*(__int64 (__fastcall **)(_QWORD *, signed __int64))(v20 + 24))(a1, v8);
        v21 = (*(__int64 (__fastcall **)(_QWORD *))v20)(a1);
        if ( v21 >= 0 )
          return (_QWORD *)(*(__int64 (__fastcall **)(_QWORD *, __int64))(v20 + 24))(a1, v21 + v8);
        if ( !(unsigned int)PyErr_ExceptionMatches(PyExc_OverflowError) )
          return (_QWORD *)v6;
        PyErr_Clear();
        return (_QWORD *)(*(__int64 (__fastcall **)(_QWORD *, signed __int64))(v20 + 24))(a1, v8);
      }
    }
    v22 = PyLong_FromSsize_t(v8);
    v23 = (_QWORD *)v22;
    if ( !v22 )
      return (_QWORD *)v6;
    v24 = PyObject_GetItem(a1, v22);
    v12 = (*v23)-- == 1i64;
    v6 = v24;
    if ( v12 )
      (*(void (__fastcall **)(_QWORD *))(v23[1] + 48i64))(v23);
    return (_QWORD *)v6;
  }
  if ( !(unsigned int)PyErr_GivenExceptionMatches(v13, PyExc_OverflowError) )
    return 0i64;
  PyErr_Clear();
  PyErr_Format(
    PyExc_IndexError,
    "cannot fit '%.200s' into an index-sized integer",
    *(const char **)(*(_QWORD *)(a2 + 8) + 24i64));
  return 0i64;
}

不管这个多层内联的函数了。知道了slice，这里我们直接合理推测是GetItem()函数。

`print(str_3 * 2)`

__pyx_t_2 = PyNumber_Multiply(__pyx_v_str_3, __pyx_int_2); if (unlikely(!__pyx_t_2)) __PYX_ERR(0, 30, __pyx_L1_error)
__Pyx_GOTREF(__pyx_t_2);
__pyx_t_1 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_2); if (unlikely(!__pyx_t_1)) __PYX_ERR(0, 30, __pyx_L1_error)
__Pyx_GOTREF(__pyx_t_1);
__Pyx_DECREF(__pyx_t_2); __pyx_t_2 = 0;
__Pyx_DECREF(__pyx_t_1); __pyx_t_1 = 0;

直接调用PyNumber_Multiply()我是真没想到的。这个是个外部API，很好辨识。

v15 = (*substr)-- == 1i64;
if ( v15 )
  (*(void (__fastcall **)(_QWORD *))(substr[1] + 48i64))(substr);
v15 = (*v32)-- == 1i64;
if ( v15 )
  (*(void (__fastcall **)(_QWORD *))(v32[1] + 48i64))(v32);
v33 = (_QWORD *)PyNumber_Multiply(str_3, int_2);
substr = v33;
if ( !v33 )
{
  v12 = 30;
  v13 = 1774;
  goto LABEL_176;
}
v34 = (_QWORD *)_Pyx_CallOneArg(glob_func_print, v33);
if ( !v34 )
{
  v12 = 30;
  v13 = 1776;
  goto LABEL_152;
}

`print(str_2 + str_1)`

__pyx_t_1 = __Pyx_PyUnicode_Concat(__pyx_v_str_2, __pyx_v_str_1); if (unlikely(!__pyx_t_1)) __PYX_ERR(0, 31, __pyx_L1_error)
__Pyx_GOTREF(__pyx_t_1);
__pyx_t_2 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_1); if (unlikely(!__pyx_t_2)) __PYX_ERR(0, 31, __pyx_L1_error)
__Pyx_GOTREF(__pyx_t_2);
__Pyx_DECREF(__pyx_t_1); __pyx_t_1 = 0;
__Pyx_DECREF(__pyx_t_2); __pyx_t_2 = 0;

`__Pyx_PyUnicode_Concat()`

#if CYTHON_COMPILING_IN_PYPY
  #define __Pyx_PyUnicode_Concat(a, b)      PyNumber_Add(a, b)
  #define __Pyx_PyUnicode_ConcatSafe(a, b)  PyNumber_Add(a, b)
#else
  #define __Pyx_PyUnicode_Concat(a, b)      PyUnicode_Concat(a, b)
  #define __Pyx_PyUnicode_ConcatSafe(a, b)  ((unlikely((a) == Py_None) || unlikely((b) == Py_None)) ?\
      PyNumber_Add(a, b) : __Pyx_PyUnicode_Concat(a, b))
#endif

所以是PyUnicode_Concat()，直接外部API。

v15 = (*substr)-- == 1i64;
if ( v15 )
  (*(void (__fastcall **)(_QWORD *))(substr[1] + 48i64))(substr);
v15 = (*v34)-- == 1i64;
if ( v15 )
  (*(void (__fastcall **)(_QWORD *))(v34[1] + 48i64))(v34);
v35 = (_QWORD *)PyUnicode_Concat(str_2, str_1);
substr = v35;
if ( !v35 )
{
  v12 = 31;
  v13 = 1788;
  goto LABEL_176;
}
v36 = (_QWORD *)_Pyx_CallOneArg(glob_func_print, v35);
if ( !v36 )
{
  v12 = 31;
  v13 = 1790;
  goto LABEL_152;
}

`print(str_2.index("str2"))`

__pyx_t_2 = __Pyx_CallUnboundCMethod1(&__pyx_umethod_PyUnicode_Type_index, __pyx_v_str_2, __pyx_n_u_str2); if (unlikely(!__pyx_t_2)) __PYX_ERR(0, 32, __pyx_L1_error)
__Pyx_GOTREF(__pyx_t_2);
__pyx_t_1 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_2); if (unlikely(!__pyx_t_1)) __PYX_ERR(0, 32, __pyx_L1_error)
__Pyx_GOTREF(__pyx_t_1);
__Pyx_DECREF(__pyx_t_2); __pyx_t_2 = 0;
__Pyx_DECREF(__pyx_t_1); __pyx_t_1 = 0;

`__Pyx_CallUnboundCMethod1()`

这个函数被狠狠的内联了。

/* CallUnboundCMethod1 */
#if CYTHON_COMPILING_IN_CPYTHON
static CYTHON_INLINE PyObject* __Pyx_CallUnboundCMethod1(__Pyx_CachedCFunction* cfunc, PyObject* self, PyObject* arg) {
    if (likely(cfunc->func)) {
        int flag = cfunc->flag;
        if (flag == METH_O) {
            return (*(cfunc->func))(self, arg);
        } else if (PY_VERSION_HEX >= 0x030600B1 && flag == METH_FASTCALL) {
            if (PY_VERSION_HEX >= 0x030700A0) {	// 很多函数指针调用，也就是间接调用
                return (*(__Pyx_PyCFunctionFast)(void*)(PyCFunction)cfunc->func)(self, &arg, 1);
            } else {
                return (*(__Pyx_PyCFunctionFastWithKeywords)(void*)(PyCFunction)cfunc->func)(self, &arg, 1, NULL);
            }
        } else if (PY_VERSION_HEX >= 0x030700A0 && flag == (METH_FASTCALL | METH_KEYWORDS)) {
            return (*(__Pyx_PyCFunctionFastWithKeywords)(void*)(PyCFunction)cfunc->func)(self, &arg, 1, NULL);
        }
    }
    return __Pyx__CallUnboundCMethod1(cfunc, self, arg);
}
#endif
static PyObject* __Pyx__CallUnboundCMethod1(__Pyx_CachedCFunction* cfunc, PyObject* self, PyObject* arg){
    PyObject *args, *result = NULL;
    if (unlikely(!cfunc->func && !cfunc->method) && unlikely(__Pyx_TryUnpackUnboundCMethod(cfunc) < 0)) return NULL;
#if CYTHON_COMPILING_IN_CPYTHON
    if (cfunc->func && (cfunc->flag & METH_VARARGS)) {
        args = PyTuple_New(1);
        if (unlikely(!args)) goto bad;
        Py_INCREF(arg);
        PyTuple_SET_ITEM(args, 0, arg);
        if (cfunc->flag & METH_KEYWORDS)
            result = (*(PyCFunctionWithKeywords)(void*)(PyCFunction)cfunc->func)(self, args, NULL);
        else
            result = (*cfunc->func)(self, args);
    } else {
        args = PyTuple_New(2);
        if (unlikely(!args)) goto bad;
        Py_INCREF(self);
        PyTuple_SET_ITEM(args, 0, self);
        Py_INCREF(arg);
        PyTuple_SET_ITEM(args, 1, arg);
        result = __Pyx_PyObject_Call(cfunc->method, args, NULL);
    }
#else
    args = PyTuple_Pack(2, self, arg);
    if (unlikely(!args)) goto bad;
    result = __Pyx_PyObject_Call(cfunc->method, args, NULL);
#endif
bad:
    Py_XDECREF(args);
    return result;
}

特征：

函数指针调用

PyTuple_Pack(2, self, arg);

__Pyx_PyObject_Call(cfunc->method, args, NULL);

C文件

/* UnpackUnboundCMethod.proto */
typedef struct {
    PyObject *type;	// 8
    PyObject **method_name;	// 8
    PyCFunction func; // 8
    PyObject *method; // 8
    int flag; // 8
} __Pyx_CachedCFunction;
// methodobject.h
typedef PyObject *(*PyCFunction)(PyObject *, PyObject *);

/* CallUnboundCMethod1.proto */
static PyObject* __Pyx__CallUnboundCMethod1(__Pyx_CachedCFunction* cfunc, PyObject* self, PyObject* arg);

// 相邻5个QWORD是一个结构体，其中一个应该会被当作函数指针调用，那个就是method元素
static __Pyx_CachedCFunction __pyx_umethod_PyUnicode_Type_format = {0, &__pyx_n_s_format, 0, 0, 0};
static __Pyx_CachedCFunction __pyx_umethod_PyUnicode_Type_index = {0, &__pyx_n_s_index, 0, 0, 0};

// 在InitGlobals()中也对其type元素进行了初始化
// 此函数被内联到了exec函数中
// 但是这两个元素项可以根据extern对象`PyUnicode_Type`找到
static CYTHON_SMALL_CODE int __Pyx_InitGlobals(void) {
  __pyx_umethod_PyUnicode_Type_format.type = (PyObject*)&PyUnicode_Type;
  __pyx_umethod_PyUnicode_Type_index.type = (PyObject*)&PyUnicode_Type;
  if (__Pyx_InitStrings(__pyx_string_tab) < 0) __PYX_ERR(0, 1, __pyx_L1_error);
  __pyx_int_0 = PyInt_FromLong(0); if (unlikely(!__pyx_int_0)) __PYX_ERR(0, 1, __pyx_L1_error)
  __pyx_int_2 = PyInt_FromLong(2); if (unlikely(!__pyx_int_2)) __PYX_ERR(0, 1, __pyx_L1_error)
  __pyx_int_3 = PyInt_FromLong(3); if (unlikely(!__pyx_int_3)) __PYX_ERR(0, 1, __pyx_L1_error)
  __pyx_int_7 = PyInt_FromLong(7); if (unlikely(!__pyx_int_7)) __PYX_ERR(0, 1, __pyx_L1_error)
  __pyx_int_114514 = PyInt_FromLong(114514L); if (unlikely(!__pyx_int_114514)) __PYX_ERR(0, 1, __pyx_L1_error)
  return 0;
  __pyx_L1_error:;
  return -1;
}

// 值得一提的是method的初始化
// 见上面的`__Pyx__CallUnboundCMethod1()`函数
// 里面调用了__Pyx_TryUnpackUnboundCMethod()函数
// 此函数使用GetAttr来获取method
/* UnpackUnboundCMethod */
static int __Pyx_TryUnpackUnboundCMethod(__Pyx_CachedCFunction* target) {
    PyObject *method;
    method = __Pyx_PyObject_GetAttrStr(target->type, *target->method_name);
    if (unlikely(!method))
        return -1;
    target->method = method;
#if CYTHON_COMPILING_IN_CPYTHON
    #if PY_MAJOR_VERSION >= 3
    if (likely(__Pyx_TypeCheck(method, &PyMethodDescr_Type)))
    #endif
    {
        PyMethodDescrObject *descr = (PyMethodDescrObject*) method;
        target->func = descr->d_method->ml_meth;
        target->flag = descr->d_method->ml_flags & ~(METH_CLASS | METH_STATIC | METH_COEXIST | METH_STACKLESS);
    }
#endif
    return 0;
}

如何在IDA中恢复

先把结构体在IDA中简单申明一下。指针用QWORD*和QWORD**，QWORD *(__stdcall *PyCFunction)(QWORD *, QWORD *)即可。

然后，可以尝试在exec函数的InitGlobals()部分找一下被PyUnicode_Type等类似对象赋值的qword_xxxxxx，这个就是结构体的type元素。就可以顺藤摸瓜恢复结构体。
或者，查找字符串，寻找与方法有关的字符串，比如”index”，然后交叉引用，找到字符串的PyObject*对象指针，然后再对这个对象指针进行交叉引用，便能找到另外的被引用的地方，若下面一个QWORD正好被注释为一个函数指针，那么基本就对到所在结构体了（交叉引用会发现不少垃圾代码，具体的在其他部分介绍了）

恢复结构体确实是个很正确的举措，现在看看代码

  v15 = (*substr)-- == 1i64;
  if ( v15 )
    (*(void (__fastcall **)(_QWORD *))(substr[1] + 48i64))(substr);
  v15 = (*v36)-- == 1i64;
  if ( v15 )
    (*(void (__fastcall **)(_QWORD *))(v36[1] + 48i64))(v36);
  strp_str2 = (_QWORD *)str2;
  v38 = _pyx_umethod_PyUnicode_Type_index.flag;
  v57 = str2;
  if ( _pyx_umethod_PyUnicode_Type_index.PyCFunction )
  {
    if ( LODWORD(_pyx_umethod_PyUnicode_Type_index.flag) == 8 )
    {
      substr = (_QWORD *)((__int64 (__fastcall *)(_QWORD, _QWORD))_pyx_umethod_PyUnicode_Type_index.PyCFunction)(
                           str_2,
                           str2);
      goto LABEL_124;
    }
    if ( LODWORD(_pyx_umethod_PyUnicode_Type_index.flag) == 128
      || LODWORD(_pyx_umethod_PyUnicode_Type_index.flag) == 130 )
    {
      substr = (_QWORD *)((__int64 (__fastcall *)(_QWORD, _QWORD))_pyx_umethod_PyUnicode_Type_index.PyCFunction)(
                           str_2,
                           &v57);
      goto LABEL_124;
    }
  }
  substr = 0i64;
  if ( !_pyx_umethod_PyUnicode_Type_index.PyCFunction )
  {
    if ( _pyx_umethod_PyUnicode_Type_index.method )
      goto LABEL_120;
    if ( (int)sub_1800042C0((__int64 *)&_pyx_umethod_PyUnicode_Type_index) < 0 )
      goto LABEL_124;
    if ( !_pyx_umethod_PyUnicode_Type_index.PyCFunction )
      goto LABEL_120;
    v38 = _pyx_umethod_PyUnicode_Type_index.flag;
  }
  if ( (v38 & 1) != 0 )
  {
    v39 = PyTuple_New(1i64);
    v40 = (_QWORD *)v39;
    if ( !v39 )
      goto LABEL_124;
    ++*strp_str2;
    *(_QWORD *)(v39 + 24) = strp_str2;
    v41 = ((__int64 (__fastcall *)(_QWORD, _QWORD))_pyx_umethod_PyUnicode_Type_index.PyCFunction)(str_2, v39);
    goto LABEL_122;
  }
LABEL_120:
  v42 = PyTuple_New(2i64);
  v40 = (_QWORD *)v42;
  if ( !v42 )
    goto LABEL_124;
  ++*str_2;
  *(_QWORD *)(v42 + 24) = str_2;
  ++*strp_str2;
  *(_QWORD *)(v42 + 32) = strp_str2;
  v41 = PyObject_Call_1((__int64)_pyx_umethod_PyUnicode_Type_index.method, v42, 0i64);

可读性已经十分强了，再配合存留的垃圾函数，就能直接确定是str_2.index("str2")了。

`print(str_fmt.format(str_1, str_2))`

__pyx_t_1 = __Pyx_CallUnboundCMethod2(&__pyx_umethod_PyUnicode_Type_format, __pyx_v_str_fmt, __pyx_v_str_1, __pyx_v_str_2); if (unlikely(!__pyx_t_1)) __PYX_ERR(0, 33, __pyx_L1_error)
__Pyx_GOTREF(__pyx_t_1);
__pyx_t_2 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_1); if (unlikely(!__pyx_t_2)) __PYX_ERR(0, 33, __pyx_L1_error)
__Pyx_GOTREF(__pyx_t_2);
__Pyx_DECREF(__pyx_t_1); __pyx_t_1 = 0;
__Pyx_DECREF(__pyx_t_2); __pyx_t_2 = 0;

和上面的基本一样操作，不过是CallUnboundCMethod2()因为传入了两个参数。

  v15 = (*substr)-- == 1i64;
  if ( v15 )
    (*(void (__fastcall **)(_QWORD *))(substr[1] + 48i64))(substr);
  v15 = (*v43)-- == 1i64;
  if ( v15 )
    (*(void (__fastcall **)(_QWORD *))(v43[1] + 48i64))(v43);
  v44 = _pyx_umethod_PyUnicode_Type_format.flag;
  if ( _pyx_umethod_PyUnicode_Type_format.PyCFunction )
  {
    v56[0] = str_1;
    v56[1] = (__int64)str_2;
    if ( LODWORD(_pyx_umethod_PyUnicode_Type_format.flag) == 128
      || LODWORD(_pyx_umethod_PyUnicode_Type_format.flag) == 130 )
    {
      substr = (_QWORD *)((__int64 (__fastcall *)(_QWORD, _QWORD))_pyx_umethod_PyUnicode_Type_format.PyCFunction)(
                           str_fmt,
                           v56);
      goto LABEL_148;
    }
  }
  substr = 0i64;
  if ( !_pyx_umethod_PyUnicode_Type_format.PyCFunction )
  {
    if ( _pyx_umethod_PyUnicode_Type_format.method )
      goto LABEL_144;
    if ( (int)sub_1800042C0((__int64 *)&_pyx_umethod_PyUnicode_Type_format) < 0 )
      goto LABEL_148;
    if ( !_pyx_umethod_PyUnicode_Type_format.PyCFunction )
      goto LABEL_144;
    v44 = _pyx_umethod_PyUnicode_Type_format.flag;
  }
  if ( (v44 & 1) != 0 )
  {
    v45 = PyTuple_New(2i64);
    v46 = (_QWORD *)v45;
    if ( !v45 )
      goto LABEL_148;
    ++*(_QWORD *)str_1;
    *(_QWORD *)(v45 + 24) = str_1;
    ++*str_2;
    *(_QWORD *)(v45 + 32) = str_2;
    v47 = ((__int64 (__fastcall *)(_QWORD, _QWORD))_pyx_umethod_PyUnicode_Type_format.PyCFunction)(str_fmt, v45);
    goto LABEL_146;
  }
LABEL_144:
  v48 = (_QWORD *)PyTuple_New(3i64);
  v46 = v48;
  if ( !v48 )
    goto LABEL_148;
  ++*str_fmt;
  v48[3] = str_fmt;
  ++*(_QWORD *)str_1;
  v48[4] = str_1;
  ++*str_2;
  v48[5] = str_2;
  v47 = PyObject_Call_1((__int64)_pyx_umethod_PyUnicode_Type_format.method, (__int64)v48, 0i64);
LABEL_146:
  substr = (_QWORD *)v47;
  v15 = (*v46)-- == 1i64;
  if ( v15 )
    (*(void (__fastcall **)(_QWORD *))(v46[1] + 48i64))(v46);
LABEL_148:
  if ( !substr )
  {
    v12 = 33;
    v13 = 1816;
    goto LABEL_176;
  }
  v51 = (_QWORD *)_Pyx_CallOneArg(glob_func_print, substr);
  if ( !v51 )
  {
    v12 = 33;
    v13 = 1818;
    goto LABEL_152;
  }

基本一样的操作，不过是PyTuple_Pack(2)了，三个思路一致的函数调用操作，也能证实。

`print("No endl", end="")`

// __Pyx_PyDict_NewPresized(n)
#if CYTHON_COMPILING_IN_CPYTHON || defined(_PyDict_NewPresized)
#define __Pyx_PyDict_NewPresized(n)  ((n <= 8) ? PyDict_New() : _PyDict_NewPresized(n))
#else
#define __Pyx_PyDict_NewPresized(n)  PyDict_New()
#endif	

// PyDict_SetItem是外部API
  __pyx_t_2 = __Pyx_PyDict_NewPresized(1); if (unlikely(!__pyx_t_2)) __PYX_ERR(0, 34, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_t_2);
// __pyx_t_2 = ("end", "")
  if (PyDict_SetItem(__pyx_t_2, __pyx_n_s_end, __pyx_kp_u__4) < 0) __PYX_ERR(0, 34, __pyx_L1_error)
// print(("No endl", )，("end", "")) （仅为表示法，python中这样输入打印结果是不对的）
  __pyx_t_1 = __Pyx_PyObject_Call(__pyx_builtin_print, __pyx_tuple__3, __pyx_t_2); if (unlikely(!__pyx_t_1)) __PYX_ERR(0, 34, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_t_1);
  __Pyx_DECREF(__pyx_t_2); __pyx_t_2 = 0;
  __Pyx_DECREF(__pyx_t_1); __pyx_t_1 = 0;

// 在InitCachedConstants中，前面slice的生成也在这里
// __pxy_tuple__3 = ("No endl", )
  __pyx_tuple__3 = PyTuple_Pack(1, __pyx_kp_u_No_endl); if (unlikely(!__pyx_tuple__3)) __PYX_ERR(0, 34, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_tuple__3);
  __Pyx_GIVEREF(__pyx_tuple__3);

总结一下，打印字符串打包成元组，传入参数变成了键值对，打包成元组然后传入。

IDA的还原应该也不难，稍微对着几个QWORD溯源查一下字符串即可。

  v15 = (*substr)-- == 1i64;
  if ( v15 )
    (*(substr[1] + 48i64))(substr);
  v15 = (*v49)-- == 1i64;
  if ( v15 )
    (*(v49[1] + 48i64))(v49);
  tuple_option = PyDict_New();
  substr = tuple_option;
  if ( !tuple_option )
  {
    v12 = 34;
    v13 = 1830;
    goto LABEL_176;
  }
  if ( PyDict_SetItem(tuple_option, strp_end, strp_null) < 0 )
  {
    v13 = 1832;
    v12 = 34;
    goto LABEL_152;
  }
  v51 = PyObject_Call_1(glob_func_print, tuple_print_no_endl, substr);
  if ( !v51 )
  {
    v13 = 1833;
    v12 = 34;
LABEL_152:
    v15 = (*substr)-- == 1i64;
    if ( v15 )
      (*(substr[1] + 48i64))(substr);
    goto LABEL_176;
  }

`print('')`

// print(("", ))
  __pyx_t_1 = __Pyx_PyObject_Call(__pyx_builtin_print, __pyx_tuple__5, NULL); if (unlikely(!__pyx_t_1)) __PYX_ERR(0, 35, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_t_1);
  __Pyx_DECREF(__pyx_t_1); __pyx_t_1 = 0;

// InitCachedConstants
// ("", )
  __pyx_tuple__5 = PyTuple_Pack(1, __pyx_kp_u__4); if (unlikely(!__pyx_tuple__5)) __PYX_ERR(0, 35, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_tuple__5);
  __Pyx_GIVEREF(__pyx_tuple__5);

也是直接PyTuple_Pack()，然后传进去。

一个小区别

我在思考，是不是

1 2	def func_a(): print("aaa")

和

1
2
3

def func_b():
    m = "bbb"
    print(m)

编译出来不一样

上面那种将会直接打包成元组，且字符串初始化，元组打包在InitCachedConstants()函数中进行；而下面一种的元组打包则在其他函数调用中实现了。

编译了一下，结果如下：

+1: def func_a():
+2:     print("aaa")
  __pyx_t_1 = __Pyx_PyObject_Call(__pyx_builtin_print, __pyx_tuple_, NULL); if (unlikely(!__pyx_t_1)) __PYX_ERR(0, 2, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_t_1);
  __Pyx_DECREF(__pyx_t_1); __pyx_t_1 = 0;

// InitCachedConstants()
  __pyx_tuple_ = PyTuple_Pack(1, __pyx_n_u_aaa); if (unlikely(!__pyx_tuple_)) __PYX_ERR(0, 2, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_tuple_);
  __Pyx_GIVEREF(__pyx_tuple_);
 3: 
+4: def func_b():
+5:     m = "bbb"
  __Pyx_INCREF(__pyx_n_u_bbb);
  __pyx_v_m = __pyx_n_u_bbb;
+6:     print(m)
  __pyx_t_1 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_v_m); if (unlikely(!__pyx_t_1)) __PYX_ERR(0, 6, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_t_1);
  __Pyx_DECREF(__pyx_t_1); __pyx_t_1 = 0;

区别确实是有的，但不是很大

// write access to const memory has been detected, the output may be wrong!
__int64 func_a()
{
  _QWORD *v0; // rax
  __int64 result; // rax

  v0 = (_QWORD *)PyObject_Call_0(func_print, tup_aaa);
  if ( v0 )
  {
    if ( (*v0)-- == 1i64 )
      (*(void (__fastcall **)(_QWORD *))(v0[1] + 48i64))(v0);
    result = Py_NoneStruct++;
  }
  else
  {
    AddTraceback(aTest2plusplusp_5, 1221i64, 2i64, aTest2plusplusp_6);
    result = 0i64;
  }
  return result;
}

// write access to const memory has been detected, the output may be wrong!
__int64 __fastcall func_b(__int64 a1)
{
  _QWORD *v1; // rdi
  _QWORD *v2; // rax
  __int64 v3; // rbx
  bool v4; // zf

  ++*(_QWORD *)strp_bbb;
  v1 = (_QWORD *)strp_bbb;
  v2 = (_QWORD *)PyObject_CallOneArg(a1, strp_bbb);
  if ( v2 )
  {
    v4 = (*v2)-- == 1i64;
    if ( v4 )
      (*(void (__fastcall **)(_QWORD *))(v2[1] + 48i64))(v2);
    v3 = Py_NoneStruct++;
  }
  else
  {
    AddTraceback(aTest2plusplusp_4, 1290i64, 6i64, aTest2plusplusp_6);
    v3 = 0i64;
  }
  if ( !v1 )
    return v3;
  v4 = (*v1)-- == 1i64;
  if ( v4 )
    (*(void (__fastcall **)(_QWORD *))(v1[1] + 48i64))(v1);
  return v3;
}

__int64 InitCachedConstants()  //本函数已被内联，这是垃圾代码副本
{
  __int64 tup_m; // rax
  __int64 result; // rax

  tup_aaa = PyTuple_Pack(1i64, strp_aaa);
    // ("aaa",)元组在这里创建
  if ( tup_aaa
    && (qword_1800096F8 = PyCode_New(
                            0i64,
                            0i64,
                            0i64,
                            0i64,
                            3,
                            qword_180009708,
                            qword_1800096B0,
                            qword_1800096B0,
                            qword_1800096B0,
                            qword_1800096B0,
                            qword_1800096B0,
                            qword_180009620,
                            qword_180009648,
                            1,
                            qword_180009708)) != 0
    && (tup_m = PyTuple_Pack(1i64, strp_m), (qword_180009720 = tup_m) != 0)
    && (qword_180009730 = PyCode_New(
                            0i64,
                            0i64,
                            1i64,
                            0i64,
                            3,
                            qword_180009708,
                            qword_1800096B0,
                            qword_1800096B0,
                            tup_m,
                            qword_1800096B0,
                            qword_1800096B0,
                            qword_180009620,
                            qword_180009628,
                            4,
                            qword_180009708)) != 0 )
  {
    result = 0i64;
  }
  else
  {
    result = 0xFFFFFFFFi64;
  }
  return result;
}

`func_ImportModule()`

这个博客写的有点多了，留到下面一个，配合出现的一些疑问一起解答。

经验总结

在exec函数中分析声明和调用流程

这一部分其实是先写的，是IDA分析后的总结。

全局变量初始化部分

在__pyx_pymod_exec_test2()函数的前半段都是检查和初始化。这里可以搜索到初始化的Python int型变量（PyLong_FromLong）。

声明部分

从导出界面快速定位初始化函数，然后通过其传入的结构体来定位__pyx_pymod_create()和__pyx_pymod_exec()函数。

在exec函数中寻找函数定义（def），从而找到函数位置：有两种可能性，小代码情况下可能会内敛__Pyx_CyFunction_New()函数，此时就是上次blog所讲的，查找鲜明的初始化特征；没有内敛也一样，点开来函数看看。

或者从函数对象结构体分析也行。

调用部分

内联情况下，定位_PyDict_GetItem_KnownHash()外部API，因为这是__Pyx_GetModuleGlobalName(var, name)宏内联出现的。

然后其下面应该又有一个函数，通过其中的逻辑可以判定是_Pyx_GetBuiltinName()函数

__int64 __fastcall _Pyx_GetBuiltinName(__int64 a1)
{
  __int64 (__fastcall *v2)(__int64, __int64); // r8
  __int64 v3; // rax
  __int64 v4; // rbx

  v2 = *(__int64 (__fastcall **)(__int64, __int64))(*(_QWORD *)(glob_mod_builtin + 8) + 144i64);
  if ( v2 )
    v3 = v2(glob_mod_builtin, a1);
  else
    v3 = PyObject_GetAttr(glob_mod_builtin, a1);
  v4 = v3;
  if ( !v3 )
    PyErr_Format(PyExc_NameError, aNameUIsNotDefi, a1);
  return v4;
}

逻辑就是它会尝试从全局的builtin模块中根据传参获取相应对象。

然后往下就有可能会有一个函数调用了其返回值，这个函数就是Call函数。这就是未内敛情况，不过这个调用函数比较复杂，通常应该不会被内联，没什么意义。

__int64 __fastcall _Pyx_PyObject_CallNoArg(__int64 a1)
{
  __int64 v1; // rax
  __int64 v4; // r10
  __int64 v5; // r8
  __int64 v6; // rcx
  _QWORD *i; // rax

  v1 = *(_QWORD *)(a1 + 8);
  if ( v1 == PyFunction_Type )
    return sub_180004F10(a1, 0i64, 0i64, a1);
  if ( v1 != PyCFunction_Type && v1 != qword_18000CCC0 )
  {
    v4 = *(_QWORD *)(v1 + 344);
    if ( v4 )
    {
      v5 = *(_QWORD *)(v4 + 16);
      v6 = 0i64;
      if ( v5 <= 0 )
        return _Pyx_PyObject_CallMethO(a1, qword_18000CC78, 0i64);
      for ( i = (_QWORD *)(v4 + 24); *i != qword_18000CCC0; ++i )
      {
        if ( ++v6 >= v5 )
          return _Pyx_PyObject_CallMethO(a1, qword_18000CC78, 0i64);
      }
    }
    else
    {
      while ( 1 )
      {
        v1 = *(_QWORD *)(v1 + 256);
        if ( v1 == qword_18000CCC0 )
          break;
        if ( !v1 )
        {
          if ( qword_18000CCC0 != PyBaseObject_Type )
            return _Pyx_PyObject_CallMethO(a1, qword_18000CC78, 0i64);
          break;
        }
      }
    }
  }
  if ( (*(_BYTE *)(*(_QWORD *)(a1 + 16) + 16i64) & 4) == 0 )
    return _Pyx_PyObject_CallMethO(a1, qword_18000CC78, 0i64);
  return PyObject_Call_0(a1, 0i64);
}

其中的子函数

__int64 __fastcall PyObject_Call_0(__int64 a1, __int64 a2)
{
  __int64 v2; // rax
  __int64 (__fastcall *v4)(__int64, __int64); // rsi
  __int64 v5; // rbx
  __int64 v6; // rax
  __int64 v8; // rbx
  int v9; // edi
  __int64 v10; // rax

  v2 = *(_QWORD *)(a1 + 16);
  v4 = *(__int64 (__fastcall **)(__int64, __int64))(v2 + 8);
  if ( (*(_BYTE *)(v2 + 16) & 0x20) != 0 )
    v5 = 0i64;
  else
    v5 = *(_QWORD *)(a1 + 24);
  v6 = PyThreadState_Get();
  if ( ++*(_DWORD *)(v6 + 32) > Py_CheckRecursionLimit && (unsigned int)Py_CheckRecursiveCall(aWhileCallingAP) )
    return 0i64;
  v8 = v4(v5, a2);
  if ( Py_CheckRecursionLimit <= 200 )
    v9 = 3 * ((int)Py_CheckRecursionLimit >> 2);
  else
    v9 = Py_CheckRecursionLimit - 50;
  v10 = PyThreadState_Get();
  if ( --*(_DWORD *)(v10 + 32) < v9 )
    *(_BYTE *)(PyThreadState_Get() + 36) = 0;
  if ( !v8 && !PyErr_Occurred() )
    PyErr_SetString(PyExc_SystemError, aNullResultWith);
  return v8;
}

__int64 __fastcall _Pyx_PyObject_CallMethO(__int64 a1, __int64 a2, __int64 a3)
{
  __int64 (__fastcall *v6)(__int64, __int64, __int64); // rbp
  __int64 v8; // rax
  __int64 v9; // rdi
  int v10; // ebx
  __int64 v11; // rax

  v6 = *(__int64 (__fastcall **)(__int64, __int64, __int64))(*(_QWORD *)(a1 + 8) + 128i64);
  if ( !v6 )
    return PyObject_Call();
  v8 = PyThreadState_Get();
  if ( ++*(_DWORD *)(v8 + 32) > Py_CheckRecursionLimit && (unsigned int)Py_CheckRecursiveCall(aWhileCallingAP_0) )
    return 0i64;
  v9 = v6(a1, a2, a3);
  if ( Py_CheckRecursionLimit <= 200 )
    v10 = 3 * ((int)Py_CheckRecursionLimit >> 2);
  else
    v10 = Py_CheckRecursionLimit - 50;
  v11 = PyThreadState_Get();
  if ( --*(_DWORD *)(v11 + 32) < v10 )
    *(_BYTE *)(PyThreadState_Get() + 36) = 0;
  if ( !v9 && !PyErr_Occurred() )
    PyErr_SetString(PyExc_SystemError, aNullResultWith_0);
  return v9;
}

后两个函数都是后来重命名的。可以通过错误抛出来很轻松的识别出所在函数。这种函数大抵不会被内联，否则错误抛出都没意义了。

待办

小浮点数会被转义成C浮点类型，那么只能由python承载的大浮点数呢
尝试大整数

其他

有意思的是，即使有的函数被内联了，但似乎其原本形式还是会以一个副本形式保留下来，比如下面的函数，很明显就是InitGlobals()函数，然而这个函数并未被调用，exec函数中已经有了其内联版本，此函数完全是垃圾代码。

__int64 InitGlobals()
{
  char **v0; // rbx
  char *v1; // rcx
  __int64 v2; // rax
  char *v3; // r8
  __int64 v4; // rdx

  _pyx_umethod_PyUnicode_Type_format.type = (QWORD *)PyUnicode_Type;
  _pyx_umethod_PyUnicode_Type_index.type = (QWORD *)PyUnicode_Type;
  if ( off_18000B830 )
  {
    v0 = &off_18000B838;
    while ( 1 )
    {
      v1 = *v0;
      if ( *((_WORD *)v0 + 12) )
      {
        if ( *((_BYTE *)v0 + 26) )
        {
          v2 = PyUnicode_InternFromString(v1);
        }
        else
        {
          v3 = v0[2];
          v4 = (__int64)(v0[1] - 1);
          v2 = v3 ? PyUnicode_Decode(v1, v4, v3, 0i64) : PyUnicode_FromStringAndSize(v1, v4);
        }
      }
      else
      {
        v2 = PyBytes_FromStringAndSize(v1, v0[1] - 1);
      }
      *(_QWORD *)*(v0 - 1) = v2;
      if ( !*(_QWORD *)*(v0 - 1) || PyObject_Hash() == -1 )
        break;
      v0 += 5;
      if ( !*(v0 - 1) )
        goto LABEL_13;
    }
  }
  else
  {
LABEL_13:
    int_0 = PyLong_FromLong(0i64);
    if ( int_0 )
    {
      int_2 = PyLong_FromLong(2i64);
      if ( int_2 )
      {
        int_3 = PyLong_FromLong(3i64);
        if ( int_3 )
        {
          int_7 = PyLong_FromLong(7i64);
          if ( int_7 )
          {
            int_114514 = PyLong_FromLong(114514i64);
            if ( int_114514 )
              return 0i64;
          }
        }
      }
    }
  }
  return 0xFFFFFFFFi64;
}

还有这一个，应该是CallUnboundCMethod1()函数的副本

__int64 __fastcall sub_180004150(__int64 a1, _QWORD *a2)
{
  _QWORD *v3; // rdi
  char v4; // al
  __int64 v6; // rsi
  __int64 v7; // rax
  _QWORD *v8; // rbx
  __int64 v9; // rax
  __int64 v10; // rax
  __int64 v12[3]; // [rsp+20h] [rbp-18h] BYREF

  v3 = (_QWORD *)str2;
  v4 = _pyx_umethod_PyUnicode_Type_index.flag;
  v12[0] = str2;
  if ( _pyx_umethod_PyUnicode_Type_index.PyCFunction )
  {
    if ( LODWORD(_pyx_umethod_PyUnicode_Type_index.flag) == 8 )
      return ((__int64 (__fastcall *)(_QWORD, _QWORD))_pyx_umethod_PyUnicode_Type_index.PyCFunction)(a2, str2);
    if ( LODWORD(_pyx_umethod_PyUnicode_Type_index.flag) == 128
      || LODWORD(_pyx_umethod_PyUnicode_Type_index.flag) == 130 )
    {
      return ((__int64 (__fastcall *)(_QWORD, _QWORD))_pyx_umethod_PyUnicode_Type_index.PyCFunction)(a2, v12);
    }
  }
  v6 = 0i64;
  if ( !_pyx_umethod_PyUnicode_Type_index.PyCFunction )
  {
    if ( _pyx_umethod_PyUnicode_Type_index.method )
      goto LABEL_15;
    if ( (int)sub_1800042C0(&_pyx_umethod_PyUnicode_Type_index) < 0 )
      return v6;
    if ( !_pyx_umethod_PyUnicode_Type_index.PyCFunction )
      goto LABEL_15;
    v4 = _pyx_umethod_PyUnicode_Type_index.flag;
  }
  if ( (v4 & 1) != 0 )
  {
    v7 = PyTuple_New(1i64);
    v8 = (_QWORD *)v7;
    if ( !v7 )
      return v6;
    ++*v3;
    *(_QWORD *)(v7 + 24) = v3;
    v9 = ((__int64 (__fastcall *)(_QWORD, _QWORD))_pyx_umethod_PyUnicode_Type_index.PyCFunction)(a2, v7);
    goto LABEL_17;
  }
LABEL_15:
  v10 = PyTuple_New(2i64);
  v8 = (_QWORD *)v10;
  if ( !v10 )
    return v6;
  ++*a2;
  *(_QWORD *)(v10 + 24) = a2;
  ++*v3;
  *(_QWORD *)(v10 + 32) = v3;
  v9 = PyObject_Call_1((__int64)_pyx_umethod_PyUnicode_Type_index.method, v10, 0i64);
LABEL_17:
  v6 = v9;
  if ( (*v8)-- == 1i64 )
    (*(void (__fastcall **)(_QWORD *))(v8[1] + 48i64))(v8);
  return v6;
}

以上函数都是在对_pyx_umethod_PyUnicode_Type_index结构体交叉引用时遇到的。

本文作者： Taardis
本文链接： https://taardisaa.github.io/2022/01/27/Cython Reverse 2/
版权声明： 本博客所有文章除特别声明外，均采用 Apache License 2.0 许可协议。转载请注明出处！

Cython程序分析_2

样例代码

分析

__pyx_pymod_create()

__pyx_pymod_exec_test2()

声明

补充

调用

__Pyx_GetModuleGlobalName(var, name)宏

__Pyx__GetModuleGlobalName()

__Pyx_GetBuiltin()函数

二进制

声明部分

调用部分

各函数解析

func_DataType()

int_1 = 114514

float_1 = 191981.0

bool_1 = True

complex_1 = 1 + 2j

__pyx_t_double_complex_from_parts()

__pyx_t_double_complex复数结构体

print(int_1 * 2)

PyNumber_Multiply()

print(float_1 - 1)

PyFloat_FromDouble()

print(bool_1)

__Pyx_PyBool_FromLong()

Py_True

print(complex_1 + 3)

__Pyx_PyInt_AddObjC

func_Str()

str_1 = "teststr1" 等

print(str_1[0:4])

__Pyx_PyUnicode_Substring()

__Pyx_PyObject_CallOneArg()

print(str_1[-4:-1])

print(str_1[0])

__Pyx_GetItemInt_Unicode()

PyUnicode_FromOrdinal()

print(str_1[6:])

print(str_3[0:7:2])

__Pyx_InitCachedConstants

__Pyx_PyObject_GetItem

IDA中

print(str_3 * 2)

print(str_2 + str_1)

__Pyx_PyUnicode_Concat()

print(str_2.index("str2"))

__Pyx_CallUnboundCMethod1()

C文件

如何在IDA中恢复

print(str_fmt.format(str_1, str_2))

print("No endl", end="")

print('')

一个小区别

func_ImportModule()

经验总结

在exec函数中分析声明和调用流程

全局变量初始化部分

声明部分

调用部分

待办

其他

`__pyx_pymod_create()`

`__pyx_pymod_exec_test2()`

`__Pyx_GetModuleGlobalName(var, name)宏`

`PyxGetModuleGlobalName()`

`__Pyx_GetBuiltin()`函数

`func_DataType()`

`int_1 = 114514`

`float_1 = 191981.0`

`bool_1 = True`

`complex_1 = 1 + 2j`

`__pyx_t_double_complex_from_parts()`

`__pyx_t_double_complex`复数结构体

`print(int_1 * 2)`

`PyNumber_Multiply()`

`print(float_1 - 1)`

`PyFloat_FromDouble()`

`print(bool_1)`

`__Pyx_PyBool_FromLong()`

`Py_True`

`print(complex_1 + 3)`

`__Pyx_PyInt_AddObjC`

`func_Str()`

`str_1 = "teststr1"` 等

`print(str_1[0:4])`

`__Pyx_PyUnicode_Substring()`

`__Pyx_PyObject_CallOneArg()`

`print(str_1[-4:-1])`

`print(str_1[0])`

`__Pyx_GetItemInt_Unicode()`

`PyUnicode_FromOrdinal()`

`print(str_1[6:])`

`print(str_3[0:7:2])`

`__Pyx_InitCachedConstants`

`__Pyx_PyObject_GetItem`

`print(str_3 * 2)`

`print(str_2 + str_1)`

`__Pyx_PyUnicode_Concat()`

`print(str_2.index("str2"))`

`__Pyx_CallUnboundCMethod1()`

`print(str_fmt.format(str_1, str_2))`

`print("No endl", end="")`

`print('')`

`func_ImportModule()`