Cython程序分析_3

2022-01-27

字数统计: 5.5k字 | 阅读时长≈ 32分

模块导入，大整数，大浮点数等

Cython程序分析_3

先把上次留下来的疑问给解决了。

后面不无脑复制太多C文件代码了，直接提取纲要，反正html注释里面代码给的很详细

代码1

def func_ImportModule():
    import base64
    b64obj = base64.b64encode("testbase64".encode())
    print(b64obj)
    print(type(b64obj))
    
    import hashlib
    md5obj = hashlib.md5()
    md5obj.update("testmd5".encode())
    print(md5obj.hexdigest())

def func_BigInteger():
    bigint_1 = 123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789
    print(bigint_1)
    print(bigint_1 * 2)

def func_BigFloat():
    bigfloat = 1111111111111111111112222222222222222222222222222222222222222222222223333333333333333333333333333.9
    print(bigfloat)

func_ImportModule()
func_BigInteger()
func_BigFloat()

`func_ImportModule()`

`import base64`

  __pyx_t_1 = __Pyx_Import(__pyx_n_s_base64, 0, 0); if (unlikely(!__pyx_t_1)) __PYX_ERR(0, 2, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_t_1);
  __pyx_v_base64 = __pyx_t_1;
  __pyx_t_1 = 0;


/* Import */
static PyObject *__Pyx_Import(PyObject *name, PyObject *from_list, int level) {
    PyObject *empty_list = 0;
    PyObject *module = 0;
    PyObject *global_dict = 0;
    PyObject *empty_dict = 0;
    PyObject *list;
    #if PY_MAJOR_VERSION < 3
    PyObject *py_import;
    py_import = __Pyx_PyObject_GetAttrStr(__pyx_b, __pyx_n_s_import);
    if (!py_import)
        goto bad;
    #endif
    if (from_list)
        list = from_list;
    else {
        empty_list = PyList_New(0);
        if (!empty_list)
            goto bad;
        list = empty_list;
    }
    global_dict = PyModule_GetDict(__pyx_m);
    if (!global_dict)
        goto bad;
    empty_dict = PyDict_New();
    if (!empty_dict)
        goto bad;
    {
        #if PY_MAJOR_VERSION >= 3
        if (level == -1) {
            if ((1) && (strchr(__Pyx_MODULE_NAME, '.'))) {
                module = PyImport_ImportModuleLevelObject(
                    name, global_dict, empty_dict, list, 1);
                if (!module) {
                    if (!PyErr_ExceptionMatches(PyExc_ImportError))
                        goto bad;
                    PyErr_Clear();
                }
            }
            level = 0;
        }
        #endif
        if (!module) {
            #if PY_MAJOR_VERSION < 3
            PyObject *py_level = PyInt_FromLong(level);
            if (!py_level)
                goto bad;
            module = PyObject_CallFunctionObjArgs(py_import,
                name, global_dict, empty_dict, list, py_level, (PyObject *)NULL);
            Py_DECREF(py_level);
            #else
            module = PyImport_ImportModuleLevelObject(
                name, global_dict, empty_dict, list, level);
            #endif
        }
    }
bad:
    #if PY_MAJOR_VERSION < 3
    Py_XDECREF(py_import);
    #endif
    Py_XDECREF(empty_list);
    Py_XDECREF(empty_dict);
    return module;
}

这次函数并没有被内联。不过即使内联了，也可以关注PyImport_ImportModuleLevelObject()或者PyObject_CallFunctionObjArgs()函数。

// func_ImportModule()
  v4 = sub_180004160(strp_base64);

// 
__int64 __fastcall sub_180004160(__int64 a1)
{
  __int64 v2; // rsi
  _QWORD *v3; // rbx
  _QWORD *v4; // rdi
  __int64 v5; // rbp
  __int64 v6; // rax
  bool v7; // zf

  v2 = 0i64;
  v3 = 0i64;
  v4 = (_QWORD *)PyList_New(0i64);
  if ( !v4 )
    return v2;
  v5 = PyModule_GetDict(qword_18000A9C8);
  if ( v5 )
  {
    v6 = PyDict_New();
    v3 = (_QWORD *)v6;
    if ( v6 )
      v2 = PyImport_ImportModuleLevelObject(a1, v5, v6, v4, 0);
  }
  v7 = (*v4)-- == 1i64;
  if ( v7 )
    (*(void (__fastcall **)(_QWORD *))(v4[1] + 48i64))(v4);
  if ( !v3 )
    return v2;
  v7 = (*v3)-- == 1i64;
  if ( v7 )
    (*(void (__fastcall **)(_QWORD *))(v3[1] + 48i64))(v3);
  return v2;
}

`b64obj = base64.b64encode("testbase64".encode())`

// 纲要
// base64.b64encode
__pyx_t_2 = __Pyx_PyObject_GetAttrStr(__pyx_v_base64, __pyx_n_s_b64encode);
// "testbase64".encode()
__pyx_t_3 = PyUnicode_AsEncodedString(__pyx_n_u_testbase64, NULL, NULL);

// 
__pyx_t_4 = PyMethod_GET_SELF(__pyx_t_2);

// 调用
__pyx_t_1 = (__pyx_t_4) ? __Pyx_PyObject_Call2Args(__pyx_t_2, __pyx_t_4, __pyx_t_3) : __Pyx_PyObject_CallOneArg(__pyx_t_2, __pyx_t_3);

IDA中


  v14 = (*encodedstr)-- == 1i64;
  if ( v14 )
    (*(void (__fastcall **)(_QWORD *))(encodedstr[1] + 48i64))(encodedstr);
  if ( !b64edobj_cp )
  {
    v5 = 3;
    v6 = 1318;
    goto LABEL_86;
  }base64_b64encode = PyObject_GetAttr(mod_base64, strp_b64encode);
  base64_b64encode_cp = (__int64 *)base64_b64encode;
  if ( !base64_b64encode )
  {
    v5 = 3;
    v6 = 1301;
LABEL_95:
    v2 = v47;
LABEL_96:
    v45 = v48;
    AddTraceback(aTest31FuncImpo, v6, v5, aTest31Py);
    if ( !v2 )
      goto LABEL_105;
    goto LABEL_103;
  }
  encodedstr = (_QWORD *)PyUnicode_AsEncodedString(strp_testbase64, 0i64, 0i64);
  if ( !encodedstr )
  {
    v5 = 3;
    v6 = 1303;
LABEL_87:
    v14 = (*base64_b64encode_cp)-- == 1;
    if ( !v14 )
      goto LABEL_95;
    v41 = base64_b64encode_cp[1];
    v42 = base64_b64encode_cp;
LABEL_94:
    (*(void (__fastcall **)(__int64 *))(v41 + 48))(v42);
    goto LABEL_95;
  }
  if ( base64_b64encode_cp[1] == PyMethod_Type && (v11 = (_QWORD *)base64_b64encode_cp[3]) != 0i64 )
  {
    v12 = (__int64 *)base64_b64encode_cp[2];
    v13 = base64_b64encode_cp;
    ++*v11;
    base64_b64encode_cp = v12;
    ++*v12;
    v14 = (*v13)-- == 1;
    if ( v14 )
      (*(void (**)(void))(v13[1] + 48))();
    b64edobj = PyObject_Call2Args(v12, v11, encodedstr);
          v14 = (*v11)-- == 1i64;
    b64edobj_cp = b64edobj;
    if ( v14 )
      (*(void (__fastcall **)(_QWORD *))(v11[1] + 48i64))(v11);
  }
  else
  {
    b64edobj_cp = PyObject_CallOneArg(base64_b64encode_cp, encodedstr);
  }
  v14 = (*encodedstr)-- == 1i64;
  if ( v14 )
    (*(void (__fastcall **)(_QWORD *))(encodedstr[1] + 48i64))(encodedstr);
  if ( !b64edobj_cp )
  {
    v5 = 3;
    v6 = 1318;
    goto LABEL_86;
  }

`print(b64obj)`

1	__pyx_t_1 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_v_b64obj); if (unlikely(!__pyx_t_1))

v14 = (*base64_b64encode_cp)-- == 1;
if ( v14 )
  (*(void (__fastcall **)(__int64 *))(base64_b64encode_cp[1] + 48))(base64_b64encode_cp);
v48 = (_QWORD *)b64edobj_cp;
v17 = (_QWORD *)PyObject_CallOneArg((_QWORD *)glob_func_print, (_QWORD *)b64edobj_cp);
if ( !v17 )
{
  v5 = 4;
  v6 = 1331;
  goto LABEL_95;
}

`print(type(b64obj))`

1	__pyx_t_1 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, ((PyObject *)Py_TYPE(__pyx_v_b64obj)))

// Py_TYPE()
v14 = (*v17)-- == 1i64;
if ( v14 )
    (*(void (__fastcall **)(_QWORD *))(v17[1] + 48i64))(v17);
v18 = (_QWORD *)PyObject_CallOneArg((_QWORD *)glob_func_print, *(_QWORD **)(b64edobj_cp + 8));
if ( !v18 )
{
    v5 = 5;
    v6 = 1342;
    goto LABEL_95;
}

这样我们便能知道Py_TYPE()的偏移是+8。

`import hashlib`

1	__pyx_t_1 = __Pyx_Import(__pyx_n_s_hashlib, 0, 0)

v14 = (*v18)-- == 1i64;
if ( v14 )
  (*(void (__fastcall **)(_QWORD *))(v18[1] + 48i64))(v18);
v19 = Import(strp_hashlib);
if ( !v19 )
{
  v5 = 7;
  v6 = 1353;
  goto LABEL_95;
}

`md5obj = hashlib.md5()`

和上面base64.b64encode(xxx)其实一样，不过那个是强制传入字节码来构建对象，这个可以后面再update()上去。

__pyx_t_2 = __Pyx_PyObject_GetAttrStr(__pyx_v_hashlib, __pyx_n_s_md5);
__pyx_t_3 = PyMethod_GET_SELF(__pyx_t_2);
__pyx_t_1 = (__pyx_t_3) ? __Pyx_PyObject_CallOneArg(__pyx_t_2, __pyx_t_3) : __Pyx_PyObject_CallNoArg(__pyx_t_2);
__pyx_v_md5obj = __pyx_t_1;

IDA中

v3 = (_QWORD *)mod_hashlib;
v20 = *(__int64 (__fastcall **)(__int64, __int64))(*(_QWORD *)(mod_hashlib + 8) + 144i64);
if ( v20 )
  hashlib_md5 = (__int64 *)v20(mod_hashlib, strp_md5);
else
  hashlib_md5 = (__int64 *)PyObject_GetAttr(mod_hashlib, strp_md5);
v4 = hashlib_md5;
if ( !hashlib_md5 )
{
  v5 = 8;
  v6 = 1365;
  goto LABEL_95;
}
if ( hashlib_md5[1] == PyMethod_Type && (v22 = (_QWORD *)hashlib_md5[3]) != 0i64 )
{
  v23 = (__int64 *)hashlib_md5[2];
  ++*v22;
  v4 = v23;
  ++*v23;
  v14 = (*hashlib_md5)-- == 1;
  if ( v14 )
    (*(void (**)(void))(hashlib_md5[1] + 48))();
  v24 = PyObject_CallOneArg(v23, v22);
  v14 = (*v22)-- == 1i64;
  v25 = v24;
  if ( v14 )
    (*(void (__fastcall **)(_QWORD *))(v22[1] + 48i64))(v22);
}
else
{
  v25 = PyObject_CallNoArg(hashlib_md5);
}
if ( !v25 )
{
  v5 = 8;
  v6 = 1379;
  goto LABEL_86;
}

`md5obj.update("testmd5".encode())`

__pyx_t_2 = __Pyx_PyObject_GetAttrStr(__pyx_v_md5obj, __pyx_n_s_update);
__pyx_t_3 = PyUnicode_AsEncodedString(__pyx_n_u_testmd5, NULL, NULL);
__pyx_t_4 = PyMethod_GET_SELF(__pyx_t_2);
__pyx_t_1 = (__pyx_t_4) ? __Pyx_PyObject_Call2Args(__pyx_t_2, __pyx_t_4, __pyx_t_3) : __Pyx_PyObject_CallOneArg(__pyx_t_2, __pyx_t_3);

IDA中

v14 = (*v4)-- == 1;
if ( v14 )
  (*(void (__fastcall **)(__int64 *))(v4[1] + 48))(v4);
v1 = (_QWORD *)md5obj;
v26 = *(__int64 (__fastcall **)(__int64, __int64))(*(_QWORD *)(md5obj + 8) + 144i64);
if ( v26 )
  md5obj_update = v26(md5obj, strp_update);
else
  md5obj_update = PyObject_GetAttr(md5obj, strp_update);
v4 = (__int64 *)md5obj_update;
if ( !md5obj_update )
{
  v5 = 9;
  v6 = 1392;
  goto LABEL_95;
}
encodedstr2 = (_QWORD *)PyUnicode_AsEncodedString(strp_testmd5, 0i64, 0i64);
if ( !encodedstr2 )
{
  v5 = 9;
  v6 = 1394;
  goto LABEL_87;
}
if ( v4[1] == PyMethod_Type && (v29 = (_QWORD *)v4[3]) != 0i64 )
{
  v30 = (__int64 *)v4[2];
  v31 = v4;
  ++*v29;
  v4 = v30;
  ++*v30;
  v14 = (*v31)-- == 1;
  if ( v14 )
    (*(void (**)(void))(v31[1] + 48))();
  v32 = PyObject_Call2Args(v30, v29, encodedstr2);
  v14 = (*v29)-- == 1i64;
  v33 = (_QWORD *)v32;
  if ( v14 )
    (*(void (__fastcall **)(_QWORD *))(v29[1] + 48i64))(v29);
}
else
{
  v33 = (_QWORD *)PyObject_CallOneArg(v4, encodedstr2);
}
v14 = (*encodedstr2)-- == 1i64;
if ( v14 )
  (*(void (__fastcall **)(_QWORD *))(encodedstr2[1] + 48i64))(encodedstr2);
if ( !v33 )
{
  v5 = 9;
  v6 = 1409;
  goto LABEL_86;
}

`print(md5obj.hexdigest())`

// md5obj.hexdigest
__pyx_t_2 = __Pyx_PyObject_GetAttrStr(__pyx_v_md5obj, __pyx_n_s_hexdigest);
__pyx_t_3 = PyMethod_GET_SELF(__pyx_t_2);
// md5obj.hexdigest()
__pyx_t_1 = (__pyx_t_3) ? __Pyx_PyObject_CallOneArg(__pyx_t_2, __pyx_t_3) : __Pyx_PyObject_CallNoArg(__pyx_t_2);
// print(md5obj.hexdigest())
__pyx_t_2 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_1);

  v14 = (*v4)-- == 1;
  if ( v14 )
    (*(v4[1] + 48))(v4);
  v14 = (*v33)-- == 1i64;
  if ( v14 )
    (*(v33[1] + 48i64))(v33);
  v34 = *(md5obj_cp[1] + 144i64);
  if ( v34 )
    v35 = v34(md5obj_cp, strp_hexdigest);
  else
    v35 = PyObject_GetAttr(md5obj_cp, strp_hexdigest);
  v4 = v35;
  if ( !v35 )
  {
    v5 = 10;
    v6 = 1421;
    goto LABEL_95;
  }
  if ( v35[1] == PyMethod_Type && (v36 = v35[3]) != 0i64 )
  {
    v37 = v35[2];
    ++*v36;
    v4 = v37;
    ++*v37;
    v14 = (*v35)-- == 1;
    if ( v14 )
      (*(v35[1] + 48))();
    v38 = PyObject_CallOneArg(v37, v36);
    v14 = (*v36)-- == 1i64;
    v39 = v38;
    if ( v14 )
      (*(v36[1] + 48i64))(v36);
    v40 = v39;
  }
  else
  {
    v40 = PyObject_CallNoArg(v35);
    v39 = v40;
  }
  if ( !v40 )
  {
    v5 = 10;
    v6 = 1435;
LABEL_86:
    if ( !v4 )
      goto LABEL_95;
    goto LABEL_87;
  }
  v14 = (*v4)-- == 1;
  if ( v14 )
    (*(v4[1] + 48))(v4);
  v43 = PyObject_CallOneArg(glob_func_print, v40);
  v44 = *v39 - 1;
  *v40 = v44;
  if ( !v43 )
  {
    v5 = 10;
    v6 = 1438;
    if ( v44 )
      goto LABEL_95;
    v41 = v40[1];
    v42 = v40;
    goto LABEL_94;
  }

`func_BigInteger()`

`bigint_1 = .....（一个很大的数字）`

1
2

__Pyx_INCREF(__pyx_int_123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789);
  __pyx_v_bigint_1 = __pyx_int_123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789;

而__pyx_int_一个大数的初始化则在InitGlobals()中实现。当然此函数被内联了。

1	int_verylong = PyLong_FromString(a12345678912345, 0i64, 0i64)

调用了PyLong_FromString()方法。所以说这个大数字会被搞成字符串存储。

.data:000000018000A180 a12345678912345 db '12345678912345678912345678912345678912345678912345678912345678912'
.data:000000018000A180                                         ; DATA XREF: Exec+41A↑o
.data:000000018000A180                                         ; sub_180005330+AE↑o
.data:000000018000A180                 db '34567891234567891234567891234567891234567891234567891234567891234'
.data:000000018000A180                 db '56789',0

`print(bigint_1)`

1	__pyx_t_1 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_v_bigint_1);

IDA

1
2
3

v1 = glob_func_print;
v2 = int_verylong;
v3 = PyObject_CallOneArg(v1, v2);

`print(bigint_1 * 2)`

1 2	__pyx_t_1 = PyNumber_Multiply(__pyx_v_bigint_1, __pyx_int_2); __pyx_t_2 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_1);

IDA

v6 = (*v3)-- == 1i64;
 if ( v6 )
   (*(v3[1] + 48i64))(v3);
 v7 = PyNumber_Multiply(v0, int_2);
 v8 = v7;
 if ( !v7 )
 {
   v4 = 15;
   v5 = 1530;
   goto LABEL_10;
 }
 v9 = PyObject_CallOneArg(glob_func_print, v7);
 v10 = *v8;
 if ( !v9 )
 {
   v4 = 15;
   v5 = 1532;
   v11 = v10 - 1;
   *v8 = v11;
   if ( !v11 )
     (*(v8[1] + 48))(v8);
   goto LABEL_10;
 }

`func_BigFloat()`

高估了python的浮点精度，发现实际上也就是一般的IEEE浮点精度。

`bigfloat = 1111111111111111111112222222222222222222222222222222222222222222222223333333333333333333333333333.9`

1	__pyx_v_bigfloat = 1111111111111111111112222222222222222222222222222222222222222222222223333333333333333333333333333.9;

IDA中

这是一个固定数据。

1 2	.rdata:0000000180007548 qword_180007548 dq 53E0A55DA8B14737h ; DATA XREF: sub_1800056C0+F↑r .rdata:0000000180007548 ; func_BigFloat+F↑r

`print(bigfloat)`

1 2	__pyx_t_1 = PyFloat_FromDouble(__pyx_v_bigfloat); __pyx_t_2 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_1);

1 2	v0 = PyFloat_FromDouble(1.111111111111111e96); v3 = PyObject_CallOneArg(glob_func_print, v0);

代码2

这个比较激进了。

python语法糖，算术表达式，转义字符串，元组，字典，集合

def test3_2():
    a = b = c = 123321
    d, e, f = 114514, 1919810, "runoob"
    print(isinstance(a, int))

# 传入一个输入是为了防止被优化
def func_Calculation(input):
    a = input + 4
    b = a + 0.3
    c = b * 7
    d = c / 3
    e = d // 2
    f = e % 17
    g = f ** 5
    h = int(g)
    i = h << 3
    print(i, type(i), isinstance(i, int))

# 试一下转义字符
def func_Str():
    print(r"Ru\nnoob")

def reverseWords(input):
    inputWords = input.split(" ")
    inputWords=inputWords[-1::-1]
    output = ' '.join(inputWords)
    print(output)

def func_Tuple():
    tuple1 = ( 'abcd', 786 , 2.23, 'runoob', 70.2  )
    tinytuple = (123, 'runoob')

    print (tuple1)             # 输出完整元组
    print (tuple1[0])          # 输出元组的第一个元素
    print (tuple1[1:3])        # 输出从第二个元素开始到第三个元素
    print (tuple1[2:])         # 输出从第三个元素开始的所有元素
    print (tinytuple * 2)     # 输出两次元组
    print (tuple1 + tinytuple) # 连接元组

def func_Set():
    sites = {'Google', 'Taobao', 'Runoob', 'Facebook', 'Zhihu', 'Baidu'}
    print(sites)   # 输出集合，重复的元素被自动去掉 

    # 成员测试
    if 'Runoob' in sites :
        print('Runoob In set')
    else :
        print('Runoob Not in set')


    # set可以进行集合运算
    a = set('abracadabra')
    b = set('alacazam')
    print(a)
    print(a - b)     # a 和 b 的差集
    print(a | b)     # a 和 b 的并集
    print(a & b)     # a 和 b 的交集
    print(a ^ b)     # a 和 b 中不同时存在的元素

def func_Dictionary():
    mydict = {}
    mydict['one'] = "1elem"
    mydict[2]     = "2elem"

    tinydict = {'name': 'runoob','code':1, 'site': 'www.runoob.com'}


    print (mydict['one'])       # 输出键为 'one' 的值
    print (mydict[2])           # 输出键为 2 的值
    print (tinydict)          # 输出完整的字典
    print (tinydict.keys())   # 输出所有键
    print (tinydict.values()) # 输出所有值
"""
True
8 <class 'int'> True
Ru\nnoob
runoob like I
('abcd', 786, 2.23, 'runoob', 70.2)
abcd
(786, 2.23)
(2.23, 'runoob', 70.2)
(123, 'runoob', 123, 'runoob')
('abcd', 786, 2.23, 'runoob', 70.2, 123, 'runoob')
{'Google', 'Runoob', 'Facebook', 'Zhihu', 'Baidu', 'Taobao'}
Runoob In set
{'r', 'c', 'd', 'a', 'b'}
{'r', 'd', 'b'}
{'z', 'r', 'c', 'd', 'a', 'l', 'm', 'b'}
{'a', 'c'}
{'z', 'd', 'b', 'r', 'm', 'l'}
1elem
2elem
{'name': 'runoob', 'code': 1, 'site': 'www.runoob.com'}
dict_keys(['name', 'code', 'site'])
dict_values(['runoob', 1, 'www.runoob.com'])
"""
test3_2()
func_Calculation(114514)
func_Str()
reverseWords("I like runoob")
func_Tuple()
func_Set()
func_Dictionary()

方便起见，直接在IDA函数里面注释，不逐行拆开来分析了。

`test3_2()`

// 简化版
+002:     a = b = c = 123321
    // 拆开来变成一般的赋值。很有可能被优化忽略掉了。
    // 不过应该能在InitGlobals()或者InitCachedConstants()中找到。
  __pyx_v_a = 0x1E1B9;
  __pyx_v_b = 0x1E1B9;
  __pyx_v_c = 0x1E1B9;
+003:     d, e, f = 114514, 1919810, "runoob"
  	// 编译器的语法糖，二进制文件中还是一样的。
  __pyx_t_1 = 0x1BF52;
  __pyx_t_2 = 0x1D4B42;
  __pyx_t_3 = __pyx_n_u_runoob;
  __Pyx_INCREF(__pyx_t_3);
  __pyx_v_d = __pyx_t_1;
  __pyx_v_e = __pyx_t_2;
  __pyx_v_f = ((PyObject*)__pyx_t_3);
  __pyx_t_3 = 0;
+004:     print(isinstance(a, int))
    // PyLong_From_Long()
  __pyx_t_3 = __Pyx_PyInt_From_long(__pyx_v_a);
	// PyInt_Check()没找到
  __pyx_t_4 = PyInt_Check(__pyx_t_3); 
  __Pyx_DECREF(__pyx_t_3); __pyx_t_3 = 0;
	// Py_TrueStruct和Py_FalseSturct对象
  __pyx_t_3 = __Pyx_PyBool_FromLong(__pyx_t_4);
  __pyx_t_5 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_3);

补充

#define PyInt_Check(op)              PyLong_Check(op)

// longobject.h
#define PyLong_Check(op) \
        PyType_FastSubclass(Py_TYPE(op), Py_TPFLAGS_LONG_SUBCLASS)
// object.h
#define PyType_FastSubclass(t,f)  PyType_HasFeature(t,f)
#define PyType_HasFeature(t,f)  ((PyType_GetFlags(t) & (f)) != 0)
// 然而PyType_GetFlags()没有具体定义，那按理应该是外部API，但是并没有找到调用，直接内联了。
// 这条路断了

并没有给予任何线索。

IDA中

// write access to const memory has been detected, the output may be wrong!
__int64 test3_2()
{
  _QWORD *v0; // rdi
  _QWORD *int_123321; // rax
  unsigned int v2; // ebp
  __int64 v3; // rdx
  int v4; // ebx
  bool v5; // zf
  __int64 *v6; // rbx
  _QWORD *v7; // rsi
  __int64 v8; // rax
  __int64 v9; // rax
  __int64 v10; // rbx
  __int64 v11; // rax

  v0 = (_QWORD *)strp_runoob;
  ++*(_QWORD *)strp_runoob;
  int_123321 = (_QWORD *)PyLong_FromLong(123321i64);// a = 123321
  if ( !int_123321 )
  {
    v2 = 1551;
LABEL_13:
    sub_1800020F0(aTest32Test32, v2, 4i64, aTest32Py);
    v10 = 0i64;
    goto LABEL_19;
  }


  v3 = int_123321[1];                           // bool = isinstance(a, int)
  v4 = *(_DWORD *)(v3 + 168);
  v5 = (*int_123321)-- == 1i64;
  if ( v5 )
    (*(void (__fastcall **)(_QWORD *))(v3 + 48))(int_123321);
  if ( _bittest(&v4, 0x18u) )                   // 这里bittest用于检查PyObject其中的子元素，
                                                // 应该就代表了isinstance(a, int)
                                                // 等另一个博客分析PyObject后再具体解答
                                                // 
    v6 = (__int64 *)++Py_TrueStruct;            // bool获得True或者False
  else
    v6 = (__int64 *)++Py_FalseStruct;
  if ( !v6 )
  {
    v2 = 1555;
    goto LABEL_13;
  }


  v7 = (_QWORD *)PyObject_CallOneArg(glob_func_print, v6);// print(bool)
  v8 = *v6;
  if ( !v7 )
  {
    v2 = 1557;
    v9 = v8 - 1;
    *v6 = v9;
    if ( !v9 )
      (*(void (__fastcall **)(__int64 *))(v6[1] + 48))(v6);
    goto LABEL_13;
  }


  v11 = v8 - 1;                                 // 结束代码
  *v6 = v11;
  if ( !v11 )
    (*(void (__fastcall **)(__int64 *))(v6[1] + 48))(v6);
  v5 = (*v7)-- == 1i64;
  if ( v5 )
    (*(void (__fastcall **)(_QWORD *))(v7[1] + 48i64))(v7);
  v10 = Py_NoneStruct++;
LABEL_19:
  if ( !v0 )
    return v10;
  v5 = (*v0)-- == 1i64;
  if ( v5 )
    (*(void (__fastcall **)(_QWORD *))(v0[1] + 48i64))(v0);
  return v10;
}

`func_Calculation(input)`

// 简化
+008:     a = input + 4
  __pyx_t_1 = __Pyx_PyInt_AddObjC(__pyx_v_input, __pyx_int_4, 4, 0, 0);
  __pyx_v_a = __pyx_t_1;
+009:     b = a + 0.3
  __pyx_t_1 = __Pyx_PyFloat_AddObjC(__pyx_v_a, __pyx_float_0_3, 0.3, 0, 0);
  __pyx_v_b = __pyx_t_1;
+010:     c = b * 7
  __pyx_t_1 = PyNumber_Multiply(__pyx_v_b, __pyx_int_7);
  __pyx_v_c = __pyx_t_1;
+011:     d = c / 3
  __pyx_t_1 = __Pyx_PyInt_TrueDivideObjC(__pyx_v_c, __pyx_int_3, 3, 0, 0);
  __pyx_v_d = __pyx_t_1;
+012:     e = d // 2
  __pyx_t_1 = __Pyx_PyInt_FloorDivideObjC(__pyx_v_d, __pyx_int_2, 2, 0, 0);
  __pyx_v_e = __pyx_t_1;
+013:     f = e % 17
  __pyx_t_1 = __Pyx_PyInt_RemainderObjC(__pyx_v_e, __pyx_int_17, 17, 0, 0);
  __pyx_v_f = __pyx_t_1;
+014:     g = f ** 5
  __pyx_t_1 = PyNumber_Power(__pyx_v_f, __pyx_int_5, Py_None);
  __pyx_v_g = __pyx_t_1;
+015:     h = int(g)
  __pyx_t_1 = __Pyx_PyNumber_Int(__pyx_v_g);
  __pyx_v_h = __pyx_t_1;
+016:     i = h << 3
  __pyx_t_1 = __Pyx_PyInt_LshiftObjC(__pyx_v_h, __pyx_int_3, 3, 0, 0);
  __pyx_v_i = __pyx_t_1;

+017:     print(i, type(i), isinstance(i, int))
  __pyx_t_2 = PyInt_Check(__pyx_v_i); 
  __pyx_t_1 = __Pyx_PyBool_FromLong(__pyx_t_2);

  __pyx_t_3 = PyTuple_New(3);

  PyTuple_SET_ITEM(__pyx_t_3, 0, __pyx_v_i);

  PyTuple_SET_ITEM(__pyx_t_3, 1, ((PyObject *)Py_TYPE(__pyx_v_i)));

  PyTuple_SET_ITEM(__pyx_t_3, 2, __pyx_t_1);
  __pyx_t_1 = __Pyx_PyObject_Call(__pyx_builtin_print, __pyx_t_3, NULL);

PyXXX_AddObjC()函数我在博客2里面分析复数的时候遇到过。

// write access to const memory has been detected, the output may be wrong!
__int64 __fastcall func_Calculation_0(__int64 a1, __int64 input)
{
  __int64 v2; // r14
  _QWORD *v3; // rbp
  _QWORD *v4; // r12
  __int64 v5; // rax
  _QWORD *v6; // r15
  _QWORD *v7; // r13
  __int64 v8; // r9
  int v9; // eax
  int v10; // ecx
  __int64 a; // rax
  __int64 v12; // rcx
  unsigned int v13; // ebx
  _QWORD *v14; // rax
  unsigned int v15; // esi
  _QWORD *v16; // rcx
  _QWORD *v17; // rdx
  __int64 v18; // rax
  _QWORD *v19; // rdi
  double v20; // xmm6_8
  __int64 v21; // rax
  __int64 v22; // rax
  __int64 v23; // rcx
  __int64 v24; // rax
  __int64 v25; // r8
  int v26; // edx
  int v27; // eax
  __int64 v28; // rax
  __int64 v29; // r9
  int v30; // eax
  int v31; // er8
  unsigned int v32; // edx
  int v33; // eax
  unsigned int v34; // er8
  __int64 v35; // rax
  signed __int64 v36; // r8
  unsigned __int64 v37; // rdx
  __int64 v38; // rax
  unsigned __int64 v39; // r8
  __int64 v40; // r9
  int v41; // eax
  int v42; // er8
  unsigned int v43; // er8
  unsigned int v44; // eax
  __int64 v45; // rax
  signed __int64 v46; // r8
  unsigned __int64 v47; // r8
  unsigned __int64 v48; // rax
  __int64 g; // rcx
  __int64 v50; // r8
  unsigned __int64 v51; // rdx
  unsigned int v52; // er8
  __int64 i; // rax
  __int64 v54; // rbx
  _QWORD *isinstance_i; // r15
  _QWORD *tup_3item; // rax
  _QWORD *tup3_cp; // rbp
  bool v58; // zf
  __int64 print; // rcx
  _QWORD *v60; // rbx
  _QWORD *v62; // [rsp+20h] [rbp-A8h]
  _QWORD *v63; // [rsp+28h] [rbp-A0h]
  _QWORD *v64; // [rsp+30h] [rbp-98h]
  _QWORD *v65; // [rsp+38h] [rbp-90h]
  _QWORD *v66; // [rsp+40h] [rbp-88h]
  _QWORD *v67; // [rsp+48h] [rbp-80h]
  __int64 v68; // [rsp+50h] [rbp-78h]
  __int64 v69; // [rsp+58h] [rbp-70h]
  __int64 v70; // [rsp+60h] [rbp-68h]
  _QWORD *v71; // [rsp+68h] [rbp-60h]
  _QWORD *v72; // [rsp+D0h] [rbp+8h]
  _QWORD *v73; // [rsp+D8h] [rbp+10h]
  _QWORD *v74; // [rsp+E0h] [rbp+18h]
  _QWORD *v75; // [rsp+E8h] [rbp+20h]

  v2 = 0i64;
  v3 = 0i64;
  v4 = 0i64;
  v5 = *(_QWORD *)(input + 8);
  v6 = 0i64;
  v62 = 0i64;
  v7 = 0i64;
  v63 = 0i64;
  if ( v5 == PyLong_Type )
  {
    v8 = *(_QWORD *)(input + 16);
    if ( (__int64)abs64(v8) > 1 )
    {
      switch ( v8 )
      {
        case -2i64:
          a = PyLong_FromLongLong(4 - (*(unsigned int *)(input + 24) | ((unsigned __int64)*(unsigned int *)(input + 28) << 30)));
          break;
        case 2i64:
          a = PyLong_FromLongLong((*(unsigned int *)(input + 24) | ((unsigned __int64)*(unsigned int *)(input + 28) << 30)) + 4);
          break;
        default:
          a = (**((__int64 (__fastcall ***)(__int64, __int64))&PyLong_Type + 12))(input, int_4);
          break;
      }
    }
    else
    {
      if ( v8 )
        v9 = *(_DWORD *)(input + 24);
      else
        v9 = 0;
      v10 = -v9;
      if ( v8 != -1 )
        v10 = v9;
      a = PyLong_FromLong((unsigned int)(v10 + 4));
    }
  }
  else if ( v5 == PyFloat_Type )
  {
    a = PyFloat_FromDouble(*(double *)(input + 16) + 4.0);
  }
  else
  {
    a = PyNumber_Add(input, int_4);
  }                                             // a = input + 4

  v12 = a;
  if ( !a )
  {
    v13 = 8;
    v14 = 0i64;
    v15 = 1632;
    v16 = 0i64;
    v17 = 0i64;
    goto LABEL_124;
  }
  v18 = *(_QWORD *)(a + 8);
  v19 = (_QWORD *)v12;
  v72 = (_QWORD *)v12;
  if ( v18 == PyFloat_Type )
  {
    v20 = *(double *)(v12 + 16);
LABEL_27:
    v21 = PyFloat_FromDouble(v20 + 0.3);        // 这里要修改类型为double
  }
  else
  {
    if ( v18 == PyLong_Type )
    {
      switch ( *(_QWORD *)(v12 + 16) )
      {
        case 0xFFFFFFFFFFFFFFFFi64:
          v20 = -(double)*(int *)(v12 + 24);
          goto LABEL_27;
        case 0i64:
          v20 = 0.0;
          goto LABEL_27;
        case 1i64:
          v20 = (double)*(int *)(v12 + 24);
          goto LABEL_27;
        default:
          v20 = PyLong_AsDouble();
          if ( v20 != -1.0 || !PyErr_Occurred() )
            goto LABEL_27;
          goto LABEL_30;
      }
    }
    v21 = PyNumber_Add(v12, double_0_3);
  }
  if ( !v21 )
  {
LABEL_30:
    v13 = 9;
    v15 = 1644;
    v14 = 0i64;
    v16 = 0i64;
    v17 = 0i64;
LABEL_123:
    v4 = v72;
LABEL_124:
    v73 = v14;
    v75 = v17;
    v74 = v16;
    AddTraceback(aTest32FuncCalc, v15, v13, aTest32Py);
    v19 = v4;
    if ( !v4 )
      goto LABEL_133;
    goto LABEL_131;
  }                                             // b = a + 0.3


  v62 = (_QWORD *)v21;
  v66 = (_QWORD *)v21;
  v22 = PyNumber_Multiply(v21, int_7);
  v23 = v22;
  if ( !v22 )
  {
    v13 = 10;
    v14 = 0i64;
    v15 = 1656;
    v16 = 0i64;
    v17 = 0i64;
    goto LABEL_123;
  }                                             // c = b * 7

  v24 = *(_QWORD *)(v22 + 8);
  v63 = (_QWORD *)v23;
  v67 = (_QWORD *)v23;
  if ( v24 == PyLong_Type )
  {
    v25 = *(_QWORD *)(v23 + 16);
    if ( (__int64)abs64(v25) > 1 )
    {
      v28 = (*(__int64 (__fastcall **)(__int64, __int64))(*((_QWORD *)&PyLong_Type + 12) + 240i64))(v23, int_3);
    }
    else
    {
      if ( v25 )
        v26 = *(_DWORD *)(v23 + 24);
      else
        v26 = 0;
      v27 = -v26;
      if ( v25 != -1 )
        v27 = v26;
      v28 = PyFloat_FromDouble((double)v27 / 3.0);
    }
  }
  else if ( v24 == PyFloat_Type )
  {
    v28 = PyFloat_FromDouble(*(double *)(v23 + 16) / 3.0);
  }
  else
  {
    v28 = PyNumber_TrueDivide(v23, int_3);
  }
  if ( !v28 )
  {
    v13 = 11;
    v14 = 0i64;
    v15 = 1668;
    v16 = 0i64;
    v17 = 0i64;
    goto LABEL_123;
  }                                             // PyNumber_TrueDivide()
                                                // d = c / 3.0

  v73 = (_QWORD *)v28;
  v68 = v28;
  if ( *(_QWORD *)(v28 + 8) == PyLong_Type )
  {
    v29 = *(_QWORD *)(v28 + 16);
    if ( (__int64)abs64(v29) > 1 )
    {
      switch ( v29 )
      {
        case -2i64:
          v36 = -(__int64)(*(unsigned int *)(v28 + 24) | ((unsigned __int64)*(unsigned int *)(v28 + 28) << 30));
          goto LABEL_60;
        case 2i64:
          v36 = *(unsigned int *)(v28 + 24) | ((unsigned __int64)*(unsigned int *)(v28 + 28) << 30);
LABEL_60:
          v37 = 0i64;
          v38 = v36 / 2;
          v39 = v36 % 2;
          if ( v39 )
            v37 = v39 >> 63;
          v35 = PyLong_FromLongLong(v38 - v37);
          break;
        default:
          v35 = (*(__int64 (__fastcall **)(__int64, __int64))(*((_QWORD *)&PyLong_Type + 12) + 232i64))(v28, int_2);
          break;
      }
    }
    else
    {
      if ( v29 )
        v30 = *(_DWORD *)(v28 + 24);
      else
        v30 = 0;
      v31 = -v30;
      if ( v29 != -1 )
        v31 = v30;
      v32 = 0;
      v33 = v31 / 2;
      v34 = v31 % 2;
      if ( v34 )
        v32 = v34 >> 31;
      v35 = PyLong_FromLong(v33 - v32);
    }
  }
  else
  {
    v35 = PyNumber_FloorDivide(v28, int_2);
  }
  if ( !v35 )
  {
    v13 = 12;
    v14 = v73;
    v15 = 1680;
    v16 = 0i64;
    v17 = 0i64;
    goto LABEL_123;
  }                                             // PyNumber_FloorDivide()
                                                // e = d // 2

  v74 = (_QWORD *)v35;
  v69 = v35;
  if ( *(_QWORD *)(v35 + 8) == PyLong_Type )
  {
    v40 = *(_QWORD *)(v35 + 16);
    if ( (__int64)abs64(v40) > 1 )
    {
      switch ( v40 )
      {
        case -2i64:
          v46 = -(__int64)(*(unsigned int *)(v35 + 24) | ((unsigned __int64)*(unsigned int *)(v35 + 28) << 30));
          goto LABEL_80;
        case 2i64:
          v46 = *(unsigned int *)(v35 + 24) | ((unsigned __int64)*(unsigned int *)(v35 + 28) << 30);
LABEL_80:
          v47 = v46 % 17;
          v48 = 0i64;
          if ( v47 )
            v48 = v47 >> 63;
          v45 = PyLong_FromLongLong(v47 + 17 * v48);
          break;
        default:
          v45 = (*(__int64 (__fastcall **)(__int64, __int64))(*((_QWORD *)&PyLong_Type + 12) + 24i64))(v35, int_17);
          break;
      }
    }
    else
    {
      if ( v40 )
        v41 = *(_DWORD *)(v35 + 24);
      else
        v41 = 0;
      v42 = -v41;
      if ( v40 != -1 )
        v42 = v41;
      v43 = v42 % 17;
      v44 = 0;
      if ( v43 )
        v44 = v43 >> 31;
      v45 = PyLong_FromLong(v43 + 17 * v44);
    }
  }
  else
  {
    v45 = PyNumber_Remainder(v35, int_17);
  }
  if ( !v45 )
  {
    v13 = 13;
    v14 = v73;
    v15 = 1692;
    v16 = v74;
    v17 = 0i64;
    goto LABEL_123;
  }                                             // PyNumber_Remainder()
                                                // f = e % 17

  v75 = (_QWORD *)v45;
  v70 = v45;
  g = PyNumber_Power(v45, int_5, Py_NoneStruct);
  if ( !g )
  {
    v13 = 14;
    v14 = v73;
    v15 = 1704;
    v16 = v74;
    v17 = v75;
    goto LABEL_123;
  }                                             // PyNumber_Power()
                                                // g = f ** 5

  v6 = (_QWORD *)g;
  v64 = (_QWORD *)g;
  v71 = (_QWORD *)g;
  if ( *(_QWORD *)(g + 8) == PyLong_Type )
  {
    ++*(_QWORD *)g;
  }
  else
  {
    g = PyNumber_Long(g);
    if ( !g )
    {
      v13 = 15;
      v14 = v73;
      v15 = 1716;
      v16 = v74;
      v17 = v75;
      goto LABEL_123;
    }
  }                                             // PyNumber_Long()
                                                // h = int(g)

  v3 = (_QWORD *)g;
  v65 = (_QWORD *)g;
  if ( *(_QWORD *)(g + 8) != PyLong_Type )
  {
LABEL_109:
    i = PyNumber_Lshift(g, int_3);
    goto LABEL_110;
  }
  v50 = *(_QWORD *)(g + 16);
  if ( (__int64)abs64(v50) <= 1 )
  {
    if ( v50 )
    {
      LODWORD(v51) = -*(_DWORD *)(g + 24);
      if ( v50 != -1 )
        LODWORD(v51) = *(_DWORD *)(g + 24);
      v52 = 8 * v51;
      if ( (_DWORD)v51 != (8 * (int)v51) >> 3 && (_DWORD)v51 )
      {
        v51 = (int)v51;
LABEL_106:
        if ( v51 == (__int64)(8 * v51) >> 3 )
        {
          i = PyLong_FromLongLong(8 * v51);
          goto LABEL_110;
        }
        goto LABEL_109;
      }
    }
    else
    {
      v52 = 0;
    }
    i = PyLong_FromLong(v52);
    goto LABEL_110;
  }
  switch ( v50 )
  {
    case -2i64:
      v51 = -(__int64)(*(unsigned int *)(g + 24) | ((unsigned __int64)*(unsigned int *)(g + 28) << 30));
      goto LABEL_106;
    case 2i64:
      v51 = *(unsigned int *)(g + 24) | ((unsigned __int64)*(unsigned int *)(g + 28) << 30);
      goto LABEL_106;
    default:
      i = (*(__int64 (__fastcall **)(__int64, __int64))(*((_QWORD *)&PyLong_Type + 12) + 88i64))(g, int_3);
      break;
  }
LABEL_110:
  v54 = i;
  if ( !i )
  {
    v13 = 16;
    v14 = v73;
    v15 = 1728;
    v16 = v74;
    v17 = v75;
    goto LABEL_123;
  }                                             // PyNumber_Lshift()
                                                // i = h << 3 （或者变成 8 * h）

  v7 = (_QWORD *)i;
  isinstance_i = (_QWORD *)isinstance(*(_BYTE *)(*(_QWORD *)(i + 8) + 171i64) & 1);// 暂时还对这个偏移不是很了解，但是这里确实在判断是不是int
  if ( !isinstance_i )
  {
    v13 = 17;
    v15 = 1741;
LABEL_114:
    v14 = v73;
    v6 = v64;
    v16 = v74;
    v17 = v75;
    goto LABEL_123;
  }

  tup_3item = (_QWORD *)PyTuple_New(3i64);
  tup3_cp = tup_3item;
  if ( !tup_3item )
  {
    v13 = 17;
    v15 = 1743;
    v58 = (*isinstance_i)-- == 1i64;
    v16 = (_QWORD *)v69;
    v17 = (_QWORD *)v70;
    v3 = v65;
    v62 = v66;
    v63 = v67;
    v14 = (_QWORD *)v68;
    if ( v58 )
    {
      (*(void (__fastcall **)(_QWORD *, __int64, _QWORD *))(isinstance_i[1] + 48i64))(isinstance_i, v70, v71);
      v16 = (_QWORD *)v69;
      v17 = (_QWORD *)v70;
      v6 = v71;
      v62 = v66;
      v63 = v67;
      v14 = (_QWORD *)v68;
    }
    else
    {
      v6 = v71;
    }
    goto LABEL_123;
  }
  ++*(_QWORD *)v54;
  print = glob_func_print;
  tup_3item[3] = v54;                           // i
  ++**(_QWORD **)(v54 + 8);
  tup_3item[4] = *(_QWORD *)(v54 + 8);          // +8偏移是type，上次博客有写过
  tup_3item[5] = isinstance_i;                  // isinstance(i, int)
  v60 = (_QWORD *)PyObject_Call_0(print, (__int64)tup_3item);// print(i, type(i), isinstance(i, int))
  if ( !v60 )
  {
    v58 = (*tup3_cp)-- == 1i64;
    v13 = 17;
    v15 = 1754;
    if ( v58 )
      (*(void (__fastcall **)(_QWORD *))(tup3_cp[1] + 48i64))(tup3_cp);
    v3 = v65;
    goto LABEL_114;
  }
  v58 = (*tup3_cp)-- == 1i64;
  if ( v58 )
    (*(void (__fastcall **)(_QWORD *))(tup3_cp[1] + 48i64))(tup3_cp);
  v58 = (*v60)-- == 1i64;
  if ( v58 )
    (*(void (__fastcall **)(_QWORD *))(v60[1] + 48i64))(v60);
  v2 = Py_NoneStruct;
  v3 = v65;
  v6 = v64;
  ++Py_NoneStruct;
LABEL_131:
  v58 = (*v19)-- == 1i64;
  if ( v58 )
    (*(void (__fastcall **)(_QWORD *))(v19[1] + 48i64))(v19);
LABEL_133:
  if ( v62 )
  {
    v58 = (*v62)-- == 1i64;
    if ( v58 )
      (*(void (**)(void))(v62[1] + 48i64))();
  }
  if ( v63 )
  {
    v58 = (*v63)-- == 1i64;
    if ( v58 )
      (*(void (**)(void))(v63[1] + 48i64))();
  }
  if ( v73 )
  {
    v58 = (*v73)-- == 1i64;
    if ( v58 )
      (*(void (**)(void))(v73[1] + 48i64))();
  }
  if ( v74 )
  {
    v58 = (*v74)-- == 1i64;
    if ( v58 )
      (*(void (**)(void))(v74[1] + 48i64))();
  }
  if ( v75 )
  {
    v58 = (*v75)-- == 1i64;
    if ( v58 )
      (*(void (**)(void))(v75[1] + 48i64))();
  }
  if ( v6 )
  {
    v58 = (*v6)-- == 1i64;
    if ( v58 )
      (*(void (__fastcall **)(_QWORD *))(v6[1] + 48i64))(v6);
  }
  if ( v3 )
  {
    v58 = (*v3)-- == 1i64;
    if ( v58 )
      (*(void (__fastcall **)(_QWORD *))(v3[1] + 48i64))(v3);
  }
  if ( !v7 )
    return v2;
  v58 = (*v7)-- == 1i64;
  if ( v58 )
    (*(void (__fastcall **)(_QWORD *))(v7[1] + 48i64))(v7);
  return v2;
}

`func_Str()`

  __pyx_t_1 = __Pyx_PyObject_Call(__pyx_builtin_print, __pyx_tuple_, NULL);
// 在InitCachedConstants()
// C文件中：static const char __pyx_k_Ru_nnoob[] = "Ru\\nnoob";
// 翻译成二进制文件后：'Ru\nnoob'
// 这样反而是对的，因为如果没有转义的话，那么编译过来之后，`\n`就变成0xa这个ASCII里面的回车记号了。而现在变成了两个字符，一个`\`一个`n`
  __pyx_tuple_ = PyTuple_Pack(1, __pyx_kp_u_Ru_nnoob);

// write access to const memory has been detected, the output may be wrong!
__int64 func_Str()
{
  _QWORD *v0; // rax
  __int64 result; // rax

  v0 = (_QWORD *)PyObject_Call_0(glob_func_print, tup_strp_runoob);
  if ( v0 )
  {
    if ( (*v0)-- == 1i64 )
      (*(void (__fastcall **)(_QWORD *))(v0[1] + 48i64))(v0);
    result = Py_NoneStruct++;
  }
  else
  {
    AddTraceback(aTest32FuncStr, 1828i64, 21i64, aTest32Py);
    result = 0i64;
  }
  return result;
}

字符串是'Ru\nnoob'，已经被转义了，然后被print()函数调用。

`func_reverseWords()`

+024:     inputWords = input.split(" ")
    // GetAttrStr来获取对象的方法函数
  __pyx_t_2 = __Pyx_PyObject_GetAttrStr(__pyx_v_input, __pyx_n_s_split);
  if (CYTHON_UNPACK_METHODS && likely(PyMethod_Check(__pyx_t_2))) {
    // 用到了
    __pyx_t_3 = PyMethod_GET_SELF(__pyx_t_2);
    if (likely(__pyx_t_3)) {
      PyObject* function = PyMethod_GET_FUNCTION(__pyx_t_2);
      __Pyx_INCREF(__pyx_t_3);
      __Pyx_INCREF(function);
      __Pyx_DECREF_SET(__pyx_t_2, function);
    }
  }
	// Call2Args
  __pyx_t_1 = (__pyx_t_3) ? __Pyx_PyObject_Call2Args(__pyx_t_2, __pyx_t_3, __pyx_kp_u__2) : __Pyx_PyObject_CallOneArg(__pyx_t_2, __pyx_kp_u__2);
  __pyx_v_inputWords = __pyx_t_1;
+025:     inputWords=inputWords[-1::-1]
  __pyx_t_1 = __Pyx_PyObject_GetItem(__pyx_v_inputWords, __pyx_slice__3);
//在InitCachedConstants()中
  __pyx_slice__3 = PySlice_New(__pyx_int_neg_1, Py_None, __pyx_int_neg_1);
+026:     output = ' '.join(inputWords)
    // 直接调用join函数
    // Join(" ", __pyx_v_inputWords)
  __pyx_t_1 = PyUnicode_Join(__pyx_kp_u__2, __pyx_v_inputWords);
  __pyx_v_output = ((PyObject*)__pyx_t_1);

+027:     print(output)
  __pyx_t_1 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_v_output);

// write access to const memory has been detected, the output may be wrong!
__int64 __fastcall func_reverseWords_0(__int64 a1, __int64 input)
{
  __int64 v2; // r14
  _QWORD *v3; // r13
  __int64 (__fastcall *v4)(__int64, __int64); // r9
  _QWORD *v5; // r15
  _QWORD *input_split; // rax
  _QWORD *v7; // rbx
  unsigned int v8; // edi
  unsigned int v9; // ebp
  _QWORD *v10; // r12
  _QWORD *v11; // rsi
  _QWORD *v12; // rdi
  bool v13; // zf
  __int64 v14; // rax
  _QWORD *inputWords; // rbp
  __int64 v16; // r8
  int v17; // edx
  __int64 v18; // rcx
  __int64 (__fastcall *v19)(_QWORD, _QWORD); // rax
  __int64 v20; // rax
  _QWORD *v21; // r12
  __int64 v22; // rax
  __int64 v23; // rcx
  __int64 (__fastcall *v24)(_QWORD *, __int64); // rax
  __int64 v25; // rax
  __int64 v26; // rbx
  __int64 v27; // rax
  _QWORD *v28; // rax
  _QWORD *v30; // [rsp+20h] [rbp-58h] BYREF
  __int64 v31; // [rsp+28h] [rbp-50h]
  __int64 v32[2]; // [rsp+30h] [rbp-48h] BYREF
  _QWORD *v33; // [rsp+88h] [rbp+10h]

  v2 = 0i64;
  v3 = 0i64;
  v4 = *(__int64 (__fastcall **)(__int64, __int64))(*(_QWORD *)(input + 8) + 144i64);
  v5 = 0i64;
  if ( v4 )
    input_split = (_QWORD *)v4(input, strp_split);
  else
    input_split = (_QWORD *)PyObject_GetAttr(input, strp_split);
  v7 = input_split;
  if ( !input_split )
  {
    v8 = 24;
    v9 = 1895;
    goto LABEL_46;
  }                                             // input.split

  v10 = input_split + 1;
  if ( input_split[1] == PyMethod_Type && (v11 = (_QWORD *)input_split[3]) != 0i64 )
  {
    v12 = (_QWORD *)input_split[2];
    ++*v11;
    v7 = v12;
    ++*v12;
    v13 = (*input_split)-- == 1i64;
    if ( v13 )
      (*(void (**)(void))(input_split[1] + 48i64))();
    v14 = v12[1];
    v10 = v12 + 1;
    inputWords = 0i64;
    v33 = (_QWORD *)strp___;
    if ( v14 == PyFunction_Type )
    {
      v32[1] = strp___;
      v32[0] = (__int64)v11;
      inputWords = (_QWORD *)sub_1800053C0(v12, (__int64)v32, 2i64);
    }
    else if ( v14 == PyCFunction_Type && (v16 = v12[2], v17 = *(_DWORD *)(v16 + 16), (v17 & 0xFFFFFF8D) == 128) )
    {
      v31 = strp___;
      v18 = 0i64;
      v30 = v11;
      v19 = *(__int64 (__fastcall **)(_QWORD, _QWORD))(v16 + 8);
      if ( (v17 & 0x20) == 0 )
        v18 = v12[3];
      if ( (v17 & 2) != 0 )
        inputWords = (_QWORD *)((__int64 (__fastcall *)(__int64, _QWORD **, __int64, _QWORD, _QWORD *, __int64))v19)(
                                 v18,
                                 &v30,
                                 2i64,
                                 0i64,
                                 v30,
                                 v31);
      else
        inputWords = (_QWORD *)v19(v18, &v30);
    }
    else
    {
      v20 = PyTuple_New(2i64);
      v21 = (_QWORD *)v20;
      if ( v20 )
      {
        ++*v11;
        *(_QWORD *)(v20 + 24) = v11;
        ++*v33;
        *(_QWORD *)(v20 + 32) = v33;
        ++*v12;
        v22 = PyObject_Call_0((__int64)v12, v20);
        v13 = (*v21)-- == 1i64;
        inputWords = (_QWORD *)v22;
        if ( v13 )
          (*(void (__fastcall **)(_QWORD *))(v21[1] + 48i64))(v21);
        v13 = (*v12)-- == 1i64;
        if ( v13 )
          (*(void (__fastcall **)(_QWORD *))(v12[1] + 48i64))(v12);
      }
      v10 = v12 + 1;
    }
    v13 = (*v11)-- == 1i64;
    if ( v13 )
      (*(void (__fastcall **)(_QWORD *))(v11[1] + 48i64))(v11);
  }
  else
  {
    inputWords = (_QWORD *)PyObject_CallOneArg(input_split, strp___);
  }
  if ( !inputWords )
  {
    v8 = 24;
    v9 = 1909;
    if ( v7 )
    {
      v13 = (*v7)-- == 1i64;
      if ( v13 )
        (*(void (__fastcall **)(_QWORD *))(*v10 + 48i64))(v7);
    }
LABEL_46:
    AddTraceback(aTest32Reversew, v9, v8, aTest32Py);
    if ( !v5 )
      goto LABEL_53;
    goto LABEL_51;
  }                                             // inputWors = input.split(" ")

  v13 = (*v7)-- == 1i64;
  if ( v13 )
    (*(void (__fastcall **)(_QWORD *))(*v10 + 48i64))(v7);
  v5 = inputWords;
  v23 = *(_QWORD *)(inputWords[1] + 112i64);
  if ( v23 && (v24 = *(__int64 (__fastcall **)(_QWORD *, __int64))(v23 + 8)) != 0i64 )
    v25 = v24(inputWords, slice_m_n_m);
  else
    v25 = _Pyx_PyObject_GetIndex(inputWords, slice_m_n_m);// 在GetItem里面被调用的函数
  v26 = v25;
  if ( !v25 )
  {
    v8 = 25;
    v9 = 1922;
    goto LABEL_46;
  }                                             // PyObject_GetItem()
                                                // inputWords=inputWords[-1::-1]

  v13 = (*inputWords)-- == 1i64;
  v5 = (_QWORD *)v25;
  if ( v13 )
    (*(void (__fastcall **)(_QWORD *))(inputWords[1] + 48i64))(inputWords);
  v27 = PyUnicode_Join(strp___, v26);           // " ".join(inputWords)
  if ( !v27 )
  {
    v8 = 26;
    v9 = 1934;
    goto LABEL_46;
  }

  v3 = (_QWORD *)v27;
  v28 = (_QWORD *)PyObject_CallOneArg(glob_func_print, v27);// print()
  if ( !v28 )
  {
    v8 = 27;
    v9 = 1946;
    goto LABEL_46;
  }

  v13 = (*v28)-- == 1i64;                       // 结束代码
  if ( v13 )
    (*(void (__fastcall **)(_QWORD *))(v28[1] + 48i64))(v28);
  v2 = Py_NoneStruct++;
LABEL_51:
  v13 = (*v5)-- == 1i64;
  if ( v13 )
    (*(void (__fastcall **)(_QWORD *))(v5[1] + 48i64))(v5);
LABEL_53:
  if ( !v3 )
    return v2;
  v13 = (*v3)-- == 1i64;
  if ( v13 )
    (*(void (__fastcall **)(_QWORD *))(v3[1] + 48i64))(v3);
  return v2;
}

算了就到这里吧。元组啥的下次再看。

补充

转义字符串

def f1():
	print("Ru\nnoob")

def f2():
	print(r"Ru\nnoob")

C文件中

static const char __pyx_k_Ru_noob[] = "Ru\nnoob";
static const char __pyx_k_Ru_nnoob[] = "Ru\\nnoob";

+1: def f1():
+2: 	print("Ru\nnoob")
  __pyx_t_1 = __Pyx_PyObject_Call(__pyx_builtin_print, __pyx_tuple_, NULL);
// InitCachedConstants()
  __pyx_tuple_ = PyTuple_Pack(1, __pyx_kp_u_Ru_noob);
 3: 
+4: def f2():
+5: 	print(r"Ru\nnoob")
  __pyx_t_1 = __Pyx_PyObject_Call(__pyx_builtin_print, __pyx_tuple__2, NULL);
// InitCachedConstants()
  __pyx_tuple__2 = PyTuple_Pack(1, __pyx_kp_u_Ru_nnoob);

这样确实证明了是会提前转义的。

二进制文件中

.rdata:00000001800053F0 aRuNoob         db 'Ru',0Ah             ; DATA XREF: .data:00000001800077C0↓o
.rdata:00000001800053F0                 db 'noob',0

.rdata:00000001800053C8 aRuNnoob        db 'Ru\nnoob',0         ; DATA XREF: .data:off_180007798↓o

本文作者： Taardis
本文链接： https://taardisaa.github.io/2022/01/27/Cython Reverse 3/
版权声明： 本博客所有文章除特别声明外，均采用 Apache License 2.0 许可协议。转载请注明出处！