Cython程序分析_4

2022-01-28

字数统计: 7.5k字 | 阅读时长≈ 44分

补充上次的元组等，同时继续往下。

Cython程序分析_4

代码1

继续使用博客3编译的文件来分析。

def func_Tuple():
    tuple1 = ( 'abcd', 786 , 2.23, 'runoob', 70.2  )
    tinytuple = (123, 'runoob')

    print (tuple1)             # 输出完整元组
    print (tuple1[0])          # 输出元组的第一个元素
    print (tuple1[1:3])        # 输出从第二个元素开始到第三个元素
    print (tuple1[2:])         # 输出从第三个元素开始的所有元素
    print (tinytuple * 2)     # 输出两次元组
    print (tuple1 + tinytuple) # 连接元组

def func_Set():
    sites = {'Google', 'Taobao', 'Runoob', 'Facebook', 'Zhihu', 'Baidu'}
    print(sites)   # 输出集合，重复的元素被自动去掉 

    # 成员测试
    if 'Runoob' in sites :
        print('Runoob In set')
    else :
        print('Runoob Not in set')


    # set可以进行集合运算
    a = set('abracadabra')
    b = set('alacazam')
    print(a)
    print(a - b)     # a 和 b 的差集
    print(a | b)     # a 和 b 的并集
    print(a & b)     # a 和 b 的交集
    print(a ^ b)     # a 和 b 中不同时存在的元素

def func_Dictionary():
    mydict = {}
    mydict['one'] = "1elem"
    mydict[2]     = "2elem"

    tinydict = {'name': 'runoob','code':1, 'site': 'www.runoob.com'}


    print (mydict['one'])       # 输出键为 'one' 的值
    print (mydict[2])           # 输出键为 2 的值
    print (tinydict)          # 输出完整的字典
    print (tinydict.keys())   # 输出所有键
    print (tinydict.values()) # 输出所有值
    
    
func_Tuple()
func_Set()
func_Dictionary()

`func_Tuple()`

C文件

+029: def func_Tuple():
+030:     tuple1 = ( 'abcd', 786 , 2.23, 'runoob', 70.2  )
  __pyx_v_tuple1 = __pyx_tuple__4;
// InitCachedConstants()
  __pyx_tuple__4 = PyTuple_Pack(5, __pyx_n_u_abcd, __pyx_int_786, __pyx_float_2_23, __pyx_n_u_runoob, __pyx_float_70_2);
+031:     tinytuple = (123, 'runoob')
  __pyx_v_tinytuple = __pyx_tuple__5;
// InitCachedConstants()
  __pyx_tuple__5 = PyTuple_Pack(2, __pyx_int_123, __pyx_n_u_runoob);
 032: 
+033:     print (tuple1)             # 输出完整元组
  __pyx_t_1 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_v_tuple1);
+034:     print (tuple1[0])          # 输出元组的第一个元素
  __pyx_t_1 = __Pyx_GetItemInt_Tuple(__pyx_v_tuple1, 0, long, 1, __Pyx_PyInt_From_long, 0, 0, 1);
  __pyx_t_2 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_1);
+035:     print (tuple1[1:3])        # 输出从第二个元素开始到第三个元素
  __pyx_t_2 = __Pyx_PyTuple_GetSlice(__pyx_v_tuple1, 1, 3);
  __pyx_t_1 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_2);
+036:     print (tuple1[2:])         # 输出从第三个元素开始的所有元素
  __pyx_t_1 = __Pyx_PyTuple_GetSlice(__pyx_v_tuple1, 2, PY_SSIZE_T_MAX);
  __pyx_t_2 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_1);
+037:     print (tinytuple * 2)     # 输出两次元组
  __pyx_t_2 = PyNumber_Multiply(__pyx_v_tinytuple, __pyx_int_2);
  __pyx_t_1 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_2); 
+038:     print (tuple1 + tinytuple) # 连接元组
  __pyx_t_1 = PyNumber_Add(__pyx_v_tuple1, __pyx_v_tinytuple);
  __pyx_t_2 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_1);

IDA

两个元组的初始化在InitCachedConstants()函数中

// InitCachedConstants()
  tuple1 = PyTuple_Pack(5i64, strp_abcd, int_786, double_2_23, strp_runoob, double_70_2);
  if ( !tuple1 )
    goto LABEL_23;
  tiny_tuple = PyTuple_Pack(2i64, int_123, strp_runoob);
  if ( !tiny_tuple )
    goto LABEL_23;

// write access to const memory has been detected, the output may be wrong!
__int64 func_Tuple_0()
{
  _QWORD *tiny_tuple_cp; // r15
  __int64 print; // rcx
  _QWORD *tuple1_cp2; // r14
  __int64 tuple1_cp; // rdx
  _QWORD *v4; // rax
  __int64 v5; // r12
  unsigned int v6; // edi
  unsigned int v7; // ebp
  bool v8; // zf
  _QWORD *__pyx_t; // rbx
  __int64 int0; // rax
  _QWORD *v11; // rdi
  __int64 ptuple1_0; // rax
  _QWORD *v13; // rdi
  __int64 end; // rdi
  __int64 length; // rdi
  __int64 tup2; // rax
  QWORD **dest; // rcx
  __int64 v19; // rdx
  QWORD *v20; // rax
  _QWORD *v21; // rdi
  __int64 end_1; // rcx
  __int64 v23; // rdi
  __int64 v24; // rax
  _QWORD *v25; // rcx
  __int64 v26; // rdx
  _QWORD *v27; // rax
  _QWORD *v28; // rdi
  __int64 v29; // rax
  _QWORD *v30; // rdi
  __int64 v31; // rax
  _QWORD *v32; // rdi

  tiny_tuple_cp = (_QWORD *)tiny_tuple;
  print = glob_func_print;
  tuple1_cp2 = (_QWORD *)tuple1;
  tuple1_cp = tuple1;
  ++*(_QWORD *)tuple1;
  ++*tiny_tuple_cp;
  v4 = (_QWORD *)PyObject_CallOneArg(print, tuple1_cp);// print(tuple1)
  v5 = 0i64;
  if ( !v4 )
  {
    v6 = 33;
    v7 = 2036;
LABEL_24:
    AddTraceback(aTest32FuncTupl, v7, v6, aTest32Py);
    goto LABEL_25;
  }

  v8 = (*v4)-- == 1i64;                         // __Pyx_GetItemInt_Tuple()宏的内联
  if ( v8 )
    (*(void (__fastcall **)(_QWORD *))(v4[1] + 48i64))(v4);
  if ( tuple1_cp2[2] )
  {
    __pyx_t = (_QWORD *)tuple1_cp2[3];
    ++*__pyx_t;
  }
  else
  {
    int0 = PyLong_FromSsize_t(0i64);            // int(0)
    v11 = (_QWORD *)int0;
    if ( int0 )
    {
      ptuple1_0 = PyObject_GetItem(tuple1_cp2, int0);// tuple1[0]
      v8 = (*v11)-- == 1i64;
      __pyx_t = (_QWORD *)ptuple1_0;
      if ( v8 )
        (*(void (__fastcall **)(_QWORD *))(v11[1] + 48i64))(v11);
    }
    else
    {
      __pyx_t = 0i64;
    }
  }
  if ( !__pyx_t )
  {
    v6 = 34;
    v7 = 2047;
    goto LABEL_24;
  }
  v13 = (_QWORD *)PyObject_CallOneArg(glob_func_print, __pyx_t);// print(tuple1[0])
  if ( !v13 )
  {
    v6 = 34;
    v7 = 2049;
    goto LABEL_67;
  }

  v8 = (*__pyx_t)-- == 1i64;                    // __Pyx_PyTuple_GetSlice()的内联
  if ( v8 )
    (*(void (__fastcall **)(_QWORD *))(__pyx_t[1] + 48i64))(__pyx_t);
  v8 = (*v13)-- == 1i64;
  if ( v8 )
    (*(void (__fastcall **)(_QWORD *))(v13[1] + 48i64))(v13);
  end = 3i64;
  if ( (__int64)tuple1_cp2[2] < 3 )
    end = tuple1_cp2[2];
  length = end - 1;                             // end = 3; start = 1
  if ( length > 0 )
  {
    tup2 = PyTuple_New(length);
    __pyx_t = (_QWORD *)tup2;
    if ( !tup2 )
      goto LABEL_23;
    dest = (QWORD **)(tup2 + 24);
    v19 = (__int64)tuple1_cp2 - tup2 + 8;       // 这里能够判别取了哪个tuple
    do                                          // do-while循环，是__Pyx_copy_object_array()宏
    {
      v20 = *(QWORD **)((char *)dest + v19);
      *dest++ = v20;
      ++*v20;
      --length;
    }
    while ( length );
  }
  else
  {
    __pyx_t = (_QWORD *)PyTuple_New(0i64);
    if ( !__pyx_t )
    {
LABEL_23:
      v6 = 35;
      v7 = 2061;
      goto LABEL_24;
    }
  }
  v21 = (_QWORD *)PyObject_CallOneArg(glob_func_print, __pyx_t);// print(tuple1[1:3])
  if ( !v21 )
  {
    v6 = 35;
    v7 = 2063;
    goto LABEL_67;
  }

  v8 = (*__pyx_t)-- == 1i64;
  if ( v8 )
    (*(void (__fastcall **)(_QWORD *))(__pyx_t[1] + 48i64))(__pyx_t);
  v8 = (*v21)-- == 1i64;
  if ( v8 )
    (*(void (__fastcall **)(_QWORD *))(v21[1] + 48i64))(v21);
  end_1 = 0x7FFFFFFFFFFFFFFFi64;
  if ( tuple1_cp2[2] != 0x7FFFFFFFFFFFFFFFi64 )
    end_1 = tuple1_cp2[2];
  v23 = end_1 - 2;
  if ( end_1 - 2 > 0 )
  {
    v24 = PyTuple_New(end_1 - 2);               // [2:]
    __pyx_t = (_QWORD *)v24;
    if ( !v24 )
      goto LABEL_45;
    v25 = (_QWORD *)(v24 + 24);
    v26 = (__int64)tuple1_cp2 - v24 + 16;
    do
    {
      v27 = *(_QWORD **)((char *)v25 + v26);
      *v25++ = v27;
      ++*v27;
      --v23;
    }
    while ( v23 );
  }
  else
  {
    __pyx_t = (_QWORD *)PyTuple_New(0i64);
    if ( !__pyx_t )
    {
LABEL_45:
      v6 = 36;
      v7 = 2075;
      goto LABEL_24;
    }
  }
  v28 = (_QWORD *)PyObject_CallOneArg(glob_func_print, __pyx_t);// print(tuple1[2:])
  if ( !v28 )
  {
    v6 = 36;
    v7 = 2077;
    goto LABEL_67;
  }

  v8 = (*__pyx_t)-- == 1i64;
  if ( v8 )
    (*(void (__fastcall **)(_QWORD *))(__pyx_t[1] + 48i64))(__pyx_t);
  v8 = (*v28)-- == 1i64;
  if ( v8 )
    (*(void (__fastcall **)(_QWORD *))(v28[1] + 48i64))(v28);
  v29 = PyNumber_Multiply(tiny_tuple_cp, int_2);
  __pyx_t = (_QWORD *)v29;
  if ( !v29 )
  {
    v6 = 37;
    v7 = 2089;
    goto LABEL_24;
  }
  v30 = (_QWORD *)PyObject_CallOneArg(glob_func_print, v29);// print(tuple1 * 2)
  if ( !v30 )
  {
    v6 = 37;
    v7 = 2091;
    goto LABEL_67;
  }

  v8 = (*__pyx_t)-- == 1i64;
  if ( v8 )
    (*(void (__fastcall **)(_QWORD *))(__pyx_t[1] + 48i64))(__pyx_t);
  v8 = (*v30)-- == 1i64;
  if ( v8 )
    (*(void (__fastcall **)(_QWORD *))(v30[1] + 48i64))(v30);
  v31 = PyNumber_Add(tuple1_cp2, tiny_tuple_cp);
  __pyx_t = (_QWORD *)v31;
  if ( !v31 )
  {
    v6 = 38;
    v7 = 2103;
    goto LABEL_24;
  }
  v32 = (_QWORD *)PyObject_CallOneArg(glob_func_print, v31);// print(tuple1 + tiny_tuple)
  if ( !v32 )
  {
    v6 = 38;
    v7 = 2105;
LABEL_67:
    v8 = (*__pyx_t)-- == 1i64;
    if ( v8 )
      (*(void (__fastcall **)(_QWORD *))(__pyx_t[1] + 48i64))(__pyx_t);
    goto LABEL_24;
  }

    // 结束代码
  v8 = (*__pyx_t)-- == 1i64;
  if ( v8 )
    (*(void (__fastcall **)(_QWORD *))(__pyx_t[1] + 48i64))(__pyx_t);
  v8 = (*v32)-- == 1i64;
  if ( v8 )
    (*(void (__fastcall **)(_QWORD *))(v32[1] + 48i64))(v32);
  v5 = Py_NoneStruct++;
LABEL_25:
  if ( tuple1_cp2 )
  {
    v8 = (*tuple1_cp2)-- == 1i64;
    if ( v8 )
      (*(void (__fastcall **)(_QWORD *))(tuple1_cp2[1] + 48i64))(tuple1_cp2);
  }
  if ( !tiny_tuple_cp )
    return v5;
  v8 = (*tiny_tuple_cp)-- == 1i64;
  if ( v8 )
    (*(void (__fastcall **)(_QWORD *))(tiny_tuple_cp[1] + 48i64))(tiny_tuple_cp);
  return v5;
}

补充

`__Pyx_PyTuple_GetSlice()`

元组的slice调用的是__Pyx_PyTuple_GetSlice()宏。

static CYTHON_INLINE PyObject* __Pyx_PyTuple_GetSlice(
            PyObject* src, Py_ssize_t start, Py_ssize_t stop
) {
    PyObject* dest;
    Py_ssize_t length = PyTuple_GET_SIZE(src);
    __Pyx_crop_slice(&start, &stop, &length);
    if (unlikely(length <= 0))
        return PyTuple_New(0);
    dest = PyTuple_New(length);	// 特征点，能知道长度
    if (unlikely(!dest))
        return NULL;
    __Pyx_copy_object_array(
        ((PyTupleObject*)src)->ob_item + start,
        ((PyTupleObject*)dest)->ob_item,
        length);
    return dest;
}
#endif

/* SliceTupleAndList */
  #if CYTHON_COMPILING_IN_CPYTHON
static CYTHON_INLINE void __Pyx_crop_slice(Py_ssize_t* _start, Py_ssize_t* _stop, Py_ssize_t* _length) {
    Py_ssize_t start = *_start, stop = *_stop, length = *_length;
    if (start < 0) {
        start += length;
        if (start < 0)
            start = 0;
    }
    if (stop < 0)
        stop += length;
    else if (stop > length)
        stop = length;
    *_length = stop - start;	// 特征点，内敛后会与PyTuple_New()有直接关系，可以知道start和stop
    *_start = start;
    *_stop = stop;
}

static CYTHON_INLINE void __Pyx_copy_object_array(PyObject** CYTHON_RESTRICT src, PyObject** CYTHON_RESTRICT dest, Py_ssize_t length) {
    PyObject *v;
    Py_ssize_t i;
    for (i = 0; i < length; i++) {	// 优化成do-while(length)了
        v = dest[i] = src[i];
        Py_INCREF(v);
    }
}

`tuple1[0:5:2]`

上面试了两个是默认步长为1的。

+1: def func():
+2:     tuple1 = ('abcd', 786 , 2.23, 'runoob', 70.2)
+3:     print(tuple1[0:5:2])
  __pyx_t_1 = __Pyx_PyObject_GetItem(__pyx_v_tuple1, __pyx_slice__2);
  __pyx_t_2 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_1);
// InitCachedConstants()
  __pyx_slice__2 = PySlice_New(__pyx_int_0, __pyx_int_5, __pyx_int_2);

步长不为1后立刻变成了PySlice_New()了，反而更容易辨识了。

// write access to const memory has been detected, the output may be wrong!
__int64 func()
{
  _QWORD *tup; // rdi
  __int64 v1; // rax
  __int64 (__fastcall *v2)(_QWORD *, __int64); // rax
  __int64 *sliced_tuple; // rax
  _QWORD *v4; // rcx
  __int64 *v5; // rbx
  unsigned int v6; // ebp
  _QWORD *v7; // rsi
  __int64 v8; // rax
  __int64 v9; // rax
  __int64 v10; // rbx
  __int64 v11; // rax
  bool v12; // zf

  tup = (_QWORD *)tuple1;
  ++*(_QWORD *)tuple1;
  v1 = *(_QWORD *)(tup[1] + 112i64);
  if ( v1 && (v2 = *(__int64 (__fastcall **)(_QWORD *, __int64))(v1 + 8)) != 0i64 )
    sliced_tuple = (__int64 *)v2(tup, slice);
  else
    sliced_tuple = GetItem(tup, slice);
  v5 = sliced_tuple;
  if ( !sliced_tuple )
  {
    v6 = 1262;
LABEL_10:
    AddTraceback(aTest4Func, v6, 3i64, aTest4Py);
    v10 = 0i64;
    goto LABEL_16;
  }
  v7 = (_QWORD *)PyObject_CallOneArg_print(v4, sliced_tuple);// print指针已经内联进去了
  v8 = *v5;
  if ( !v7 )
  {
    v6 = 1264;
    v9 = v8 - 1;
    *v5 = v9;
    if ( !v9 )
      (*(void (__fastcall **)(__int64 *))(v5[1] + 48))(v5);
    goto LABEL_10;
  }

  v11 = v8 - 1;
  *v5 = v11;
  if ( !v11 )
    (*(void (__fastcall **)(__int64 *))(v5[1] + 48))(v5);
  v12 = (*v7)-- == 1i64;
  if ( v12 )
    (*(void (__fastcall **)(_QWORD *))(v7[1] + 48i64))(v7);
  v10 = Py_NoneStruct++;
LABEL_16:
  v12 = (*tup)-- == 1i64;
  if ( v12 )
    (*(void (__fastcall **)(_QWORD *))(tup[1] + 48i64))(tup);
  return v10;
}

`func_Set()`

+040: def func_Set():
	// 一个一个Add进去
+041:     sites = {'Google', 'Taobao', 'Runoob', 'Facebook', 'Zhihu', 'Baidu'}
  __pyx_t_1 = PySet_New(0);

  if (PySet_Add(__pyx_t_1, __pyx_n_u_Google) < 0) __PYX_ERR(0, 41, __pyx_L1_error)
  if (PySet_Add(__pyx_t_1, __pyx_n_u_Taobao) < 0) __PYX_ERR(0, 41, __pyx_L1_error)
  if (PySet_Add(__pyx_t_1, __pyx_n_u_Runoob) < 0) __PYX_ERR(0, 41, __pyx_L1_error)
  if (PySet_Add(__pyx_t_1, __pyx_n_u_Facebook) < 0) __PYX_ERR(0, 41, __pyx_L1_error)
  if (PySet_Add(__pyx_t_1, __pyx_n_u_Zhihu) < 0) __PYX_ERR(0, 41, __pyx_L1_error)
  if (PySet_Add(__pyx_t_1, __pyx_n_u_Baidu) < 0) __PYX_ERR(0, 41, __pyx_L1_error)
  __pyx_v_sites = ((PyObject*)__pyx_t_1);

+042:     print(sites)   # 输出集合，重复的元素被自动去掉 
  __pyx_t_1 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_v_sites);

 043: 
 044:     # 成员测试
+045:     if 'Runoob' in sites :
// 内联后调用`PySet_Contains()`
  __pyx_t_2 = (__Pyx_PySet_ContainsTF(__pyx_n_u_Runoob, __pyx_v_sites, Py_EQ));

  if (__pyx_t_3) {
/* … */
    goto __pyx_L3;
  }
+046:         print('Runoob In set')
 047:     else :
+048:         print('Runoob Not in set')
 049: 
 050: 
 051:     # set可以进行集合运算
+052:     a = set('abracadabra')
  __pyx_t_1 = PySet_New(__pyx_n_u_abracadabra);
  __pyx_v_a = ((PyObject*)__pyx_t_1);

+053:     b = set('alacazam')
  __pyx_t_1 = PySet_New(__pyx_n_u_alacazam);
  __pyx_v_b = ((PyObject*)__pyx_t_1);

+054:     print(a)
  __pyx_t_1 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_v_a);

+055:     print(a - b)     # a 和 b 的差集
  __pyx_t_1 = PyNumber_Subtract(__pyx_v_a, __pyx_v_b);
  __pyx_t_4 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_1);

+056:     print(a | b)     # a 和 b 的并集
  __pyx_t_4 = PyNumber_Or(__pyx_v_a, __pyx_v_b);
  __pyx_t_1 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_4);

+057:     print(a & b)     # a 和 b 的交集
  __pyx_t_1 = PyNumber_And(__pyx_v_a, __pyx_v_b);
  __pyx_t_4 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_1);

+058:     print(a ^ b)     # a 和 b 中不同时存在的元素
  __pyx_t_4 = PyNumber_Xor(__pyx_v_a, __pyx_v_b);
  __pyx_t_1 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_4);

IDA

// write access to const memory has been detected, the output may be wrong!
__int64 func_Set_0()
{
  __int64 v0; // r12
  _QWORD *v1; // r15
  _QWORD *tuple_cp; // r13
  _QWORD *v3; // r14
  __int64 v4; // rax
  _QWORD *tuple; // rdi
  unsigned int v6; // ebx
  unsigned int v7; // ebp
  _QWORD *v8; // rax
  bool v9; // zf
  _QWORD *v10; // rbx
  int bool_0; // edi
  _QWORD *v12; // rax
  int v13; // eax
  _QWORD *v14; // rax
  _QWORD *v15; // rcx
  __int64 v16; // rax
  __int64 v17; // rax
  _QWORD *v18; // rax
  __int64 v19; // rax
  _QWORD *v20; // rbx
  __int64 v21; // rax
  _QWORD *v22; // rbx
  __int64 v23; // rax
  _QWORD *v24; // rbx
  __int64 v25; // rax
  _QWORD *v26; // rbx

  v0 = 0i64;
  v1 = 0i64;
  tuple_cp = 0i64;
  v3 = 0i64;
  v4 = PySet_New(0i64);
  tuple = (_QWORD *)v4;
  if ( !v4 )
  {
    v6 = 41;
    v7 = 2178;
    goto LABEL_80;
  }
  if ( (int)PySet_Add(v4, qword_18000EF58) < 0 )
  {
    v6 = 41;
    v7 = 2180;
    goto LABEL_78;
  }
  if ( (int)PySet_Add(tuple, qword_18000EE98) < 0 )
  {
    v6 = 41;
    v7 = 2181;
    goto LABEL_78;
  }
  if ( (int)PySet_Add(tuple, strp_runoob_1) < 0 )
  {
    v6 = 41;
    v7 = 2182;
    goto LABEL_78;
  }
  if ( (int)PySet_Add(tuple, qword_18000EFA8) < 0 )
  {
    v6 = 41;
    v7 = 2183;
    goto LABEL_78;
  }
  if ( (int)PySet_Add(tuple, qword_18000F030) < 0 )
  {
    v6 = 41;
    v7 = 2184;
    goto LABEL_78;
  }
  if ( (int)PySet_Add(tuple, qword_18000EEC8) < 0 )
  {
    v6 = 41;
    v7 = 2185;
    goto LABEL_78;
  }
  tuple_cp = tuple;
  v8 = (_QWORD *)PyObject_CallOneArg(glob_func_print, tuple);// 
                                                // sites = {'Google', 'Taobao', 'Runoob', 'Facebook', 'Zhihu', 'Baidu'}
                                                // print(sites)   # 输出集合，重复的元素被自动去掉 
  if ( !v8 )
  {
    v6 = 42;
    v7 = 2196;
    goto LABEL_80;
  }


  v9 = (*v8)-- == 1i64;
  if ( v9 )
    (*(void (__fastcall **)(_QWORD *))(v8[1] + 48i64))(v8);
  v10 = (_QWORD *)strp_runoob_1;
  bool_0 = PySet_Contains(tuple, strp_runoob_1);
  if ( bool_0 >= 0 )
    goto LABEL_35;
  bool_0 = -1;
  if ( (v10[1] == PySet_Type || (unsigned int)PyType_IsSubtype())
    && (unsigned int)PyErr_ExceptionMatches(PyExc_TypeError) )
  {
    PyErr_Clear();
    if ( v10[1] == PyFrozenSet_Type[0] )
    {
      ++*v10;
    }
    else
    {
      v12 = (_QWORD *)PyFrozenSet_New(v10);
      v10 = v12;
      if ( !v12 )
      {
ERR:
        v6 = 45;
        v7 = 2207;
        goto LABEL_80;
      }
      if ( v12[3] )
      {
LABEL_31:
        v13 = PySet_Contains(tuple_cp, v10);
        v9 = (*v10)-- == 1i64;
        bool_0 = v13;
        if ( v9 )
          (*(void (__fastcall **)(_QWORD *))(v10[1] + 48i64))(v10);
        goto LABEL_33;
      }
      v9 = (*v12)-- == 1i64;
      if ( v9 )
        (*(void (__fastcall **)(_QWORD *))(v12[1] + 48i64))(v12);
      v10 = (_QWORD *)((__int64 (__fastcall *)(_QWORD, __int64, _QWORD))PyFrozenSet_Type[39])(
                        PyFrozenSet_Type[0],
                        qword_18000F090,
                        0i64);
    }
    if ( !v10 )
      goto LABEL_33;
    goto LABEL_31;
  }
LABEL_33:
  if ( bool_0 < 0 )
    goto ERR;
LABEL_35:
  if ( bool_0 == 1 )                            // if "Runoob" in set
  {
    v14 = (_QWORD *)PyObject_Call_0(glob_func_print, tup_in);// "Runoob" in set
    v15 = v14;
    if ( !v14 )
    {
      v6 = 46;
      v7 = 2218;
      goto LABEL_80;
    }
  }
  else                                          // else:
  {
    v14 = (_QWORD *)PyObject_Call_0(glob_func_print, tup_not_in);// not in set
    v15 = v14;
    if ( !v14 )
    {
      v6 = 48;
      v7 = 2240;
      goto LABEL_80;
    }
  }

  v9 = (*v14)-- == 1i64;
  if ( v9 )
    (*(void (__fastcall **)(_QWORD *))(v14[1] + 48i64))(v15);
  v16 = PySet_New(strp_abracadabra);            // a = set("abracadabra")
  if ( !v16 )
  {
    v6 = 52;
    v7 = 2253;
    goto LABEL_80;
  }
  v3 = (_QWORD *)v16;
  v17 = PySet_New(qword_18000F008);             // b = set('alacazam')
  if ( !v17 )
  {
    v6 = 53;
    v7 = 2265;
    goto LABEL_80;
  }
  v1 = (_QWORD *)v17;
  v18 = (_QWORD *)PyObject_CallOneArg(glob_func_print, v3);// print(a)
  if ( !v18 )
  {
    v6 = 54;
    v7 = 2277;
    goto LABEL_80;
  }
  v9 = (*v18)-- == 1i64;
  if ( v9 )
    (*(void (__fastcall **)(_QWORD *))(v18[1] + 48i64))(v18);
  v19 = PyNumber_Subtract(v3, v1);              // print(a - b)
  tuple = (_QWORD *)v19;
  if ( !v19 )
  {
    v6 = 55;
    v7 = 2288;
    goto LABEL_80;
  }
  v20 = (_QWORD *)PyObject_CallOneArg(glob_func_print, v19);
  if ( !v20 )
  {
    v6 = 55;
    v7 = 2290;
    goto LABEL_78;
  }
  v9 = (*tuple)-- == 1i64;
  if ( v9 )
    (*(void (__fastcall **)(_QWORD *))(tuple[1] + 48i64))(tuple);
  v9 = (*v20)-- == 1i64;
  if ( v9 )
    (*(void (__fastcall **)(_QWORD *))(v20[1] + 48i64))(v20);
  v21 = PyNumber_Or(v3, v1);                    // print(a | b) 
  tuple = (_QWORD *)v21;
  if ( !v21 )
  {
    v6 = 56;
    v7 = 2302;
    goto LABEL_80;
  }
  v22 = (_QWORD *)PyObject_CallOneArg(glob_func_print, v21);
  if ( !v22 )
  {
    v6 = 56;
    v7 = 2304;
    goto LABEL_78;
  }
  v9 = (*tuple)-- == 1i64;
  if ( v9 )
    (*(void (__fastcall **)(_QWORD *))(tuple[1] + 48i64))(tuple);
  v9 = (*v22)-- == 1i64;
  if ( v9 )
    (*(void (__fastcall **)(_QWORD *))(v22[1] + 48i64))(v22);
  v23 = PyNumber_And(v3, v1);                   // print(a & b) 
  tuple = (_QWORD *)v23;
  if ( !v23 )
  {
    v6 = 57;
    v7 = 2316;
    goto LABEL_80;
  }
  v24 = (_QWORD *)PyObject_CallOneArg(glob_func_print, v23);
  if ( !v24 )
  {
    v6 = 57;
    v7 = 2318;
    goto LABEL_78;
  }
  v9 = (*tuple)-- == 1i64;
  if ( v9 )
    (*(void (__fastcall **)(_QWORD *))(tuple[1] + 48i64))(tuple);
  v9 = (*v24)-- == 1i64;
  if ( v9 )
    (*(void (__fastcall **)(_QWORD *))(v24[1] + 48i64))(v24);
  v25 = PyNumber_Xor(v3, v1);                   // print(a ^ b) 
  tuple = (_QWORD *)v25;
  if ( !v25 )
  {
    v6 = 58;
    v7 = 2330;
    goto LABEL_80;
  }
  v26 = (_QWORD *)PyObject_CallOneArg(glob_func_print, v25);
  if ( !v26 )
  {
    v6 = 58;
    v7 = 2332;
LABEL_78:
    v9 = (*tuple)-- == 1i64;
    if ( v9 )
      (*(void (__fastcall **)(_QWORD *))(tuple[1] + 48i64))(tuple);
LABEL_80:
    AddTraceback(aTest32FuncSet, v7, v6, aTest32Py);
    if ( !tuple_cp )
      goto LABEL_89;
    goto LABEL_87;
  }


  v9 = (*tuple)-- == 1i64;
  if ( v9 )
    (*(void (__fastcall **)(_QWORD *))(tuple[1] + 48i64))(tuple);
  v9 = (*v26)-- == 1i64;
  if ( v9 )
    (*(void (__fastcall **)(_QWORD *))(v26[1] + 48i64))(v26);
  v0 = Py_NoneStruct++;
LABEL_87:
  v9 = (*tuple_cp)-- == 1i64;
  if ( v9 )
    (*(void (__fastcall **)(_QWORD *))(tuple_cp[1] + 48i64))(tuple_cp);
LABEL_89:
  if ( v3 )
  {
    v9 = (*v3)-- == 1i64;
    if ( v9 )
      (*(void (__fastcall **)(_QWORD *))(v3[1] + 48i64))(v3);
  }
  if ( !v1 )
    return v0;
  v9 = (*v1)-- == 1i64;
  if ( v9 )
    (*(void (__fastcall **)(_QWORD *))(v1[1] + 48i64))(v1);
  return v0;
}

`func_Dictionary()`

在exec函数中遇到过不少次了，很多重要全局变量都是在字典中维护的。

+060: def func_Dictionary():
+061:     mydict = {}
  __pyx_t_1 = __Pyx_PyDict_NewPresized(0);
  __pyx_v_mydict = ((PyObject*)__pyx_t_1);

+062:     mydict['one'] = "1elem"
  if (unlikely(PyDict_SetItem(__pyx_v_mydict, __pyx_n_u_one, __pyx_kp_u_1elem) < 0)) __PYX_ERR(0, 62, __pyx_L1_error)
      
+063:     mydict[2]     = "2elem"
  if (unlikely(PyDict_SetItem(__pyx_v_mydict, __pyx_int_2, __pyx_kp_u_2elem) < 0)) __PYX_ERR(0, 63, __pyx_L1_error)
      
 064: 
+065:     tinydict = {'name': 'runoob','code':1, 'site': 'www.runoob.com'}
  __pyx_t_1 = __Pyx_PyDict_NewPresized(3); if (unlikely(!__pyx_t_1)) __PYX_ERR(0, 65, __pyx_L1_error)

  if (PyDict_SetItem(__pyx_t_1, __pyx_n_u_name, __pyx_n_u_runoob) < 0) __PYX_ERR(0, 65, __pyx_L1_error)
  if (PyDict_SetItem(__pyx_t_1, __pyx_n_u_code, __pyx_int_1) < 0) __PYX_ERR(0, 65, __pyx_L1_error)
  if (PyDict_SetItem(__pyx_t_1, __pyx_n_u_site, __pyx_kp_u_www_runoob_com) < 0) __PYX_ERR(0, 65, __pyx_L1_error)
  __pyx_v_tinydict = ((PyObject*)__pyx_t_1);

 066: 
 067: 
+068:     print (mydict['one'])       # 输出键为 'one' 的值
  __pyx_t_1 = __Pyx_PyDict_GetItem(__pyx_v_mydict, __pyx_n_u_one);
  __pyx_t_2 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_1);

+069:     print (mydict[2])           # 输出键为 2 的值
  __pyx_t_2 = __Pyx_PyDict_GetItem(__pyx_v_mydict, __pyx_int_2);
  __pyx_t_1 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_2);

+070:     print (tinydict)          # 输出完整的字典
  __pyx_t_1 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_v_tinydict);

+071:     print (tinydict.keys())   # 输出所有键
  __pyx_t_1 = __Pyx_PyDict_Keys(__pyx_v_tinydict);
  __pyx_t_2 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_1);

+072:     print (tinydict.values()) # 输出所有值
  __pyx_t_2 = __Pyx_PyDict_Values(__pyx_v_tinydict);
  __pyx_t_1 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_2);

IDA

// write access to const memory has been detected, the output may be wrong!
__int64 func_Dictionary()
{
  __int64 v0; // r12
  _QWORD *tiny_dict_1; // rsi
  _QWORD *dict1_cp; // r15
  __int64 dict1; // rax
  unsigned int v4; // ebx
  unsigned int v5; // er14
  __int64 v6; // rax
  _QWORD *tiny_dict; // rdi
  _QWORD *v8; // rax
  _QWORD *v9; // rbx
  bool v10; // zf
  _QWORD *v11; // rax
  _QWORD *v12; // rbx
  _QWORD *v13; // rax
  __int64 v14; // rax
  _QWORD *v15; // rbx
  __int64 v16; // rax
  _QWORD *v17; // rbx

  v0 = 0i64;
  tiny_dict_1 = 0i64;
  dict1_cp = 0i64;
  dict1 = PyDict_New();                         // mydict = {}
  if ( !dict1 )
  {
    v4 = 61;
    v5 = 2403;
    goto LABEL_69;
  }
  dict1_cp = (_QWORD *)dict1;
  if ( (int)PyDict_SetItem(dict1, strp_one, strp_1elem) < 0 )// mydict['one'] = "1elem"
  {
    v4 = 62;
    v5 = 2415;
    goto LABEL_69;
  }
  if ( (int)PyDict_SetItem(dict1_cp, int_2, strp_2elem) < 0 )// mydict[2]     = "2elem"
  {
    v4 = 63;
    v5 = 2424;
    goto LABEL_69;
  }

  v6 = PyDict_New();
  tiny_dict = (_QWORD *)v6;
  if ( !v6 )
  {
    v4 = 65;
    v5 = 2433;
    goto LABEL_69;
  }
  if ( (int)PyDict_SetItem(v6, strp_name, strp_runoob) < 0 )
  {
    v4 = 65;
    v5 = 2435;
    goto LABEL_67;
  }
  if ( (int)PyDict_SetItem(tiny_dict, qword_18000EEF0, int_1) < 0 )
  {
    v4 = 65;
    v5 = 2436;
    goto LABEL_67;
  }
  if ( (int)PyDict_SetItem(tiny_dict, qword_18000F010, qword_18000EF18) < 0 )// tinydict = {'name': 'runoob','code':1, 'site': 'www.runoob.com'}
  {
    v4 = 65;
    v5 = 2437;
    goto LABEL_67;
  }

  tiny_dict_1 = tiny_dict;
  v8 = PyDict_GetItem((__int64)dict1_cp, strp_one);// mydict['one']
  tiny_dict = v8;
  if ( !v8 )
  {
    v4 = 68;
    v5 = 2448;
    goto LABEL_69;
  }
  v9 = (_QWORD *)PyObject_CallOneArg(glob_func_print, v8);// print (mydict['one'])
  if ( !v9 )
  {
    v4 = 68;
    v5 = 2450;
    goto LABEL_67;
  }

  v10 = (*tiny_dict)-- == 1i64;
  if ( v10 )
    (*(void (__fastcall **)(_QWORD *))(tiny_dict[1] + 48i64))(tiny_dict);
  v10 = (*v9)-- == 1i64;
  if ( v10 )
    (*(void (__fastcall **)(_QWORD *))(v9[1] + 48i64))(v9);
  v11 = PyDict_GetItem((__int64)dict1_cp, int_2);// mydict[2]
  tiny_dict = v11;
  if ( !v11 )
  {
    v4 = 69;
    v5 = 2462;
    goto LABEL_69;
  }
  v12 = (_QWORD *)PyObject_CallOneArg(glob_func_print, v11);// print (mydict[2])  
  if ( !v12 )
  {
    v4 = 69;
    v5 = 2464;
    goto LABEL_67;
  }

  v10 = (*tiny_dict)-- == 1i64;
  if ( v10 )
    (*(void (__fastcall **)(_QWORD *))(tiny_dict[1] + 48i64))(tiny_dict);
  v10 = (*v12)-- == 1i64;
  if ( v10 )
    (*(void (__fastcall **)(_QWORD *))(v12[1] + 48i64))(v12);
  v13 = (_QWORD *)PyObject_CallOneArg(glob_func_print, tiny_dict_1);// print(tinydict)
  if ( !v13 )
  {
    v4 = 70;
    v5 = 2476;
    goto LABEL_69;
  }

  v10 = (*v13)-- == 1i64;                       // __Pyx_PyDict_Keys()的内联
  if ( v10 )
    (*(void (__fastcall **)(_QWORD *))(v13[1] + 48i64))(v13);
  if ( !qword_18000D838 )
    goto LABEL_44;
  if ( dword_18000D848 != 4 )
  {
    if ( dword_18000D848 == 128 || dword_18000D848 == 130 )
    {
      v14 = qword_18000D838(tiny_dict_1, &qword_18000F090);
      goto LABEL_45;
    }
    if ( dword_18000D848 == 3 || dword_18000D848 == 1 )
    {
      v14 = qword_18000D838(tiny_dict_1, qword_18000F090);
      goto LABEL_45;
    }
LABEL_44:
    v14 = sub_180003CB0(&Dict_Type, tiny_dict_1);
    goto LABEL_45;
  }
  v14 = qword_18000D838(tiny_dict_1, 0i64);
LABEL_45:
  tiny_dict = (_QWORD *)v14;
  if ( !v14 )
  {
    v4 = 71;
    v5 = 2487;
    goto LABEL_69;
  }
  v15 = (_QWORD *)PyObject_CallOneArg(glob_func_print, v14);// print (tinydict.keys())
  if ( !v15 )
  {
    v4 = 71;
    v5 = 2489;
    goto LABEL_67;
  }

  v10 = (*tiny_dict)-- == 1i64;                 // __Pyx_PyDict_Values()
  if ( v10 )
    (*(void (__fastcall **)(_QWORD *))(tiny_dict[1] + 48i64))(tiny_dict);
  v10 = (*v15)-- == 1i64;
  if ( v10 )
    (*(void (__fastcall **)(_QWORD *))(v15[1] + 48i64))(v15);
  if ( !Dict_Type_0.func )
    goto LABEL_62;
  switch ( LODWORD(Dict_Type_0.flag) )
  {
    case 4:
      v16 = Dict_Type_0.func(tiny_dict_1, 0i64);
      break;
    case 0x80:
    case 0x82:
      v16 = Dict_Type_0.func(tiny_dict_1, &qword_18000F090);
      break;
    case 3:
    case 1:
      v16 = Dict_Type_0.func(tiny_dict_1, qword_18000F090);
      break;
    default:
LABEL_62:
      v16 = sub_180003CB0((__int64 *)&Dict_Type_0, tiny_dict_1);
      break;
  }
  tiny_dict = (_QWORD *)v16;
  if ( !v16 )
  {
    v4 = 72;
    v5 = 2501;
    goto LABEL_69;
  }
  v17 = (_QWORD *)PyObject_CallOneArg(glob_func_print, v16);// print (tinydict.values())
  if ( !v17 )
  {
    v4 = 72;
    v5 = 2503;
LABEL_67:
    v10 = (*tiny_dict)-- == 1i64;
    if ( v10 )
      (*(void (__fastcall **)(_QWORD *))(tiny_dict[1] + 48i64))(tiny_dict);
LABEL_69:
    AddTraceback(aTest32FuncDict, v5, v4, aTest32Py);
    if ( !dict1_cp )
      goto LABEL_78;
    goto LABEL_76;
  }


  v10 = (*tiny_dict)-- == 1i64;
  if ( v10 )
    (*(void (__fastcall **)(_QWORD *))(tiny_dict[1] + 48i64))(tiny_dict);
  v10 = (*v17)-- == 1i64;
  if ( v10 )
    (*(void (__fastcall **)(_QWORD *))(v17[1] + 48i64))(v17);
  v0 = Py_NoneStruct++;
LABEL_76:
  v10 = (*dict1_cp)-- == 1i64;
  if ( v10 )
    (*(void (__fastcall **)(_QWORD *))(dict1_cp[1] + 48i64))(dict1_cp);
LABEL_78:
  if ( !tiny_dict_1 )
    return v0;
  v10 = (*tiny_dict_1)-- == 1i64;
  if ( v10 )
    (*(void (__fastcall **)(_QWORD *))(tiny_dict_1[1] + 48i64))(tiny_dict_1);
  return v0;
}

补充

关于方法的调用

/* py_dict_keys */
  static CYTHON_INLINE PyObject* __Pyx_PyDict_Keys(PyObject* d) {
    if (PY_MAJOR_VERSION >= 3)	// 通常都是3
        return __Pyx_CallUnboundCMethod0(&__pyx_umethod_PyDict_Type_keys, d);
    else
        return PyDict_Keys(d);
}

从这个函数来看，现在的方法调用基本都是通过__Pyx_CallUnboundCMethodn()这种函数。关于恢复，在博客2已经讲过了，主要是要恢复结构体。

代码2

有关基本类型转换函数。

def dict_plus():
    d = {x: x**2 for x in (2, 4, 6)}
    print(d)

def to_int():
    x = int(1)   # x 输出果为 1
    y = int(2.8) # y 输出果为 2
    z = int("3") # z 输出果为 3
    w = int("0x16", 16) # 22

def to_float():
    x = float(1)     # x 输出果为 1.0
    y = float(2.8)   # y 输出果为 2.8
    z = float("3")   # z 输出果为 3.0
    w = float("4.2") # w 输出果为 4.2

def to_str():
    x = str("s1") # x 输出果为 's1'
    y = str(2)    # y 输出果为 '2'
    z = str(3.0)  # z 输出果为 '3.0'

def test_repr_and_list():
    d = [1, 2, 3, 4]
    print(d)
    print(d[0])
    print(d[2:])
    print(d[0:4:2])
    print(repr(d))

def test_eval():
    order_str = "print('Hello')"
    print(eval(order_str))

def test_hex_oct():
    a = hex(114514)
    b = oct(1919810)

def test_ord_chr():
    a = ord('b')
    b = chr(0x31)

`dict_plus()`

+01: def dict_plus():
+02:     d = {x: x**2 for x in (2, 4, 6)}
  { /* enter inner scope */
    __pyx_t_1 = PyDict_New();
    __pyx_t_2 = __pyx_tuple_;
    for (;;) {	
      if (__pyx_t_3 >= 3) break;
      #if CYTHON_ASSUME_SAFE_MACROS && !CYTHON_AVOID_BORROWED_REFS
      __pyx_t_4 = PyTuple_GET_ITEM(__pyx_t_2, __pyx_t_3); __Pyx_INCREF(__pyx_t_4); __pyx_t_3++;
      #else
      __pyx_t_4 = PySequence_ITEM(__pyx_t_2, __pyx_t_3); __pyx_t_3++;
      #endif
      __Pyx_XDECREF_SET(__pyx_7genexpr__pyx_v_x, __pyx_t_4);
      __pyx_t_4 = PyNumber_Power(__pyx_7genexpr__pyx_v_x, __pyx_int_2, Py_None);
      __Pyx_GOTREF(__pyx_t_4);
      if (unlikely(PyDict_SetItem(__pyx_t_1, (PyObject*)__pyx_7genexpr__pyx_v_x, (PyObject*)__pyx_t_4))) __PYX_ERR(0, 2, __pyx_L5_error)

    }
    goto __pyx_L8_exit_scope;
    goto __pyx_L1_error;
    __pyx_L8_exit_scope:;
  } /* exit inner scope */
  __pyx_v_d = ((PyObject*)__pyx_t_1);

// InitCachedConstants
  __pyx_tuple_ = PyTuple_Pack(3, __pyx_int_2, __pyx_int_4, __pyx_int_6);
+03:     print(d)
  __pyx_t_1 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_v_d);

可以看出列表推导式的逻辑真的完整的显现了一遍。

IDA

// write access to const memory has been detected, the output may be wrong!
__int64 dict_plus()
{
  __int64 v0; // r15
  _QWORD *v1; // r12
  _QWORD *x; // rdi
  _QWORD *t; // r13
  unsigned int v4; // edi
  unsigned int v5; // er14
  _QWORD *v6; // rsi
  __int64 length; // rbp
  _QWORD **v8; // r14
  _QWORD *v9; // rbx
  _QWORD *v10; // rcx
  bool v11; // zf
  __int64 x2; // rax
  _QWORD *v13; // rbx
  __int64 v14; // rcx
  _QWORD *v15; // rax

  v0 = 0i64;
  v1 = 0i64;
  x = 0i64;
  t = (_QWORD *)PyDict_New();                   // 字典d
  if ( t )
  {
    v6 = (_QWORD *)tup_2_4_6;
    length = 0i64;
    ++*(_QWORD *)tup_2_4_6;
    v8 = (_QWORD **)(v6 + 3);
    while ( 1 )
    {
      v9 = *v8++;
      v10 = x;
      ++length;
      x = v9;
      ++*v9;
      if ( v10 )
      {
        v11 = (*v10)-- == 1i64;
        if ( v11 )
          (*(void (**)(void))(v10[1] + 48i64))();
      }
      x2 = PyNumber_Power(v9, int_2, Py_NoneStruct);// x ** 2
      v13 = (_QWORD *)x2;
      if ( !x2 )
        break;
      if ( (unsigned int)PyDict_SetItem(t, x, x2) )// x : x**2
      {
        v5 = 1382;
        goto LABEL_24;
      }
      v11 = (*v13)-- == 1i64;
      if ( v11 )
        (*(void (__fastcall **)(_QWORD *))(v13[1] + 48i64))(v13);
      if ( length >= 3 )                        // 循环长度3
      {
        v11 = (*v6)-- == 1i64;
        if ( v11 )
          (*(void (__fastcall **)(_QWORD *))(v6[1] + 48i64))(v6);
        if ( x )
        {
          v11 = (*x)-- == 1i64;
          if ( v11 )
            (*(void (__fastcall **)(_QWORD *))(x[1] + 48i64))(x);
        }
        v1 = t;
        v15 = (_QWORD *)print_0(v14, t);        // print(d)
        if ( !v15 )
        {
          v4 = 3;
          v5 = 1403;
          goto LABEL_35;
        }

        v11 = (*v15)-- == 1i64;
        if ( v11 )
          (*(void (__fastcall **)(_QWORD *))(v15[1] + 48i64))(v15);
        v0 = Py_NoneStruct++;
        goto LABEL_36;
      }
    }
    v5 = 1380;
LABEL_24:
    if ( x )
    {
      v11 = (*x)-- == 1i64;
      if ( v11 )
        (*(void (__fastcall **)(_QWORD *))(x[1] + 48i64))(x);
    }
    v11 = (*t)-- == 1i64;
    if ( v11 )
      (*(void (__fastcall **)(_QWORD *))(t[1] + 48i64))(t);
    if ( v6 )
    {
      v11 = (*v6)-- == 1i64;
      if ( v11 )
        (*(void (__fastcall **)(_QWORD *))(v6[1] + 48i64))(v6);
    }
    v4 = 2;
    if ( v13 )
    {
      v11 = (*v13)-- == 1i64;
      if ( v11 )
        (*(void (__fastcall **)(_QWORD *))(v13[1] + 48i64))(v13);
    }
    goto LABEL_35;
  }
  v4 = 2;
  v5 = 1367;
LABEL_35:
  AddTraceback(aTest4plusDictP, v5, v4, aTest4plusPy);
  if ( !v1 )
    return v0;
LABEL_36:
  v11 = (*v1)-- == 1i64;
  if ( v11 )
    (*(void (__fastcall **)(_QWORD *))(v1[1] + 48i64))(v1);
  return v0;
}

`to_int()`

+05: def to_int():
+06:     x = int(1)   # x 输出果为 1
  __pyx_t_1 = __Pyx_PyNumber_Int(__pyx_int_1);
  __pyx_v_x = __pyx_t_1;

+07:     y = int(2.8) # y 输出果为 2
  __pyx_t_1 = __Pyx_PyNumber_Int(__pyx_float_2_8);
  __pyx_v_y = __pyx_t_1;

+08:     z = int("3") # z 输出果为 3
  __pyx_t_1 = __Pyx_PyNumber_Int(__pyx_kp_u_3);
  __pyx_v_z = __pyx_t_1;

+09:     w = int("0x16", 16) # 22
  __pyx_t_1 = __Pyx_PyObject_Call(((PyObject *)(&PyInt_Type)), __pyx_tuple__2, NULL);
  __pyx_v_w = __pyx_t_1;

/* … */
  __pyx_tuple__2 = PyTuple_Pack(2, __pyx_kp_u_0x16, __pyx_int_16);

前几个调用的函数都是一样的，最后多了一个关于基数的参数，就变了。

IDA

// write access to const memory has been detected, the output may be wrong!
__int64 to_int()
{
  __int64 v0; // rcx
  _QWORD *v1; // rbx
  _QWORD *v2; // rbp
  _QWORD *v3; // rsi
  _QWORD *v4; // rdi
  __int64 v5; // rdx
  __int64 v6; // r8
  __int64 v7; // rcx
  __int64 v8; // rax
  __int64 v9; // rax
  __int64 v10; // r14
  bool v11; // zf

  v0 = int1;
  v1 = 0i64;
  v2 = 0i64;
  v3 = 0i64;
  v4 = 0i64;
  if ( *(_QWORD *)(int1 + 8) == PyLong_Type )
    ++*(_QWORD *)int1;
  else
    v0 = PyNumber_Long(int1);
  if ( !v0 )
  {
    v5 = 1472i64;
    v6 = 6i64;
    goto LABEL_18;
  }

  v2 = (_QWORD *)v0;
  v7 = float_2_8;
  if ( *(_QWORD *)(float_2_8 + 8) == PyLong_Type )
    ++*(_QWORD *)float_2_8;
  else
    v7 = PyNumber_Long(float_2_8);
  if ( !v7 )
  {
    v5 = 1484i64;
    v6 = 7i64;
    goto LABEL_18;
  }

  v3 = (_QWORD *)v7;
  if ( *(_QWORD *)(strp_3 + 8) == PyLong_Type )
  {
    ++*(_QWORD *)strp_3;
    v8 = strp_3;
  }
  else
  {
    v8 = PyNumber_Long(strp_3);
  }
  if ( !v8 )
  {
    v5 = 1496i64;
    v6 = 8i64;
    goto LABEL_18;
  }

  v4 = (_QWORD *)v8;
  v9 = PyObject_Call_0(PyLong_Type, tup_0x16_16);
  if ( !v9 )
  {
    v5 = 1508i64;
    v6 = 9i64;
LABEL_18:
    AddTraceback(aTest4plusToInt, v5, v6, aTest4plusPy);
    v10 = 0i64;
    if ( !v2 )
      goto LABEL_23;
    goto LABEL_21;
  }


  v10 = Py_NoneStruct;
  v1 = (_QWORD *)v9;
  ++Py_NoneStruct;
LABEL_21:
  v11 = (*v2)-- == 1i64;
  if ( v11 )
    (*(void (__fastcall **)(_QWORD *))(v2[1] + 48i64))(v2);
LABEL_23:
  if ( v3 )
  {
    v11 = (*v3)-- == 1i64;
    if ( v11 )
      (*(void (__fastcall **)(_QWORD *))(v3[1] + 48i64))(v3);
  }
  if ( v4 )
  {
    v11 = (*v4)-- == 1i64;
    if ( v11 )
      (*(void (__fastcall **)(_QWORD *))(v4[1] + 48i64))(v4);
  }
  if ( !v1 )
    return v10;
  v11 = (*v1)-- == 1i64;
  if ( v11 )
    (*(void (__fastcall **)(_QWORD *))(v1[1] + 48i64))(v1);
  return v10;
}

`to_float()`

+11: def to_float():
+12:     x = float(1)     # x 输出果为 1.0
  __pyx_t_1 = __Pyx_PyObject_AsDouble(__pyx_int_1); if (unlikely(__pyx_t_1 == ((double)((double)-1)) && PyErr_Occurred())) __PYX_ERR(0, 12, __pyx_L1_error)
  __pyx_v_x = __pyx_t_1;

+13:     y = float(2.8)   # y 输出果为 2.8
  __pyx_v_y = 2.8;

+14:     z = float("3")   # z 输出果为 3.0
  __pyx_t_1 = __Pyx_PyObject_AsDouble(__pyx_kp_u_3); if (unlikely(__pyx_t_1 == ((double)((double)-1)) && PyErr_Occurred())) __PYX_ERR(0, 14, __pyx_L1_error)
  __pyx_v_z = __pyx_t_1;

+15:     w = float("4.2") # w 输出果为 4.2
  __pyx_t_1 = __Pyx_PyObject_AsDouble(__pyx_kp_u_4_2); if (unlikely(__pyx_t_1 == ((double)((double)-1)) && PyErr_Occurred())) __PYX_ERR(0, 15, __pyx_L1_error)
  __pyx_v_w = __pyx_t_1;

IDA

// write access to const memory has been detected, the output may be wrong!
__int64 __fastcall to_float(double a1)
{
  __int64 v1; // rdx
  __int64 v2; // r8

  if ( *(_QWORD *)(int1 + 8) == PyFloat_Type )
    a1 = *(double *)(int1 + 16);
  else
    PyObject_AsDouble((_QWORD *)int1);          // float(1)
                                                // PyObject_AsDouble()函数内有
                                                // PyObject_Call(PyFloat, xxx)，可以作为特征
  if ( a1 == -1.0 && PyErr_Occurred() )
  {
    v1 = 1580i64;
    v2 = 12i64;
LABEL_19:
    AddTraceback(aTest4plusToFlo, v1, v2, aTest4plusPy);
    return 0i64;
  }

  if ( *(_QWORD *)(strp_3 + 8) == PyFloat_Type )
    a1 = *(double *)(strp_3 + 16);
  else
    PyObject_AsDouble((_QWORD *)strp_3);        // float("3")
  if ( a1 == -1.0 && PyErr_Occurred() )
  {
    v1 = 1599i64;
    v2 = 14i64;
    goto LABEL_19;
  }

  if ( *(_QWORD *)(strp_4_2 + 8) == PyFloat_Type )
    a1 = *(double *)(strp_4_2 + 16);
  else
    PyObject_AsDouble((_QWORD *)strp_4_2);      // float("4.2")
  if ( a1 != -1.0 || !PyErr_Occurred() )
    return Py_NoneStruct++;
  v1 = 1609i64;
  v2 = 15i64;
  goto LABEL_19;
}

`to_str()`

IDA

// write access to const memory has been detected, the output may be wrong!
__int64 to_str()
{
  _QWORD *v0; // rbx
  _QWORD *v1; // rsi
  _QWORD *v2; // rdi
  __int64 v3; // rax
  __int64 v4; // rdx
  __int64 v5; // r8
  __int64 v6; // rax
  __int64 v7; // rax
  __int64 v8; // rbp
  bool v9; // zf

  v0 = 0i64;
  v1 = 0i64;
  v2 = 0i64;
  v3 = PyObject_Call_0(PyUnicode_Type, qword_18000CDB8);
  if ( !v3 )
  {
    v4 = 1673i64;
    v5 = 18i64;
    goto LABEL_7;
  }

  v1 = (_QWORD *)v3;
  v6 = PyObject_Call_0(PyUnicode_Type, qword_18000CD20);
  if ( !v6 )
  {
    v4 = 1685i64;
    v5 = 19i64;
    goto LABEL_7;
  }

  v2 = (_QWORD *)v6;
  v7 = PyObject_Call_0(PyUnicode_Type, qword_18000CD98);
  if ( !v7 )
  {
    v4 = 1697i64;
    v5 = 20i64;
LABEL_7:
    AddTraceback(aTest4plusToStr, v4, v5, aTest4plusPy);
    v8 = 0i64;
    if ( !v1 )
      goto LABEL_12;
    goto LABEL_10;
  }

  v8 = Py_NoneStruct;
  v0 = (_QWORD *)v7;
  ++Py_NoneStruct;
LABEL_10:
  v9 = (*v1)-- == 1i64;
  if ( v9 )
    (*(void (__fastcall **)(_QWORD *))(v1[1] + 48i64))(v1);
LABEL_12:
  if ( v2 )
  {
    v9 = (*v2)-- == 1i64;
    if ( v9 )
      (*(void (__fastcall **)(_QWORD *))(v2[1] + 48i64))(v2);
  }
  if ( !v0 )
    return v8;
  v9 = (*v0)-- == 1i64;
  if ( v9 )
    (*(void (__fastcall **)(_QWORD *))(v0[1] + 48i64))(v0);
  return v8;
}

全部使用PyObject_Call(PyUnicode_Type, xxxx)的手法来调用。

`test_repr_and_list()`

+22: def test_repr_and_list():
+23:     d = [1, 2, 3, 4]
  __pyx_t_1 = PyList_New(4);
  PyList_SET_ITEM(__pyx_t_1, 0, __pyx_int_1);
  PyList_SET_ITEM(__pyx_t_1, 1, __pyx_int_2);
  PyList_SET_ITEM(__pyx_t_1, 2, __pyx_int_3);
  PyList_SET_ITEM(__pyx_t_1, 3, __pyx_int_4);
  __pyx_v_d = ((PyObject*)__pyx_t_1);

+24:     print(d)
  __pyx_t_1 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_v_d);

+25:     print(d[0])
  __pyx_t_1 = __Pyx_GetItemInt_List(__pyx_v_d, 0, long, 1, __Pyx_PyInt_From_long, 1, 0, 1);
  __pyx_t_2 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_1);

+26:     print(d[2:])
  __pyx_t_2 = __Pyx_PyList_GetSlice(__pyx_v_d, 2, PY_SSIZE_T_MAX);
  __pyx_t_1 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_2);

+27:     print(d[0:4:2])
  __pyx_t_1 = __Pyx_PyObject_GetItem(__pyx_v_d, __pyx_slice__6);
  __pyx_t_2 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_1);
/* … */
  __pyx_slice__6 = PySlice_New(__pyx_int_0, __pyx_int_4, __pyx_int_2);

+28:     print(repr(d))
  __pyx_t_2 = PyObject_Repr(__pyx_v_d);
  __pyx_t_1 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_2);

IDA

// write access to const memory has been detected, the output may be wrong!
__int64 sub_180006870()
{
  __int64 v0; // r15
  _QWORD *v1; // rsi
  __int64 tup; // rax
  __int64 v3; // rbx
  unsigned int v4; // edi
  unsigned int v5; // er14
  __int64 v6; // rcx
  __int64 v7; // rcx
  __int64 v8; // rcx
  __int64 v9; // rcx
  _QWORD *v10; // rax
  __int64 v11; // rcx
  bool v12; // zf
  _QWORD **v13; // rax
  _QWORD *v14; // rbx
  __int64 v15; // rax
  _QWORD *v16; // rdi
  __int64 v17; // rax
  _QWORD *v18; // rdi
  __int64 v19; // rcx
  __int64 v20; // rdi
  _QWORD *v21; // rcx
  __int64 v23; // rax
  __int64 v24; // rdx
  _QWORD *v25; // rax
  _QWORD *v26; // rdi
  __int64 v27; // rcx
  __int64 (__fastcall *v28)(_QWORD *, __int64); // rax
  _QWORD *v29; // rax
  __int64 v30; // rcx
  _QWORD *v31; // rdi
  _QWORD *v32; // rax
  __int64 v33; // rcx
  _QWORD *v34; // rdi

  v0 = 0i64;
  v1 = 0i64;
  tup = PyList_New(4i64);
  v3 = tup;
  if ( !tup )
  {
    v4 = 23;
    v5 = 1766;
    goto LABEL_26;
  }
  v6 = int1;
  v1 = (_QWORD *)tup;                           // 这一块是PyList_SET_ITEM()
                                                // 这玩意是个宏
                                                // #define PyList_SET_ITEM(op, i, v) (((PyListObject *)(op))->ob_item[i] = (v))
  ++*(_QWORD *)int1;
  **(_QWORD **)(tup + 24) = v6;
  v7 = int_2;
  ++*(_QWORD *)int_2;
  *(_QWORD *)(*(_QWORD *)(tup + 24) + 8i64) = v7;
  v8 = int3;
  ++*(_QWORD *)int3;
  *(_QWORD *)(*(_QWORD *)(tup + 24) + 16i64) = v8;
  v9 = int4;
  ++*(_QWORD *)int4;
  *(_QWORD *)(*(_QWORD *)(tup + 24) + 24i64) = v9;// d = [1, 2, 3, 4]

  v10 = (_QWORD *)print_0(v9, (_QWORD *)tup);   // print(d)
  v11 = (__int64)v10;
  if ( !v10 )
  {
    v4 = 24;
    v5 = 1790;
    goto LABEL_26;
  }

  v12 = (*v10)-- == 1i64;
  if ( v12 )
    (*(void (__fastcall **)(_QWORD *))(v10[1] + 48i64))(v10);
  if ( *(_QWORD *)(v3 + 16) )
  {
    v13 = *(_QWORD ***)(v3 + 24);
    v14 = *v13;
    ++**v13;
  }
  else
  {
    v15 = PyLong_FromSsize_t(0i64);
    v16 = (_QWORD *)v15;
    if ( v15 )
    {
      v17 = PyObject_GetItem(v3, v15);          // list[0]
      v12 = (*v16)-- == 1i64;
      v14 = (_QWORD *)v17;
      if ( v12 )
        (*(void (__fastcall **)(_QWORD *))(v16[1] + 48i64))(v16);
    }
    else
    {
      v14 = 0i64;
    }
  }
  if ( !v14 )
  {
    v4 = 25;
    v5 = 1801;
    goto LABEL_26;
  }
  v18 = (_QWORD *)print_0(v11, v14);            // print(d[0])
  if ( !v18 )
  {
    v4 = 25;
    v5 = 1803;
    goto LABEL_47;
  }

  v12 = (*v14)-- == 1i64;
  if ( v12 )
    (*(void (__fastcall **)(_QWORD *))(v14[1] + 48i64))(v14);
  v12 = (*v18)-- == 1i64;
  if ( v12 )
    (*(void (__fastcall **)(_QWORD *))(v18[1] + 48i64))(v18);
  v19 = 0x7FFFFFFFFFFFFFFFi64;
  if ( v1[2] != 0x7FFFFFFFFFFFFFFFi64 )
    v19 = v1[2];
  v20 = v19 - 2;
  if ( v19 - 2 > 0 )
  {
    v23 = PyList_New(v19 - 2);                  // [2:]
    v14 = (_QWORD *)v23;
    if ( !v23 )
      goto LABEL_25;
    v21 = *(_QWORD **)(v23 + 24);
    v24 = v1[3] + 16i64 - (_QWORD)v21;
    do
    {
      v25 = *(_QWORD **)((char *)v21 + v24);
      *v21++ = v25;
      ++*v25;
      --v20;
    }
    while ( v20 );
  }
  else
  {
    v14 = (_QWORD *)PyList_New(0i64);
    if ( !v14 )
    {
LABEL_25:
      v4 = 26;
      v5 = 1815;
      goto LABEL_26;
    }
  }
  v26 = (_QWORD *)print_0((__int64)v21, v14);   // print(d[2:])
  if ( !v26 )
  {
    v4 = 26;
    v5 = 1817;
    goto LABEL_47;
  }

  v12 = (*v14)-- == 1i64;
  if ( v12 )
    (*(void (__fastcall **)(_QWORD *))(v14[1] + 48i64))(v14);
  v12 = (*v26)-- == 1i64;
  if ( v12 )
    (*(void (__fastcall **)(_QWORD *))(v26[1] + 48i64))(v26);
  v27 = *(_QWORD *)(v1[1] + 112i64);
  if ( v27 && (v28 = *(__int64 (__fastcall **)(_QWORD *, __int64))(v27 + 8)) != 0i64 )
    v29 = (_QWORD *)v28(v1, slice_0_4_2);
  else
    v29 = (_QWORD *)GetItem(v1, slice_0_4_2);
  v14 = v29;
  if ( !v29 )
  {
    v4 = 27;
    v5 = 1829;
    goto LABEL_26;
  }
  v31 = (_QWORD *)print_0(v30, v29);            // print(d[0:4:2])
  if ( !v31 )
  {
    v4 = 27;
    v5 = 1831;
    goto LABEL_47;
  }

  v12 = (*v14)-- == 1i64;
  if ( v12 )
    (*(void (__fastcall **)(_QWORD *))(v14[1] + 48i64))(v14);
  v12 = (*v31)-- == 1i64;
  if ( v12 )
    (*(void (__fastcall **)(_QWORD *))(v31[1] + 48i64))(v31);
  v32 = (_QWORD *)PyObject_Repr(v1);            // PyObject_Repr()就是repr()
  v14 = v32;
  if ( !v32 )
  {
    v4 = 28;
    v5 = 1843;
    goto LABEL_26;
  }
  v34 = (_QWORD *)print_0(v33, v32);            // print(repr(d))
  if ( !v34 )
  {
    v4 = 28;
    v5 = 1845;
LABEL_47:
    v12 = (*v14)-- == 1i64;
    if ( v12 )
      (*(void (__fastcall **)(_QWORD *))(v14[1] + 48i64))(v14);
LABEL_26:
    AddTraceback(aTest4plusTestR, v5, v4, aTest4plusPy);
    if ( !v1 )
      return v0;
    goto LABEL_27;
  }

  v12 = (*v14)-- == 1i64;
  if ( v12 )
    (*(void (__fastcall **)(_QWORD *))(v14[1] + 48i64))(v14);
  v12 = (*v34)-- == 1i64;
  if ( v12 )
    (*(void (__fastcall **)(_QWORD *))(v34[1] + 48i64))(v34);
  v0 = Py_NoneStruct++;
LABEL_27:
  v12 = (*v1)-- == 1i64;
  if ( v12 )
    (*(void (__fastcall **)(_QWORD *))(v1[1] + 48i64))(v1);
  return v0;
}

里面有些内联函数和元组的一样。就是初始化列表没有元组要美观，因为PyList_SET_ITEM()是个会被内联的宏。

补充

1	#define PyList_SET_ITEM(op, i, v) (((PyListObject *)(op))->ob_item[i] = (v))

`test_eval()`

+30: def test_eval():
+31:     order_str = "print('Hello')"
  __Pyx_INCREF(__pyx_kp_u_print_Hello);
  __pyx_v_order_str = __pyx_kp_u_print_Hello;

+32:     print(eval(order_str))
  __pyx_t_1 = __Pyx_Globals(); 
  __pyx_t_2 = __Pyx_PyDict_NewPresized(1); 
  if (__pyx_v_order_str) {
    if (PyDict_SetItem(__pyx_t_2, __pyx_n_s_order_str, __pyx_v_order_str) < 0) __PYX_ERR(0, 32, __pyx_L1_error)
  }	// Dict["order_str"] = "print('Hello')";
  __pyx_t_3 = PyTuple_New(3);
  PyTuple_SET_ITEM(__pyx_t_3, 0, __pyx_v_order_str);
  PyTuple_SET_ITEM(__pyx_t_3, 1, __pyx_t_1);
  PyTuple_SET_ITEM(__pyx_t_3, 2, __pyx_t_2);	// (globals(), Dict, "print('Hello')")

  __pyx_t_2 = __Pyx_PyObject_Call(__pyx_builtin_eval, __pyx_t_3, NULL);
  __pyx_t_3 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_2);

不少内联函数。

`__Pyx_Globals()`

使用这个函数来

/* Globals */
static PyObject* __Pyx_Globals(void) {
    Py_ssize_t i;
    PyObject *names;
    PyObject *globals = __pyx_d;	// 获得全局字典
    Py_INCREF(globals);
    names = PyObject_Dir(__pyx_m);	// 特征API
    	// 在exec函数中，__pyx_m会获得函数的传参__pyx_pyinit_module
    	// 所以如果发现exec函数中有个值获得了a1，那它就是__pyx_m
    
    if (!names)
        goto bad;
    for (i = PyList_GET_SIZE(names)-1; i >= 0; i--) {
        PyObject* name = PyList_GET_ITEM(names, i);	// 宏

        if (!PyDict_Contains(globals, name)) {
            PyObject* value = __Pyx_GetAttr(__pyx_m, name);	// PyObject_GetAttr() API
            if (!value) {
                goto bad;
            }
            if (PyDict_SetItem(globals, name, value) < 0) {
                Py_DECREF(value);
                goto bad;
            }
        }
    }
    Py_DECREF(names);
    return globals;
bad:
    Py_XDECREF(names);
    Py_XDECREF(globals);
    return NULL;
}

IDA

// write access to const memory has been detected, the output may be wrong!
__int64 test_eval()
{
  _QWORD *dict; // rsi
  __int64 v1; // rcx
  _QWORD *strp_order; // r15
  __int64 v3; // rax
  _QWORD *v4; // rbp
  __int64 v5; // r14
  __int64 v6; // rdi
  __int64 (__fastcall *v7)(__int64, __int64); // r8
  __int64 v8; // rax
  _QWORD *v9; // rbx
  bool v10; // zf
  __int64 newdict; // rax
  _QWORD *pnew_dict; // rbx
  unsigned int v13; // er14
  __int64 v14; // rbx
  _QWORD *arg3_tuple; // rax
  _QWORD *v17; // rdi
  __int64 eval; // rcx
  __int64 v19; // rcx
  _QWORD *v20; // rdi

  dict = qword_18000CCD0;
  v1 = _pyx_m;
  ++*::strp_order;
  strp_order = ::strp_order;
  ++*dict;
  v3 = PyObject_Dir(v1);
  v4 = v3;
  if ( !v3 )
  {
ERR:
    v10 = (*dict)-- == 1i64;
    if ( v10 )
      (*(dict[1] + 48i64))(dict);
    v13 = 1924;
ERR2:
    AddTraceback(aTest4plusTestE, v13, 32i64, aTest4plusPy);
    v14 = 0i64;
    if ( !strp_order )
      return v14;
    goto LABEL_23;
  }

  v5 = *(v3 + 16) - 1i64;
  if ( v5 >= 0 )
  {
    while ( 1 )
    {
      v6 = *(v4[3] + 8 * v5);
      if ( !PyDict_Contains(dict, v6) )
      {
        if ( (*(*(v6 + 8) + 168i64) & 0x10000000) != 0 && (v7 = *(*(_pyx_m + 8) + 144i64)) != 0i64 )
          v8 = v7(_pyx_m, v6);
        else
          v8 = PyObject_GetAttr(_pyx_m, v6);
        v9 = v8;
        if ( !v8 )
          goto LABEL_17;
        if ( PyDict_SetItem(dict, v6, v8) < 0 )
          break;
      }
      if ( --v5 < 0 )
        goto LABEL_11;
    }                                           // __Pyx_Globals()
    v10 = (*v9)-- == 1i64;
    if ( v10 )
      (*(v9[1] + 48i64))(v9);
LABEL_17:
    v10 = (*v4)-- == 1i64;
    if ( v10 )
      (*(v4[1] + 48i64))(v4);
    goto ERR;
  }
LABEL_11:

  v10 = (*v4)-- == 1i64;
  if ( v10 )
    (*(v4[1] + 48i64))(v4);
  newdict = PyDict_New();                       // __pyx_t_2 = __Pyx_PyDict_NewPresized(1); 
  pnew_dict = newdict;
  if ( !newdict )
  {
    v13 = 1926;
    goto LABEL_31;
  }

  if ( strp_order && PyDict_SetItem(newdict, strp_order_str, strp_order) < 0 )// 
                                                // NewDict["order_str"] = "print('Hello')";
                                                // 
  {
    v13 = 1929;
    goto LABEL_31;
  }

  arg3_tuple = PyTuple_New(3i64);
  v17 = arg3_tuple;
  if ( !arg3_tuple )
  {
    v13 = 1931;
LABEL_31:
    v10 = (*dict)-- == 1i64;
    if ( v10 )
      (*(dict[1] + 48i64))(dict);
    if ( !pnew_dict )
      goto ERR2;
LABEL_42:
    v10 = (*pnew_dict)-- == 1i64;
    if ( v10 )
      (*(pnew_dict[1] + 48i64))(pnew_dict);
    goto ERR2;
  }
  ++*strp_order;
  eval = ::eval;
  arg3_tuple[3] = strp_order;
  arg3_tuple[4] = dict;
  arg3_tuple[5] = pnew_dict;
  pnew_dict = PyObject_Call_0(eval, arg3_tuple);// 
                                                // eval((globals(), Dict, "print('Hello')"))
  if ( !pnew_dict )
  {
    v10 = (*v17)-- == 1i64;
    v13 = 1942;
    if ( v10 )
      (*(v17[1] + 48i64))(v17);
    goto ERR2;
  }
  v10 = (*v17)-- == 1i64;
  if ( v10 )
    (*(v17[1] + 48i64))(v17);
  v20 = print_0(v19, pnew_dict);                // eval((globals(), Dict, "print('Hello')"))
  if ( !v20 )
  {
    v13 = 1945;
    goto LABEL_42;
  }

  v10 = (*pnew_dict)-- == 1i64;
  if ( v10 )
    (*(pnew_dict[1] + 48i64))(pnew_dict);
  v10 = (*v20)-- == 1i64;
  if ( v10 )
    (*(v20[1] + 48i64))(v20);
  v14 = Py_NoneStruct++;
LABEL_23:
  v10 = (*strp_order)-- == 1i64;
  if ( v10 )
    (*(strp_order[1] + 48i64))(strp_order);
  return v14;
}

`test_hex_oct()`

+34: def test_hex_oct():
+35:     a = hex(114514)
  __pyx_t_1 = __Pyx_PyObject_Call(__pyx_builtin_hex, __pyx_tuple__7, NULL);
  __pyx_v_a = __pyx_t_1;

// InitCachedConstants()
  __pyx_tuple__7 = PyTuple_Pack(1, __pyx_int_114514);

+36:     b = oct(1919810)
  __pyx_t_1 = __Pyx_PyObject_Call(__pyx_builtin_oct, __pyx_tuple__8, NULL);
  __pyx_v_b = __pyx_t_1;

// InitCachedConstants()
  __pyx_tuple__8 = PyTuple_Pack(1, __pyx_int_1919810);

IDA

// write access to const memory has been detected, the output may be wrong!
__int64 test_hex_oct()
{
  _QWORD *v0; // rbx
  _QWORD *v1; // rsi
  __int64 v2; // rax
  __int64 v3; // rdx
  __int64 v4; // r8
  __int64 v5; // rax
  __int64 v6; // rdi
  bool v8; // zf

  v0 = 0i64;
  v1 = 0i64;
  v2 = PyObject_Call_0(hex, tup_int114514);     // a = hex(114514)
  if ( v2 )
  {
    v1 = v2;
    v5 = PyObject_Call_0(oct, tup_int1919810);  // b = oct(1919810)
    if ( v5 )
    {
      v6 = Py_NoneStruct;
      v0 = v5;
      ++Py_NoneStruct;
      goto LABEL_8;
    }
    v3 = 2026i64;
    v4 = 36i64;
  }
  else
  {
    v3 = 2014i64;
    v4 = 35i64;
  }
  AddTraceback(aTest4plusTestH, v3, v4, aTest4plusPy);
  v6 = 0i64;
  if ( !v1 )
    return 0i64;
LABEL_8:
  v8 = (*v1)-- == 1i64;
  if ( v8 )
    (*(v1[1] + 48i64))(v1);
  if ( !v0 )
    return v6;
  v8 = (*v0)-- == 1i64;
  if ( v8 )
    (*(v0[1] + 48i64))(v0);
  return v6;
}

`test_ord_chr()`

+39:     a = ord('b')
  __pyx_v_a = 98;
+40:     b = chr(0x31)
  __pyx_t_1 = __Pyx_PyObject_Call(__pyx_builtin_chr, __pyx_tuple__9, NULL); if (unlikely(!__pyx_t_1)) __PYX_ERR(0, 40, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_t_1);
  __pyx_v_b = __pyx_t_1;
  __pyx_t_1 = 0;
/* … */
  __pyx_tuple__9 = PyTuple_Pack(1, __pyx_int_49); if (unlikely(!__pyx_tuple__9)) __PYX_ERR(0, 40, __pyx_L1_error)
  __Pyx_GOTREF(__pyx_tuple__9);
  __Pyx_GIVEREF(__pyx_tuple__9);

IDA

// write access to const memory has been detected, the output may be wrong!
__int64 test_ord_chr()
{
  _QWORD *v0; // rax
  __int64 result; // rax

  v0 = PyObject_Call_0(chr, int49_0);           // b = chr(0x31)
  if ( v0 )
  {
    ++Py_NoneStruct;
    if ( (*v0)-- == 1i64 )
      (*(v0[1] + 48i64))(v0);
    result = Py_NoneStruct;
  }
  else
  {
    AddTraceback(aTest4plusTestO, 2100i64, 40i64, aTest4plusPy);
    result = 0i64;
  }
  return result;
}

由此可见ord()如果传入的是常量，最后有可能会被直接优化成具体值。

补充

1
2
3

def test_ord(input):
	a = ord(input)
    print(a)

+1: def test_ord(input):
+2: 	a = ord(input)
  __pyx_t_1 = __Pyx_PyObject_Ord(__pyx_v_input);
  __pyx_v_a = __pyx_t_1;

+3: 	print(a)
  __pyx_t_2 = __Pyx_PyInt_From_long(__pyx_v_a);
  __pyx_t_3 = __Pyx_PyObject_CallOneArg(__pyx_builtin_print, __pyx_t_2);

IDA

// write access to const memory has been detected, the output may be wrong!
__int64 __fastcall test_ord(__int64 a1, __int64 a2)
{
  __int64 v2; // rcx
  int v4; // eax
  __int64 v5; // r8
  int v6; // edx
  int v7; // ecx
  __int64 v8; // rax
  unsigned __int8 *v9; // rax
  __int64 v10; // rax
  __int64 __pyx_v_a; // rcx
  __int64 v12; // rax
  __int64 v13; // r8
  __int64 a; // rax
  __int64 v15; // rcx
  _QWORD *v16; // rbx
  unsigned int v17; // edi
  unsigned int v18; // ebp
  _QWORD *v19; // rdi
  __int64 v20; // rax

  v2 = *(_QWORD *)(a2 + 8);
  v4 = *(_DWORD *)(v2 + 168);
  if ( !_bittest(&v4, 0x1Cu) )
  {
    if ( _bittest(&v4, 0x1Bu) )
    {
      v13 = *(_QWORD *)(a2 + 16);
      if ( v13 == 1 )
      {
        __pyx_v_a = *(unsigned __int8 *)(a2 + 32);
        goto LABEL_30;
      }
    }
    else
    {
      if ( v2 != PyByteArray_Type && !(unsigned int)PyType_IsSubtype() )
      {
        PyErr_Format(
          PyExc_TypeError,
          "ord() expected string of length 1, but %.200s found",
          *(_QWORD *)(*(_QWORD *)(a2 + 8) + 24i64));
LABEL_42:
        v17 = 2;
        v18 = 1228;
        goto LABEL_43;
      }
      v13 = *(_QWORD *)(a2 + 16);
      if ( v13 == 1 )
      {
        v9 = *(unsigned __int8 **)(a2 + 40);
LABEL_29:
        __pyx_v_a = *v9;
        goto LABEL_30;
      }
    }
    PyErr_Format(PyExc_TypeError, "ord() expected a character, but string of length %zd found", v13);// 错误提示暗示了这一块是ord()
    goto LABEL_42;
  }
  v5 = *(_QWORD *)(a2 + 16);
  if ( v5 != 1 )
  {
    PyErr_Format(
      PyExc_ValueError,
      "only single character unicode strings can be converted to Py_UCS4, got length %zd",
      v5);
    __pyx_v_a = 0xFFFFFFFFi64;
    goto LABEL_30;
  }
  v6 = *(_DWORD *)(a2 + 32);
  v7 = v6 & 0x1C;
  if ( v7 == 4 )
  {
    if ( (v6 & 0x20) != 0 )
    {
      v8 = 48i64;
      if ( (v6 & 0x40) == 0 )
        v8 = 72i64;
      v9 = (unsigned __int8 *)(a2 + v8);
    }
    else
    {
      v9 = *(unsigned __int8 **)(a2 + 72);
    }
    goto LABEL_29;
  }
  if ( v7 == 8 )
  {
    if ( (v6 & 0x20) != 0 )
    {
      v10 = 48i64;
      if ( (v6 & 0x40) == 0 )
        v10 = 72i64;
      __pyx_v_a = *(unsigned __int16 *)(a2 + v10);
    }
    else
    {
      __pyx_v_a = **(unsigned __int16 **)(a2 + 72);
    }
  }
  else if ( (v6 & 0x20) != 0 )
  {
    v12 = 48i64;
    if ( (v6 & 0x40) == 0 )
      v12 = 72i64;
    __pyx_v_a = *(unsigned int *)(a2 + v12);
  }
  else
  {
    __pyx_v_a = **(unsigned int **)(a2 + 72);
  }
LABEL_30:
  if ( (_DWORD)__pyx_v_a == -1 )
    goto LABEL_42;
  a = PyLong_FromLong(__pyx_v_a);               // __pyx_t_2 = __Pyx_PyInt_From_long(__pyx_v_a);
  v16 = (_QWORD *)a;
  if ( !a )
  {
    v17 = 3;
    v18 = 1236;
LABEL_43:
    AddTraceback(aTest4plusplusT, v18, v17, aTest4plusplusP);
    return 0i64;
  }
  v19 = (_QWORD *)print(v15, a);                // print(a)
  v20 = *v16 - 1i64;
  *v16 = v20;
  if ( !v19 )
  {
    v17 = 3;
    v18 = 1238;
    if ( !v20 )
      (*(void (__fastcall **)(_QWORD *))(v16[1] + 48i64))(v16);
    goto LABEL_43;
  }
  if ( !v20 )
    (*(void (__fastcall **)(_QWORD *))(v16[1] + 48i64))(v16);
  if ( (*v19)-- == 1i64 )
    (*(void (__fastcall **)(_QWORD *))(v19[1] + 48i64))(v19);
  return Py_NoneStruct++;
}

本文作者： Taardis
本文链接： https://taardisaa.github.io/2022/01/28/Cython Reverse 4/
版权声明： 本博客所有文章除特别声明外，均采用 Apache License 2.0 许可协议。转载请注明出处！