Pyc字节码分析 1

2022-02-09

字数统计: 6.8k字 | 阅读时长≈ 37分

Cython后再稍微整整Pyc字节码文件逆向，然后开始搞Go和Rust。

Pyc字节码分析 1

测试环境

不同版本，pyc文件的结构组织，opcode都有所不同。我准备多个大版本都分析一下。

3.10.2 win安装包+源码
3.9.10 win安装包+源码

3.8.12 源码（无安装包）
3.8.10 源码+安装包

3.7.11 源码
3.7.9  源码+安装包

同时下载安装包和源码进行分析。

python2就不管了，已经过时了。

总览

pyc文件结构分析
pyc虚拟机汇编指令分析
pyc字节码混淆与反混淆（可能）
pyinstaller程序解包
py脚本文件混淆

值得注意的是，GitHub上面有pyc反编译工具，但在我上次确认的时候，只支持3.8及以下版本，3.9以上不行。所以3.9以上版本的逆向需要着重注意。

网上查了一下其实有不少pyc逆向的深入解析，但是不少都是18，19年的干货了，版本也局限于python2，所以我准备稍微跟进一下时代，重新演绎一遍。

PyCodeObject

在Python中，一切都是对象，也就是PyObject的子类。代码也是如此。Pyc文件实际上就是PyCodeObject对象。因此我们先分析PyCodeObject对象的结构，随后再涉及Pyc文件的二进制结构。

3.7.9

// python3.7.9 Include/code.h

/* Bytecode object */
typedef struct {
    PyObject_HEAD
    int co_argcount;            /* #arguments, except *args */
    int co_kwonlyargcount;      /* #keyword only arguments */
    int co_nlocals;             /* #local variables */
    int co_stacksize;           /* #entries needed for evaluation stack */
    int co_flags;               /* CO_..., see below */
    int co_firstlineno;         /* first source line number */
    PyObject *co_code;          /* instruction opcodes */
    PyObject *co_consts;        /* list (constants used) */
    PyObject *co_names;         /* list of strings (names used) */
    PyObject *co_varnames;      /* tuple of strings (local variable names) */
    PyObject *co_freevars;      /* tuple of strings (free variable names) */
    PyObject *co_cellvars;      /* tuple of strings (cell variable names) */
    /* The rest aren't used in either hash or comparisons, except for co_name,
       used in both. This is done to preserve the name and line number
       for tracebacks and debuggers; otherwise, constant de-duplication
       would collapse identical functions/lambdas defined on different lines.
    */
    Py_ssize_t *co_cell2arg;    /* Maps cell vars which are arguments. */
    PyObject *co_filename;      /* unicode (where it was loaded from) */
    PyObject *co_name;          /* unicode (name, for reference) */
    PyObject *co_lnotab;        /* string (encoding addr<->lineno mapping) See
                                   Objects/lnotab_notes.txt for details. */
    void *co_zombieframe;       /* for optimization only (see frameobject.c) */
    PyObject *co_weakreflist;   /* to support weakrefs to code objects */
    /* Scratch space for extra data relating to the code object.
       Type is a void* to keep the format private in codeobject.c to force
       people to go through the proper APIs. */
    void *co_extra;
} PyCodeObject;

3.8.10

// python3.8.10 Include/code.h

/* Bytecode object */
typedef struct {
    PyObject_HEAD
    int co_argcount;            /* #arguments, except *args */
    int co_posonlyargcount;     /* #positional only arguments */
    int co_kwonlyargcount;      /* #keyword only arguments */
    int co_nlocals;             /* #local variables */
    int co_stacksize;           /* #entries needed for evaluation stack */
    int co_flags;               /* CO_..., see below */
    int co_firstlineno;         /* first source line number */
    PyObject *co_code;          /* instruction opcodes */
    PyObject *co_consts;        /* list (constants used) */
    PyObject *co_names;         /* list of strings (names used) */
    PyObject *co_varnames;      /* tuple of strings (local variable names) */
    PyObject *co_freevars;      /* tuple of strings (free variable names) */
    PyObject *co_cellvars;      /* tuple of strings (cell variable names) */
    /* The rest aren't used in either hash or comparisons, except for co_name,
       used in both. This is done to preserve the name and line number
       for tracebacks and debuggers; otherwise, constant de-duplication
       would collapse identical functions/lambdas defined on different lines.
    */
    Py_ssize_t *co_cell2arg;    /* Maps cell vars which are arguments. */
    PyObject *co_filename;      /* unicode (where it was loaded from) */
    PyObject *co_name;          /* unicode (name, for reference) */
    PyObject *co_lnotab;        /* string (encoding addr<->lineno mapping) See
                                   Objects/lnotab_notes.txt for details. */
    void *co_zombieframe;       /* for optimization only (see frameobject.c) */
    PyObject *co_weakreflist;   /* to support weakrefs to code objects */
    /* Scratch space for extra data relating to the code object.
       Type is a void* to keep the format private in codeobject.c to force
       people to go through the proper APIs. */
    void *co_extra;

    /* Per opcodes just-in-time cache
     *
     * To reduce cache size, we use indirect mapping from opcode index to
     * cache object:
     *   cache = co_opcache[co_opcache_map[next_instr - first_instr] - 1]
     */

    // co_opcache_map is indexed by (next_instr - first_instr).
    //  * 0 means there is no cache for this opcode.
    //  * n > 0 means there is cache in co_opcache[n-1].
    unsigned char *co_opcache_map;
    _PyOpcache *co_opcache;
    int co_opcache_flag;  // used to determine when create a cache.
    unsigned char co_opcache_size;  // length of co_opcache.
} PyCodeObject;

和3.7版本相比，多了几个成员。

3.9.10

3.9.10的结构体定义集成到了Include/cpython/code.h里面了。

和3.8似乎没有变化，略去。

3.10.2

和3.9没有区别，略去。

参数解释

`co_argcount`

除了*args以外的参数的个数（根据测试，实际上是不包括 *args 和 **kwargs 以及强制关键字参数。）

# 在 python3.8.10上测试

# 仅用于测试，此参数列表在实际编程中极容易混淆，不可能使用。
def test(a, b, c, d=1, e=2, *args, f=3, g, h=4, **kwargs):
    print(a, b, c, d, e, args, f, g, h, kwargs)
    
    
code_obj = test.__code__
# a, b, c, d, e都是一般参数，共5个，*args由于是未定长度的，所以后面的f, g等参数都必须强制关键字。
code_obj.co_argcount # 5

"""
>>> test(1,2,3,4,5,6,7,8,9,g=10,h=11,ttt=12)
1 2 3 4 5 (6, 7, 8, 9) 3 10 11 {'ttt': 12}
"""

`co_kwonlyargcount`

仅能通过关键字传参的形参数量。

def test(a, b, c, d=1, e=2, *args, f=3, g, h=4, **kwargs):
    print(a, b, c, d, e, args, f, g, h, kwargs)

"""
>>> code_obj.co_kwonlyargcount
3
"""

f，g，h这三个是必须明确关键字的，因为在*args的后面。

>>> def a(a=1,b=2,c=3):
...     print(a,b,c)
...
>>> b = a.__code__
>>> b
<code object a at 0x7fa02b4402f0, file "<stdin>", line 1>
>>> b.co_kwonlyargcount
0

而如果没有*args的阻挡，即使像这样设置了一个默认传参，co_kwonlyargcount还是0。

>>> a()
1 2 3
>>> a(3,4,5)
3 4 5
>>> a(3)
3 2 3
>>> a(b=3)
1 3 3

`co_nlocals`

函数栈上的变量个数。

def a(a):
	b = 1
	c = 2
	
    
    
b = a.__code__
b.co_nlocals # 3

函数形参和内部声明的变量都算在栈上的变量，所以一共有3个。

`co_stacksize`

一个整数，代表函数会使用的最大栈空间。

`co_flags`

一些声明函数特征的宏信息，以CO_开头。

/* Masks for co_flags above */
#define CO_OPTIMIZED    0x0001
#define CO_NEWLOCALS    0x0002
#define CO_VARARGS      0x0004
#define CO_VARKEYWORDS  0x0008
#define CO_NESTED       0x0010
#define CO_GENERATOR    0x0020
/* The CO_NOFREE flag is set if there are no free or cell variables.
   This information is redundant, but it allows a single flag test
   to determine whether there is any extra work to be done when the
   call frame it setup.
*/
#define CO_NOFREE       0x0040

/* The CO_COROUTINE flag is set for coroutine functions (defined with
   ``async def`` keywords) */
#define CO_COROUTINE            0x0080
#define CO_ITERABLE_COROUTINE   0x0100
#define CO_ASYNC_GENERATOR      0x0200

/* These are no longer used. */
#if 0
#define CO_GENERATOR_ALLOWED    0x1000
#endif
#define CO_FUTURE_DIVISION      0x2000
#define CO_FUTURE_ABSOLUTE_IMPORT 0x4000 /* do absolute imports by default */
#define CO_FUTURE_WITH_STATEMENT  0x8000
#define CO_FUTURE_PRINT_FUNCTION  0x10000
#define CO_FUTURE_UNICODE_LITERALS 0x20000

#define CO_FUTURE_BARRY_AS_BDFL  0x40000
#define CO_FUTURE_GENERATOR_STOP  0x80000
#define CO_FUTURE_ANNOTATIONS    0x100000

/* This value is found in the co_cell2arg array when the associated cell
   variable does not correspond to an argument. */
#define CO_CELL_NOT_AN_ARG (-1)

/* This should be defined if a future statement modifies the syntax.
   For example, when a keyword is added.
*/
#define PY_PARSER_REQUIRES_FUTURE_KEYWORD

#define CO_MAXBLOCKS 20 /* Max static block nesting within a function */

了解即可。

`co_firstlineno`

代码对象的第一行位于所在文件的行号。

`co_code`

该函数的二进制字节码。

1 2	b.co_code b'd\x01}\x01d\x02}\x02d\x00S\x00'

`co_constants`

1 2	>>> b.co_consts (None, 1, 2)

用到的常量。

`co_names`

用到的函数名字符串。

def a(a="str1"):
	b = "str2"
	print(a, b)
    
"""
>>> c = a.__code__
>>> c.co_names
('print',)
"""

通过这个可以了解函数里面使用到的函数和方法。

`co_varnames`

局部变量名列表

>>> b.co_varnames
('a', 'b', 'c')

>>> code_obj.co_varnames
('a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'args', 'kwargs')

`co_freevars`

元组里面存储着所有被函数使用的在闭包作用域中定义的变量名。

`co_cellvars`

元组里面存储着所有被嵌套函数用到的变量名。

def f(a, b):
    c = 3
    def g():
        return a + c
    return g

print(f.__code__.co_cellvars)
print(f.__code__.co_consts[2].co_freevars)
"""
('a', 'c')
('a', 'c')
"""

`co_filename`

函数所在文件名

`co_name`

函数名

区别于co_names。

`co_lnotab`

字节码指令和行号的对应关系

1 2	b.co_lnotab b'\x00\x01\x04\x01'

`co_posonlyargcount`（3.8及以上）

number of positional only arguments

序列化（python3.7.9）

PyCodeObject的序列化在Python/marshal.c中实现。

static void
w_object(PyObject *v, WFILE *p)
{
    char flag = '\0';

    p->depth++;

    if (p->depth > MAX_MARSHAL_STACK_DEPTH) {
        p->error = WFERR_NESTEDTOODEEP;
    }
    else if (v == NULL) {
        w_byte(TYPE_NULL, p);
    }
    else if (v == Py_None) {
        w_byte(TYPE_NONE, p);
    }
    else if (v == PyExc_StopIteration) {
        w_byte(TYPE_STOPITER, p);
    }
    else if (v == Py_Ellipsis) {
        w_byte(TYPE_ELLIPSIS, p);
    }
    else if (v == Py_False) {
        w_byte(TYPE_FALSE, p);
    }
    else if (v == Py_True) {
        w_byte(TYPE_TRUE, p);
    }
    else if (!w_ref(v, &flag, p))
        w_complex_object(v, flag, p);

    p->depth--;
}

static void
w_complex_object(PyObject *v, char flag, WFILE *p)
{
    Py_ssize_t i, n;

    if (PyLong_CheckExact(v)) {
        long x = PyLong_AsLong(v);
        if ((x == -1)  && PyErr_Occurred()) {
            PyLongObject *ob = (PyLongObject *)v;
            PyErr_Clear();
            w_PyLong(ob, flag, p);
        }
        else {
#if SIZEOF_LONG > 4
            long y = Py_ARITHMETIC_RIGHT_SHIFT(long, x, 31);
            if (y && y != -1) {
                /* Too large for TYPE_INT */
                w_PyLong((PyLongObject*)v, flag, p);
            }
            else
#endif
            {
                W_TYPE(TYPE_INT, p);
                w_long(x, p);
            }
        }
    }
    else if (PyFloat_CheckExact(v)) {
        if (p->version > 1) {
            unsigned char buf[8];
            if (_PyFloat_Pack8(PyFloat_AsDouble(v),
                               buf, 1) < 0) {
                p->error = WFERR_UNMARSHALLABLE;
                return;
            }
            W_TYPE(TYPE_BINARY_FLOAT, p);
            w_string((char*)buf, 8, p);
        }
        else {
            char *buf = PyOS_double_to_string(PyFloat_AS_DOUBLE(v),
                                              'g', 17, 0, NULL);
            if (!buf) {
                p->error = WFERR_NOMEMORY;
                return;
            }
            n = strlen(buf);
            W_TYPE(TYPE_FLOAT, p);
            w_byte((int)n, p);
            w_string(buf, n, p);
            PyMem_Free(buf);
        }
    }
    else if (PyComplex_CheckExact(v)) {
        if (p->version > 1) {
            unsigned char buf[8];
            if (_PyFloat_Pack8(PyComplex_RealAsDouble(v),
                               buf, 1) < 0) {
                p->error = WFERR_UNMARSHALLABLE;
                return;
            }
            W_TYPE(TYPE_BINARY_COMPLEX, p);
            w_string((char*)buf, 8, p);
            if (_PyFloat_Pack8(PyComplex_ImagAsDouble(v),
                               buf, 1) < 0) {
                p->error = WFERR_UNMARSHALLABLE;
                return;
            }
            w_string((char*)buf, 8, p);
        }
        else {
            char *buf;
            W_TYPE(TYPE_COMPLEX, p);
            buf = PyOS_double_to_string(PyComplex_RealAsDouble(v),
                                        'g', 17, 0, NULL);
            if (!buf) {
                p->error = WFERR_NOMEMORY;
                return;
            }
            n = strlen(buf);
            w_byte((int)n, p);
            w_string(buf, n, p);
            PyMem_Free(buf);
            buf = PyOS_double_to_string(PyComplex_ImagAsDouble(v),
                                        'g', 17, 0, NULL);
            if (!buf) {
                p->error = WFERR_NOMEMORY;
                return;
            }
            n = strlen(buf);
            w_byte((int)n, p);
            w_string(buf, n, p);
            PyMem_Free(buf);
        }
    }
    else if (PyBytes_CheckExact(v)) {
        W_TYPE(TYPE_STRING, p);
        w_pstring(PyBytes_AS_STRING(v), PyBytes_GET_SIZE(v), p);
    }
    else if (PyUnicode_CheckExact(v)) {
        if (p->version >= 4 && PyUnicode_IS_ASCII(v)) {
            int is_short = PyUnicode_GET_LENGTH(v) < 256;
            if (is_short) {
                if (PyUnicode_CHECK_INTERNED(v))
                    W_TYPE(TYPE_SHORT_ASCII_INTERNED, p);
                else
                    W_TYPE(TYPE_SHORT_ASCII, p);
                w_short_pstring((char *) PyUnicode_1BYTE_DATA(v),
                                PyUnicode_GET_LENGTH(v), p);
            }
            else {
                if (PyUnicode_CHECK_INTERNED(v))
                    W_TYPE(TYPE_ASCII_INTERNED, p);
                else
                    W_TYPE(TYPE_ASCII, p);
                w_pstring((char *) PyUnicode_1BYTE_DATA(v),
                          PyUnicode_GET_LENGTH(v), p);
            }
        }
        else {
            PyObject *utf8;
            utf8 = PyUnicode_AsEncodedString(v, "utf8", "surrogatepass");
            if (utf8 == NULL) {
                p->depth--;
                p->error = WFERR_UNMARSHALLABLE;
                return;
            }
            if (p->version >= 3 &&  PyUnicode_CHECK_INTERNED(v))
                W_TYPE(TYPE_INTERNED, p);
            else
                W_TYPE(TYPE_UNICODE, p);
            w_pstring(PyBytes_AS_STRING(utf8), PyBytes_GET_SIZE(utf8), p);
            Py_DECREF(utf8);
        }
    }
    else if (PyTuple_CheckExact(v)) {
        n = PyTuple_Size(v);
        if (p->version >= 4 && n < 256) {
            W_TYPE(TYPE_SMALL_TUPLE, p);
            w_byte((unsigned char)n, p);
        }
        else {
            W_TYPE(TYPE_TUPLE, p);
            W_SIZE(n, p);
        }
        for (i = 0; i < n; i++) {
            w_object(PyTuple_GET_ITEM(v, i), p);
        }
    }
    else if (PyList_CheckExact(v)) {
        W_TYPE(TYPE_LIST, p);
        n = PyList_GET_SIZE(v);
        W_SIZE(n, p);
        for (i = 0; i < n; i++) {
            w_object(PyList_GET_ITEM(v, i), p);
        }
    }
    else if (PyDict_CheckExact(v)) {
        Py_ssize_t pos;
        PyObject *key, *value;
        W_TYPE(TYPE_DICT, p);
        /* This one is NULL object terminated! */
        pos = 0;
        while (PyDict_Next(v, &pos, &key, &value)) {
            w_object(key, p);
            w_object(value, p);
        }
        w_object((PyObject *)NULL, p);
    }
    else if (PyAnySet_CheckExact(v)) {
        PyObject *value, *it;

        if (PyObject_TypeCheck(v, &PySet_Type))
            W_TYPE(TYPE_SET, p);
        else
            W_TYPE(TYPE_FROZENSET, p);
        n = PyObject_Size(v);
        if (n == -1) {
            p->depth--;
            p->error = WFERR_UNMARSHALLABLE;
            return;
        }
        W_SIZE(n, p);
        it = PyObject_GetIter(v);
        if (it == NULL) {
            p->depth--;
            p->error = WFERR_UNMARSHALLABLE;
            return;
        }
        while ((value = PyIter_Next(it)) != NULL) {
            w_object(value, p);
            Py_DECREF(value);
        }
        Py_DECREF(it);
        if (PyErr_Occurred()) {
            p->depth--;
            p->error = WFERR_UNMARSHALLABLE;
            return;
        }
    }
    else if (PyCode_Check(v)) {
        PyCodeObject *co = (PyCodeObject *)v;
        W_TYPE(TYPE_CODE, p);
        w_long(co->co_argcount, p);
        w_long(co->co_kwonlyargcount, p);
        w_long(co->co_nlocals, p);
        w_long(co->co_stacksize, p);
        w_long(co->co_flags, p);
        w_object(co->co_code, p);
        w_object(co->co_consts, p);
        w_object(co->co_names, p);
        w_object(co->co_varnames, p);
        w_object(co->co_freevars, p);
        w_object(co->co_cellvars, p);
        w_object(co->co_filename, p);
        w_object(co->co_name, p);
        w_long(co->co_firstlineno, p);
        w_object(co->co_lnotab, p);
    }
    else if (PyObject_CheckBuffer(v)) {
        /* Write unknown bytes-like objects as a bytes object */
        Py_buffer view;
        if (PyObject_GetBuffer(v, &view, PyBUF_SIMPLE) != 0) {
            w_byte(TYPE_UNKNOWN, p);
            p->depth--;
            p->error = WFERR_UNMARSHALLABLE;
            return;
        }
        W_TYPE(TYPE_STRING, p);
        w_pstring(view.buf, view.len, p);
        PyBuffer_Release(&view);
    }
    else {
        W_TYPE(TYPE_UNKNOWN, p);
        p->error = WFERR_UNMARSHALLABLE;
    }
}

通过这个核心函数，能够得知对象中哪些成员将会写入pyc文件。

Opcode（3.7.9）

在opcode.h中定义

版本越高，会出现更多的新opcode。后面再跟进。

#define POP_TOP                   1
#define ROT_TWO                   2
#define ROT_THREE                 3
#define DUP_TOP                   4
#define DUP_TOP_TWO               5
#define NOP                       9
#define UNARY_POSITIVE           10
#define UNARY_NEGATIVE           11
#define UNARY_NOT                12
#define UNARY_INVERT             15
#define BINARY_MATRIX_MULTIPLY   16
#define INPLACE_MATRIX_MULTIPLY  17
#define BINARY_POWER             19
#define BINARY_MULTIPLY          20
#define BINARY_MODULO            22
#define BINARY_ADD               23
#define BINARY_SUBTRACT          24
#define BINARY_SUBSCR            25
#define BINARY_FLOOR_DIVIDE      26
#define BINARY_TRUE_DIVIDE       27
#define INPLACE_FLOOR_DIVIDE     28
#define INPLACE_TRUE_DIVIDE      29
#define GET_AITER                50
#define GET_ANEXT                51
#define BEFORE_ASYNC_WITH        52
#define INPLACE_ADD              55
#define INPLACE_SUBTRACT         56
#define INPLACE_MULTIPLY         57
#define INPLACE_MODULO           59
#define STORE_SUBSCR             60
#define DELETE_SUBSCR            61
#define BINARY_LSHIFT            62
#define BINARY_RSHIFT            63
#define BINARY_AND               64
#define BINARY_XOR               65
#define BINARY_OR                66
#define INPLACE_POWER            67
#define GET_ITER                 68
#define GET_YIELD_FROM_ITER      69
#define PRINT_EXPR               70
#define LOAD_BUILD_CLASS         71
#define YIELD_FROM               72
#define GET_AWAITABLE            73
#define INPLACE_LSHIFT           75
#define INPLACE_RSHIFT           76
#define INPLACE_AND              77
#define INPLACE_XOR              78
#define INPLACE_OR               79
#define BREAK_LOOP               80
#define WITH_CLEANUP_START       81
#define WITH_CLEANUP_FINISH      82
#define RETURN_VALUE             83
#define IMPORT_STAR              84
#define SETUP_ANNOTATIONS        85
#define YIELD_VALUE              86
#define POP_BLOCK                87
#define END_FINALLY              88
#define POP_EXCEPT               89
#define HAVE_ARGUMENT            90
#define STORE_NAME               90
#define DELETE_NAME              91
#define UNPACK_SEQUENCE          92
#define FOR_ITER                 93
#define UNPACK_EX                94
#define STORE_ATTR               95
#define DELETE_ATTR              96
#define STORE_GLOBAL             97
#define DELETE_GLOBAL            98
#define LOAD_CONST              100
#define LOAD_NAME               101
#define BUILD_TUPLE             102
#define BUILD_LIST              103
#define BUILD_SET               104
#define BUILD_MAP               105
#define LOAD_ATTR               106
#define COMPARE_OP              107
#define IMPORT_NAME             108
#define IMPORT_FROM             109
#define JUMP_FORWARD            110
#define JUMP_IF_FALSE_OR_POP    111
#define JUMP_IF_TRUE_OR_POP     112
#define JUMP_ABSOLUTE           113
#define POP_JUMP_IF_FALSE       114
#define POP_JUMP_IF_TRUE        115
#define LOAD_GLOBAL             116
#define CONTINUE_LOOP           119
#define SETUP_LOOP              120
#define SETUP_EXCEPT            121
#define SETUP_FINALLY           122
#define LOAD_FAST               124
#define STORE_FAST              125
#define DELETE_FAST             126
#define RAISE_VARARGS           130
#define CALL_FUNCTION           131
#define MAKE_FUNCTION           132
#define BUILD_SLICE             133
#define LOAD_CLOSURE            135
#define LOAD_DEREF              136
#define STORE_DEREF             137
#define DELETE_DEREF            138
#define CALL_FUNCTION_KW        141
#define CALL_FUNCTION_EX        142
#define SETUP_WITH              143
#define EXTENDED_ARG            144
#define LIST_APPEND             145
#define SET_ADD                 146
#define MAP_ADD                 147
#define LOAD_CLASSDEREF         148
#define BUILD_LIST_UNPACK       149
#define BUILD_MAP_UNPACK        150
#define BUILD_MAP_UNPACK_WITH_CALL 151
#define BUILD_TUPLE_UNPACK      152
#define BUILD_SET_UNPACK        153
#define SETUP_ASYNC_WITH        154
#define FORMAT_VALUE            155
#define BUILD_CONST_KEY_MAP     156
#define BUILD_STRING            157
#define BUILD_TUPLE_UNPACK_WITH_CALL 158
#define LOAD_METHOD             160
#define CALL_METHOD             161

TYPE宏

在marshal.c中定义。这些宏在编译生成pyc文件的时候会用上，用于记录每种对象的类型。占用一个字节。

#define TYPE_NULL               '0'
#define TYPE_NONE               'N'
#define TYPE_FALSE              'F'
#define TYPE_TRUE               'T'
#define TYPE_STOPITER           'S'
#define TYPE_ELLIPSIS           '.'
#define TYPE_INT                'i'
/* TYPE_INT64 is not generated anymore.
   Supported for backward compatibility only. */
#define TYPE_INT64              'I'
#define TYPE_FLOAT              'f'
#define TYPE_BINARY_FLOAT       'g'
#define TYPE_COMPLEX            'x'
#define TYPE_BINARY_COMPLEX     'y'
#define TYPE_LONG               'l'
#define TYPE_STRING             's'
#define TYPE_INTERNED           't'
#define TYPE_REF                'r'
#define TYPE_TUPLE              '('
#define TYPE_LIST               '['
#define TYPE_DICT               '{'
#define TYPE_CODE               'c'
#define TYPE_UNICODE            'u'
#define TYPE_UNKNOWN            '?'
#define TYPE_SET                '<'
#define TYPE_FROZENSET          '>'
#define FLAG_REF                '\x80' /* with a type, add obj to index */

#define TYPE_ASCII              'a'
#define TYPE_ASCII_INTERNED     'A'
#define TYPE_SMALL_TUPLE        ')'
#define TYPE_SHORT_ASCII        'z'
#define TYPE_SHORT_ASCII_INTERNED 'Z'

Pyc文件结构

魔数，对应相应python版本
修改时间
文件大小
PyCodeObject字节码

但这是老早以前的分析文章得出的结论了。

下面准备找几个例子，从不同版本进行分析。

示例

# test.py
s = "Hello"

def func(a, b=3, *args):
	c = 114514
	print(a, b)
	print(args)

使用代码

1	python3 -m py_compile .\test.py

进行编译。

再使用pydisasm反汇编。

3.7.9分析（x64解释器）

给出编译后字节码：

b'B\r\r\n\x00\x00\x00\x00I\xa6\x04b[\x00\x00\x00\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00@\x00\x00\x00s\x12\x00\x00\x00d\x00Z\x00d\x05d\x02d\x03\x84\x01Z\x01d\x04S\x00)\x06Z\x05Hello\xe9\x03\x00\x00\x00c\x02\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x03\x00\x00\x00G\x00\x00\x00s\x1a\x00\x00\x00d\x01}\x03t\x00|\x00|\x01\x83\x02\x01\x00t\x00|\x02\x83\x01\x01\x00d\x00S\x00)\x02NiR\xbf\x01\x00)\x01\xda\x05print)\x04\xda\x01a\xda\x01b\xda\x04args\xda\x01c\xa9\x00r\x07\x00\x00\x00\xfa\t.\\test.py\xda\x04func\x04\x00\x00\x00s\x06\x00\x00\x00\x00\x01\x04\x01\n\x01r\t\x00\x00\x00N)\x01r\x01\x00\x00\x00)\x02\xda\x01sr\t\x00\x00\x00r\x07\x00\x00\x00r\x07\x00\x00\x00r\x07\x00\x00\x00r\x08\x00\x00\x00\xda\x08<module>\x02\x00\x00\x00s\x02\x00\x00\x00\x04\x02'

根据https://nowave.it/python-bytecode-analysis-1.html所述，一般pyc3.7结构体如下

结构


魔数	0-3
位域	4-7
时间戳	8-11
文件大小	12-15
Marshalled code object	16-

魔数

前4字节是

420D0D0A

0D0A似乎不用管，420D是小端序，实际上是0x0D42，即十进制的3394。根据pydisasm得到的信息，3394对应3.7版本。

1	# Python bytecode 3.7 (3394)

由此可以发现小版本是无法得知的，只能知道大版本是python37。

在解释其中得知魔数：

1 2	import importlib importlib.util.MAGIC_NUMBER.hex()

https://github.com/google/pytype/blob/main/pytype/pyc/magic.py

这个google的脚本给出了到现在所有的的python魔数。

# These constants are from Python-3.x.x/Lib/importlib/_bootstrap_external.py
PYTHON_MAGIC = {
    # Python 1
    20121: (1, 5),
    50428: (1, 6),

    # Python 2
    50823: (2, 0),
    60202: (2, 1),
    60717: (2, 2),
    62011: (2, 3),  # a0
    62021: (2, 3),  # a0
    62041: (2, 4),  # a0
    62051: (2, 4),  # a3
    62061: (2, 4),  # b1
    62071: (2, 5),  # a0
    62081: (2, 5),  # a0
    62091: (2, 5),  # a0
    62092: (2, 5),  # a0
    62101: (2, 5),  # b3
    62111: (2, 5),  # b3
    62121: (2, 5),  # c1
    62131: (2, 5),  # c2
    62151: (2, 6),  # a0
    62161: (2, 6),  # a1
    62171: (2, 7),  # a0
    62181: (2, 7),  # a0
    62191: (2, 7),  # a0
    62201: (2, 7),  # a0
    62211: (2, 7),  # a0

    # Python 3
    3000: (3, 0),
    3010: (3, 0),
    3020: (3, 0),
    3030: (3, 0),
    3040: (3, 0),
    3050: (3, 0),
    3060: (3, 0),
    3061: (3, 0),
    3071: (3, 0),
    3081: (3, 0),
    3091: (3, 0),
    3101: (3, 0),
    3103: (3, 0),
    3111: (3, 0),  # a4
    3131: (3, 0),  # a5

    # Python 3.1
    3141: (3, 1),  # a0
    3151: (3, 1),  # a0

    # Python 3.2
    3160: (3, 2),  # a0
    3170: (3, 2),  # a1
    3180: (3, 2),  # a2

    # Python 3.3
    3190: (3, 3),  # a0
    3200: (3, 3),  # a0
    3220: (3, 3),  # a1
    3230: (3, 3),  # a4

    # Python 3.4
    3250: (3, 4),  # a1
    3260: (3, 4),  # a1
    3270: (3, 4),  # a1
    3280: (3, 4),  # a1
    3290: (3, 4),  # a4
    3300: (3, 4),  # a4
    3310: (3, 4),  # rc2

    # Python 3.5
    3320: (3, 5),  # a0
    3330: (3, 5),  # b1
    3340: (3, 5),  # b2
    3350: (3, 5),  # b2
    3351: (3, 5),  # 3.5.2

    # Python 3.6
    3360: (3, 6),  # a0
    3361: (3, 6),  # a0
    3370: (3, 6),  # a1
    3371: (3, 6),  # a1
    3372: (3, 6),  # a1
    3373: (3, 6),  # b1
    3375: (3, 6),  # b1
    3376: (3, 6),  # b1
    3377: (3, 6),  # b1
    3378: (3, 6),  # b2
    3379: (3, 6),  # rc1

    # Python 3.7
    3390: (3, 7),  # a1
    3391: (3, 7),  # a2
    3392: (3, 7),  # a4
    3393: (3, 7),  # b1
    3394: (3, 7),  # b5

    # Python 3.8
    3400: (3, 8),  # a1
    3401: (3, 8),  # a1
    3410: (3, 8),  # a1
    3411: (3, 8),  # b2
    3412: (3, 8),  # b2
    3413: (3, 8),  # b4

    # Python 3.9
    3420: (3, 9),  # a0
    3421: (3, 9),  # a0
    3422: (3, 9),  # a0
    3423: (3, 9),  # a2
    3424: (3, 9),  # a2
    3425: (3, 9),  # a2

    # Python 3.10
    3430: (3, 10),  # a1
    3431: (3, 10),  # a1
    3432: (3, 10),  # a2
    3433: (3, 10),  # a2
    3434: (3, 10),  # a6
    3435: (3, 10),  # a7
    3436: (3, 10),  # b1
    3437: (3, 10),  # b1
    3438: (3, 10),  # b1
    3439: (3, 10),  # b1
}

位域

00000000

https://www.python.org/dev/peps/pep-0552/

python37及以下的位域似乎一直保持是0。以后可能会用上。

时间戳

4字节

49A60462

小端序，实际上是0x6204A649，即十进制的1644471881，这个是秒数。使用

1 2	import time time.localtime(1644471881)

可以得到具体的年月日时分秒。

pydisasm信息

1	# Timestamp in code: 1644471881 (2022-02-10 13:44:41)

源码大小

1	5B00000000

小端序，即0x5B，91字节大小。

是源码文件大小，不是编译后大小!

pydisasm信息

1	# Source code size mod 2**32: 91 bytes

PyCodeObject

剩下的就是Marshalled Code Object了。使用以下代码加载。

import marshal
import dis

f = open("xxx.pyc", "rb")
magic = f.read(4)
bitfield = f.read(4)
timestamp = f.read(4)
filesize = f.read(4)

fobj = marshal.load(f)

有意思的是，即使一个py文件里面其实有各种各样的PyObject，比如数组，字符串，函数等，但是在序列化的时候，这整个文件（也就是一个默认模块）都会被序列化成一个PyCodeObject，也就是代码对象。

尝试着打印一下这个对象的一些数据。

看一下Code Object里面写了啥。

else if (PyCode_Check(v)) {
    PyCodeObject *co = (PyCodeObject *)v;
    W_TYPE(TYPE_CODE, p);	// 单字节，'c'
    w_long(co->co_argcount, p);	// 4
    w_long(co->co_kwonlyargcount, p); // 4
    w_long(co->co_nlocals, p); // 4
    w_long(co->co_stacksize, p); // 4
    w_long(co->co_flags, p); // 4
    w_object(co->co_code, p); // 
    w_object(co->co_consts, p); // 
    w_object(co->co_names, p); // 
    w_object(co->co_varnames, p); // 
    w_object(co->co_freevars, p); // 
    w_object(co->co_cellvars, p); // 
    w_object(co->co_filename, p); // 
    w_object(co->co_name, p); // 
    w_long(co->co_firstlineno, p); // 4
    w_object(co->co_lnotab, p); // 
}

然后看一下二进制文件：

（通过分析pycdas反汇编器的逻辑来得到具体结构体，后面补充会谈）

42 0d 0d 0a 	// 版本魔数
00 00 00 00 	// 位域（暂时没用）
49 a6 04 62 	// 时间戳
5b 00 00 00		// 文件大小

// ===============主PyCodeObject===================

e3 				// TYPE_CODE | FLAG_REF 0
00 00 00 00 	// co_argcount
00 00 00 00 	// co_kwonlyargcount
00 00 00 00 	// co_nlocals
03 00 00 00 	// co_stacksize
40 00 00 00 	// co_flags（CO_NOFREE）

// co_code(作为TYPE_STRING存在)
73              // TYPE_STRING，字符串对象（其实通常是字节码对象）
12 00 00 00 	// 长度12
64 00 5a 00 64 05 64 02 64 03 84 01 5a 01 64 04 53 00 

// co_consts
29			   // TYPE_SMALLTUPLE，PyTupleObject : PySequenceObject
06			   // size
	// value[0]
	5a			   // TYPE_SHORT_ASCII_INTERNED = 'Z',
	05			   // length
	48 65 6c 6c 6f 
	// value[1]
	e9 			   // TYPE_INT'i' | FLAG_REF 1
	03 00 00 00     // 4字节int
	// value[2]
	63			   // TYPE_CODE
	02 00 00 00	    // co_argcount
	00 00 00 00     // co_kwonlyargcount
	04 00 00 00     // co_nlocals
	03 00 00 00     // co_stacksize
	47 00 00 00     // co_flags (NOFREE | VARARGS | NEWLOCALS | OPTIMIZED)
        // co_code
        73              // TYPE_STRING
        1a 00 00 00     // 长度
        64 01 7d 03 74 00 7c 00 7c 01 83 02 01 00 74 00 7c 02 83 01 01 00 64 00 53 00 
        // co_consts
        29			   // TYPE_SMALLTUPLE
        02			   // size
        	// value[0]
   		    4e		   // TYPE_NONE = 'N',
   		    // value[1]
   		    69		   // TYPE_INT
   		    52 bf 01 00 // 114514
        // co_names
        29              // TYPE_SMALLTUPLE
        01              // size
        	da              // TYPE_SHORT_ASCII_INTERNED | FLAG_REF 2
        	05              // length
        	70 72 69 6e 74 // 'print'
        	
        // co_varnames
        29              // TYPE_SMALLTUPLE
        04              // size 
        	// value[0]
        	da              // TYPE_SHORT_ASCII_INTERNED | FLAG_REF  3
        	01              // length 
        	61              // 'a' 
        	// value[1]
        	da              // TYPE_SHORT_ASCII_INTERNED | FLAG_REF  4
        	01              // length 
        	62              // 'b'
        	// value[2]
        	da              // TYPE_SHORT_ASCII_INTERNED | FLAG_REF  5
        	04              // length 
        	61 72 67 73	    // 'args'
        	// value[3]
        	da              // TYPE_SHORT_ASCII_INTERNED | FLAG_REF  6
        	01              // length 
        	63              // 'c'
        // co_freevars
        a9              // TYPE_SMALLTUPLE | FLAG_REF 	7
        00 
        // co_cellvars
        72              // TYPE_OBREF = 'r',
        07 00 00 00 	// 指向上面的co_freevars，是空的。
        // co_filename
        fa              // TYPE_SHORT_ASCII | FLAG_REF 8
        09 
        2e 5c 74 65 73 74 2e 70 79 	// r".\test.py"
        // co_name
        da              // TYPE_SHORT_ASCII_INTERNED | FLAG_REF 9
        04              // length 
        66 75 6e 63     // "func"
        // co_firstlineno
        04 00 00 00     // 4
        // co_lnotab
        73              // TYPE_STRING 
        06 00 00 00 
        00 01 04 01 0a 01 
	// value[3] -> "func"
	72 			   // TYPE_OBREF = 'r'
	09 00 00 00     // index
	// value[4]
	4e 			   // TYPE_NONE = 'N'
	// value[5]
	29 			   // TYPE_SMALLTUPLE
	01 			   // size
	    // value[0] -> 3
        72	       // TYPE_OBREF = 'r'
        01 00 00 00 	// index
// co_names
29         // TYPE_SMALLTUPLE
02         // size 
    // value[0]
    da    // TYPE_SHORT_ASCII_INTERNED | FLAG_REF 10 
    01    // length
    73    // 's'
    // value[1] -> "func"
    72 			   // TYPE_OBREF = 'r' 
    09 00 00 00     // index = 9 
// co_varnames
72 			       // TYPE_OBREF = 'r'
07 00 00 00         // index
// co_freevars -> None
72 			       // TYPE_OBREF = 'r' 
07 00 00 00         // index 
// co_cellvars -> None
72 			       // TYPE_OBREF = 'r' 
07 00 00 00         // index 
// co_filename -> r".\test.py"
72 			       // TYPE_OBREF = 'r'
08 00 00 00         // index 
// co_name
da              // TYPE_SHORT_ASCII_INTERNED | FLAG_REF  
08              // length
3c 6d 6f 64 75 6c 65 3e // "<module>"
// co_firstlineno
02 00 00 00
// co_lnotab
73              // TYPE_STRING 
02 00 00 00 
04 02

其中部分相关的代码

// marshal.c

#if SIZEOF_SIZE_T > 4
# define W_SIZE(n, p)  do {                     \
        if ((n) > SIZE32_MAX) {                 \
            (p)->depth--;                       \
            (p)->error = WFERR_UNMARSHALLABLE;  \
            return;                             \
        }                                       \
        w_long((long)(n), p);                   \
    } while(0)
#else
# define W_SIZE  w_long
#endif

static void
w_pstring(const char *s, Py_ssize_t n, WFILE *p)
{
        W_SIZE(n, p);	// 4字节
        w_string(s, n, p);
}
// ...
else if (PyBytes_CheckExact(v)) {
    W_TYPE(TYPE_STRING, p);
    w_pstring(PyBytes_AS_STRING(v), PyBytes_GET_SIZE(v), p);
}
// ...

由于分析marshal.c代码和py_compile.py有些复杂，所以最后选择直接分析pycdc反汇编工具的源码。在后面补充部分谈到了。

二进制文件已经被我手动排版了。网上的几个反汇编工具和python原生的pydisasm都能完美的反汇编，但是和二进制文件的对应关系还不是很清晰。

补充

学习了一下pycdc的思路。

https://github.com/zrax/pycdc

其中的pycdas是反汇编器。

pyc文件结构

void PycModule::loadFromFile(const char* filename)
{
    PycFile in(filename);
    if (!in.isOpen()) {
        fprintf(stderr, "Error opening file %s\n", filename);
        return;
    }
    setVersion(in.get32()); // 读取4字节
    if (!isValid()) {
        fputs("Bad MAGIC!\n", stderr);
        return;
    }

    int flags = 0;  // 位域
    if (verCompare(3, 7) >= 0)
        flags = in.get32();

    if (flags & 0x1) {
        // Optional checksum added in Python 3.7
        in.get32();
        in.get32();
    } else {    // 4字节
        in.get32(); // Timestamp -- who cares?

        if (verCompare(3, 3) >= 0)
            in.get32(); // Size parameter added in Python 3.3
    }

    m_code = LoadObject(&in, this).require_cast<PycCode>();
}

由此可以看出：

位域是python3.7往上出现的
如果位域第一位为1，则会多4个字节的checksum
文件大小在python3.3以上添加。

关于魔数0xE3

PycRef<PycObject> LoadObject(PycData* stream, PycModule* mod)
{
    int type = stream->getByte();
    puts("type:");
    PycRef<PycObject> obj;

    if (type == PycObject::TYPE_OBREF) {
        int index = stream->get32();
        obj = mod->getRef(index);
    } else {
        obj = CreateObject(type & 0x7F);
        if (obj != NULL) {
            if (type & 0x80)
                mod->refObject(obj);
            obj->load(stream, mod);
        }
    }

    return obj;
}

0xE3和0x7F相与得到0x63，即’c’，是TYPE_CODE

同时0xE3 == 0x80 | 0x63，所以还有FLAG_REF

于是便会mod->refObject(obj);

1	void refObject(PycRef<PycObject> str) { m_refs.push_back(str); }

PyCodeObject结构

上文调用了obj->load(stream, mod);即这个函数。

void PycCode::load(PycData* stream, PycModule* mod)
{
    // 低版本不看了
    if (mod->verCompare(1, 3) >= 0 && mod->verCompare(2, 3) < 0)
        m_argCount = stream->get16();
    else if (mod->verCompare(2, 3) >= 0)	// 
        m_argCount = stream->get32();	// 4字节的co_argcounnt

    // 3.8以上新增co_posonlyargcount
    if (mod->verCompare(3, 8) >= 0)
        m_posOnlyArgCount = stream->get32();
    else
        m_posOnlyArgCount = 0;

    // co_kwOnlyArgCount
    if (mod->majorVer() >= 3)
        m_kwOnlyArgCount = stream->get32();
    else
        m_kwOnlyArgCount = 0;

    if (mod->verCompare(1, 3) >= 0 && mod->verCompare(2, 3) < 0)
        m_numLocals = stream->get16();
    else if (mod->verCompare(2, 3) >= 0)
        m_numLocals = stream->get32();	// co_nlocals
    else
        m_numLocals = 0;

    if (mod->verCompare(1, 5) >= 0 && mod->verCompare(2, 3) < 0)
        m_stackSize = stream->get16();
    else if (mod->verCompare(2, 3) >= 0)
        m_stackSize = stream->get32();	// co_stacksize
    else
        m_stackSize = 0;

    if (mod->verCompare(1, 3) >= 0 && mod->verCompare(2, 3) < 0)
        m_flags = stream->get16();
    else if (mod->verCompare(2, 3) >= 0)
        m_flags = stream->get32();		// co_flags
    else
        m_flags = 0;

    m_code = LoadObject(stream, mod).require_cast<PycString>();	// code, String
    m_consts = LoadObject(stream, mod).require_cast<PycSequence>();	// consts, Sequence
    m_names = LoadObject(stream, mod).require_cast<PycSequence>();	// names, Sequence

    if (mod->verCompare(1, 3) >= 0)
        m_varNames = LoadObject(stream, mod).require_cast<PycSequence>();	// co_varnames
    else
        m_varNames = new PycTuple;

    if (mod->verCompare(2, 1) >= 0)
        m_freeVars = LoadObject(stream, mod).require_cast<PycSequence>();	// co_freevars
    else
        m_freeVars = new PycTuple;

    if (mod->verCompare(2, 1) >= 0)
        m_cellVars = LoadObject(stream, mod).require_cast<PycSequence>();	// co_cellvars
    else
        m_cellVars = new PycTuple;

    m_fileName = LoadObject(stream, mod).require_cast<PycString>();	// co_filename, String
    m_name = LoadObject(stream, mod).require_cast<PycString>();	// co_name

    if (mod->verCompare(1, 5) >= 0 && mod->verCompare(2, 3) < 0)
        m_firstLine = stream->get16();
    else if (mod->verCompare(2, 3) >= 0)
        m_firstLine = stream->get32();	// co_firstlineno

    if (mod->verCompare(1, 5) >= 0)
        m_lnTable = LoadObject(stream, mod).require_cast<PycString>();	// co_lnotab
    else
        m_lnTable = new PycString;
}

成员	大小	注意
co_argcounnt	4
co_posonlyargcount	4	>=3.8
co_kwonlyargcount	4
co_nlocals	4
co_stacksize	4
co_flags	4

co_code	String
co_consts	Sequence
co_names	Sequence

co_varnames	Sequence
co_freevars	Sequence
co_cellvars	(obref)Sequence	示例中是TYPE_OBREF，应该是一个对Sequence的引用，类似指针
co_filename	String
co_name	String

co_firstlineno	4
co_lnotab	String

注意：

co_code也作为TYPE_STRING类型存在，因为本质上属于是字节码。

PyStringObject结构

先给出pycdas的源码

/* PycString */
void PycString::load(PycData* stream, PycModule* mod)
{
    if (type() == TYPE_STRINGREF) {
        PycRef<PycString> str = mod->getIntern(stream->get32());
        m_value.resize(str->length());

        if (str->length())
            std::char_traits<char>::copy(&m_value.front(), str->value(), str->length());
    } else {
        int length;
        if (type() == TYPE_SHORT_ASCII || type() == TYPE_SHORT_ASCII_INTERNED)
            length = stream->getByte();
        else
            length = stream->get32();	// TYPE_STRING, 4字节

        if (length < 0)
            throw std::bad_alloc();

        m_value.resize(length);
        if (length) {
            stream->getBuffer(length, &m_value.front());
            if (type() == TYPE_ASCII || type() == TYPE_ASCII_INTERNED ||
                    type() == TYPE_SHORT_ASCII || type() == TYPE_SHORT_ASCII_INTERNED)
                ascii_to_utf8(&m_value);
        }

        if (type() == TYPE_INTERNED || type() == TYPE_ASCII_INTERNED ||
                type() == TYPE_SHORT_ASCII_INTERNED)
            mod->intern(this);
    }
}

TYPE_STRING

's'

通常用于字节码对象

	大小
TYPE_STRING(‘s’)	1
length	4
buffer	length（或者length*2，取决于是不是utf8，通过&0x80判断）

TYPE_SHORT_ASCII_INTERNED

'Z'


TYPE_SHORT_ASCII_INTERNED(‘Z’)
length	1
buffer	length or length*2(utf8)

TYPE_SHORT_ASCII


TYPE_SHORT_ASCII(‘z’)	1
length	1
buffer	length or length*2(utf8)

PyTupleObject（Small Tuple）

/* PycTuple */
void PycTuple::load(PycData* stream, PycModule* mod)
{
    if (type() == TYPE_SMALL_TUPLE)
        m_size = stream->getByte();	// 1
    else
        m_size = stream->get32();

    m_values.resize(m_size);
    for (int i=0; i<m_size; i++)
        m_values[i] = LoadObject(stream, mod);
}


TYPE_SMALL_TUPLE(‘)’)
size	1	Small Tuple，所以是1
values[]	序列内每个对象的大小之和

PyIntObject

32位

/* PycInt */
void PycInt::load(PycData* stream, PycModule*)
{
    m_value = stream->get32();
}

TYPE_OBREF

PycRef<PycObject> LoadObject(PycData* stream, PycModule* mod)
{
    int type = stream->getByte();
    puts("type:");
    PycRef<PycObject> obj;

    if (type == PycObject::TYPE_OBREF) {
        int index = stream->get32();
        obj = mod->getRef(index);
    } else {
        // ....
    }


TYPE_OBREF(‘r’)	1
index	4

上面有FLAG_REF标识的对象都会在PycModule对象下的m_ref列表中留下引用。

1	void refObject(PycRef<PycObject> str) { m_refs.push_back(str); }

PycRef<PycObject> PycModule::getRef(int ref) const
{
    if (ref < 0)
        throw std::out_of_range("Ref index out of range");

    auto it = m_refs.cbegin();
    while (ref-- && it != m_refs.cend())
        ++it;
    if (it == m_refs.cend())
        throw std::out_of_range("Ref index out of range");
    return *it;
}

getRef函数则会通过索引来取出对象引用。

总结

这个博客是便分析便写的，所以中途遭遇了不少挫折，尤其是一个字节一个字节分析二进制文件的时候，对于每个字节意思的理解。最后正向看python编译源码的路子还是失败了，选择了走别人的老路——也就是看pycdc反汇编器的代码。

下一个博客，开始谈谈python汇编指令。

参考

Python 中的代码对象 code object 与 code 属性_团子大圆帅的博客-CSDN博客___code__

https://nowave.it/python-bytecode-analysis-1.html

https://www.cnblogs.com/lanzhi/p/6468567.html

https://github.com/zrax/pycdc

本文作者： Taardis
本文链接： https://taardisaa.github.io/2022/02/09/Pyc Reverse 1/
版权声明： 本博客所有文章除特别声明外，均采用 Apache License 2.0 许可协议。转载请注明出处！

Pyc字节码分析 1

测试环境

总览

PyCodeObject

3.7.9

3.8.10

3.9.10

3.10.2

参数解释

co_argcount

co_kwonlyargcount

co_nlocals

co_stacksize

co_flags

co_firstlineno

co_code

co_constants

co_names

co_varnames

co_freevars

co_cellvars

co_filename

co_name

co_lnotab

co_posonlyargcount（3.8及以上）

序列化（python3.7.9）

Opcode（3.7.9）

TYPE宏

Pyc文件结构

示例

3.7.9分析（x64解释器）

结构

魔数

位域

时间戳

源码大小

PyCodeObject

补充

pyc文件结构

关于魔数0xE3

PyCodeObject结构

PyStringObject结构

TYPE_STRING

TYPE_SHORT_ASCII_INTERNED

TYPE_SHORT_ASCII

PyTupleObject（Small Tuple）

PyIntObject

TYPE_OBREF

总结

参考

`co_argcount`

`co_kwonlyargcount`

`co_nlocals`

`co_stacksize`

`co_flags`

`co_firstlineno`

`co_code`

`co_constants`

`co_names`

`co_varnames`

`co_freevars`

`co_cellvars`

`co_filename`

`co_name`

`co_lnotab`

`co_posonlyargcount`（3.8及以上）