Python逆向工程全面指南<\/h1>

Python运行原理与逆向基础<\/h2>

Python执行机制<\/h3>

Python是解释型语言，执行过程分为：<\/p>

将源代码编译为字节码（.pyc文件）<\/li>

字节码在Python虚拟机(PVM)中执行<\/li> <\/ol>

关键点：<\/p>

import语句会触发.pyc文件生成<\/li>
直接运行的代码通常不生成.pyc<\/li>

同时存在.py和.pyc时，优先使用.pyc（除非.py更新）<\/li> <\/ul>

Python分发文件类型<\/h3>

.pyc<\/strong>：字节码文件<\/p>

结构：Magic Number(4B) + 时间戳(4B) + PyCodeObject序列化数据<\/li>
不同Python版本的头部结构不同<\/li>
可通过py_compile<\/code>模块手动生成<\/li> <\/ul> <\/li>
.pyo<\/strong>：优化后的字节码（Python 3.5+已废弃）<\/p> <\/li>
.pyd<\/strong>：Windows动态链接库<\/p> 包含Python模块的二进制扩展<\/li> 通过Cython或C\/C++编译生成<\/li> <\/ul> <\/li> .pyz<\/strong>：可执行Python ZIP存档<\/p> 包含压缩的Python模块<\/li> <\/ul> <\/li> <\/ol> PyCodeObject结构分析<\/h2> typedef<\/span> struct<\/span> { <\/span><\/span> PyObject_HEAD <\/span><\/span> int<\/span> co_argcount; \/\/ 位置参数个数 <\/span><\/span><\/span><\/span> int<\/span> co_nlocals; \/\/ 局部变量个数 <\/span><\/span><\/span><\/span> int<\/span> co_stacksize; \/\/ 栈大小 <\/span><\/span><\/span><\/span> int<\/span> co_flags; <\/span><\/span> PyObject *<\/span>co_code; \/\/ 字节码指令序列 <\/span><\/span><\/span><\/span> PyObject *<\/span>co_consts; \/\/ 常量集合 <\/span><\/span><\/span><\/span> PyObject *<\/span>co_names; \/\/ 符号名称集合 <\/span><\/span><\/span><\/span> PyObject *<\/span>co_varnames; \/\/ 局部变量名称 <\/span><\/span><\/span><\/span> PyObject *<\/span>co_freevars; \/\/ 闭包变量名 <\/span><\/span><\/span><\/span> PyObject *<\/span>co_cellvars; \/\/ 嵌套函数引用变量 <\/span><\/span><\/span><\/span> PyObject *<\/span>co_filename; \/\/ 文件名 <\/span><\/span><\/span><\/span> PyObject *<\/span>co_name; \/\/ 模块\/函数\/类名 <\/span><\/span><\/span><\/span> int<\/span> co_firstlineno; \/\/ 起始行号 <\/span><\/span><\/span><\/span>} PyCodeObject; <\/span><\/span><\/code><\/pre>打包工具逆向分析<\/h2> PyInstaller原理<\/h3> 分析脚本依赖关系<\/li> 收集依赖模块： .pyd文件直接复制<\/li> .py文件编译为.pyc并压缩为ZIP<\/li> <\/ul> <\/li> 制作exe，包含Python解释器和运行时库<\/li> <\/ol> Nuitka原理<\/h3> 将Python代码转换为C代码<\/li> 调用gcc\/MSVC编译为.pyd文件<\/li> <\/ul> 反编译技术与工具<\/h2> 常用反编译工具<\/h3> uncompyle6<\/strong><\/p> 支持Python 1.0-3.8<\/li> 安装：pip install uncompyle6<\/code><\/li> 使用：uncompyle6 -o output.py input.pyc<\/code><\/li> <\/ul> <\/li> pycdc<\/strong><\/p> 支持Python 3.9+<\/li> 编译：cmake CMakeLists.txt && make<\/code><\/li> 使用：.\/pycdc input.pyc<\/code><\/li> <\/ul> <\/li> pyinstxtractor<\/strong><\/p> 解包PyInstaller生成的exe<\/li> 使用：python pyinstxtractor.py target.exe<\/code><\/li> <\/ul> <\/li> pyi-archive_viewer<\/strong><\/p> PyInstaller自带工具<\/li> 查看exe内部结构<\/li> <\/ul> <\/li> <\/ol> 反编译流程<\/h3> 提取.pyc文件<\/li> 补全文件头（Magic Number等）<\/li> 使用工具反编译<\/li> <\/ol> 保护与混淆技术<\/h2> .pyd文件保护<\/h3> 使用Cython编译：<\/p> from<\/span> distutils.core import<\/span> setup <\/span><\/span>from<\/span> Cython.Build import<\/span> cythonize <\/span><\/span>setup(ext_modules=<\/span>cythonize("module.py"<\/span>)) <\/span><\/span><\/code><\/pre><\/li> Visual Studio创建Python扩展模块<\/p> <\/li> <\/ol> 常见混淆方法<\/h3> Oxyry Python Obfuscator<\/strong>：源码混淆<\/li> PyArmor<\/strong>：脚本混淆和绑定<\/li> pyminifier<\/strong>：重命名和常量扰乱<\/li> pyc_obscure<\/strong>：向co_code插入垃圾数据<\/li> <\/ol> 花指令处理<\/h3> 识别JUMP_ABSOLUTE等跳转指令<\/li> 修改co_code长度匹配实际内容<\/li> 示例花指令：710471067102<\/code>（需删除）<\/li> <\/ol> 字节码分析<\/h2> dis模块使用<\/h3> import<\/span> dis <\/span><\/span>import<\/span> marshal <\/span><\/span> <\/span><\/span>with<\/span> open("file.pyc"<\/span>, "rb"<\/span>) as<\/span> f: <\/span><\/span> f.<\/span>seek(8<\/span>) # Python3跳过16字节头<\/span> <\/span><\/span> code =<\/span> marshal.<\/span>load(f) <\/span><\/span> dis.<\/span>dis(code) <\/span><\/span><\/code><\/pre>字节码结构<\/h3> 源码行号 | 指令偏移 | 指令符号 | 指令参数 | 实际参数值 <\/code><\/pre> 实战案例解析<\/h2> [watevrCTF 2019]Repyc<\/h3> 识别VM结构<\/li> 分析opcode： 1: MOV<\/li> 2: READ<\/li> 3: ADD<\/li> 4: MUL<\/li> 7: XOR<\/li> 8: SUB<\/li> <\/ul> <\/li> 解密算法： for<\/span> i in<\/span> range(len(cipher)): <\/span><\/span> flag +=<\/span> chr((ord(cipher[i])+<\/span>15<\/span>)^<\/span>135<\/span>) <\/span><\/span><\/code><\/pre><\/li> <\/ol> [VNCTF2022] BabyMaze<\/h3> 去除花指令（JUMP_ABSOLUTE）<\/li> 修正co_code长度<\/li> 分析迷宫算法<\/li> <\/ol> 虚拟环境搭建<\/h2> virtualenvwrapper-win<\/h3> 安装：pip install virtualenvwrapper-win<\/code><\/li> 创建环境：mkvirtualenv -p python_path env_name<\/code><\/li> 管理命令： workon<\/code>：列出环境<\/li> deactivate<\/code>：退出环境<\/li> rmvirtualenv<\/code>：删除环境<\/li> <\/ul> <\/li> <\/ol> 直接使用virtualenv<\/h3> virtualenv --python=<\/span>python3.8 venv <\/span><\/span>source venv\/bin\/activate # Linux<\/span> <\/span><\/span>venv\S<\/span>cripts\a<\/span>ctivate # Windows<\/span> <\/span><\/span><\/code><\/pre>附录：关键资源<\/h2> Python opcode.h：定义字节码指令<\/li> marshal.c：序列化实现<\/li> import.c：Magic Number定义<\/li> 在线工具：https:\/\/tool.lu\/pyc\/<\/li> <\/ul> 本指南涵盖了Python逆向工程的核心技术，从基础原理到高级技巧，结合实战案例，为安全研究人员提供全面的逆向分析参考。<\/p>