pyc File structure

File format ：

03f3 0d0a magic Express python Version information for , here 03f30d0a yes python2.7 The logo of ;

6206 b160 Time stamp , Compiled time information

63 Blockde The beginning of

after 4 byte 0000 0000 ：argcount Number of parameters

after 4 byte 0000 0000： nlocals Number of local variables

after 4 byte 1b00 0000: stacksize Stack space size

after 4 byte 4000 0000：flags

73: type string

3501 0000 bytes （ The small end model ）

After that is opcode

Reference resources ：PYC File format analysis

  At present, we pay more attention to byte length , Because if you modify its source code , Then the length must change , Therefore, this value should also be modified , And note that it is a small end sequence storage .

Source code mixed dishes ：

It can be decompiled , But decompiled is difficult for people to understand . Well known are AST Grammar tree .

pyc Mixed dishes

For executable pyc, We can use pycdump Tool to dump , Check its bytecode form .

Corresponding pyc The file is kept in pycdump Under the folder , function python dump.py test.py

  This is a direct jump mixed dish ：

The first three jump There is no problem in operation logic , But it will cause decompilation failure Its bytecode is 0x71 0x**

We can insert many such instructions , Arbitrary illegal instructions （ In fact, random data can ）, Then use some JUMP Instructions to skip such illegal instructions , The purpose of making mixed dishes , And does not affect the normal operation of the program .

Treatment method ： We delete these three instructions , And will code_string Reduce the length of 6 Bytes . That's the top

3501 0000 bytes （ The small end model ）, Then save . Final use uncompyle6 Decompile , Analyze .

Overlapping instructions ：

#  example 1 Python Single overlap instruction 
0 JUMP_ABSOLUTE        [71 05 00]     5 
3 PRINT_ITEM           [47 -- --]
4 LOAD_CONST           [64 64 01]     356
7 STOP_CODE            [00 -- --]

#  example 1  Actually implement 
0 JUMP_ABSOLUTE        [71 05 00]     5 
5 LOAD_CONST           [64 01 00]     1

  Here we jump to the third line , But not all the code in the third line is executed , Instead, his operands are regarded as code execution .

uncompyle6 -o total.py .\test.pyc

Reference resources ： 

More bytecode obfuscation techniques  

Simple introduction python Bytecode confusion