010editor pyc template

版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/qq_19683651/article/details/73467334

最近在 CTF 中遇到了需要反编译 pyc 文件的题目,所以写了一个用于解析 pyc 的 010 Editor 模板。暂时先写成这样,供大家参考。

//--------------------------------------
//--- 010 Editor v6.0.2 Binary Template
//
// File:
// Author: qian qian pai huai
// Revision: v1.0.0
// Purpose: Parse a compiled Python (.pyc) file: header plus marshalled code object
//--------------------------------------

// One-byte type tags. PyObject reads one of these first and switches on it to
// decide how the bytes that follow are laid out.
// Which tags are actually parsed is decided by the switch in PyObject; a tag
// with no case there reaches its default branch, which prints the offset and
// stops the template.
typedef enum<uchar>{
    TYPE_NULL               ='0',   // the ASCII character '0', not a NUL byte
    TYPE_NONE               ='N',
    TYPE_FALSE              ='F',
    TYPE_TRUE               ='T',
    TYPE_STOPITER           ='S',
    TYPE_ELLIPSIS           ='.',
    TYPE_INT                ='i',
    TYPE_INT64              ='I',
    TYPE_FLOAT              ='f',
    TYPE_BINARY_FLOAT       ='g',
    TYPE_COMPLEX            ='x',
    TYPE_BINARY_COMPLEX     ='y',
    TYPE_LONG               ='l',
    TYPE_STRING             ='s',
    TYPE_INTERNED           ='t',
    TYPE_STRINGREF          ='R',
    TYPE_TUPLE              ='(',
    TYPE_LIST               ='[',
    TYPE_DICT               ='{',
    TYPE_CODE               ='c',
    TYPE_UNICODE            ='u',
    TYPE_UNKNOWN            ='?',
    TYPE_SET                ='<',
    TYPE_FROZENSET          ='>'
}PY_TYPE;

// Bytecode opcode numbers, one byte each.
// NOTE(review): the names and values (PRINT_ITEM, EXEC_STMT, SLICE_1..3,
// DUP_TOPX, ...) look like the CPython 2.7 opcode table -- confirm against the
// interpreter version that produced the file being analysed, because opcode
// numbering differs between Python versions.
// NOTE(review): no struct visible in this template declares a field of type
// OPCODE; the bytecode string is read as plain bytes through StrType, so this
// enum currently serves as a lookup table only.
typedef enum<uchar>{
    STOP_CODE               =0,
    POP_TOP                 =1,
    ROT_TWO                 =2,
    ROT_THREE               =3,
    DUP_TOP                 =4,
    ROT_FOUR                =5,
    NOP                     =9,
    UNARY_POSITIVE          =10,
    UNARY_NEGATIVE          =11,
    UNARY_NOT               =12,
    UNARY_CONVERT           =13,
    UNARY_INVERT            =15,
    BINARY_POWER            =19,
    BINARY_MULTIPLY         =20,
    BINARY_DIVIDE           =21,
    BINARY_MODULO           =22,
    BINARY_ADD              =23,
    BINARY_SUBTRACT         =24,
    BINARY_SUBSCR           =25,
    BINARY_FLOOR_DIVIDE     =26,
    BINARY_TRUE_DIVIDE      =27,
    INPLACE_FLOOR_DIVIDE    =28,
    INPLACE_TRUE_DIVIDE     =29,
    SLICE                   =30,
    SLICE_1                 =31,
    SLICE_2                 =32,
    SLICE_3                 =33,
    STORE_SLICE             =40,
    STORE_SLICE_1           =41,
    STORE_SLICE_2           =42,
    STORE_SLICE_3           =43,
    DELETE_SLICE            =50,
    DELETE_SLICE_1          =51,
    DELETE_SLICE_2          =52,
    DELETE_SLICE_3          =53,
    STORE_MAP               =54,
    INPLACE_ADD             =55,
    INPLACE_SUBTRACT        =56,
    INPLACE_MULTIPLY        =57,
    INPLACE_DIVIDE          =58,
    INPLACE_MODULO          =59,
    STORE_SUBSCR            =60,
    DELETE_SUBSCR           =61,
    BINARY_LSHIFT           =62,
    BINARY_RSHIFT           =63,
    BINARY_AND              =64,
    BINARY_XOR              =65,
    BINARY_OR               =66,
    INPLACE_POWER           =67,
    GET_ITER                =68,
    PRINT_EXPR              =70,
    PRINT_ITEM              =71,
    PRINT_NEWLINE           =72,
    PRINT_ITEM_TO           =73,
    PRINT_NEWLINE_TO        =74,
    INPLACE_LSHIFT          =75,
    INPLACE_RSHIFT          =76,
    INPLACE_AND             =77,
    INPLACE_XOR             =78,
    INPLACE_OR              =79,
    BREAK_LOOP              =80,
    WITH_CLEANUP            =81,
    LOAD_LOCALS             =82,
    RETURN_VALUE            =83,
    IMPORT_STAR             =84,
    EXEC_STMT               =85,
    YIELD_VALUE             =86,
    POP_BLOCK               =87,
    END_FINALLY             =88,
    BUILD_CLASS             =89,
    // HAVE_ARGUMENT is a threshold, not an instruction: in CPython, opcodes
    // numbered >= this value are followed by a 2-byte argument. It shares the
    // value 90 with STORE_NAME, so a byte of 90 has two names in this enum.
    HAVE_ARGUMENT           =90,
    STORE_NAME              =90,
    DELETE_NAME             =91,
    UNPACK_SEQUENCE         =92,
    FOR_ITER                =93,
    LIST_APPEND             =94,
    STORE_ATTR              =95,
    DELETE_ATTR             =96,
    STORE_GLOBAL            =97,
    DELETE_GLOBAL           =98,
    DUP_TOPX                =99,
    LOAD_CONST              =100,
    LOAD_NAME               =101,
    BUILD_TUPLE             =102,
    BUILD_LIST              =103,
    BUILD_SET               =104,
    BUILD_MAP               =105,
    LOAD_ATTR               =106,
    COMPARE_OP              =107,
    IMPORT_NAME             =108,
    IMPORT_FROM             =109,
    JUMP_FORWARD            =110,
    JUMP_IF_FALSE_OR_POP    =111,
    JUMP_IF_TRUE_OR_POP     =112,
    JUMP_ABSOLUTE           =113,
    POP_JUMP_IF_FALSE       =114,
    POP_JUMP_IF_TRUE        =115,
    LOAD_GLOBAL             =116,
    CONTINUE_LOOP           =119,
    SETUP_LOOP              =120,
    SETUP_EXCEPT            =121,
    SETUP_FINALLY           =122,
    LOAD_FAST               =124,
    STORE_FAST              =125,
    DELETE_FAST             =126,
    RAISE_VARARGS           =130,
    CALL_FUNCTION           =131,
    MAKE_FUNCTION           =132,
    BUILD_SLICE             =133,
    MAKE_CLOSURE            =134,
    LOAD_CLOSURE            =135,
    LOAD_DEREF              =136,
    STORE_DEREF             =137,
    CALL_FUNCTION_VAR       =140,
    CALL_FUNCTION_KW        =141,
    CALL_FUNCTION_VAR_KW    =142,
    SETUP_WITH              =143,
    EXTENDED_ARG            =145,
    SET_ADD                 =146,
    MAP_ADD                 =147
}OPCODE;

// Forward declaration: TupleType and CodeBlock declare PyObject members before
// PyObject itself is defined further down (the types are mutually recursive).
struct PyObject;

// Payload that PyObject declares after a TYPE_INT tag: one `int` read from
// the file.
typedef struct
{
    int number;    // the stored integer value
} IntType;

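// Length-prefixed run of raw bytes: an unsigned length field followed by
// `size` bytes. PyObject uses this layout for TYPE_STRING and TYPE_INTERNED
// payloads; CodeBlock's string-valued members reach it through PyObject.
typedef struct{
    uint size;
    // `size` is taken straight from the file under analysis. A truncated or
    // deliberately malformed .pyc can claim far more bytes than the file
    // holds, so stop with a diagnostic instead of mapping past the end.
    if(size>FileSize()-FTell()){
        Printf("[offset 0x%x] string length %u exceeds remaining file size\n",FTell(),size);
        Exit(-1);
    }
    // One array rather than `size` separate one-byte variables: same bytes,
    // still addressable as command[i], without creating a variable per byte.
    if(size>0){
        char command[size];
    }
}StrType;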

// Payload that PyObject declares after a TYPE_STRINGREF tag: one `uint`.
// In the marshal format this is a back-reference (an index into the interned
// strings already seen), not string data; the template does not resolve it.
typedef struct
{
    uint index;    // index of the referenced interned string
} StrgrefType;

// Empty placeholder: an object with no payload. PyObject's TYPE_NONE case
// declares nothing, so this type is not instantiated by the visible template.
typedef struct
{
} NoneType;



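// Counted sequence of objects: a signed element count followed by that many
// PyObject entries, each parsed recursively.
typedef struct{
    int size;
    // The count is file-controlled. Every element occupies at least its
    // one-byte type tag, so a count that is negative or larger than the bytes
    // left in the file cannot describe a well-formed sequence; stop with a
    // diagnostic instead of looping on it or silently skipping the elements.
    if(size<0 || size>FileSize()-FTell()){
        Printf("[offset 0x%x] element count %d is negative or exceeds remaining file size\n",FTell(),size);
        Exit(-1);
    }
    // NOTE(review): nesting depth is not limited here; a deeply nested input
    // recurses through PyObject once per level.
    if(size>0){
        local int i=0;
        for(i=0;i<size;i++){
            PyObject object;
        }
    }
}TupleType;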

// Payload that PyObject declares after a TYPE_CODE tag. The declaration order
// below IS the parse order: four integers, eight nested objects, one integer,
// one more nested object. Every PyObject member starts with its own type tag,
// so what each one contains is decided by the file, not by this struct.
// NOTE(review): this field order matches the Python 2.x code-object layout;
// other versions store different fields -- confirm the version first.
typedef struct{
    int co_argcount;
    int co_nlocals;
    int co_stacksize;
    int co_flags;
    PyObject code;          // presumably the bytecode string (co_code) -- confirm
    PyObject co_consts;
    PyObject co_names;
    PyObject co_varnames;
    PyObject co_freevars;
    PyObject co_cellvars;
    PyObject co_filename;
    PyObject co_name;
    int co_firstlineno;
    PyObject co_lnotab;
}CodeBlock;

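// One marshalled object: a one-byte PY_TYPE tag followed by a payload whose
// layout depends on the tag. Payload layouts follow the CPython 2.x marshal
// format. Tags without a case below (TYPE_FLOAT, TYPE_COMPLEX,
// TYPE_BINARY_COMPLEX, TYPE_LONG, TYPE_DICT, TYPE_UNKNOWN) still reach the
// default branch, which reports the offset and stops the template, because
// continuing after an unparsed payload would misalign everything after it.
typedef struct{
    PY_TYPE type;
    switch(type){
        case TYPE_STRING: StrType str; break;
        case TYPE_STRINGREF: StrgrefType str; break;
        case TYPE_INT: IntType number; break;
        case TYPE_INT64: int64 number; break;           // 8-byte integer
        case TYPE_BINARY_FLOAT: double number; break;   // 8-byte IEEE double
        // Singleton tags: the tag byte is the whole object, no payload.
        case TYPE_NULL:
        case TYPE_NONE:
        case TYPE_FALSE:
        case TYPE_TRUE:
        case TYPE_STOPITER:
        case TYPE_ELLIPSIS: break;
        case TYPE_INTERNED: StrType str; break;
        case TYPE_UNICODE: StrType str; break;          // length + UTF-8 bytes
        case TYPE_CODE: CodeBlock code;break;
        // Member is named `code` although it holds a tuple; the name is kept
        // so existing references to it keep working.
        case TYPE_TUPLE:TupleType code;break;
        // Lists and sets are stored like tuples: a count, then that many objects.
        case TYPE_LIST:
        case TYPE_SET:
        case TYPE_FROZENSET: TupleType items; break;
        default: Printf("[offset 0x%x] unknown type\n",FTell()); Exit(-1);
    }
}PyObject;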

// Top-level layout of the file: two 4-byte header fields, then one marshalled
// object.
// NOTE(review): an 8-byte header (magic + mtime) matches .pyc files written by
// CPython before 3.3. Later versions add further header fields, so on such a
// file `codeblock` would start at the wrong offset -- check the magic number
// against the expected Python version before trusting the parsed tree.
typedef struct {
    int magic <format=hex>;   // version magic number, displayed in hex
    int mtime <format=hex>;   // presumably the source file's modification timestamp; displayed in hex
    PyObject codeblock;       // root object; its type tag is read from the file, not assumed to be TYPE_CODE
} PyCodeObject;


// First declaration executed by the template, so it maps from the start of
// the file and drives the whole parse.
PyCodeObject object;


转载自blog.csdn.net/qq_19683651/article/details/73467334