10

In Ghidra, the decompiler prepends various prefixes to variable names. For instance, iVar1 is an integer. However, there are a lot of prefixes that aren't immediately obvious, find some below, but I'm looking for a complete dictionary if anyone knows where it is:

  • local_31
  • auStack8320
  • uStack4
  • DAT_<addr>
Axel Persinger
  • 201
  • 2
  • 4

1 Answers1

9

This is annoyingly hard to find the answer to. This is a good starting point, but I don't think I found everything yet.

  1. Variable names
    1. From Function.java:
      1. param_
      2. local_
      3. local_res
      4. temp_
    2. From database.cc <-- this function has most (maybe all?) of the variable naming logic. There are multiple pieces of this function that I don't yet understand; I'm pretty confident there are additional variable naming conventions hiding in there.
      1. unaff_retaddr
      2. unaff_
      3. in_
      4. param_
        1. While also referenced in Function.java, I believe this is where the name is actually generated.
      5. extraout_
      6. Var
        1. Seems to usually be prefixed by something else (like i in your example)
    3. I think this function in varmap.cc is the one that creates stack variables, but I haven't yet confirmed.
  2. Label names (from SymbolUtilities.java):
    1. SUB_
    2. LAB_
    3. DAT_
    4. UNK_
    5. EXT_
    6. FUN_
    7. OFF_

Also useful, the FindPotentialDecompilerProblems.java script has some explanations for what some of these mean. Namely, some of the variants of extraout, in_, and unaff_.

hairlessbear
  • 925
  • 6
  • 18