Igor’s tip of the week #34: Dummy names

In IDA’s disassembly, you may have often observed names that may look strange and cryptic on first sight: sub_73906D75, loc_40721B, off_40A27C and more. In IDA’s terminology, they’re called dummy names. They are use when a name is required by the assembly syntax but there is nothing suitable available, for example the input file has no debug information (i.e. it has been stripped), or when referring to a location not present in the debug info. These names are not actually stored in the database but are generated by IDA on the fly, when printing the listing.

Dummy name prefixes

The dummy name consists of a type-dependent prefix and a unique suffix which is usually address-dependent. The following prefixes are used in IDA:

  • sub_ instruction, subroutine(function) start
  • locret_ a return instruction
  • loc_ other kind of instruction
  • off_ data, contains an offset(pointer) value
  • seg_ data, contains a segment address value
  • asc_ data, start of a string literal
  • byte_ data, byte
  • word_ data, 16-bit
  • dword_ data, 32-bit
  • qword_ data, 64-bit
  • byte3_ data, 3-byte
  • xmmword_ data, 128-bit
  • ymmword_ data, 256-bit
  • packreal_ data, packed real
  • flt_ floating point data, 32-bit
  • dbl_ floating point data, 64-bit
  • tbyte_ floating point data, 80-bit
  • stru_ structure
  • custdata_ custom data type
  • algn_ alignment directive
  • unk_ unexplored (undefined, unknown) byte

Because the prefixes are treated in a special way by IDA, they’re reserved and cannot be used in user-defined names. If you try to use such a name, you’ll get an error from IDA:

Warning 328: can't rename byte as 'sub_x' because the name has a reserved prefix.

Warning: can’t rename byte because the name has a reserved prefix

A possible workaround is to add an underscore at the start so the prefix is different. But if you want to get rid of an existing name and have IDA use a dummy name again, just delete it (rename to an empty string).

Name suffixes

The default suffix is the linear (aka effective) address of the item to which the dummy name is attached. However, this is not the only possibility. By using the Options > Name representation… dialog, you can choose something different.

Dummy name representation dialog

The options from the first half can be especially useful when dealing with segmented programs such as 16-bit DOS software; instead of a global linear address you can see the segment and the offset inside it so, for example, it is evident when the destination is in another segment.

DOS program when using “segment name & offset from the segment base” representation

Other prefixes

In addition to dummy names, there are two other kinds of autogenerated names that are used in IDA:

  1. Stack variables (var_) and arguments  (arg_). 
  2. String literal names generated from their text (e.g. aException for “exception”)

The stack prefixes are hardcoded and not configurable but the latter can be configured in Options > General…, Strings tab.

Strings options

Unlike the dummy names, these names are stored in the database marked as autogenerated so their prefixes are not considered reserved and you can use them in custom names.

Article Link: https://www.hex-rays.com/blog/igors-tip-of-the-week-34-dummy-names/