What are _loc_ variables when swfs are decompiled into AS3?

StackOverflow https://stackoverflow.com/questions/20980374

Question

When running swfs through decompilers (my own swfs, not somebody else's), I've noticed a lot of mention of certain variables:

_loc_1
_loc_2
_loc_3
.
.
.
_loc_n

As in the following example:

private function templateFilterFunction(param1) : Boolean
{
    var _loc_2:* = false;
    if (filterFunction != null)
    {
        _loc_2 = filterFunction(param1, typedText);
    }
    return _loc_2;
}

Alright, so these are apparently just normal variables then, right? And they may have had more descriptive names in the original AS3 code, but that's been lost in the bytecode, and now we have the same variables as before, just with non-descript names, right?

Not exactly. For instance:

package
{

    public class SomeClass extends Object
    {
        public var var1:Number;
        public var var2:Number;
        public var var3:Number;

        public function SomeClass(param1:Number, param2:Number, param3:Number)
        {
            if (!_loc_5)
            {
                if (!_loc_4)
                {
                    var3 = param1;
                    if (!_loc_4)
                    {
                        var1 = param2;
                    }
                }
            }
            var2 = param3;
            return;
        }// end function

    }
}

These aren't declared. But they're not exactly members of Object either, and I've never seen them outside of a swf decompilation. What are they then? Thanks.

Was it helpful?

Solution

Not sure about that particular piece of code, but the decompilers I've used (as far as I remember) all call the local variables loc_n, local_n or something like that.

I think you already know why. Local variables are created and pushed onto the execution stack; they are not referenced from outside the local scope and since they are not callable by name, their names are just whipped off the bytecode. (The object pointed by the variable could be allocated on the heap and live outside the scope of the function, however, but that's not the point here).

Now, another thing you might be aware of is that some bytecode generated by the compiler just doesn't traslate to actionscript code. There are things that can be done in bytecode that are not really possible in AS code; an example, off the top of my head: the "dup" opcode (duplicates a value and pushes it onto the stack). There are others (jumps, noops, etc). Reversing this to the original source code is sometimes not possible.

There are other interesting cases such as loops. You may notice that a particular decompiler tends to generate "for loops" (or "while loops") regardless of whether the source code had a for or a while. That's because loops are a higher level construct that are usually implemented in bytcode as conditional jumps. If you want to reverse the bytecode to AS code, you just have to pick a flavor because the loop (as an AS construct) is just not there.

That said, I've seen some decompilers (can't remember which one now) generating invalid or non-sensical source code. To me, that's the case in the example you post. I may be wrong but it seems like the _loc_5 and _loc_4 vars are just gibberish and the original code must be something like:

public function SomeClass(param1:Number, param2:Number, param3:Number):void
{
    var var3:Number = param1;
    var var1:Number = param2;
    var var2:Number = param3;
}
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top