Reversing with IDA: Cross-references

Categories of Cross-references

Cross-references can be categorized as follows:

  • Data cross-references

Code Cross-references

Code cross-references are used to identify relationships between function calls, declarations, or jumps. Let’s take a look at an example.

CODE XREF shows the reference to the actual jump

Data Cross-references

Much like code cross-references, data cross-references can help us keep track of data being accessed or written throughout the binary. For example, you might find an IP address being referenced in a few functions; using xrefs, you can identify all those functions easily.

DATA XREF shows several strings being referenced in functions

Listing Cross-references

If you’ve identified an offset or a function and would like to list all cross-references, you can simply do so by selecting the label and pressing ‘X’ to list all cross-references to that particular label (or identifier).

Cross-references to the offset, ‘aCopySToSucces’
  • Type: Type of the cross-reference
  • Address/Text: Address of the target reference and the actual code/text at that particular address
  • View xrefs to the identifier (where the reference ‘comes from’)
  • Use a custom xref chart with several customization options (this is particularly helpful in larger binaries and to filter out unhelpful identifiers)
Custom XREF chart in IDA

Types of Cross-references

From the official Hex-Rays documentation [2], we can find 13 types of cross-references. A few of these cross-reference types are listed below:

  • R: Read access — Data is being read from the address
  • W: Write access — Data is being written at the address
  • J: Far (Inter-segment) jump — Code being jumped to is in a different code segment than the current segment
  • j: Near (Intra-segment) jump — Code being jumped to is in the same code segment as the identifier
  • P: Far (Inter-segment) call — Call is in a different code segment
  • p: Near (Intra-segment) call — Call is in the same code segment

Conclusion

Cross-references can be really helpful when reversing binaries. You can quickly identify the purpose of a function by identifying its calls or look for interesting code by the data it references. Hopefully, this guide was a quick hands-on to getting started with cross-references.

References

[1] Hex-Rays’ Tip of the Week by Igor

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store