Reversing with IDA: Cross-references

Categories of Cross-references

  • Code cross-references
  • Data cross-references

Code Cross-references

CODE XREF shows the reference to the actual jump

Data Cross-references

DATA XREF shows several strings being referenced in functions

Listing Cross-references

Cross-references to the offset, ‘aCopySToSucces’

  • Direction: Whether the target reference is at a higher (Down) or lower (Up) address
  • Type: Type of the cross-reference
  • Address/Text: Address of the target reference and the actual code/text at that particular address

  • View xrefs from the identifier (where the reference ‘goes to’)
  • View xrefs to the identifier (where the reference ‘comes from’)
  • Use a custom xref chart with several customization options (this is particularly helpful in larger binaries and to filter out unhelpful identifiers)

Custom XREF chart in IDA

Types of Cross-references

  • O: Offset — Address is taken by the identifier selected by the cursor (there’s no read or write operation here)
  • R: Read access — Data is being read from the address
  • W: Write access — Data is being written at the address
  • J: Far (Inter-segment) jump — Code being jumped to is in a different code segment than the current segment
  • j: Near (Intra-segment) jump — Code being jumped to is in the same code segment as the identifier
  • P: Far (Inter-segment) call — Call is in a different code segment
  • p: Near (Intra-segment) call — Call is in the same code segment

Conclusion

References

Syed Hasan