2.3.6 Cross-References

Another way to navigate is by using cross-references (also referred to as Xrefs). A cross-reference links related addresses together. Cross-references can be either data cross-references or code cross-references.

A data cross-reference specifies how data is accessed within a binary. Examples of data cross-references are shown at ➐, ➑, and ➒ in the preceding listing. The data cross-reference at ➑ tells us that this data is referenced by the instruction at offset 0x6 from the start of the _main function (in other words, the instruction at ➋). The character w indicates a write cross-reference; this tells us that the instruction writes content into this memory location (note that 29h is written to this memory location at ➋). The character r at ➒ indicates a read cross-reference, which tells us that the instruction at _main+17 (in other words, the instruction at ➍) reads the content of this memory location. The ellipsis (...) at ➒ indicates that there are more cross-references, but they could not be displayed because of the display limit. Another type of data cross-reference is an offset cross-reference (indicated by the character o), which indicates that the address of a location is being used, rather than its content. Arrays and strings (character arrays) are accessed using their start addresses, which is why the string data at ➐ is marked as an offset cross-reference.

A code cross-reference indicates the control flow from one instruction to another (such as a jump or a function call). The following is a simple if statement in C:

int main(void)
{
    int x = 0;
    if (x == 0)
    {
        x = 5;
    }
    x = 2;
    return 0;
}

The program disassembles to the following listing. At ➊, note how the equal to (==) condition from the C code is reversed to jnz (which is an alias for jne, jump if not equal); this is done to implement the branching from ➊ to ➋. You can read it as: if var_4 is not equal to 0, then the jump is taken to loc_401018 (which is outside of the if block). The jump cross-reference comment is shown at the jump target ➌ in the following listing, to indicate that control is transferred from the instruction at offset 0xF from the start of the _main function (in other words, ➊). The character j at the end signifies that control was transferred as a result of a jump. You can simply double-click the cross-reference comment (_main+Fj) to change the display to the referencing instruction at ➊:

.text:00401004    mov     [ebp+var_4], 0
.text:0040100B    cmp     [ebp+var_4], 0
.text:0040100F    jnz     short loc_401018          ➊
.text:00401011    mov     [ebp+var_4], 5
.text:00401018
.text:00401018 loc_401018:                          ➌ ; CODE XREF: _main+Fj
.text:00401018    mov     [ebp+var_4], 2            ➋

The preceding listing can be viewed in graph view mode by pressing the spacebar. The graph view is especially useful for getting a visual representation of branching/looping statements. As mentioned before, the green arrow indicates that the jump is taken (the condition is satisfied), the red arrow indicates that the jump is not taken, and the blue arrow indicates the normal path.

Now, to understand the function cross-reference, consider the following C code, which calls the test() function within main():

void test(void) { }

int main(void)
{
    test();
    return 0;
}

The following is the disassembly listing of the main function. The sub_401000 at ➊ represents the test function. IDA automatically named the function address with the sub_ prefix, to indicate a subroutine (or function). For example, when you see sub_401000, you can read it as a subroutine at the address 0x401000 (you can also rename it to a more meaningful name). If you wish, you can navigate to the function by double-clicking on the function name:

.text:00401010    push    ebp
.text:00401011    mov     ebp, esp
.text:00401013    call    sub_401000                ➊
.text:00401018    xor     eax, eax

At the start of sub_401000 (the test function), a code cross-reference comment was added by IDA at ➋, to indicate that this function, sub_401000, was called from the instruction at offset 3 from the start of the _main function (that is, it was called from ➊). You can navigate to the _main function simply by double-clicking _main+3p. The p suffix signifies that control is transferred to the address 0x401000 as a result of a function (procedure) call:

.text:00401000 sub_401000 proc near                 ➋ ; CODE XREF: _main+3p
.text:00401000    push    ebp
.text:00401001    mov     ebp, esp
.text:00401003    pop     ebp
.text:00401004    retn
.text:00401004 sub_401000 endp
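The cross-reference comments discussed above (data xrefs with the r/w/o suffix, and code xrefs with the j/p suffix) all share one encoding: function name, plus a hexadecimal offset from that function's start, plus a one-letter access type. The following added example (not code from the book or from IDA) decodes such comments offline and resolves each one back to the absolute address of the referencing instruction; the function start addresses passed in are assumptions taken from the listings above, and the optional direction arrow it tolerates is the form newer IDA versions print.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Meaning of the one-letter suffix IDA appends to each cross-reference.
XREF_KINDS = {
    "j": ("code", "jump"),
    "p": ("code", "procedure call"),
    "r": ("data", "read"),
    "w": ("data", "write"),
    "o": ("data", "offset (address taken)"),
}

# "<func>+<hex offset><kind>", e.g. _main+Fj or _main+17r.
# Newer IDA versions insert a direction arrow before the kind letter.
XREF_RE = re.compile(
    r"(?P<func>[A-Za-z_.$?@][\w.$?@]*)\+(?P<off>[0-9A-Fa-f]+)[↑↓]?(?P<kind>[jporw])\b"
)


@dataclass
class Xref:
    func: str            # function the referencing instruction belongs to
    offset: int          # offset from that function's start (parsed as hex)
    kind: str            # raw suffix letter: j, p, r, w or o
    category: str        # "code" or "data"
    access: str          # human-readable meaning of the suffix
    source: Optional[int]  # absolute address of the referencing instruction


def parse_xref_comment(comment: str, func_starts: Dict[str, int]) -> Tuple[List[Xref], bool]:
    """Parse one 'CODE XREF:' / 'DATA XREF:' comment line.

    Returns the decoded cross-references and whether IDA truncated the
    list (the trailing '...' seen in the data-xref listing)."""
    m = re.search(r"(CODE|DATA) XREF:\s*(.*)", comment)
    if not m:
        return [], False
    expected, body = m.group(1).lower(), m.group(2)
    truncated = "..." in body
    xrefs: List[Xref] = []
    for t in XREF_RE.finditer(body):
        category, access = XREF_KINDS[t.group("kind")]
        if category != expected:  # a 'j' inside a DATA XREF comment is malformed
            raise ValueError(f"{t.group(0)} does not belong in a {expected} xref")
        off = int(t.group("off"), 16)
        base = func_starts.get(t.group("func"))
        xrefs.append(Xref(t.group("func"), off, t.group("kind"), category, access,
                          None if base is None else base + off))
    return xrefs, truncated
```

With _main starting at 0x401000, `_main+Fj` resolves to 0x40100F, the jnz in the first listing; with _main at 0x401010, `_main+3p` resolves to 0x401013, the call in the second.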