6

In the IDA view I see (glb_SomeVar is a byte array):

    cmp al, glb_SomeVar+22h

But when I hit x to find the cross references of glb_SomeVar, I only find two other matches in the same function:

    cmp al, glb_SomeVar+0Ah
    cmp al, glb_SomeVar+0Bh

Is there a way to fix this, like making IDA re-analyze the selected function or even the whole code? I guess at other places, there are cross references missing too.

heinrich5991

2 Answers

10

Edit -> Global -> Cross-references -> Cross reference depth. Increase as applicable.

From the documentation:

    This value "how many bytes of an object to look at to collect
    cross references". For example we have an array:
            A       db 100 dup(0)
    If some instruction refers to the 5-th element of the array:
            mov     al,A+5
     with TD=3      we'll have no xrefs displayed
     with TD=10     we'll have this xref

    IDA.CFG parameter: MAX_TAIL

"TD" here refers to "tail depth" (old name of the setting).

Igor Skochinsky
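A model of the tail-depth check that the quoted documentation describes, applied to the offsets from the question. This is an added example, not IDA's code and not from either answer. It assumes that depth N covers offsets 0..N-1 of the item, uses the default depth of 16 mentioned in the second answer, and runs on constructed addresses; inside IDA the `xrefs_to` callable would wrap `idautils.XrefsTo`.

```python
# Added example: which references into an array does a given
# "cross reference depth" (MAX_TAIL) display, and what depth shows them all?
# Assumption (from the documentation wording): depth N means the first N
# bytes of the item, i.e. offsets 0..N-1, are searched for xrefs.

def collect_tail_xrefs(start, size, xrefs_to):
    """Return {offset: [source addresses]} for every referenced byte of the item.

    xrefs_to is a callable ea -> list of referencing addresses. Inside IDA:
        lambda ea: [x.frm for x in idautils.XrefsTo(ea)]
    """
    found = {}
    for off in range(size):
        refs = list(xrefs_to(start + off))
        if refs:
            found[off] = refs
    return found

def split_by_depth(found, depth):
    """Split references into those listed at the item head and those hidden."""
    shown = {o: r for o, r in found.items() if o < depth}
    hidden = {o: r for o, r in found.items() if o >= depth}
    return shown, hidden

def min_depth_needed(found):
    """Smallest depth that lists every reference (0 if there are none)."""
    return max(found) + 1 if found else 0

# Constructed sample: a 0x40-byte array referenced at +0Ah, +0Bh and +22h,
# the three offsets from the question. All addresses are made up.
ARRAY_START, ARRAY_SIZE = 0x1000, 0x40
SAMPLE_XREFS = {
    ARRAY_START + 0x0A: [0x401010],
    ARRAY_START + 0x0B: [0x401018],
    ARRAY_START + 0x22: [0x401020],
}

def demo(depth=16):
    found = collect_tail_xrefs(ARRAY_START, ARRAY_SIZE,
                               lambda ea: SAMPLE_XREFS.get(ea, []))
    shown, hidden = split_by_depth(found, depth)
    return shown, hidden, min_depth_needed(found)

if __name__ == "__main__":
    shown, hidden, needed = demo()
    print("shown :", [hex(o) for o in sorted(shown)])
    print("hidden:", [hex(o) for o in sorted(hidden)])
    print("depth needed:", needed)
```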
1

I think the default in IDA 6.8 is a Cross reference depth of 16. I increased this first to 32 and then to 1024 and then to 65535 (because why not). None of this led to my xref working as desired so I must not understand something.

I'm analyzing an ARM ELF shared object file. The function I'm looking at is called by a function referenced by an offset in the .init_array segment (not sure if that's relevant). The offset I want to see all references of is:

    .bss:00424778 ; void *dword_424778
    .bss:00424778 dword_424778    % 4

It was originally identified as unk_424778 but I pressed Y and set the type to "void *".

Hex Rays shows this assignment:

    dword_424778 = &_sF;

Using HexRaysCodeXplorer I press J to jump back to disassembly from Hex Rays. It put me on line 0026D69C:

    ...
    .text:0026D668                 LDR             R5, [R4,R2] ; unk_424758
    .text:0026D66C                 ADD             R0, R5, #0x1C
    .text:0026D670                 STMIA           R5, {R3,R7}
    .text:0026D674                 STR             R7, [R5,#8]
    .text:0026D678                 STR             R7, [R5,#0xC]
    .text:0026D67C                 STR             R7, [R5,#0x10]
    .text:0026D680                 STR             R7, [R5,#0x14]
    .text:0026D684                 STR             R7, [R5,#0x18]
    .text:0026D688                 BL              sub_26F42C
    .text:0026D68C                 LDR             R2, =(off_374A30 - 0x374C20)
    .text:0026D690                 LDR             R3, [SP,#0x38+var_34]
    .text:0026D694                 STR             R9, [R5]
    .text:0026D698                 STR             R8, [R5,#0x24]
    .text:0026D69C                 STR             R11, [R5,#0x20]
    ...

I don't know ARM very well but I read that the STMIA R5, {R3,R7} will result in unpredictable behavior due to the reglist ({R3,R7}) starting with a lower-number register than Rn (R5).

Could the problem be related to dword_424778 being in the .bss section?