What qualifies as a code reference versus a data reference?

[lwerdna]

Positioned at __libc_csu_init(), binja presents two code references:

Why does the first case lea rcx, [rel __libc_csu_init] qualify? I expected code references to an address to be calls or branches to that address.

In the second case, call qword [rel __libc_start_main] doesn't seem related to __libc_csu_init at all.

[lwerdna]

In the phrases "code reference" and "data reference", the words "code" and "data" refer to the location of the reference, not the kind of reference it is. So any references residing in functions are code references, even when those references are that kind that just get the address of the referent.

First case:

Expecting only calls or branches for code references is thinking incorrectly of perhaps an "execution reference". As explained above, we have code (the instruction lea rcx, [rel __libc_csu_init] referencing (getting the address of) __libc_csu_init into rcx, so it's a code reference.

EDIT: Peter has a nice compact way of stating it:

"code references don't have the distinction of "address taken" vs "address used"

Second case:

When an address is the argument to a function, binja considers it a reference. Here's the more of the code from _start:

00000530  int64_t _start(int64_t arg1, int64_t arg2, void (* arg3)()) __noreturn
00000530  31ed               xor     ebp, ebp  {0x0}
00000532  4989d1             mov     r9, rdx
00000535  5e                 pop     rsi {__return_addr}
00000536  4889e2             mov     rdx, rsp {arg_8}
00000539  4883e4f0           and     rsp, 0xfffffffffffffff0
0000053d  50                 push    rax {var_8}
0000053e  54                 push    rsp {var_8} {var_10}
0000053f  4c8d05ca020000     lea     r8, [rel __libc_csu_fini]
00000546  488d0d53020000     lea     rcx, [rel __libc_csu_init]     ; <---- arg3 is __libc_csu_init
0000054d  488d3d2b020000     lea     rdi, [rel main]
00000554  ff15860a2000       call    qword [rel __libc_start_main]  ; <---- __libc_csu_init is used in the call

With knowledge of the calling convention, Binja's dataflow detects the address loaded at 546 is used as an argument at 554 and lists it as a reference.

This is a pitfall if you are wanting to detect calls to a function by iterating over cross references and checking that a call exists at each location.