I've taken up cracking and reverse-engineering recently with the help of OllyDbg 2.01 and crackmes executables.
So in this particular crackme, I was scrolling through the commands and noticed a PUSH with an ASCII string "&File" (it's a menu string) :
So I thought : "If I can find this information by simply scrolling, surely there must be an automatic way to find a command referencing a particular string".
So I get to the top of the program, hit CTRL+B and search for ASCII "File" to hopefully find it again :
After hitting OK, OllyDbg doesn't find the earlier PUSH. Instead, I get this :
Mmmh.. Okay, that's not what I expected, but let's see what's in there. so I right click => Follow in Dump, and I get this :
So yeah, we found our string in the dump. However, I still haven't found my original PUSH. You can also notice that the string's address is the same as the PUSH's argument (40512C).
As a last try, I right click on the letter at address 40512C, select "Find References", but nope : no reference found.
So TL ; DR question : how do I automatically find a command referencing a string ? Because obviously I'm not gonna scroll the whole command stack everytime I want to find a string.
PS : the string doesn't appear in "referenced text strings" either.
Thanks in advance for your help.
EDIT : okay so I found a solution. I searched the code for "2C 51 40 00" which is the address backward, and i found my PUSH again. It's a bit hacky, anyone with a more efficient solution is welcome to share.
So, there are multiple ways to do this. What I prefer is the following :
Ctrl+G
and go to your string in the dump. (0x0040512C) Select the first byte and hit Ctrl+R
. This will give you a list where the particular string is referenced. You could also place a hardware breakpoint on the first byte of the string "&" and then you will break every time something accesses it. You could also search for constants (the address or the ascii characters themselves).
By the way there is a subsite dedicated for reverseengineering :)