OllyDbg 2.01 - Finding a command referencing a static string

Ely · Jul 3, 2014 · Viewed 8.8k times

I've taken up cracking and reverse-engineering recently with the help of OllyDbg 2.01 and crackmes executables.

So in this particular crackme, I was scrolling through the commands and noticed a PUSH with an ASCII string "&File" (it's a menu string):

[Screenshot 1]

So I thought: "If I can find this information by simply scrolling, surely there must be an automatic way to find a command referencing a particular string."

So I go to the top of the program, hit CTRL+B and search for ASCII "File" to hopefully find it again:

[Screenshot 2]

After hitting OK, OllyDbg doesn't find the earlier PUSH. Instead, I get this:

[Screenshot 3]

Mmmh... Okay, that's not what I expected, but let's see what's in there. So I right-click => Follow in Dump, and I get this:

[Screenshot 4]

So yeah, we found our string in the dump. However, I still haven't found my original PUSH. You can also notice that the string's address is the same as the PUSH's argument (40512C).

As a last try, I right-click on the letter at address 40512C and select "Find References", but nope: no reference found.

So, TL;DR question: how do I automatically find a command referencing a string? Because obviously I'm not gonna scroll the whole command stack every time I want to find a string.

PS: the string doesn't appear in "referenced text strings" either.

Thanks in advance for your help.

EDIT: okay, so I found a solution. I searched the code for "2C 51 40 00", which is the address backward, and I found my PUSH again. It's a bit hacky; anyone with a more efficient solution is welcome to share.

Answer

Dominik Antal · Jul 4, 2014

So, there are multiple ways to do this. What I prefer is the following: Ctrl+G and go to your string in the dump (0x0040512C). Select the first byte and hit Ctrl+R. This will give you a list of where the particular string is referenced. You could also place a hardware breakpoint on the first byte of the string ("&"), and then you will break every time something accesses it. You could also search for constants (the address or the ASCII characters themselves).

By the way, there is a subsite dedicated to reverse engineering :)
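The byte-pattern search from the question's edit (and the answer's "search for constants" suggestion), as an added Python example that is not part of either post: it packs the string's address as a little-endian dword, scans a code buffer for it and labels the instruction form around each hit. The sample code bytes and the 0x00401000 code base are constructed for the example; only the 0x0040512C string address comes from the thread.

```python
import struct

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def search_pattern(target_va: int) -> str:
    """The hex pattern you would type into OllyDbg's binary search:
    the address in little-endian byte order, e.g. 0x0040512C -> '2C 51 40 00'."""
    return struct.pack("<I", target_va).hex(" ").upper()


def find_address_refs(code: bytes, code_base: int, target_va: int) -> list:
    """Return every place in `code` where `target_va` appears as an immediate
    dword. The instruction form is a heuristic guess from the single opcode
    byte preceding the immediate (PUSH imm32 = 68, MOV r32, imm32 = B8+r);
    that byte may belong to another instruction's operand, so treat the
    label as a hint and confirm in the disassembler."""
    needle = struct.pack("<I", target_va)
    hits = []
    pos = code.find(needle)
    while pos != -1:
        opcode = code[pos - 1] if pos > 0 else None
        if opcode == 0x68:
            form, insn_off = "push imm32", pos - 1
        elif opcode is not None and 0xB8 <= opcode <= 0xBF:
            form, insn_off = f"mov {REGS32[opcode - 0xB8]}, imm32", pos - 1
        else:
            form, insn_off = "embedded dword (unknown instruction)", pos
        hits.append({"offset": insn_off, "va": code_base + insn_off,
                     "form": form, "bytes": code[insn_off:pos + 4].hex(" ")})
        pos = code.find(needle, pos + 1)
    return hits


# Constructed sample code section (not from the crackme), assumed loaded at
# 0x00401000; the "&File" string is assumed to live at 0x0040512C as in the post.
SAMPLE_CODE = bytes.fromhex(
    "6A00"          # push 0
    "682C514000"    # push 0x0040512C   <- the PUSH the question was looking for
    "B82C514000"    # mov eax, 0x0040512C  <- a second, non-PUSH reference
    "E800000000"    # call +0
    "C3"            # ret
)
STRING_VA = 0x0040512C
CODE_BASE = 0x00401000


def demo() -> list:
    return find_address_refs(SAMPLE_CODE, CODE_BASE, STRING_VA)
```

Scanning only the code section (rather than the whole image, as Ctrl+B over the dump does) keeps copies of the address in data or relocation tables from cluttering the list.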