OllyDbg 2.01 - Finding a command referencing a static string

I've taken up cracking and reverse-engineering recently with the help of OllyDbg 2.01 and crackme executables.

So in this particular crackme, I was scrolling through the commands and noticed a PUSH with an ASCII string "&File" (it's a menu string):

[Image 1]

So I thought: "If I can find this information by simply scrolling, surely there must be an automatic way to find a command referencing a particular string".

So I get to the top of the program, hit CTRL+B and search for ASCII "File" to hopefully find it again:

[Image 2]

After hitting OK, OllyDbg doesn't find the earlier PUSH. Instead, I get this:

[Image 3]

Mmmh... Okay, that's not what I expected, but let's see what's in there. So I right-click => Follow in Dump, and I get this:

[Image 4]

So yeah, we found our string in the dump. However, I still haven't found my original PUSH. You can also notice that the string's address is the same as the PUSH's argument (40512C).

As a last try, I right-click on the letter at address 40512C, select "Find References", but nope: no reference found.

So TL;DR question: how do I automatically find a command referencing a string? Because obviously I'm not gonna scroll the whole command stack every time I want to find a string.

PS: the string doesn't appear in "referenced text strings" either.

Thanks in advance for your help.

EDIT: okay, so I found a solution. I searched the code for "2C 51 40 00", which is the address backward, and I found my PUSH again. It's a bit hacky; anyone with a more efficient solution is welcome to share.

Choking answered 3/7, 2014 at 12:48

So, there are multiple ways to do this. What I prefer is the following: Ctrl+G and go to your string in the dump (0x0040512C). Select the first byte and hit Ctrl+R. This will give you a list where the particular string is referenced. You could also place a hardware breakpoint on the first byte of the string "&" and then you will break every time something accesses it. You could also search for constants (the address or the ASCII characters themselves).

By the way, there is a subsite dedicated to reverse engineering :)

Talc answered 4/7, 2014 at 12:9 Comment(1)
I tried Ctrl+R as stated in my post (right-clicking on the first byte and selecting "find references") but it didn't yield any result. About memory breakpoints: yeah, I've recently discovered them and they're awesome :). Thanks for the tip about the reverse engineering subsite, I'll check it out. - Choking
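
The byte search from the question's EDIT and the "search for constants" option from the answer, as an added Python example that is not from either poster: it locates the string, encodes its address as little-endian bytes (0x0040512C becomes 2C 51 40 00) and scans for that operand. The flat image, `IMAGE_BASE`, the sample code bytes and all function names are assumptions made for the illustration; a real PE file needs its section table to map file offsets to virtual addresses.

```python
import struct

IMAGE_BASE = 0x00400000  # assumed load address of the constructed sample

# Opcodes that are followed directly by a 32-bit immediate operand.
IMM32_OPCODES = {0x68: "PUSH imm32", 0xB8: "MOV EAX, imm32"}


def build_sample():
    """Constructed flat image: code at offset 0x1000, string at offset 0x512C."""
    img = bytearray(0x6000)
    target = struct.pack("<I", 0x0040512C)
    # NOP; NOP; PUSH 0040512C; MOV EAX, 0040512C; RET
    code = b"\x90\x90" + b"\x68" + target + b"\xB8" + target + b"\xC3"
    img[0x1000:0x1000 + len(code)] = code
    img[0x512C:0x512C + 6] = b"&File\x00"
    return bytes(img)


def le32(va):
    """Encode a 32-bit address the way x86 stores it in an instruction."""
    return struct.pack("<I", va)


def find_string_va(image, text, base=IMAGE_BASE):
    """Return the virtual address of the first occurrence of text, or None."""
    off = image.find(text)
    return None if off < 0 else base + off


def find_references(image, target_va, base=IMAGE_BASE):
    """List (operand_va, label) for every occurrence of the encoded address.

    A byte match is only a candidate: the same four bytes can occur in data.
    The byte before the match is checked against known imm32 opcodes.
    """
    needle = le32(target_va)
    hits = []
    pos = image.find(needle)
    while pos != -1:
        opcode = image[pos - 1] if pos > 0 else None
        hits.append((base + pos, IMM32_OPCODES.get(opcode, "unknown")))
        pos = image.find(needle, pos + 1)
    return hits


if __name__ == "__main__":
    image = build_sample()
    va = find_string_va(image, b"&File\x00")
    for operand_va, label in find_references(image, va):
        print(f"{operand_va:08X}  {label}  -> {va:08X}")
```
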
