Finding a command referencing a static string

I've taken up cracking and reverse-engineering recently with the help of OllyDbg 2.01 and crackmes executables.

So in this particular crackme, I was scrolling through the commands and noticed a PUSH with an ASCII string "&File" (it's a menu string) :

So I thought : "If I can find this information by simply scrolling, surely there must be an automatic way to find a command referencing a particular string".

So I get to the top of the program, hit CTRL+B and search for ASCII "File" to hopefully find it again :

2

After hitting OK, OllyDbg doesn't find the earlier PUSH. Instead, I get this :

Mmmh.. Okay, that's not what I expected, but let's see what's in there. so I right click => Follow in Dump, and I get this :

So yeah, we found our string in the dump. However, I still haven't found my original PUSH. You can also notice that the string's address is the same as the PUSH's argument (40512C).

As a last try, I right click on the letter at address 40512C, select "Find References", but nope : no reference found.

So TL ; DR question : how do I automatically find a command referencing a string ? Because obviously I'm not gonna scroll the whole command stack everytime I want to find a string.

PS : the string doesn't appear in "referenced text strings" either.

Thanks in advance for your help.

EDIT : okay so I found a solution. I searched the code for "2C 51 40 00" which is the address backward, and i found my PUSH again. It's a bit hacky, anyone with a more efficient solution is welcome to share.


So, there are multiple ways to do this. What I prefer is the following : Ctrl+G and go to your string in the dump. (0x0040512C) Select the first byte and hit Ctrl+R . This will give you a list where the particular string is referenced. You could also place a hardware breakpoint on the first byte of the string "&" and then you will break every time something accesses it. You could also search for constants (the address or the ascii characters themselves).

By the way there is a subsite dedicated for reverseengineering :)

链接地址: http://www.djcxy.com/p/80318.html

上一篇: 如何解决Worklight项目找不到MBean?

下一篇: 查找引用静态字符串的命令