PDA

View Full Version : Question about "Find references to "

MathewMickle
November 29th, 2009, 21:40
CPU pane 's the context menu in ollydbg has an item: "Find references to ".
"Find references to " contains 2 the subitems: "selected command" and "selected address" .

However,I feel the feature of the subitems is same, but why does ollydbg name them different names?

When I looked up ollydbg's help, an explanation about the items is "first select address ". oh! I consider the explanation is confusing. what does it mean?

Could someone tell me which differences are between "selected command" and "selected address" ?

Thanks!
Kayaker
November 30th, 2009, 20:28
Hi

I believe I have an explanation for that, but I think it would be more fun to pose it as a little challenge for anyone who wants to try it, since it will expose a bit of how Olly works and maybe as a useful tidbit for writing plugins.

Start with disassembling Olly in IDA and search for those 2 commands (View/Open subviews/Strings). As you surmised they are very similar, but only 1 menu item will be shown at any one time, depending on a previous condition.

The previous condition(s) that will produce one or the other menu items is easily discerned from the disassembly as an absolute value (constant), but what isn't explained of course is the *meaning* of those constants.

However, if you search for those constants in plugin.h in the development kit you will find their meanings.

It appears that the "selected command" menu item is the one that will occur most often in a normal analysis. I couldn't find a normal instruction which would produce the "selected address" menu without altering the Analysis mode.


So the challenge then is to produce a situation (unless you can find an existing instruction - which you'll probably be able to once you understand the difference) which will cause the "selected address" menu item to appear on an instruction. You should be able to do this by studying the relevant plugin.h constants and by altering the Analysis heuristics. When you can do this, and revert back to the original condition, the difference between the two menu items should become more apparent


Cheers,
Kayaker