
View Full Version : Help: Can see API call in hex editor but not disassembler!


zambuka42
April 22nd, 2004, 16:45
Hello, this is my first posting here, and I hope I'm not being completely oblivious to the answer... but I've run into this a couple times in the past few weeks (of my intro to reversing)... I'll give an example:

I can open a file (app.exe) with a hex editor and do a text search for an API call I KNOW this file makes (API call: 'sproInitialize'). Within the hex editor I am able to find this string. Obviously though, being in this editor does me no good for my ultimate goal. However, my original reason for opening the file here was to find the API call. Good. Now I know this is the file I was looking for... but wait!....

When I open this same file in W32dasm or IDA pro, nowhere is there a string ref, api ref, or simple text found referencing this call. Is there something I'm missing??? As far as I can tell, the program is not packed. Please help! thanks. -b

Woodmann
April 22nd, 2004, 18:26

dELTA
April 22nd, 2004, 19:22
The text you find in the hex editor is most likely either from the import table of the exe or from a string that is used to dynamically load the function in the application. If IDA is unable to make the connection between a call to such a static import (e.g. because it is performed with an indirect call), or between the string and the code that uses it to dynamically load this function from the library, it will not necessarily be shown as a string in the IDA listing.

Use a debugger, and if it is a static import set a breakpoint on the IAT entry for the function, and if it is a string that is used to dynamically load the function set a memory read breakpoint on the string. This should let you find the code that uses the function while running the application under the debugger.
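To make the distinction dELTA draws concrete, here is an added example (not code from the thread or from any of the tools it mentions). It builds a constructed minimal PE32 image in memory, with one section whose import directory statically imports LoadLibraryA and GetProcAddress from KERNEL32.dll, plus two loose NUL-terminated strings ("sproInitialize" and a hypothetical DLL name "sentinel.dll") that no import entry references. It then walks the import directory the way a disassembler does and classifies a searched-for name either as a static import (reporting the RVA of its IAT slot, which is what you put a breakpoint on) or as a loose string (which only a memory-read breakpoint on the bytes, or a breakpoint on GetProcAddress, will connect to code). The "sentinel.dll" name and the heuristic that a loose API string next to imported LoadLibraryA/GetProcAddress means run-time resolution are assumptions for the illustration, not facts about the original app.exe.

```python
import struct


def build_sample_pe():
    """Constructed sample image (not a real binary): one .rdata section at
    RVA 0x1000 / file offset 0x200 so that RVA->offset mapping is exercised."""
    SEC_RVA, SEC_RAW = 0x1000, 0x200
    body = bytearray()

    def put(blob):                       # append to section, return its RVA
        if len(body) % 2:                # keep hint/name entries 2-byte aligned
            body.append(0)
        rva = SEC_RVA + len(body)
        body.extend(blob)
        return rva

    dll_rva = put(b"KERNEL32.dll\0")
    hint_rvas = [put(b"\0\0" + n + b"\0") for n in (b"LoadLibraryA", b"GetProcAddress")]
    ilt_rva = put(struct.pack("<3I", *hint_rvas, 0))   # import lookup table
    iat_rva = put(struct.pack("<3I", *hint_rvas, 0))   # import address table (patched by loader)
    put(b"sproInitialize\0")             # loose string: no import entry points here
    put(b"sentinel.dll\0")               # hypothetical DLL name a LoadLibraryA call would use
    desc_rva = put(struct.pack("<5I", ilt_rva, 0, 0, dll_rva, iat_rva) + bytes(20))
    body.extend(bytes(0x200 - len(body)))

    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6,
                      0x10B, 14, 0,
                      0x200, 0, 0, SEC_RVA, SEC_RVA, SEC_RVA, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0,
                      0, 0x2000, 0x200, 0,
                      3, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1] = (desc_rva, 40)                                        # import directory
    dd = b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt) + len(dd), 0x102)
    sec = struct.pack("<8sIIIIIIHHI", b".rdata", 0x200, SEC_RVA, 0x200, SEC_RAW,
                      0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\0\0" + coff + opt + dd + sec
    return bytes(hdr + bytes(SEC_RAW - len(hdr)) + body)


def _cstr(data, off):
    end = data.index(b"\0", off)
    return data[off:end].decode("ascii")


def parse_imports(data):
    """Walk the import directory; returns {dll: [(name, iat_slot_rva), ...]}."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    assert data[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    coff = e_lfanew + 4
    nsec, opt_size = struct.unpack_from("<H", data, coff + 2)[0], struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dd = opt + (112 if pe32plus else 96)
    import_rva = struct.unpack_from("<I", data, dd + 8)[0]          # directory entry 1
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]

    def rva_to_off(rva):
        for vsize, va, rsize, raw in sections:
            if va <= rva < va + max(vsize, rsize):
                return rva - va + raw
        raise ValueError("RVA %#x not in any section" % rva)

    imports, d = {}, rva_to_off(import_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, d)
        if name_rva == 0:
            break
        funcs, thunk, i = [], rva_to_off(oft or ft), 0
        while True:
            entry = struct.unpack_from("<I", data, thunk + 4 * i)[0]
            if entry == 0:
                break
            name = "#%d" % (entry & 0xFFFF) if entry & 0x80000000 else _cstr(data, rva_to_off(entry) + 2)
            funcs.append((name, ft + 4 * i))                        # slot the loader fills in
            i += 1
        imports[_cstr(data, rva_to_off(name_rva))] = funcs
        d += 20
    return imports


def locate_api_string(data, name):
    """Why a hex-editor hit may not be an import: report which case applies."""
    imports = parse_imports(data)
    for dll, funcs in imports.items():
        for fname, iat_rva in funcs:
            if fname == name:
                return {"kind": "static import", "dll": dll, "iat_rva": iat_rva}
    off = data.find(name.encode("ascii") + b"\0")
    if off < 0:
        return None
    names = {f for funcs in imports.values() for f, _ in funcs}
    return {"kind": "loose string", "file_offset": off,
            "dynamic_loader_imported": {"LoadLibraryA", "GetProcAddress"} <= names}


if __name__ == "__main__":
    img = build_sample_pe()
    for api in ("GetProcAddress", "sproInitialize", "sproFormatPacket"):
        print(api, "->", locate_api_string(img, api))
```

For the constructed image, "GetProcAddress" comes back as a static import with its IAT slot at RVA 0x1040 (image base 0x400000, so the memory breakpoint goes on 0x401040), while "sproInitialize" is only a loose string at file offset 0x248 with LoadLibraryA/GetProcAddress both imported, which is the pattern that suggests the name is resolved at run time. Running the parser over a real app.exe gives the same two answers; note that "loose string" plus the two loader imports is a strong hint, not proof, that GetProcAddress is used on it.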

zambuka42
April 22nd, 2004, 20:54
First, let me say thank you for responding (and so quickly!), you know how frustrating it can be to sit in a dark room for hours on end.. doing what we do... and reach a road block and wait for a response. Obviously I've been trying other things, but it's nice to get a response...

that said.. I am a newbie... I've got the skills, just lacking some key knowledge...

I use two main debuggers: W32dasm 8.9, and SoftICE (I am still extremely new to SoftICE). My main problem is that I cannot debug this app! It is a command-line runnable program, but acts as a service. When I try to run it from the debugger: It loads fine, yet the debugger is tricked into thinking the program has terminated. As for SoftICE, I am running it as "Boot".. but am not too understanding of how to isolate this one application while running it.

Obviously I am grateful for the help, and will do some more research into further options I could try, but if you have the time:

Any thoughts on the debugger problem? Also, I am unfamiliar with "indirect calls", "IAT entries", & "setting a memory read breakpoint". Thanks. -b