Could be difficult as is, inside the apps would probably be
something like cmp reg,'t', which could be quite hard to
locate as long as you are not supposed to know the 't' part...

So, instead of focusing on what you can't locate easily, why not
starting your trace at the point where the program retrieve the
password ? (using functions such as getchar, or fget.. ?)

etherlord