Is it possible in IDA Pro to do a structure field offset for a vtable that is defined in a .data segment?

This is what I want to achieve. I have a class that I defined as a struct for storing the class data. One of the class methods uses a field of the class as if it were pointing to a vtable.

int __thiscall SignOn(struc_4 *this)
{
  v1 = this;
  if ( !v1->vtable_40194AE0 )
    return E_UNEXPECTED;
  v1->field_3E8 = 0;
  if ( !sub_686F7193(v1) )
    return (*(*v1->vtable_40194AE0 + 12))(v1->vtable_40194AE0, 0, 0); // sub_40128EEE
}

As you can see, it calls the 3rd function from vtable. At runtime, I determined that vtable_40194AE0 points to an array in the .data section, which looks like this:

off_40194AE0 dd offset InternalQueryInterface
             dd offset AddRef
             dd offset Release
             dd offset sub_40128EEE ; 3
             dd offset sub_40128F8C
             dd offset sub_4012C2E2 ; 5

Is there any way to tell IDA that vtable_40194AE0 always points to the vtable at 0x40194AE0, so that this call in the pseudo-code will look like

 return vtable_40194AE0->sub_40128EEE(v1->vtable_40194AE0, 0, 0); 

?

I tried to set vtable_40194AE0 of the structure as "user offset", but this does not help :(

Thanks a lot!

+4
3 answers

As far as I know, no. IDA structures are provided only to simplify the process of visualizing disassembled data. The most you can do is add a comment at the call site identifying the virtual function being called.

0

Of course it is possible!

Open the Structures window, find your class structure (struc_4 in your case) and expand it if it is collapsed. Select the vtable field (it should be the first one), press Y and, in the window that opens, enter the type declaration as a pointer to the vtable struct (vtable_40194AE0 * in your case). That's it.

+5

You can create a structure representing the vtable, declare the C types of its fields with Y (to enter function pointers) and convert the offset in call [ecx+12] into an offset of this structure with T. This way IDA recognizes the call arguments.

In the structure representing the class, set the type of the vtable field to a pointer to the vtable structure; then, if you are lucky, the decompiler will put things together and show the vtable structure's field name instead of a call through the offset.

+1
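As an added example (not from the question or either of the two answers above), these are the C declarations you would type into IDA to realise what both answers describe, plus a check that the raw displacement 12 in the decompiled call maps to slot 3 (sub_40128EEE) on the 32-bit target. The struct and function names come from the post; the function bodies, return values and the padding up to field_3E8 are constructed stand-ins, since the post does not show them.

```c
#include <stddef.h>

/* Vtable layout recovered from the .data dump at off_40194AE0 (names from the post). */
struct vtable_40194AE0 {
    int (*InternalQueryInterface)(struct vtable_40194AE0 *vt, int a, int b);
    int (*AddRef)(struct vtable_40194AE0 *vt);
    int (*Release)(struct vtable_40194AE0 *vt);
    int (*sub_40128EEE)(struct vtable_40194AE0 *vt, int a, int b); /* slot 3 */
    int (*sub_40128F8C)(struct vtable_40194AE0 *vt);
    int (*sub_4012C2E2)(struct vtable_40194AE0 *vt);               /* slot 5 */
};

/* Class layout: the first field typed as a pointer to the vtable struct (the 'Y' step). */
struct struc_4 {
    struct vtable_40194AE0 *vtable_40194AE0;
    unsigned char pad[0x3E8 - sizeof(void *)]; /* constructed: unknown fields up to field_3E8 */
    int field_3E8;
};

/* The displacement in "(*(*vt + 12))" divided by the target pointer size gives the slot. */
unsigned slot_for_displacement(unsigned disp, unsigned ptr_size) { return disp / ptr_size; }

/* Slot index implied by the typed struct itself; portable across pointer sizes. */
unsigned slot_of_sub_40128EEE(void) {
    return (unsigned)(offsetof(struct vtable_40194AE0, sub_40128EEE) / sizeof(void *));
}

/* Constructed stand-ins: the real bodies are not on the page. */
static int stub_sub_40128EEE(struct vtable_40194AE0 *vt, int a, int b) { (void)vt; return 0x1234 + a + b; }
static int sub_686F7193(struct struc_4 *obj) { (void)obj; return 0; } /* 0 => take the vtable call */
static struct vtable_40194AE0 vt_instance = { 0, 0, 0, stub_sub_40128EEE, 0, 0 };

/* SignOn as the decompiler renders it once the field carries the pointer type. */
int SignOn(struct struc_4 *self) {
    if (!self->vtable_40194AE0) return (int)0x8000FFFF;   /* E_UNEXPECTED */
    self->field_3E8 = 0;
    if (!sub_686F7193(self))
        return self->vtable_40194AE0->sub_40128EEE(self->vtable_40194AE0, 0, 0);
    return 0;                                              /* constructed: fall-through case */
}

int demo_signon(void) {
    struct struc_4 obj = { &vt_instance };  /* remaining fields zero-initialised */
    return SignOn(&obj);
}

int demo_null_vtable(void) { struct struc_4 obj = { 0 }; return SignOn(&obj); }
```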
