Here is what I want to achieve. I identified a class which I defined as a struct to store class data. One of the methods of the class uses a class field as if it's a pointer to a vtable.
    int __thiscall SignOn(struc_4 *this)
    {
      struc_4 *v1; // local copy of this, as emitted by the decompiler

      v1 = this;
      if ( !v1->vtable_40194AE0 )
        return E_UNEXPECTED;
      v1->field_3E8 = 0;
      if ( !sub_686F7193(v1) )
        return (*(*v1->vtable_40194AE0 + 12))(v1->vtable_40194AE0, 0, 0); // sub_40128EEE
    }
As you can see, it calls the 3rd function from the vtable. At run time I identified that vtable_40194AE0 points to an array in the .data section which looks like this:
    off_40194AE0 dd offset InternalQueryInterface
                 dd offset AddRef
                 dd offset Release
                 dd offset sub_40128EEE ; 3
                 dd offset sub_40128F8C
                 dd offset sub_4012C2E2 ; 5
Is there a way to somehow tell IDA that vtable_40194AE0 always points to the vtable at 0x40194AE0, so that the given call in the pseudo-code will look like

    return vtable_40194AE0->sub_40128EEE(v1->vtable_40194AE0, 0, 0);

?
I tried to set vtable_40194AE0 of the structure to be a "user-defined offset" but it doesn't help :(
Thanks a lot!
Of course, it's possible!
Open the "Structures" window, find your class struct (struc_4 in your case) and open it (if it is collapsed). Select the vtable field (it should be the first one), press Y and enter the type declaration as a pointer to the vtable struct in the window that opens (vtable_40194AE0* in your case). That's it.
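The answer assumes a vtable struct named vtable_40194AE0 already exists for the Y dialog to reference. The script below is an added example, not part of the question or the answer and not IDA's own code: it turns an IDA listing of `dd offset` entries like the one in the question into the C declaration of that vtable struct (one function pointer per slot, pasteable into IDA's type dialog), and it resolves the raw `*(*v1->vtable_40194AE0 + 12)` form back to the slot it selects. It assumes a 32-bit target (each `dd` slot is 4 bytes) and, because the page does not state the slot signatures, uses a generic `int __thiscall (void *this, int, int)` for every entry; adjust those per slot once you know them. The listing text is copied from the question; the function names in this script are constructed.

```python
"""Added example: build the vtable struct declaration IDA needs from a
'dd offset' listing, and map a byte offset into that vtable to a slot name.

Assumptions (not stated on the page): 32-bit target, so one slot = 4 bytes;
slot signatures are unknown, so a generic signature is emitted for each."""
import re

POINTER_SIZE = 4  # assumption: 32-bit target, dd entries are 4 bytes each

# Listing copied from the question; the trailing "; 3" / "; 5" comments are
# IDA's own index annotations and are ignored by the parser.
VTABLE_LISTING = """\
off_40194AE0 dd offset InternalQueryInterface
             dd offset AddRef
             dd offset Release
             dd offset sub_40128EEE ; 3
             dd offset sub_40128F8C
             dd offset sub_4012C2E2 ; 5
"""

# Optional leading label, then "dd offset <symbol>"; anything after is a comment.
_SLOT_RE = re.compile(r"^(?:(?P<label>\w+)\s+)?dd\s+offset\s+(?P<target>\w+)")


def parse_vtable(listing):
    """Return (label, [slot names]) from a listing of 'dd offset X' lines.
    Lines that are not 'dd offset' entries (align directives, blank lines)
    are skipped so a raw copy from the disassembly view works as-is."""
    label = None
    slots = []
    for line in listing.splitlines():
        m = _SLOT_RE.match(line.strip())
        if not m:
            continue
        if label is None and m.group("label"):
            label = m.group("label")
        slots.append(m.group("target"))
    return label, slots


def slot_for_offset(byte_offset, pointer_size=POINTER_SIZE):
    """Map the '+ 12' in *(*vtable + 12) to a slot index.
    A non-aligned offset cannot be a slot, so it is rejected rather than
    silently rounded."""
    if byte_offset % pointer_size:
        raise ValueError("offset %d is not a slot boundary" % byte_offset)
    return byte_offset // pointer_size


def resolve_call(listing, byte_offset):
    """Name of the function a raw indirect call through this vtable invokes."""
    _, slots = parse_vtable(listing)
    idx = slot_for_offset(byte_offset)
    if idx >= len(slots):
        raise IndexError("slot %d is beyond a vtable of %d entries" % (idx, len(slots)))
    return slots[idx]


def vtable_decl(struct_name, slots, this_type="void *"):
    """C declaration of the vtable struct in the form IDA's type parser
    accepts. Every slot gets the same placeholder signature (assumption);
    fix individual slots once their real prototypes are known."""
    lines = ["struct %s {" % struct_name]
    for name in slots:
        lines.append("    int (__thiscall *%s)(%sthis, int, int);" % (name, this_type))
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    label, slots = parse_vtable(VTABLE_LISTING)
    print("// vtable at", label)
    print(vtable_decl("vtable_40194AE0", slots))
    print("// *(*vtable + 12) selects:", resolve_call(VTABLE_LISTING, 12))
```

Paste the printed `struct vtable_40194AE0 { ... };` into IDA's type parser (or add it as a struct), then follow the answer: on the first field of struc_4 press Y and enter `vtable_40194AE0 *`. Hex-Rays will then show the call as `v1->vtable_40194AE0->sub_40128EEE(...)`, matching what `resolve_call` reports for offset 12.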