Is it possible in IDA Pro to make a struct field offset to vtable which is defined in .data segment?
Here is what I want to achieve. I identified a class, which I defined as a struct to store the class data. One of the methods of the class uses a class field as if it's a pointer to a vtable.

int __thiscall SignOn(struc_4 *this)
{
  struc_4 *v1; // local the pasted pseudo-code left undeclared

  v1 = this;
  if ( !v1->vtable_40194AE0 )
    return E_UNEXPECTED;
  v1->field_3E8 = 0;
  if ( !sub_686F7193(v1) )
    return (*(*v1->vtable_40194AE0 + 12))(v1->vtable_40194AE0, 0, 0); // sub_40128EEE
}

As you can see, it calls the 3rd function from the vtable. At run-time I identified that vtable_40194AE0 points to an array in the .data section which looks like this:

off_40194AE0    dd offset InternalQueryInterface
                dd offset AddRef
                dd offset Release
                dd offset sub_40128EEE  ; 3
                dd offset sub_40128F8C
                dd offset sub_4012C2E2  ; 5

Is there a way to somehow tell IDA that vtable_40194AE0 always points to the vtable at 0x40194AE0, so that the given call in the pseudo-code will look like

return vtable_40194AE0->sub_40128EEE(v1->vtable_40194AE0, 0, 0);

?

I tried to set the vtable_40194AE0 field of the structure to be a "user-defined offset", but it doesn't help :(

Thanks a lot !

Hales answered 9/5, 2011 at 2:3 Comment(0)
To my knowledge, no. IDA structs are merely provided to make the process of visualizing disassembled data easier. The most you can do is comment the call site to identify the actual virtual function being called.

Aggrandize answered 14/5, 2011 at 7:0 Comment(0)
Of course, it's possible!

Open the "Structures" window, find your class struct (struc_4 in your case) and expand it (if it was collapsed). Select the vtable field (it should be the first one), press Y and, in the window that opens, enter the type declaration as a pointer to the vtable struct (vtable_40194AE0* in your case). That's it.

Edmead answered 26/11, 2011 at 18:12 Comment(1)
Hi! vtable_40194AE0 is not a struct in my case. It's the name of a field of the structure struc_4. - Hales
You can make a structure representing the vtable, declare the C types of its fields with Y (so they become typed function pointers), and turn the offset in the call [ecx+12] into an offset of that structure with T. This way, IDA will recognize the call's arguments.

In the structure representing the class, set the type of the vtable field to be a pointer to the vtable structure; then, if you're lucky, the decompiler will put things together and show the vtable structure's field name in the call instead of an offset.

Boaten answered 11/11, 2013 at 19:45 Comment(0)
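As an added example (not code from the answers above or from IDA itself), here are the two C declarations behind the procedure both answers describe: a vtable struct whose members are typed function pointers, and the class struct whose first member is a pointer to it. Pasting both into IDA's Local Types window (or loading them as a C header) is what lets the decompiler render the [ecx+12] call as a named slot. The function and field names are taken from the question's listing; the prototypes, the body of sub_686F7193, the padding up to field_3E8, and the fall-through return value of SignOn are assumptions, since the page does not show them. The value of E_UNEXPECTED is the standard COM HRESULT.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Standard COM HRESULT used by the question's pseudo-code. */
#define E_UNEXPECTED ((int32_t)0x8000FFFF)

struct struc_4; /* the class; forward declaration for the prototypes */

/* Vtable at 0x40194AE0: one typed function pointer per "dd offset" entry.
 * Prototypes are assumptions; only the names appear on the page. */
struct vtable_40194AE0 {
    int32_t (*InternalQueryInterface)(struct struc_4 *self, const void *riid, void **ppv);
    int32_t (*AddRef)(struct struc_4 *self);
    int32_t (*Release)(struct struc_4 *self);
    int32_t (*sub_40128EEE)(struct struc_4 *self, int a, int b); /* slot 3 = [ecx+12] on x86 */
    int32_t (*sub_40128F8C)(struct struc_4 *self);
    int32_t (*sub_4012C2E2)(struct struc_4 *self);               /* slot 5 */
};

/* The class struct. Typing the first member as a pointer to the vtable
 * struct is the "press Y" step from the answers. The padding is hypothetical;
 * it only places field_3E8 at offset 0x3E8 as the question's name implies. */
struct struc_4 {
    struct vtable_40194AE0 *vtable_40194AE0;
    uint8_t unknown[0x3E8 - sizeof(struct vtable_40194AE0 *)];
    int32_t field_3E8;
};

/* Stand-in for sub_686F7193, whose body is not on the page: returning 0
 * makes SignOn take the virtual-call branch. Constructed for the demo. */
static int sub_686F7193(struct struc_4 *self)
{
    (void)self;
    return 0;
}

/* SignOn as the decompiler renders it once the types above are applied:
 * the (*(*vtbl + 12))(...) dispatch becomes vtbl->sub_40128EEE(...).
 * The return value after the last if is assumed to be 0 (S_OK). */
int32_t SignOn(struct struc_4 *self)
{
    if (!self->vtable_40194AE0)
        return E_UNEXPECTED;
    self->field_3E8 = 0;
    if (!sub_686F7193(self))
        return self->vtable_40194AE0->sub_40128EEE(self, 0, 0);
    return 0;
}

/* Slot index of sub_40128EEE, independent of the host's pointer size.
 * Returns 3, matching the ";3" annotation in the question's listing. */
size_t slot_index_of_sub_40128EEE(void)
{
    return offsetof(struct vtable_40194AE0, sub_40128EEE) / sizeof(void (*)(void));
}

/* Constructed stub implementations so the dispatch can be exercised. */
static int32_t stub_qi(struct struc_4 *s, const void *r, void **p) { (void)s; (void)r; (void)p; return 0; }
static int32_t stub_ref(struct struc_4 *s) { (void)s; return 1; }
static int32_t stub_sub_40128EEE(struct struc_4 *s, int a, int b) { (void)s; return 0x1234 + a + b; }
static int32_t stub_other(struct struc_4 *s) { (void)s; return 0; }

static struct vtable_40194AE0 demo_vtable = {
    stub_qi, stub_ref, stub_ref, stub_sub_40128EEE, stub_other, stub_other
};

/* Object with a live vtable: SignOn should reach slot 3 and return 0x1234. */
int32_t demo_signon_dispatch(void)
{
    struct struc_4 obj = {0};
    obj.vtable_40194AE0 = &demo_vtable;
    return SignOn(&obj);
}

/* Object with a NULL vtable: SignOn should bail out with E_UNEXPECTED. */
int32_t demo_signon_null_vtable(void)
{
    struct struc_4 obj = {0};
    return SignOn(&obj);
}

int main(void)
{
    printf("slot index of sub_40128EEE: %zu\n", slot_index_of_sub_40128EEE());
    printf("SignOn with vtable:         0x%x\n", (unsigned)demo_signon_dispatch());
    printf("SignOn with NULL vtable:    0x%x\n", (unsigned)demo_signon_null_vtable());
    return 0;
}
```

The slot-index helper is the generalization worth keeping in mind: IDA's T command works in bytes, so on the 32-bit target in the question [ecx+12] is entry 3 (the fourth dd), while the same struct on a 64-bit binary would put that member at +24. Declaring the member with a real prototype, rather than a bare `void *`, is also what makes the decompiler recover the call's argument count.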

© 2022 - 2024 — McMap. All rights reserved.