在IDA Pro中是否可以将一个结构体字段偏移到.data段中定义的vtable？ [英] Is it possible in IDA Pro to make a struct field offset to vtable which is defined in .data segment?

查看：781 发布时间：2016/12/18 18:25:21 com reverse-engineering vtable disassembler ida

本文介绍了在IDA Pro中是否可以将一个结构体字段偏移到.data段中定义的vtable？的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

这里是我想要实现的。我识别了一个类，我定义为一个结构来存储类数据。类的方法之一使用类字段，就像它是指向vtable的指针。

  int __thiscall SignOn（struc_4 * this） 
 {
 v1 = this; 
 if（！v1-> vtable_40194AE0）
 return E_UNEXPECTED; 
 v1-> field_3E8 = 0; 
 if（！sub_686F7193（v1））
 return（*（* v1-> vtable_40194AE0 + 12））（v1-> vtable_40194AE0,0,0） // sub_40128EEE 
}

正如你所看到的，它从vtable调用3rd函数。在运行时，我发现vtable_40194AE0指向.data节的数组，看起来像这样

  off_40194AE0 dd offset InternalQueryInterface 
 dd offset AddRef 
 dd offset发布
 dd偏移sub_40128EEE; 3 
 dd偏移sub_40128F8C 
 dd偏移sub_4012C2E2;有没有办法告诉IDA vtable_40194AE0总是指向vtable在0x40194AE0所以给予调用伪代码将看起来像
  return vtable_40194AE0-> sub_40128EEE（v1-> vtable_40194AE0,0,0）; 
  
？
 
 
 我试图设置vtable_40194AE0的结构是用户定义的偏移，但它不帮助：（
 
 
 非常感谢！
 
Here is what I want to achieve. I identified a class which I defined as a struct to store class data. One of the methods of the class uses class-field as if it's pointer to vtable.
int __thiscall SignOn(struc_4 *this)
{
  v1 = this;
  if ( !v1->vtable_40194AE0 )
    return E_UNEXPECTED;
  v1->field_3E8 = 0;
  if ( !sub_686F7193(v1) )
    return (*(*v1->vtable_40194AE0 + 12))(v1->vtable_40194AE0, 0, 0); // sub_40128EEE
}
As you can see it calls 3rd function from vtable. In run-time I identified that vtable_40194AE0 points to array in .data section which looks like this
off_40194AE0    dd offset InternalQueryInterface
                dd offset AddRef
                dd offset Release
                dd offset sub_40128EEE  ; 3
                dd offset sub_40128F8C
                dd offset sub_4012C2E2  ; 5
Is there a way to tell somehow IDA that vtable_40194AE0 always points to vtable at 0x40194AE0 so given call in the pseudo-code will look like
return vtable_40194AE0->sub_40128EEE(v1->vtable_40194AE0, 0, 0);
?

I tried to set vtable_40194AE0 of the structure to be "user-defined offset" but it doesn't help :(

Thanks a lot !
 解决方案 
To my knowledge, no. IDA structs are merely provided to make the process of visualizing disassembled data easier. The most you can do is comment the call site to identify the actual virtual function being called.

                        这篇关于在IDA Pro中是否可以将一个结构体字段偏移到.data段中定义的vtable？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！
                        
                    
                    
                        查看全文

在IDA Pro中是否可以将一个结构体字段偏移到.data段中定义的vtable？ [英] Is it possible in IDA Pro to make a struct field offset to vtable which is defined in .data segment?

问题描述

相关文章

.NET组件控件最新文章

热门教程

热门工具

登录关闭

在IDA Pro中是否可以将一个结构体字段偏移到.data段中定义的vtable？ [英] Is it possible in IDA Pro to make a struct field offset to vtable which is defined in .data segment?

问题描述

相关文章

.NET组件控件最新文章

热门教程

热门工具

登录 关闭

登录关闭