
Is it possible in IDA Pro to make a struct field an offset to a vtable which is defined in the .data segment?


Here is what I want to achieve. I identified a class which I defined as a struct to store class data. One of the methods of the class uses a class field as if it's a pointer to a vtable.

int __thiscall SignOn(struc_4 *this)
{
  v1 = this;
  if ( !v1->vtable_40194AE0 )
    return E_UNEXPECTED;
  v1->field_3E8 = 0;
  if ( !sub_686F7193(v1) )
    return (*(*v1->vtable_40194AE0 + 12))(v1->vtable_40194AE0, 0, 0); // sub_40128EEE
}

As you can see, it calls the 3rd function from the vtable. At run time I identified that vtable_40194AE0 points to an array in the .data section which looks like this:

off_40194AE0    dd offset InternalQueryInterface
                dd offset AddRef
                dd offset Release
                dd offset sub_40128EEE  ; 3
                dd offset sub_40128F8C
                dd offset sub_4012C2E2  ; 5

Is there a way to somehow tell IDA that vtable_40194AE0 always points to the vtable at 0x40194AE0, so that the given call in the pseudo-code will look like

return vtable_40194AE0->sub_40128EEE(v1->vtable_40194AE0, 0, 0);

?

I tried to set vtable_40194AE0 of the structure to be "user-defined offset" but it doesn't help :(

Thanks a lot!


Solution

  • To my knowledge, no. IDA structs are merely provided to make the process of visualizing disassembled data easier. The most you can do is comment the call site to identify the actual virtual function being called.
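
The call from the question, modeled in C as an added example (not code from the original post or from IDA): it takes the decompiled expression literally, so the field is dereferenced once to reach the table, and it shows the raw-offset call and the typed member call landing on the same slot. The `Iface`/`IfaceVtbl` names, the common slot signature and the stub functions are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define TARGET_PTR_SIZE 4u  /* each `dd` entry in the listing is 4 bytes */

typedef struct Iface Iface;
typedef int (*slot_fn)(Iface *self, int a, int b);  /* assumed signature for every slot */

/* Typed view of the table at off_40194AE0, slots in the order the listing shows. */
typedef struct IfaceVtbl {
    slot_fn InternalQueryInterface, AddRef, Release;
    slot_fn sub_40128EEE, sub_40128F8C, sub_4012C2E2;
} IfaceVtbl;

struct Iface   { const IfaceVtbl *vtbl; };  /* first member is the table pointer */
struct struc_4 { Iface *vtable_40194AE0; int field_3E8; };

/* Constructed stand-ins for the real functions: each returns its slot number. */
#define STUB(n) static int s##n(Iface *o, int a, int b) { (void)o; (void)a; (void)b; return n; }
STUB(0) STUB(1) STUB(2) STUB(3) STUB(4) STUB(5)

/* Constructed sample object graph: this -> interface object -> table. */
static const IfaceVtbl g_vtbl = { s0, s1, s2, s3, s4, s5 };
static Iface g_obj = { &g_vtbl };
static struct struc_4 g_this = { &g_obj, 0 };

/* Byte offset as printed in the pseudo-code -> slot index on the 32-bit target. */
size_t slot_index(size_t target_byte_off) { return target_byte_off / TARGET_PTR_SIZE; }

/* Untyped form: (*(*field + off))(field, 0, 0), rescaled to the host pointer size. */
int call_raw(struct struc_4 *v1, size_t target_byte_off)
{
    Iface *obj = v1->vtable_40194AE0;
    slot_fn fn;
    memcpy(&fn, (const char *)obj->vtbl + slot_index(target_byte_off) * sizeof fn, sizeof fn);
    return fn(obj, 0, 0);
}

/* Typed form: the same call once the table has a struct type with named slots. */
int call_typed(struct struc_4 *v1)
{
    Iface *obj = v1->vtable_40194AE0;
    return obj->vtbl->sub_40128EEE(obj, 0, 0);
}

int main(void) { return call_raw(&g_this, 12) == call_typed(&g_this) ? 0 : 1; }
```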