Incorrect member used when `__offset` used for structure pointer

[op2786]

Version and Platform (required):

• Binary Ninja Version: 3.6.4774-dev, 20b49d1e
• OS: macos
• OS Version: 14.2
• CPU Architecture: arm64

Bug Description: In the second screenshot below GetProcAddress second parameter should be hook->func_name but instead of it BN uses hook->mod_name. In disassembly it uses func_name correctly but all other ILs uses mod_name.

There is also another bug there which probably from same root cause. As seen in disassembly 163e4cf0 uses tramboline member of the structure, but HLIL uses hook_func.

Steps To Reproduce: I don't know how to reproduce this in another binary but I found a way in order to reproduce it:

1. Open BN and create new binary data
2. Paste the following data as raw hex (Paste From -> Raw hex)

4883ec28803de163010000747748895c2430488d1ddfd20000488974243848897c242033ff8bf7660f1f840000000000488b4310488338007429488b4bf8ff15fca40000488b13488bc8ff1550a30000488bc8e81871000085c0752dffc783ff02740bffc64883c32083fe0472c2488b742438488b5c2430488b7c2420c60568630100004883c428c3488b05a8a600008038007401ccb951000000e8ce660000cc

3. Select linear view and create a windows-x86_64 function at offset 0
4. Now add the type below to the user types

struct hook_d
{
    char* mod_name;
    char* func_name;
    void** hook_func;
    void** tramboline;
};

5. Now change the type of variable at 00000012 to struct hook_d* __offset(hook_d, 0x8) hook.
6. This is what we should get:

Expected Behavior: I expect BN to use correct members of the structure.

Screenshots:

[xusheng6]

v35 folks should search springbuck suffusive rustles neoplastic benzine to find the binary