Copying REFramework's logic externally; not finding the correct name offset for an REField

[just-ero]

Hello,

I'm trying to copy REFramework's logic via external ReadProcessMemory calls on Resident Evil 7. In the environment I'm working in, I cannot declare proper structs to read, meaning I need to add field offsets manually. This is fine and works nearly correctly. Unfortunately, I don't appear to be able to find an REField's correct name offset. Simplified, my logic is the following:

// https://github.com/praydog/REFramework/blob/d4777c5e6fdcc35066dccf192c1a37f79aa26428/shared/sdk/REManagedObject.cpp#L361-L373
uintptr_t getObjInfo(uintptr_t reObject) {
  return Read<uintptr_t>(reObject + 0x00); // REObject.info
}

// https://github.com/praydog/REFramework/blob/d4777c5e6fdcc35066dccf192c1a37f79aa26428/shared/sdk/REManagedObject.cpp#L361-L373
uintptr_t getTypeDef(uintptr_t objInfo) {
  return Read<uintptr_t>(objInfo + 0x00); // REObjectInfo.classInfo
}

// https://github.com/praydog/REFramework/blob/d4777c5e6fdcc35066dccf192c1a37f79aa26428/shared/sdk/RETypeDefinition.cpp#L47-L72
uintptr_t getField(uintptr_t typeDef, uint32_t index) {
  auto tdb = getTdb(); // cached and 100% correct
  auto memberField = Read<uint32_t>(typeDef + 0x2C); // RETypeDefinition.member_field

  // 0x8 == sizeof(REField)
  return Read<uintptr_t>(tdb + 0x80) + 0x8 * (memberField + index); // RETypeDB.fields[RETypeDefinition.member_field + index]
}

// https://github.com/praydog/REFramework/blob/d4777c5e6fdcc35066dccf192c1a37f79aa26428/shared/sdk/RETypeDB.cpp#L232-L243
char* getFieldName(uintptr_t field) {
  auto tdb = getTdb();

  auto fieldImplId = Read<uint64_t>(field + 0x00) // REField.impl_id
    >> 18 & ((1 << 20) - 1); // uint64_t impl_id : 20

  // 0xC == sizeof(REFieldImpl)
  auto fieldImpl = Read<uintptr_t>(tdb + 0x88) + 0xC * fieldImplId; // RETypeDB.fieldsImpl[REField.impl_id]

  auto nameOffset = Read<uint32_t>(fieldImpl + 0x8) // REFieldImpl.name_offset
    >> 0 & ((1 << 30) - 1); // uint32_t name_offset : 30

  nameOffset &= getStringPoolBitmask();

  return getString(nameOffset);
}

// https://github.com/praydog/REFramework/blob/d4777c5e6fdcc35066dccf192c1a37f79aa26428/shared/sdk/RETypeDB.cpp#L181-L189
char* getString(uint32_t offset) {
  offset &= getStringPoolBitmask();

  if (offset >= getStringPoolSize())
    return nullptr;

  auto tdb = getTdb();

  return (char*)(Read<uintptr_t>(tdb + 0xC8) + offset); // RETypeDB->string_pool + offset
}

I can't see anything immediately wrong with my approach here, but the name offsets I'm receiving are incorrect.

If I manually add 0x2770 to the resulting nameOffset value I read, I consistently get the correct name for all of the fields. All of them, from every single type. What step did I miss?

[just-ero]

Y'know, maybe I should take it seriously when it says

char (*stringPool)[1]; // 0x00C8 + 8