Bind non-direct infrastructure collection helpers

2026-04-18 13:41:21 -07:00 · 2026-04-18 13:41:21 -07:00 · 647c0e9265
commit 647c0e9265
parent cf2e6cb6ad
3 changed files with 32 additions and 5 deletions
--- a/docs/rehost-queue.md
+++ b/docs/rehost-queue.md
@ -55,8 +55,12 @@ Working rule:
  `0x38a5/0x38a6/0x38a7`, and it feeds each live infrastructure record straight into
  `0x0048dcf0` after restoring one shared owner-local dword into the `0x90/0x94` lane. So the
  remaining infrastructure question is no longer whether `0x38a5` reaches the child-stream restore
-  path at all; it is which exact rows or compact-prefix regimes map to the child count, saved
-  primary-child ordinal, and per-child `+0x40` payload callbacks inside that direct path.
+  path at all. Direct disassembly now also shows `0x00518140` resolving a non-direct live entry by
+  tombstone bitset and then returning the first dword of a `12`-byte row from `[collection+0x3c]`,
+  while `0x00518680` loads that non-direct table family before `0x00493be0` starts iterating. So
+  the next infrastructure question is which fields inside those `12`-byte live-entry rows map to
+  the child count, saved primary-child ordinal, and per-child `+0x40` payload callbacks inside
+  that direct path.
 - The child loader identity is closed now too: local `.rdata` at `0x005cfd00` proves the
  `Infrastructure` child vtable uses the shared tagged callback strip directly, with
  `+0x40 = 0x00455fc0`, `+0x48 = 0x00455870`, and `+0x4c = 0x00455930`. So the remaining