Initial commit

.gitignore

@@ -0,0 +1,4 @@
+__pycache__
+*.egg-info
+.venv
+

.justfile

@@ -0,0 +1,7 @@
+test:
+  ruff check src/smgdc
+  mypy -p src
+
+format:
+  ruff check src --select I001 --fix
+  ruff format src/smgdc

README.md

@@ -0,0 +1,5 @@
+# smgdc
+
+SourceMod gamedata checker.
+
+Rewrite of a previous internal project.

pyproject.toml

@@ -0,0 +1,33 @@
+[project]
+name = "smgdc"
+description = "SourceMod gamedata checker and file generator"
+version = "0.0.1"
+
+dependencies = [
+    "angr == 9.2.99",
+    "itanium_demangler == 1.1",
+    "msgspec == 0.18.6",
+]
+
+requires-python = ">= 3.11"
+
+[project.scripts]
+smgdc = "smgdc.app:main"
+
+[project.optional-dependencies]
+dev = [
+    "mypy == 1.9.0",
+    "ruff == 0.4.0"
+]
+
+[build-system]
+build-backend = 'setuptools.build_meta'
+requires = [
+    'setuptools',
+]
+
+[tool.ruff]
+line-length = 96
+
+[tool.mypy]
+disable_error_code = ["import-untyped"]

src/smgdc/angr/__init__.py

@@ -0,0 +1,7 @@
+#!/usr/bin/python3
+
+from .vtable_disamb import VtableDisambiguator
+
+__all__ = [
+    "VtableDisambiguator",
+]

src/smgdc/angr/vtable_disamb.py

@@ -0,0 +1,157 @@
+#!/usr/bin/python3
+
+import collections
+import itertools
+from typing import Iterable
+
+import itanium_demangler as demangler
+from cle.backends.symbol import Symbol
+
+import angr
+
+from .. import demangler_helpers as dh
+
+
+def read_cstring(mem, addr, encoding="utf-8", chunk=16, **kwargs):
+    """unpacks a variable-length, zero-terminated string from the binary"""
+    try:
+        unpacker = itertools.takewhile(
+            lambda x: x > 0,
+            itertools.chain.from_iterable(
+                mem.load(addr + o, chunk) for o in itertools.count(0, chunk)
+            ),
+        )
+        return bytes(unpacker).decode(encoding, **kwargs)
+    except Exception:
+        pass
+    return ""
+
+
+class VtableDisambiguator(angr.Analysis):
+    syms_by_addr: dict[int, set[Symbol]]
+    subclass_map: dict[Symbol, set[Symbol]]
+    superclass_map: dict[Symbol, set[Symbol]]
+
+    def __init__(self):
+        self.loader = self.project.loader
+        self.memory = self.loader.memory
+        self.analyze()
+
+    def analyze(self):
+        self.syms_by_addr = collections.defaultdict(set)
+        vtable_syms = set()
+        for symbol in self.loader.symbols:
+            self.syms_by_addr[symbol.rebased_addr].add(symbol)
+            if symbol.name.startswith("_ZTV"):
+                vtable_syms.add(symbol)
+
+        # we associate a type with their subclasses so we can check them to disambiguate duplicates on the base
+        self.subclass_map = collections.defaultdict(set)
+        self.superclass_map = collections.defaultdict(set)
+
+        for vtsym in vtable_syms:
+            if vtsym.is_import:
+                continue
+
+            vt_typeinfo = self.memory.unpack_word(vtsym.rebased_addr + 0x4)
+            for typeinfo_ptr, typeinfo_name in self.dump_class_parents(vt_typeinfo):
+                svtsym = self.loader.find_symbol(f"_ZTV{typeinfo_name}")
+                if not svtsym:
+                    continue
+                self.subclass_map[svtsym].add(vtsym)
+                self.superclass_map[vtsym].add(svtsym)
+
+    def dump_class_parents(self, typeinfo_ptr: int):
+        """
+        Returns a list of mangled typenames in ascending order (towards base classes at the end).
+        This takes a pointer to the class's typeinfo structure.
+        """
+        # HACK: adjust offset by -8h for angr to resolve to the correct symbol
+        #       IDA indicates the offset is at sym+8h
+        #       lief seems to resolve this correctly without offsetting by -8h
+        if not typeinfo_ptr:
+            return
+        typeinfo_class_sym = self.loader.find_symbol(
+            self.memory.unpack_word(typeinfo_ptr) - 0x8
+        )
+        if not typeinfo_class_sym:
+            return
+
+        typeinfo_name = read_cstring(self.memory, self.memory.unpack_word(typeinfo_ptr + 0x04))
+        if typeinfo_class_sym.name == "_ZTVN10__cxxabiv120__si_class_type_infoE":
+            # single inheritance
+            nested_typeinfo_ptr = self.memory.unpack_word(typeinfo_ptr + 0x08)
+            yield (typeinfo_ptr, typeinfo_name)
+            yield from self.dump_class_parents(nested_typeinfo_ptr)
+        elif typeinfo_class_sym.name == "_ZTVN10__cxxabiv121__vmi_class_type_infoE":
+            # multiple inheritance
+            nested_typeinfo_ptr = self.memory.unpack_word(typeinfo_ptr + 0x10)
+            yield (typeinfo_ptr, typeinfo_name)
+            yield from self.dump_class_parents(nested_typeinfo_ptr)
+        elif typeinfo_class_sym.name == "_ZTVN10__cxxabiv117__class_type_infoE":
+            yield (typeinfo_ptr, typeinfo_name)
+        else:
+            raise ValueError("unknown typeinfo class", typeinfo_class_sym)
+
+    def resolve_ambiguous_vfn(
+        self, vtidx, ambig_fnsyms, related_vtsyms: Iterable[Symbol]
+    ) -> Symbol | None:
+        """
+        Resolves an ambiguous virtual function by attempting to match against symbols in related
+        classes' vtables.
+        """
+        # ambiguous function
+        # walk through vtables of subclasses to find matching prototype at the given position
+        # if unsuccessful, walk through parent classes containing the vtable
+        # returns the exact name of the symbol used for this function
+        funcsig_set = set()
+        for fnsym in ambig_fnsyms:
+            funcsig_set.add(dh.extract_method_signature(demangler.parse(fnsym.name)))
+
+        if len(funcsig_set) == 1:
+            # we only have one name-signature combination here
+            return set(ambig_fnsyms).pop()
+
+        rebased_fnsym_addrs = set(fnsym.rebased_addr for fnsym in ambig_fnsyms)
+
+        for fnsym in ambig_fnsyms:
+            funcsig = dh.extract_method_signature(demangler.parse(fnsym.name))
+            for svt in related_vtsyms:
+                # only check functions at the same index
+                subfn_addr = self.loader.fast_memory_load_pointer(
+                    svt.rebased_addr + 0x4 * (2 + vtidx)
+                )
+
+                if subfn_addr in rebased_fnsym_addrs:
+                    # skip vtable entries that call the same exact function
+                    continue
+
+                subfns = self.syms_by_addr.get(subfn_addr)
+                if not subfns:
+                    continue
+
+                for subfn in subfns:
+                    sub_funcsig = dh.extract_method_signature(demangler.parse(subfn.name))
+                    if funcsig != sub_funcsig:
+                        continue
+
+                    # we found a subclass with a name / prototype that matches the base class
+                    return fnsym
+        return None
+
+    def get_possible_vtable_set_candidates(self, vtsym, vtidx) -> Iterable[set[Symbol]]:
+        # Yield the ordered list of subclasses for the given class.
+        yield self.subclass_map[vtsym]
+
+        # It's possible that this class inherited a base version of a method that is specialized
+        # in a different part of the class hierarchy, so yield lists of subclasses of parents
+        # that include the vtable index too.
+        max_vtsize = 4 * (vtidx + 2)
+        for parent_vtsym in sorted(
+            filter(lambda vt: vt.size > max_vtsize, self.superclass_map[vtsym]),
+            key=lambda vt: vt.size,
+        ):
+            yield self.subclass_map[parent_vtsym]
+
+
+angr.analyses.AnalysesHub.register_default("VtableDisambiguator", VtableDisambiguator)

src/smgdc/app.py

@@ -0,0 +1,50 @@
+#!/usr/bin/python3
+
+import configparser
+import pathlib
+import struct
+
+import msgspec
+
+from .validate import (
+    ByteSignature,
+    Code,
+    GameConfDict,
+    IntLiteral,
+    LinuxBinary,
+    PlatformBinary,
+    WindowsBinary,
+    convert_types,
+)
+
+
+def main() -> None:
+    # TODO implement
+    p = pathlib.Path("tf2.gamedata.ini")
+
+    config = configparser.ConfigParser()
+    config.read(p)
+
+    entries = msgspec.convert(
+        {s: config[s] for s in config.sections()},
+        type=GameConfDict,
+        dec_hook=convert_types(ByteSignature, Code, IntLiteral, struct.Struct, pathlib.Path),
+    )
+
+    linux_target = LinuxBinary(pathlib.Path("server_srv.so"))
+    windows_target = WindowsBinary(pathlib.Path("server.dll"))
+
+    for name, entry in entries.items():
+        target: PlatformBinary = linux_target
+        if entry.target.suffix == ".dll":
+            target = windows_target
+
+        try:
+            for key, result in entry.process(target).items():
+                print(key.substitute(name=name), "=", result)
+        except Exception as e:
+            print(name, f"failed ({type(e)}):", e)
+
+
+if __name__ == "__main__":
+    main()

src/smgdc/demangler_helpers.py

@@ -0,0 +1,49 @@
+#!/usr/bin/python3
+
+# helper functions to extract information from a demangler AST
+#
+# the returned tuples are not well-defined, but is expected to be internally consistent
+# i.e. signatures from different classes should match
+
+import itanium_demangler as demangler
+
+
+def extract_method_classname(node) -> tuple[demangler.Node, ...]:
+    def _extract(node: demangler.Node):
+        match node:
+            case node if node.kind == "qual_name":
+                return node.value[:-1]
+        raise ValueError(f"Unexpected node {node!r}")
+
+    if node.kind == "func":
+        return _extract(node.name)
+
+    raise ValueError(f"{node} is not a function")
+
+
+def extract_method_fname(node: demangler.Node) -> tuple[demangler.Node, ...]:
+    # returns method name with any associated qualifiers
+    def _extract(node: demangler.Node):
+        match node:
+            case node if node.kind == "cv_qual":
+                return (node.qual, _extract(node.value))
+            case node if node.kind == "qual_name":
+                return (node.value[-1],)
+        raise ValueError(f"Unexpected node {node!r}")
+
+    if node.kind == "func":
+        return _extract(node.name)
+    elif node.kind == "nonvirt_thunk":
+        return _extract(node.value.name)
+
+    raise ValueError(f"{node} is not a function")
+
+
+def extract_method_signature(node: demangler.Node) -> tuple[demangler.Node, ...]:
+    # returns tuples describing the method name, argument types, and return type
+    # this is expected to strip the class name
+    if node.kind == "func":
+        return (extract_method_fname(node), node.arg_tys, node.ret_ty)
+    elif node.kind == "nonvirt_thunk":
+        return extract_method_signature(node.value)
+    raise ValueError(f"{node} is not a function")

src/smgdc/types.py

@@ -0,0 +1,69 @@
+#!/usr/bin/python3
+
+import ast
+import re
+
+
+class ByteSignature:
+    """
+    A sequence of hex bytes to be searched.
+    """
+
+    pattern: list[str]
+    expr: re.Pattern
+
+    def __init__(self, pattern):
+        self.pattern = pattern.split()
+
+        # creates escaped byte pattern with hex literals or wildcard as appropriate
+        self.expr = re.compile(
+            b"".join(
+                [re.escape(bytes([int(b, 16)])) if b != "??" else b"." for b in self.pattern]
+            ),
+            re.S,
+        )
+
+    @property
+    def display_str(self):
+        # render as a bracketed, space-delimited hex string where wildcard bytes are denoted with '??'
+        return f"[{' '.join(self.pattern)}]".lower()
+
+    @property
+    def gameconf_str(self):
+        # render as a SourceMod-style escaped string
+        return "".join(r"\x" + b.upper() if b != "??" else r"\x2A" for b in self.pattern)
+
+    @property
+    def length(self):
+        return len(self.pattern)
+
+    def __repr__(self):
+        return f"ByteSignature({self.display_str})"
+
+
+class Code:
+    """
+    A class to parse and execute Python code in a reduced (but not secure) environment.
+    """
+
+    code_ast: ast.AST
+
+    def __init__(self, v):
+        self.code_ast = ast.parse(v, mode="eval")
+
+    def eval(self, **locals):
+        code = compile(self.code_ast, "<CONFIG>", mode="eval")
+        return eval(code, None, locals)
+
+    def __str__(self):
+        return ast.unparse(self.code_ast)
+
+
+class IntLiteral(int):
+    """
+    Subclass of ``int`` that performs implicit conversion of integer values.  This allows
+    configuration using numeric literals in non-base-10 configurations, such as 0xAA.
+    """
+
+    def __new__(cls, *args, **kwargs):
+        return super(IntLiteral, cls).__new__(cls, *args, base=0)

src/smgdc/validate.py

@@ -0,0 +1,237 @@
+#!/usr/bin/python3
+
+import contextlib
+import enum
+import hashlib
+import io
+import itertools
+import mmap
+import pathlib
+import pickle
+import string
+import struct
+import typing
+
+import angr
+import msgspec
+
+from . import vtable as vt_helpers
+from .types import ByteSignature, Code, IntLiteral
+
+KEY_AS_IS = string.Template("${name}")
+
+
+def KEY_SUFFIX(s):
+    return string.Template(f"${{name}} [{s}]")
+
+
+# collection of functions that can be used during value read operations
+eval_functions = {
+    # truncate the given value to the given number of bits
+    # https://stackoverflow.com/a/53424236
+    "truncate": lambda val, num_bits: val & (2**num_bits - 1),
+}
+
+
+def convert_types(*types):
+    def _dec_hook(type: typing.Type, obj: typing.Any) -> typing.Any:
+        if type in types:
+            return type(obj)
+        raise NotImplementedError
+
+    return _dec_hook
+
+
+# entries may output multiple values, such as separate Windows / Linux vtable indices
+# or bytesigs + offsets
+ResultValues = dict[string.Template, typing.Any]
+
+
+class BaseBinary:
+    path: pathlib.Path
+    angr: angr.Project
+    _file: io.IOBase
+
+    def __init__(self, path: pathlib.Path, cache_path: pathlib.Path | None = None):
+        self.path = path
+        self._file = open(self.path, "rb")
+
+        file_hash = hashlib.sha256(self.path.read_bytes())
+        cached_proj = (cache_path or pathlib.Path()) / f"{file_hash.hexdigest()}.angr.pkl"
+        if not cached_proj.exists():
+            self.angr = angr.Project(self.path, load_options={"auto_load_libs": False})
+            cached_proj.write_bytes(pickle.dumps(self.angr))
+        else:
+            self.angr = pickle.loads(cached_proj.read_bytes())
+
+    @contextlib.contextmanager
+    def mmap(self):
+        mm = mmap.mmap(self._file.fileno(), 0, access=mmap.ACCESS_READ)
+        yield mm
+        mm.close()
+
+    def read(self, address, size) -> bytes:
+        # shorthand to read a value from a physical file
+        with self.mmap() as memory:
+            return memory[address : address + size]
+
+
+class WindowsBinary(BaseBinary):
+    def __init__(self, path: pathlib.Path, cache_path: pathlib.Path | None = None):
+        super().__init__(path, cache_path)
+
+
+class LinuxBinary(BaseBinary):
+    def __init__(self, path: pathlib.Path, cache_path: pathlib.Path | None = None):
+        super().__init__(path, cache_path)
+
+
+PlatformBinary = WindowsBinary | LinuxBinary
+
+
+class NumericOutputFormat(enum.StrEnum):
+    INT = "int"
+    HEX = "hex"
+    HEX_SUFFIX = "hex_suffix"
+
+    def format_value(self, value) -> str:
+        if self == NumericOutputFormat.HEX:
+            return hex(value)
+        elif self == NumericOutputFormat.HEX_SUFFIX:
+            return f"{value:X}h"
+        raise NotImplementedError(f"Missing numeric output for {self.value}")
+
+
+class BaseEntry(msgspec.Struct, kw_only=True):
+    # the partial path pointing to a binary
+    target: pathlib.Path
+
+    def process(self, bin: PlatformBinary) -> ResultValues:
+        raise NotImplementedError(f"Cannot process {type(self).__qualname__}")
+
+
+class LocationEntry(BaseEntry):
+    symbol: str | None = None
+    offset: IntLiteral = IntLiteral("0")
+    bytescan: ByteSignature | None = None
+
+    offset_fmt: NumericOutputFormat = NumericOutputFormat.HEX
+
+    def __post_init__(self):
+        if self.bytescan:
+            return
+        if self.symbol:
+            return
+        raise ValueError("Missing location anchor (expected either 'bytescan' or 'symbol')")
+
+    def calculate_phys_address(self, bin: PlatformBinary) -> int:
+        # returns the physical offset within the file
+        if self.bytescan:
+            with bin.mmap() as memory:
+                matches = self.bytescan.expr.finditer(memory)
+                match = next(matches, None)
+                if match:
+                    return match.start() + self.offset
+                else:
+                    raise AssertionError(
+                        "No matches found for 'bytescan' value " f"{self.bytescan.display_str}"
+                    )
+        sym = bin.angr.loader.find_symbol(self.symbol)
+        if not sym:
+            raise AssertionError("Could not find symbol {self.symbol}")
+        offset = bin.angr.loader.main_object.addr_to_offset(sym.rebased_addr + self.offset)
+        assert offset
+        return offset
+
+
+class VirtualFunctionEntry(BaseEntry, tag="vfn"):
+    # linux-specific entry that takes a symbol and returns values for Windows / Linux
+    symbol: str
+    typename: str | None = msgspec.field(name="vtable", default=None)
+
+    def __post_init__(self):
+        raise ValueError("Missing vfn?")
+
+    @property
+    def typename_from_symbol(self):
+        if not self.symbol.startswith("_ZN"):
+            return
+        start_range = 3
+        if self.symbol.startswith("_ZNK"):
+            start_range = 4
+
+        # this only handles the simple case of a non-template classname
+        int_prefix = "".join(itertools.takewhile(str.isdigit, self.symbol[start_range:]))
+        chars_to_read = int(int_prefix)
+
+        end_range = start_range + len(int_prefix) + chars_to_read
+        if not self.symbol[end_range].isdigit():
+            raise ValueError(f"Could not parse function symbol {self.symbol} into a type name")
+        return self.symbol[start_range:end_range]
+
+    def process(self, bin: PlatformBinary) -> ResultValues:
+        # returns windows and linux vtable offsets
+        # TODO: implement
+        assert isinstance(bin, LinuxBinary)
+        self.typename = self.typename or self.typename_from_symbol
+        vtda = bin.angr.analyses.VtableDisambiguator()
+        vtsym = bin.angr.loader.find_symbol(f"_ZTV{self.typename}")
+        if not vtsym:
+            raise ValueError(f"Could not find vtable symbol _ZTV{self.typename}")
+        orig_vtable, *thunk_vtables = vt_helpers.get_vtables_from_address(bin, vtda, vtsym)
+        win_vtable = vt_helpers.get_windows_vtables_from(bin, vtda, vtsym)
+
+        sym = bin.angr.loader.find_symbol(self.symbol)
+        return {
+            KEY_SUFFIX("LINUX"): orig_vtable.index(sym) if sym in orig_vtable else None,
+            KEY_SUFFIX("WINDOWS"): win_vtable.index(sym) if sym in win_vtable else None,
+        }
+
+
+class ByteSigEntry(LocationEntry, tag="bytesig", kw_only=True):
+    # value to be inserted into gameconf after asserting that the given location matches
+    contents: ByteSignature
+
+    # most bytesigs are expected to be unique; escape hatch for those that are just typecasted
+    allow_multiple: bool = False
+
+    def process(self, bin: PlatformBinary) -> ResultValues:
+        with bin.mmap() as memory:
+            matches = self.contents.expr.finditer(memory)
+            match = next(matches, False)
+            if not match:
+                # no matches found at all, fail validation
+                raise AssertionError(f"No matches found for {self.contents.display_str}")
+            if not self.allow_multiple and next(matches, False):
+                # non-unique byte pattern, fail validation
+                raise AssertionError(f"Multiple matches found for {self.contents.display_str}")
+            return {
+                KEY_AS_IS: self.contents.gameconf_str,
+            }
+
+
+class ValueReadEntry(LocationEntry, tag="value", kw_only=True):
+    # value to decode at a given symbol / offset
+    struct: struct.Struct
+    assert_stmt: Code | None = msgspec.field(default=None, name="assert")
+    modify_stmt: Code | None = msgspec.field(default=None, name="modify")
+
+    def process(self, bin: PlatformBinary) -> ResultValues:
+        address = self.calculate_phys_address(bin)
+        data = bin.read(address, self.struct.size)
+        result, *_ = self.struct.unpack(data)
+
+        if self.modify_stmt:
+            result = self.modify_stmt.eval(value=result)
+
+        # run assertion to ensure value is expected
+        if self.assert_stmt and not self.assert_stmt.eval(value=result, **eval_functions):
+            raise AssertionError(f"Assertion failed: '{self.assert_stmt}' for value {result}")
+        return {
+            KEY_AS_IS: result,
+            KEY_SUFFIX("OFFSET"): self.offset_fmt.format_value(self.offset),
+        }
+
+
+ConfigEntry = typing.Union[VirtualFunctionEntry, ByteSigEntry, ValueReadEntry]
+GameConfDict = dict[str, ConfigEntry]

src/smgdc/vtable.py

@@ -0,0 +1,132 @@
+#!/usr/bin/python3
+
+# vtable helpers
+# this should probably be cleaned up and moved somewhere else
+
+import collections
+import itertools
+import operator
+import typing
+
+import itanium_demangler
+from cle.backends.symbol import Symbol
+
+from . import demangler_helpers as dh
+from .angr import VtableDisambiguator
+
+if typing.TYPE_CHECKING:
+    from .validate import LinuxBinary
+
+VTable = list[Symbol]
+
+# hotfix for demangler
+itanium_demangler._is_ctor_or_dtor = itanium_demangler.is_ctor_or_dtor
+
+
+def reorder_vfns_windows_estimate(symbols: list[Symbol], start_pos) -> list[Symbol]:
+    name_buckets = collections.defaultdict(list)
+    for n, symbol in enumerate(symbols):
+        # collect overrides into buckets based on function name
+        dmsym = itanium_demangler.parse(symbol.name)
+        if dmsym:
+            name_buckets[dh.extract_method_fname(dmsym)].append(symbol)
+        else:
+            # hack for __cxa_pure_virtual
+            name_buckets[(dmsym, n)].append(symbol)
+
+    output_symbols: list[Symbol] = []
+    for fname, syms in name_buckets.items():
+        # on windows, overloads are made consecutive and in reverse of declared order
+        # iteration order is guaranteed as of 3.7+ to be the insertion order,
+        # so this should output symbols otherwise in their original order
+        output_symbols.extend(reversed(syms))
+
+    return output_symbols
+
+
+def get_windows_vtables_from(
+    bin: "LinuxBinary", vtda: VtableDisambiguator, vt: Symbol
+) -> VTable:
+    vt_typeinfo = bin.angr.loader.memory.unpack_word(vt.rebased_addr + 0x4)
+
+    vt_parent_spans = [1]
+    for typeinfo_ptr, name in reversed(list(vtda.dump_class_parents(vt_typeinfo))):
+        vt_parent = bin.angr.loader.find_symbol(f"_ZTV{name}")
+        if not vt_parent:
+            continue
+        vt_first, *_ = get_vtables_from_address(bin, vtda, vt_parent)
+        vt_parent_spans.append(len(vt_first))
+
+    vt_first, *vt_others = get_vtables_from_address(bin, vtda, vt)
+    thunk_fns = set()
+    for vt_other in vt_others:
+        for sym in vt_other:
+            dmsym = itanium_demangler.parse(sym.name)
+            if dmsym.kind == "nonvirt_thunk":
+                thunk_fns.add(dh.extract_method_signature(dmsym))
+
+    vt_out = []
+    for vt_low, vt_high in itertools.pairwise(vt_parent_spans):
+        # we can only reorder overloads within the class they were initially specified
+        # e.g. CTFPlayer's ChangeTeam cannot be merged with CBaseEntity's
+        class_vfns = []
+
+        for sym in vt_first[vt_low:vt_high]:
+            # filter MI thunks
+            dmsym = itanium_demangler.parse(sym.name)
+            if dmsym:
+                # __cxa_pure_virtual hits this
+                if (
+                    not itanium_demangler.is_ctor_or_dtor(dmsym)
+                    and dh.extract_method_signature(dmsym) in thunk_fns
+                ):
+                    continue
+            class_vfns.append(sym)
+        vt_out.extend(reorder_vfns_windows_estimate(class_vfns, vt_low))
+
+    return vt_out
+
+
+def get_vtables_from_address(
+    bin: "LinuxBinary", vtda: VtableDisambiguator, vt: Symbol
+) -> list[VTable]:
+    # returns a list of vtables for each vtable present on the class
+    VTableFunction = collections.namedtuple("VTableFunction", "tblidx sym")
+
+    table_index = 0
+    function_list: list[VTableFunction] = []
+    addr_range = iter(range(vt.rebased_addr, vt.rebased_addr + vt.size, 4))
+    for n, addr in enumerate(addr_range):
+        # get symbols that map to that address
+        deref = bin.angr.loader.fast_memory_load_pointer(addr)
+        # assert deref
+        fnsyms = set(vtda.syms_by_addr.get(deref) or set())
+        if not fnsyms:
+            # vtable boundary
+            table_index += 1
+            next(addr_range)  # consume typeinfo
+            continue
+
+        if len(fnsyms) == 1 or not function_list:
+            function_list.append(VTableFunction(table_index, fnsyms.pop()))
+            continue
+        elif len(fnsyms) > 1:
+            # function in vtable is referenced by multiple names; perform disambiguation
+            matched_overload = None
+            for related in vtda.get_possible_vtable_set_candidates(vt, n):
+                matched_overload = vtda.resolve_ambiguous_vfn(n, fnsyms, related)
+                if matched_overload:
+                    break
+
+            # it's possible that the other function(s) is/are resolveable.
+            # without doing multiple passes and saving the disambiguity somewhere it'll be difficult to match
+
+            if matched_overload:
+                function_list.append(VTableFunction(table_index, matched_overload))
+                continue
+        function_list.append(VTableFunction(table_index, None))
+
+    return [
+        list(vfn.sym for vfn in vtbl)
+        for tblidx, vtbl in itertools.groupby(function_list, key=operator.attrgetter("tblidx"))
+    ]