Ryan-rsm-McKenzie / CommonLibSSE

A reverse engineered library for hacking Skyrim Special Edition

How to find class vtables using RTTI addresses in database?

nbilling opened this issue · comments

It seems like one would be able to use the class RTTI ids to get an address inside that class's TypeDescriptor and then read the corresponding vtable address from it. When I try this I get what looks like bogus vtable addresses, and in fact all of the pointers to function pointers in between the ".?AVxxx" mangled names in SkyrimSE.exe appear to be the same.

This is with me trying something like:
(reinterpret_cast<RE::msvc::type_info*>(RE::RTTI_PlayerCharacter.address()))->_vftable  // cast the address first, then read the first field

This is consistent with what I see when I inspect the same bits of memory in SkyrimSE.exe, e.g. in Ghidra. So, I'm not suggesting anything is broken or wrong, but I'm very curious how one would use the RTTI offsets in the db together with the CommonLibSSE utilities to find any particular vtable. Am I doing this entirely wrong and I'm meant to use the RTTI offsets for something else entirely?

Hi, I'd recommend you read this article if you would like to learn more about rtti and how it works. However, it seems unlikely that you actually need to find arbitrary references to vtables using the rtti. It sounds like you are a bit misguided.

Thanks for that link! I'm curious why you say I don't need to use the RTTI to find references to the vtables. Is that because there's a different way to find the addresses of virtual functions using CommonLibSSE, or because I should be using a more straightforward approach to reversing the C++ in SkyrimSE.exe in the first place (e: if it's the latter then that's fair enough, I don't mean to sound like I'm asking for an explanation of things unrelated to CommonLibSSE)? Apologies if I'm asking dumb questions, I mean well :)

vtables are embedded within objects. If you need to invoke a virtual method, then you can do so with an instance of the object. If you want to find vtables during static analysis, then I would recommend you use IDA pro.

I think I figured out how I've confused myself. The docs for the TypeDescriptor struct that I found noted that the first field ("pvftable") was a pointer to the type_info class vtable, and I misunderstood that to be the vtable of the class for which this (struct) is the type_info. Of course it actually means it is a pointer to the vtable of the class named "type_info", and this explains why every instance of it I found had the same pointer inside.

Thanks for the very practical advice of looking inside an instance. I started down this rabbit hole because I couldn't contrive any experiment to get a reference to a child of Projectile while live debugging. Anyway, sorry for the diversion here. You gave me good advice despite my confusion.

e: One clarification, in this case I'm not trying to find the vtable so I can call a virtual function, I'm trying to find it so that I can hook the function. I don't think that matters to the discussion though.
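The thread above makes three points that are easy to check in a few lines: a class's vtable is reached from an instance (its first word), every type_info/TypeDescriptor begins with the same pointer because that word is type_info's own vtable, and a slot can be hooked through an instance rather than through the RTTI. The following C++ is an added example written for this page, not code from CommonLibSSE, from the game, or from either participant. `Projectile`, `Arrow`, `Actor` and the helper names are constructed for the demo, and the hooking technique shown (copying an instance's vtable into writable memory, patching a slot, and repointing that instance at the copy) is a generic per-instance hook, not the library's own hooking helpers. It runs on both the MSVC and the Itanium (GCC/Clang) ABI: on both, the vtable pointer points at slot 0, and the RTTI pointer (MSVC's CompleteObjectLocator, which leads to the ".?AV..." TypeDescriptor; Itanium's typeinfo pointer) sits at slot -1, which is why going from a vtable to its RTTI is cheap and the reverse is not.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <memory>
#include <typeinfo>

// Demo hierarchy, constructed for this example (not a game or CommonLibSSE type).
// The virtual destructor is declared last so that slots 0 and 1 are damage() and
// name() on both the MSVC and the Itanium ABI (Itanium gives the destructor two slots).
struct Projectile {
    virtual int damage() const { return 10; }
    virtual const char* name() const { return "Projectile"; }
    virtual ~Projectile() = default;
};
struct Arrow : Projectile {
    int damage() const override { return 25; }
    const char* name() const override { return "Arrow"; }
};
struct Actor {  // a second root polymorphic class, used only for the type_info comparison
    virtual ~Actor() = default;
};

// The first pointer-sized word of any polymorphic object is its vtable pointer, and it
// points at slot 0 of the vtable. MSVC keeps the CompleteObjectLocator pointer (the path
// to the TypeDescriptor) at slot -1; Itanium keeps the typeinfo pointer there.
static std::uintptr_t read_vptr(const void* obj) {
    std::uintptr_t v;
    std::memcpy(&v, obj, sizeof v);
    return v;
}
static void write_vptr(void* obj, std::uintptr_t v) { std::memcpy(obj, &v, sizeof v); }

// Why every TypeDescriptor starts with the same pointer: a std::type_info is itself a
// polymorphic object, so its first word is type_info's vtable, not the described class's.
// (Two root classes are compared because libstdc++ uses a different type_info subclass,
// with its own vtable, for single-inheritance classes such as Arrow.)
static bool type_info_vptrs_are_shared() {
    Projectile p;
    return read_vptr(&typeid(Projectile)) == read_vptr(&typeid(Actor)) &&
           read_vptr(&typeid(Projectile)) != read_vptr(&p);
}

// Instances of one class share a vtable; a base and a derived class do not.
static bool vptr_is_per_class() {
    Arrow a1, a2;
    Projectile p;
    return read_vptr(&a1) == read_vptr(&a2) && read_vptr(&a1) != read_vptr(&p);
}

// Hooking a slot without touching the read-only original vtable: copy the slots into
// writable memory, patch one, and point this instance at the copy. kSlots covers damage,
// name and up to two destructor entries so the copy is complete; it must outlive the
// object, so the caller owns the VtableHook.
constexpr std::size_t kSlots = 4;
constexpr std::size_t kDamageSlot = 0;
using DamageFn = int (*)(const Projectile*);  // this-pointer first, as x86-64 passes it

struct VtableHook {
    std::uintptr_t copy[kSlots];
    std::uintptr_t original_vptr = 0;
    DamageFn original_damage = nullptr;
};

static DamageFn g_original_damage = nullptr;
static int hooked_damage(const Projectile* self) { return g_original_damage(self) * 2; }

static void install_damage_hook(Projectile* target, DamageFn thunk, VtableHook& h) {
    h.original_vptr = read_vptr(target);
    std::memcpy(h.copy, reinterpret_cast<const void*>(h.original_vptr), sizeof h.copy);
    h.original_damage = reinterpret_cast<DamageFn>(h.copy[kDamageSlot]);
    g_original_damage = h.original_damage;
    h.copy[kDamageSlot] = reinterpret_cast<std::uintptr_t>(thunk);
    write_vptr(target, reinterpret_cast<std::uintptr_t>(h.copy));
}
static void remove_hook(Projectile* target, const VtableHook& h) {
    write_vptr(target, h.original_vptr);
}

static Projectile* make_arrow() { return new Arrow; }

// Returns the damage a virtual call observes, with or without the hook installed.
static int run_hook_demo(bool install) {
    Projectile* (*volatile make)() = &make_arrow;  // opaque to the optimizer: p->damage() stays a vtable call
    std::unique_ptr<Projectile> p(make());
    VtableHook h{};
    if (install) install_damage_hook(p.get(), &hooked_damage, h);
    int d = p->damage();
    if (install) remove_hook(p.get(), h);  // restore before the destructor runs through the vptr
    return d;
}

int main() {
    std::printf("type_info vptrs shared: %d\n", type_info_vptrs_are_shared());
    std::printf("vptr per class: %d\n", vptr_is_per_class());
    std::printf("Arrow damage unhooked=%d hooked=%d\n", run_hook_demo(false), run_hook_demo(true));
    return 0;
}
```

The per-instance copy is the safe way to experiment: it never writes to the executable's vtable pages, so no page-protection change is needed and other instances of the class are unaffected. Hooking every instance at once means patching the real vtable slot instead, which is the same slot arithmetic applied to the address read from any live instance, plus making that page writable first.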