Address Registry
Every critical offset identified across 14 rounds, keyed by module-relative address (RVA) for stability across ASLR and builds. The IDA VA column gives each address rebased to the canonical imagebase 0x7FF925E50000 (IDA VA = imagebase + RVA) for direct IDB cross-reference.
Live virtual addresses are deliberately omitted: they are session-specific.
Module
| RVA | Name | IDA VA |
|---|---|---|
| — | d2r_loader.dll imagebase (IDB) | 0x7FF925E50000 |
Synthetic IAT
| RVA | Name | IDA VA |
|---|---|---|
| 0x1DAE190 | Synthetic IAT thunk table (248 entries) | 0x7FF927BFE190 |
| 0x22B1000 | Encrypted IDD blob | 0x7FF928101000 |
| 0x22B1376 | Plaintext canary name table | 0x7FF928101376 |
| 0x22B19A0 | RVA index / DLL marker table | 0x7FF9281019A0 |
| 0x22B1A70 | Runtime IID table (39 DLL canaries) | 0x7FF928101A70 |
| — | Trampoline arena (runtime heap, VirtualAlloc RWX→RX); ASLR-allocated, discovered via thunk-pointer chase | — |
Broker slots
| RVA | Name | IDA VA |
|---|---|---|
| 0x488CC0 | Aegis callback slot (host-side token) | 0x7FF927CD8CC0 |
| 0x488CC8 | Warden callback slot (host-side token) | 0x7FF927CD8CC8 |

The two columns do not reconcile for these rows: 0x7FF925E50000 + 0x488CC0 = 0x7FF9262D8CC0, whereas the listed IDA VA implies RVA 0x1E88CC0 (in the same BSS range as the Globals entries). One of the two values is a transcription error; confirm against the IDB before relying on either.
Functions
| RVA | Name | IDA VA |
|---|---|---|
| 0x1F2AF0 | eidolon_iat_resolver_per_dll | 0x7FF926042AF0 |
| 0x1721DD0 | iat_resolver_outer_wrapper (per-DLL loop, CRT new[]) | 0x7FF927571DD0 |
| 0x1207340 | MBA mixer (per-round, called 6×) | 0x7FF927057340 |
| 0xEBF7D0 | IDD secret-qword decoder | 0x7FF926D0F7D0 |
| 0x693480 | MD5 block/finalize driver (CFF) | 0x7FF9264E3480 |
| 0x1D15F90 | MD5_Transform round-1 unrolled | 0x7FF927B65F90 |
| 0xC7C6F0 | PEB.Ldr walker + FNV-1a export resolver | 0x7FF926AC86F0 |
| 0x6124A0 | CFF megadispatcher (405 KB) | 0x7FF9264624A0 |
| 0x19203C0 | CFF megacaller (6 triples) | 0x7FF9277703C0 |
| 0x11E8110 | Fiber-entry thunk (pure megacaller tail-call, NOT a validator — R15) | 0x7FF927038110 |
| 0x143E960 | btel::ResponseProcessor ctor (CFF) — was phantom "VEH sibling B" (R15) | 0x7FF92728E960 |
| 0x12DF2F0 | .eid decrypt orchestrator candidate (2× NtProtectVirtualMemory, iterates 0x38-byte records) (R15) | 0x7FF92712F2F0 |
| 0x1B07770 | init-barrier wait-event one-shot (formerly "periodic watcher") (R15) | 0x7FF927957770 |
| 0x21BB000 | Top emitter-pattern candidate page inside .eid (R15 probe C): 8× rep stosb, 13× call rel32; follow-up disassembly target | — |
Exception handling
| RVA | Name | IDA VA |
|---|---|---|
| 0xE9FDA0 | OS-registered VEH wrapper | 0x7FF926CEFDA0 |
| 0x143D200 | VEH inner dispatcher (demultiplexer only) | 0x7FF92728D200 |
| 0x222B40 | UEH: warden_emit_exception_event | 0x7FF926072B40 |
| 0x1614BC0 | VEH installer (via synthetic IAT) | 0x7FF927464BC0 |
| 0x11F3B00 | Synthetic-IAT dispatcher CFF | 0x7FF927043B00 |
Kill paths
| RVA | Name | IDA VA |
|---|---|---|
| 0xAA1140 | Panic stub (ORPHAN — no static callers) | 0x7FF9268F1140 |
| 0x976B70 | Path A: VEH-fatal → TerminateProcess | 0x7FF9267C6B70 |
| 0xDF7950 | Path B: fingerprint-fail kill (8 callers) | 0x7FF926C47950 |
| 0xF97590 | Path C: VM-init integrity kill | 0x7FF926DE7590 |
| 0x4FC720 | Exit-code formatter | 0x7FF92634C720 |
Anti-debug
| RVA | Name | IDA VA |
|---|---|---|
| 0xDBCF80 | ZwQueryInformationProcess ProcessDebugPort probe | 0x7FF926C0AF80 |
| 0x380E00 | antidbg_drread_block_d (HW-BP detect) | 0x7FF9261D0E00 |
| 0xFA20B0 | Module32First/Next enum walker (passive) | 0x7FF926DF20B0 |
| 0x13FB2E0 | Thread32First/Next enum dispatcher | 0x7FF92714B2E0 |
| 0xC4A1C0 | Suspend+SetContext CONTEXT_FULL loop | 0x7FF926A9A1C0 |
| 0x7D9CF0 | Thread-hijack Get/Set pair CONTEXT_FULL | 0x7FF926629CF0 |

The ProcessDebugPort probe row does not reconcile: 0x7FF925E50000 + 0xDBCF80 = 0x7FF926C0CF80, while the listed IDA VA 0x7FF926C0AF80 implies RVA 0xDBAF80. One of the two values is a transcription error; confirm against the IDB before relying on either.
JIT arena
| RVA | Name | IDA VA |
|---|---|---|
| 0x139BBD0 | Arena VirtualAlloc (RWX) allocator | 0x7FF9271EBBD0 |
| 0xE3BC80 | Arena VirtualProtect harden → PAGE_EXECUTE_READ | 0x7FF926C8BC80 |
| 0x2330000 – 0x24B8000 | .eid decrypted code region (R14 D3 entropy scan): pages 16–30 of .eid, ~1.5 MB; likely emitter location | — |
Globals
| RVA | Name | IDA VA |
|---|---|---|
| 0x1E89D40 | IAT scratch output buffer (static BSS) | 0x7FF927CD9D40 |
| 0x1DD1FE0 | CFF opaque-predicate checksum (NOT an integrity check; round 13 I30): used as a pseudo-random loop bound | 0x7FF927C21FE0 |
| 0x1E21A4C | Megadispatcher seed (sampled 0x2EB7282F) | 0x7FF927C71A4C |
| 0x1E43348 | IAT-sibling CFF seed (constant 0xC33D52D5) | 0x7FF927C93348 |
| 0x1E54168 | BTel CFF seed entry (constant 0xB4395223) | 0x7FF927CA4168 |
| 0x1E0FDEC | IAT resolver CFF entry seed | 0x7FF927C5FDEC |
| 0x1DECDC0 | Cached ntdll base (obfuscated) | 0x7FF927C3CDC0 |
| 0x1DECDC8 | Cached kernel32 base (obfuscated) | 0x7FF927C3CDC8 |
| 0x1DDAF80 | Per-API encrypted seed slots (9 qwords) | 0x7FF927C2AF80 |
| 0x1E8E840 | Saved previous UEH (for chain) | 0x7FF927CDE840 |
| 0x1E8E8A0 | init-barrier thread handle (one-shot, not periodic — R15 correction) | 0x7FF927CDE8A0 |
| 0x22AB8F9 | .eid stub record table (44 × 40-byte records, 3 distinct XOR keys — R15): 0xFFFF834A942B7856 ×26, 0xFFFF834BF90829BC ×17 (new), 0xFFFF834A0B7949E4 ×1 (new) | 0x7FF9281018F9 |
| 0x1D57510 | PE-integrity XOR mask (xmmword, 16 B; R15): 68 A0 FE 66 4A 8C AD D5 68 41 92 9F 68 52 3A 16 | 0x7FF927BA7510 |
| 0x1D57610 | Trampoline IV-blob (xmmword, 16B) — cosmetic MD5-IV shape, obfuscation seed only — R15 | 0x7FF927BA7610 |
| 0x1DF09E8 | Trampoline per-callsite decode secret (0xDC20F11A217C3AFA) — R15 | 0x7FF927C409E8 |
| 0x1DEEE94 | PVA state cluster (debug-detect): dword_EE94..EEAC, 5 dwords | 0x7FF927C3EE94 |

The .eid stub record table row does not reconcile: 0x7FF925E50000 + 0x22AB8F9 = 0x7FF9280FB8F9, while the listed IDA VA 0x7FF9281018F9 implies RVA 0x22B18F9 (adjacent to the Synthetic IAT tables at 0x22B1000). One of the two values is a transcription error; confirm against the IDB before relying on either.