Phantom List
Across 14 rounds, many early-round hypotheses turned out wrong. Each entry below records the original claim, the round that debunked it, and the current truth. Future investigators should avoid re-investigating these.
OLLVM obfuscation salts, not hooks
IDA mis-resolution of indirect call
Real slot is gs:[0x20] FiberData
Runtime-reconstructed PE .pdata singleton
CFF dispatcher of one obfuscated function
Byte-coincidence; no real vmcall
No polynomial or round-constant table present
OLLVM/Tigress CFF. .eid holds import metadata, not bytecode
Host-side tokens, no in-DLL reader
Variable-length records
DLL-marker + function-entry variable-length records
At RVA 0x1F2AF0 (IDA 0x7FF926042AF0)
NOT in this DLL; consumers of stack-walk APIs are MSVC CRT only
GuardFlags=0x100 only; function table empty; dispatch stub no-op
Module enum exists but passive — no kill path from walker
It is an MD5 driver
.pdata RUNTIME_FUNCTION entry; patching does nothing
r8=rsi (state ptr); real op is (rcx,rdx,r9) triplet; dispatch keyed on global cookie
No static template; OLLVM-obfuscated per-byte arithmetic
Only 5 real direct callees; 18 were CFG artifacts
Fiber-state CFF dispatcher; real VEH is at RVA 0xE9FDA0
Lock-acquire primitive
Stack-walk APIs in IAT, but consumers are CRT only, not Eidolon
Only 5 opcode-byte immediates; returns bool; BTel HTTP helper
Build-time CFF seed constants, ZERO writers
CFF opaque predicate (pseudo-random loop bound); NOT an integrity check
39 DLL canaries (one API per DLL decoy); real 248 is the synthetic IAT thunk table
VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
It is a consumer; FF 15 is indirect call, not a write. Real writer is in .eid
SetThreadContext uses CONTEXT_FULL (0x10000B), not CONTEXT_DEBUG_REGISTERS (0x100010); Dr0-Dr7 are never written, so no hardware-breakpoint path
No layer 2. Fingerprint constants are plaintext integrity tags
Resolver is per-DLL; 39 DLLs, 0x48 stride per descriptor
Not set; does not use Win11 instrumentation callback
Zero static callers across three independent scans
btel::ResponseProcessor constructor (RTTI + vtable-write confirmed)
Pure CFF megacaller tail-call with triple (0x4F, 0x38, 0x5E); no stack walk, no gs: reads, no csum writes
R14 flagged 7 PIDs by a naive PROCESS_VM_READ filter. R15 verified 169 of their Process handles and found 0 targeting D2R; the candidate list was research-machine noise (IDE, browser, Windows services), not brokers. Broker identity remains unknown.
Live probe measured page-0 entropy of 3.98 — effectively plaintext. The region holds the 44-record stub table, not encrypted code
No WinVerifyTrust callsite (strings are a red herring), no periodic hash, no AV handler, no self-hash. Defense is CFF obfuscation + state kill paths, not cryptographic self-verification
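The kind of per-page entropy probe that produced the 3.98 figure above, written out as an added example (not the investigation's own tooling). It runs offline over a constructed page: a hypothetical 44-record stub table (32-byte records of a made-up header plus a `jmp qword [rip+disp32]` thunk, zero-padded to one page) stands in for the real region, and a SHA-256 keystream page stands in for encrypted code. The classification thresholds are heuristic assumptions, not values from the page.

```python
import hashlib
import math
from collections import Counter

PAGE_SIZE = 0x1000  # 4 KiB, the granularity a live probe reads at


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte: 0.0 (one value) to 8.0 (flat)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(entropy: float) -> str:
    """Heuristic bands (assumed, not from the page): encrypted/compressed data sits
    near 8 bits/byte, native x64 code usually lands around 5.5-6.8, sparse tables lower."""
    if entropy >= 7.2:
        return "encrypted/compressed/random"
    if entropy >= 5.0:
        return "plaintext code or mixed data"
    return "plaintext sparse/tabular data"


def page_entropies(region: bytes, page_size: int = PAGE_SIZE) -> list:
    """Per-page entropy across a region, so a single encrypted page among plaintext stands out."""
    return [shannon_entropy(region[i:i + page_size])
            for i in range(0, len(region), page_size)]


def build_stub_table(count: int = 44, base_rva: int = 0x1F2000) -> bytes:
    """Constructed stand-in for the 44-record stub table. Record layout is hypothetical:
    target_rva u64, flags u32, ordinal u32, then a 16-byte thunk (FF 25 disp32 + int3 pad).
    The remainder of the page is zero-filled, as an unused tail of a table typically is."""
    records = bytearray()
    for i in range(count):
        target_rva = base_rva + 0x40 * i
        flags = 0x1 if i % 3 else 0x3
        disp = 0x2000 + 8 * i
        thunk = b"\xff\x25" + disp.to_bytes(4, "little") + b"\xcc" * 10
        records += (target_rva.to_bytes(8, "little") + flags.to_bytes(4, "little")
                    + i.to_bytes(4, "little") + thunk)
    return bytes(records).ljust(PAGE_SIZE, b"\x00")[:PAGE_SIZE]


def pseudo_random_page(seed: bytes = b"probe-seed") -> bytes:
    """Deterministic stand-in for an encrypted page: SHA-256 in counter mode as a keystream."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "little")).digest()
                    for i in range(PAGE_SIZE // 32))


def probe(region: bytes) -> list:
    """(page_index, entropy, verdict) per page, the shape a live probe would report."""
    return [(i, round(e, 2), classify(e)) for i, e in enumerate(page_entropies(region))]


if __name__ == "__main__":
    for label, blob in (("stub table", build_stub_table()),
                        ("random/encrypted", pseudo_random_page())):
        for idx, ent, verdict in probe(blob):
            print(f"{label:18s} page {idx}: {ent:5.2f} bits/byte -> {verdict}")
```

Against a real target, replace `build_stub_table()` with the bytes read from the suspect region (a `ReadProcessMemory` dump or a debugger memory read) and look at the per-page list rather than one aggregate: a region of plaintext stubs reads in the 3-5 range, and one page jumping to 7.9 is the signal worth chasing.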
Lesson: multi-agent reverse engineering is noisy. Parallel investigations surface contradictions that serial analysis misses. Across R1-R14, roughly 34 of 53 agent reports (about 64%) were later revised as phantoms. Keep investigating.