investigation archive

Rounds

Each round spawned a team of parallel agents against the live loader and the IDB. Findings are preserved verbatim; later rounds correct earlier claims — see the phantom list for a debunked-claims index.

  1. R6

    Round 6 — Master Lua probe + 5 IDA agents

    First full runtime probe of the live loader. Discovered 9 major findings: no in-DLL caller-provenance, no CFG enforcement, no bot-DLL scan, MD5 driver at sub_7FF9264E3480, 4 kill paths catalogued.

    2026-04-17

  2. R7

    Round 7 — IDD decryption + MD5 corrections

    Live-confirmed IDD XOR key works. Ruled out panic-vtable claim. Corrected op-tag hypothesis. Discovered MD5 as second integrity primitive alongside FNV-1a.

    2026-04-17

  3. R8

    Round 8 — Trampoline arena + VEH framing corrections

    Located trampoline arena at heap 0x2049BCF0000. Dumped 248 thunks. Identified real VEH sub_7FF926CEFDA0. Established sub_7FF927057340 as per-API MBA mixer.

    2026-04-17

  4. R11

    Round 11 — 17 API thunks resolved + fusion math decoded

    First live-resolved Win32 API names for 17 thunks. Full 6-round MBA fusion equations recovered. BTel seal sibling separated from primary IAT path.

    2026-04-17

  5. R12

    Round 12 — 63 thunks decoded + round-6 partial reversal

    Emulator fix unlocked 63/248 thunks. Recovered live PEB.Ldr. Initially thought caller-provenance was back in play — Round 13 reversed this.

    2026-04-17

  6. R13

    Round 13 — 10 agents, definitive negatives

    Reinstated round-6 no-caller-provenance verdict (CRT-only consumers of stack-walk APIs). Rolling checksum is CFF opaque predicate, not integrity. Thread manipulation uses CONTEXT_FULL, not DRx. Trampoline emitter definitively in .eid.

    2026-04-17

  7. R14

    Round 14 — Dynamic team + IDA finalization + dossier

    Dynamic probes flagged 7 external PIDs holding PROCESS_VM_READ; .eid pages 16-30 are decrypted code; 49 IDA renames committed; master dossier v4 published. (R15 note: the broker-candidate filter in D1 was subsequently shown to be noise-dominated — see R15 for the correction.)

    2026-04-17

  8. R15

    Round 15 — Six-agent deep dive + live probe verification

    R13 sibling-VEH-B hypothesis is actually btel::ResponseProcessor ctor. Fiber entry is not a validator. R14's external-broker candidate list turned out to be dev-machine noise (0 of 169 Process handles target D2R). Three distinct per-record XOR keys confirmed in .eid. No runtime self-hash of .text. Thunk emulator v3 delivered (636 lines). 39 total phantoms.

    2026-04-17