Reverse-engineering dossier · v4 · 2026-04-17

Eidolon: the D2R anti-tamper harness, mapped.

A complete reverse-engineering investigation of d2r_loader.dll, the in-process front-half of Blizzard’s cloud trust system for Diablo II: Resurrected. Fifteen rounds of parallel-agent analysis — static IDA Pro work plus live runtime probes — across a 36 MB OLLVM-flattened binary.

  • 15 investigation rounds (R1 through R14 + compilation)
  • 53 parallel agents (IDA Pro + live runtime + synthesis)
  • 64 APIs verified (thunks decoded from 248)
  • 34 phantoms debunked (wrong claims caught)

What is Eidolon?

A telemetry-and-attestation harness — not a kernel anti-cheat or bytecode VM. Dominant capabilities, in order of weight:

Telemetry pipeline

HTTPS to telemetry-in.battle.net, AWS SigV4 signed, cert-pinned against the Blizzard certificate subject. Nine Standard.* event types.
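To make the "AWS SigV4 signed" claim concrete, here is the signing scheme written out step by step in Python. This is an added example, not code recovered from d2r_loader.dll or published by Blizzard; the host, region, service name, credentials and event payload are constructed placeholders (the page does not state which AWS region or service the telemetry endpoint signs for), and `sign_request`, `canonical_request` and `signing_key` are names chosen here.

```python
"""AWS Signature Version 4 signing, step by step.

Added example, not code from the dossier or from Blizzard. It shows the
SigV4 scheme the dossier attributes to the telemetry pipeline; the host,
region, service, credentials and event payload are constructed placeholders
(the real endpoint's region and service names are not on the page).
"""
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method: str, path: str, query: dict, headers: dict, payload: bytes):
    """Build the canonical request text; returns (text, signed_headers).

    Header names must already be lowercase; values are trimmed and runs of
    spaces collapsed, query parameters are sorted and URI-encoded.
    """
    canon_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    names = sorted(headers)
    canon_headers = "".join(f"{k}:{' '.join(headers[k].split())}\n" for k in names)
    signed = ";".join(names)
    text = "\n".join([method, path, canon_query, canon_headers, signed, sha256_hex(payload)])
    return text, signed


def sign_request(access_key, secret, region, service, method, host, path,
                 query, payload, amz_date, extra_headers=None):
    """Return the headers to send, including the SigV4 Authorization header."""
    headers = {"host": host, "x-amz-date": amz_date}
    headers.update(extra_headers or {})
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    canon, signed = canonical_request(method, path, query, headers, payload)
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, sha256_hex(canon.encode("utf-8"))])
    signature = hmac.new(signing_key(secret, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"{ALGORITHM} Credential={access_key}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}"
    )
    return headers


# Constructed sample: a telemetry-style POST to a placeholder host.
SAMPLE_PAYLOAD = b'{"event":"Standard.SessionStart","client":"placeholder"}'


def sample_signed_headers():
    return sign_request(
        access_key="AKIDEXAMPLE", secret="EXAMPLE-SECRET-NOT-REAL",   # placeholders
        region="us-east-1", service="execute-api",                     # assumed values
        method="POST", host="telemetry.example.invalid", path="/v1/events",
        query={}, payload=SAMPLE_PAYLOAD, amz_date="20260417T120000Z",
        extra_headers={"content-type": "application/json"},
    )


if __name__ == "__main__":
    for name, value in sample_signed_headers().items():
        print(f"{name}: {value}")
```

The point for a defender is that the signature binds the request body, the date and the signed headers to a per-day derived key, so the receiving side can reject replayed or altered events; what it does not do is authenticate the server, which is why the dossier's separate observation that the TLS certificate is pinned matters.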

Out-of-process broker bridge

Two .data slots (RVA 0x488CC0 Aegis, 0x488CC8 Warden) read via ReadProcessMemory by a sibling process. Seven candidate PIDs identified in round 14.

Synthetic IAT with polymorphic trampolines

248 heap trampolines — per-API mix of DEC/INC/ROL/ROR/ADD/SUB/XOR plus PEB.Ldr folds. The emitter lives in the encrypted .eid section.

OLLVM / Tigress CFF everywhere

The 405 KB 'megadispatcher' and all state machines are control-flow-flattened. No bytecode VM exists — earlier claims were phantoms.

Crypto primitives

Rolling 8-byte XOR (key 0xFFFF834A942B7856) for the IDD blob. MD5 + FNV-1a. AWS SigV4 for telemetry. TLS cert pinning.
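The two lightweight primitives named above, the rolling 8-byte XOR and FNV-1a, as an added Python example; this is not code recovered from d2r_loader.dll. The key is the one the dossier lists for the IDD blob, but the blob contents are constructed, the page does not spell out the rolling schedule (the example assumes the key is applied as a repeating 8-byte little-endian mask), the 64-bit FNV-1a width is assumed, and the plaintext-plus-tag framing in `encode_blob` is an illustrative layout, not the real blob format.

```python
"""Rolling 8-byte XOR and FNV-1a, the two lightweight primitives the dossier names.

Added example, not code from d2r_loader.dll. Assumptions: the key is applied as a
repeating 8-byte little-endian mask (the page does not give the rolling schedule),
FNV-1a is the 64-bit variant, and the "plaintext || tag" framing is constructed here.
"""
import struct
from typing import Optional

IDD_KEY = 0xFFFF834A942B7856                 # key as listed in the dossier
IDD_KEY_BYTES = struct.pack("<Q", IDD_KEY)   # little-endian byte order (assumed)

FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = 0xFFFFFFFFFFFFFFFF


def xor_rolling(data: bytes, key: bytes = IDD_KEY_BYTES) -> bytes:
    """XOR data with the key repeated across its length; symmetric, so encode == decode."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def fnv1a_64(data: bytes) -> int:
    """FNV-1a: XOR each byte into the state, then multiply by the prime (mod 2^64)."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def encode_blob(plain: bytes) -> bytes:
    """Constructed layout: plaintext || 8-byte FNV-1a tag, then masked with the rolling key."""
    tag = struct.pack("<Q", fnv1a_64(plain))
    return xor_rolling(plain + tag)


def decode_blob(blob: bytes) -> Optional[bytes]:
    """Unmask, split off the tag, and return the plaintext only if the tag matches."""
    if len(blob) < 8:
        return None
    raw = xor_rolling(blob)
    plain, tag = raw[:-8], raw[-8:]
    if struct.unpack("<Q", tag)[0] != fnv1a_64(plain):
        return None
    return plain


def recover_key(known_plain: bytes, cipher: bytes) -> bytes:
    """Why this is obfuscation rather than encryption: 8 known plaintext bytes give the key."""
    if len(known_plain) < 8 or len(cipher) < 8:
        raise ValueError("need at least one full 8-byte block")
    return bytes(p ^ c for p, c in zip(known_plain[:8], cipher[:8]))


if __name__ == "__main__":
    sample = b"constructed IDD blob payload"      # constructed sample input
    blob = encode_blob(sample)
    print("blob :", blob.hex())
    print("plain:", decode_blob(blob))
    print("key  :", recover_key(sample, blob).hex())
```

The FNV-1a tag only detects accidental corruption: anyone who knows the scheme can re-mask and re-tag at will, and the key recovery function shows that a single known block leaks the whole key. That is consistent with the dossier's characterisation of these as hygiene primitives rather than a trust boundary.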

Light anti-debug hygiene

RDTSC timing, DR0..DR3 reads, WinVerifyTrust self-verify, gadget rate-guard, single ProcessDebugPort probe. No HW breakpoint arming. No stack-walker.

What Eidolon is NOT

14 rounds of investigation debunked 34 early-round hypotheses. Critical corrections:

  • No kernel anti-cheat. The kernel component (full Warden) is elsewhere.
  • No bytecode VM. Rounds 3-4 'VM dispatcher' claims were OLLVM CFF state machines.
  • No inline caller-provenance check. Round 12 briefly claimed stack-walk APIs in the IAT; Round 13 proved only the static MSVC CRT uses them.
  • No hash-based code-section integrity check. SHA-256/FNV/CRC over .text not present.
  • No hardware-breakpoint arming on game threads. SetThreadContext uses CONTEXT_FULL, not CONTEXT_DEBUG_REGISTERS.
  • No CFG/XFG enforcement. GuardFlags = 0x100 metadata only; function table empty; dispatch stub is no-op.

Quick reference