From af5f70cd68f5a8c4911dfd671c5d4e42c2fe8f17 Mon Sep 17 00:00:00 2001 From: Brian Gyss Date: Tue, 3 Feb 2026 22:58:08 -0800 Subject: [PATCH] Add Crimsonland process notes --- RESEARCH.md | 1 + docs/exploratory-pipeline.md | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/RESEARCH.md b/RESEARCH.md index 4828e79..7c611ea 100644 --- a/RESEARCH.md +++ b/RESEARCH.md @@ -83,6 +83,7 @@ Needed research: - nstool (XCI/NCA/NSO extraction): https://github.com/jakcron/nstool - Ghidra SLEIGH language reference (p-code semantics): https://github.com/NationalSecurityAgency/ghidra/blob/master/GhidraDocs/languages/html/sleigh.html - sleigh library (p-code lifting implementation): https://github.com/lifting-bits/sleigh +- Resurrecting Crimsonland (banteg, 2026-02-01): headless Ghidra pipeline with evidence-backed rename map and regen loop, plus runtime instrumentation (WinDbg/cdb, Frida) for behavior capture; useful automation and validation ideas. https://banteg.xyz/posts/crimsonland/ ## Research Deliverables - A research summary for each category with sources. diff --git a/docs/exploratory-pipeline.md b/docs/exploratory-pipeline.md index 4568ff5..cf36656 100644 --- a/docs/exploratory-pipeline.md +++ b/docs/exploratory-pipeline.md 
@@ -40,6 +40,14 @@ performance_mode = "handheld" - The emitted `main.rs` invokes the entry function and records the ABI version. - A `manifest.json` file with input hashes, provenance hash, and generated file list. +## Process Automation Ideas (Crimsonland Write-up) +- Build a deterministic analysis regen loop: drive a headless decompiler to export XML and decompile artifacts; treat exports as generated outputs and keep only inputs plus a rename/type map under version control. +- Maintain a structured `name_map.json` (or equivalent) where each rename/type entry includes address and evidence; reapply it to regenerate names and types consistently. +- Detect bundled third-party libraries via version strings and inject known headers/typedefs before decompilation to improve type recovery. +- Create a long-running runtime analysis session with log tailing so behavioral observations can be captured while keeping the debugger attached. +- Use runtime hooks to capture validation fixtures (framebuffer dumps, deterministic samples) and store them alongside provenance for later regression checks. +- Consider agent-assisted rename and pattern discovery backed by a curated knowledge base; only promote renames with evidence. + ## Next Steps - Add a real input parser for Switch binaries. - Expand the lifter to cover more AArch64 instructions and control flow.
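Review bot: the new RESEARCH.md bullet breaks the list convention used by the three entries above it (`- nstool (XCI/NCA/NSO extraction): https://github.com/jakcron/nstool`), which put the name and a parenthetical description first and the URL last after a colon; the added line instead runs a prose sentence and then appends the URL, so it reads differently in the rendered list. Suggest restating it in the same shape, e.g. `- Resurrecting Crimsonland (banteg, 2026-02-01; headless Ghidra regen loop with evidence-backed rename map, WinDbg/cdb and Frida runtime instrumentation): https://banteg.xyz/posts/crimsonland/`. It would also help the "Needed research" reader to say which parts transfer: the neighbouring items are Switch/AArch64 tooling (nstool, SLEIGH, the sleigh lifter), whereas WinDbg and cdb are Windows-only debuggers, so the directly reusable pieces are the headless-decompiler export loop and the rename/type map, not the runtime capture as described.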
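Review bot: the `name_map.json` and "store alongside provenance" bullets describe inputs and fixtures that the surrounding section already tracks through `manifest.json` (`A manifest.json file with input hashes, provenance hash, and generated file list`), but the new section never says that the rename/type map's hash must be one of the recorded inputs; without that, two regen runs with different maps yield indistinguishable manifests, and the rule "only promote renames with evidence" has nothing mechanical to check against. Suggest extending the `name_map.json` bullet to say the map is a version-controlled input whose hash is recorded in `manifest.json`, and to define the minimum evidence payload per entry (address plus the string, xref or fixture it was derived from) so that agent-proposed renames with an empty evidence field are rejected by the regen loop rather than by convention. Two smaller points: the section carries no reference to the write-up it summarises (the link lives only in RESEARCH.md), so add the URL in the heading or the first bullet so `docs/exploratory-pipeline.md` stands alone; and the runtime bullets (debugger attached with log tailing, framebuffer dumps) are phrased for a natively debuggable process, while this document's pipeline consumes Switch binaries per the "Next Steps" item `Add a real input parser for Switch binaries`, so either name the attach target that applies here or mark those bullets as not yet applicable.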