x86 blocks
--------------------------------------------------------------------------------
there are 2 types of opcodes: vm-opcodes and x86-opcodes. vm-opcodes consist of
3 major parts: parameter fetching, parameter descrambling + real opcode body
execution, and the jump to the next opcode. x86-opcodes contain only the real
opcode body part; they don't need parameter descrambling or a jump to the next
opcode. that's why their execution is faster compared to vm-opcodes. besides
that, x86-opcodes are more flexible, since they can do more than vm-opcodes:
they could actually 'contain' every thinkable piece of x86 code.
summary: x86 blocks are used when fast execution is needed, or when execution of
x86 code is needed that is not supported by the vm. each vm-opcode has its
x86-opcode counterpart (of course).
to execute some x86 block, the vm always uses a vm-jump opcode to jump to the
given x86 block. x86 blocks are either already part of the vm, or they are
created in allocated memory during runtime by the vm itself. their execution
always looks like this:
00000024 (0030f1f4): mov reg_0038, 002e1440
00000025 (0030f200): add reg_0038, reg_0008 reg_0038 = 002e1440, reg_0008 = 00c11000, res = 00ef2440
00000026 (0030f208): jmp reg_0038 reg_0038 = 00ef2440 <-- vm jmp to +002e1440, relative to vmbase
00ef2440: b1 03 mov cl, 0x03
00ef2442: d2 47 10 rol [edi+16], cl
00ef2445: 8b 8f b0 07 00 00 mov ecx, [edi+0x7B0]
00ef244b: 8b 9f 48 06 00 00 mov ebx, [edi+0x648]
00ef2451: 8b 97 70 06 00 00 mov edx, [edi+0x670]
00ef2457: 56 push esi <---- some x86 code (this code actually copies register content from a to b)
00ef2458: 57 push edi
00ef2459: 8b f3 mov esi, ebx
00ef245b: 8b fa mov edi, edx
00ef245d: f3 a4 repz movsb es:[edi], ds:[esi]
00ef245f: 5f pop edi
00ef2460: 5e pop esi
[...]
00ef2484: 8b 5f 38 mov ebx, [edi+56]
00ef2487: 8b 1b mov ebx, [ebx]
00ef2489: 89 5f 38 mov [edi+56], ebx <---- this is nothing more than "mov reg_0038, [reg_0038]"
[...]
00ef24d2: bb 90 99 3e 00 mov ebx, 0x003E9990
00ef24d7: 89 5f 38 mov [edi+56], ebx <---- mov reg_0038, 003E9990
[...]
00ef24ee: 8b 4f 08 mov ecx, [edi+8] <---- jump to next vmopcode:
00ef24f1: 8b 5f 40 mov ebx, [edi+64] add reg_0040, reg_0008
00ef24f4: 03 d9 add ebx, ecx jmp reg_0040
00ef24f6: 89 5f 40 mov [edi+64], ebx
00ef24f9: 8b 5f 40 mov ebx, [edi+64]
00ef24fc: ff e3 jmp ebx
as you can see, some of these x86 idioms are well recognized by the logger and printed as vm-level opcodes:
copy [reg_0670], [reg_0648], reg_07B0 dst = 001245E8, src = 00D4DC30, cnt = 0000B3E4
0000002a (0030f208): mov reg_0038, [reg_0038] reg_0038 = 00d0d4ac, [reg_0038] = 06f88323
0000002f (0030f208): mov reg_0038, 003e9990
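as an added illustration of what the logger's recognition step does (example code written here, not the logger's own), the following lifts the three idioms at the end of the listing above (register deref, immediate load, jump to next vm-opcode) back to vm-level opcodes; it assumes, as the listing suggests, that edi points at the vm register file so that [edi+off] is reg_OFF, and that operands arrive in the text form the disassembly shows.

```python
import re

# Constructed input: the tail of the x86 block from the listing above, as the logger disassembles it.
X86_BLOCK = [
    "mov ebx, [edi+56]", "mov ebx, [ebx]", "mov [edi+56], ebx",
    "mov ebx, 0x003E9990", "mov [edi+56], ebx",
    "mov ecx, [edi+8]", "mov ebx, [edi+64]", "add ebx, ecx",
    "mov [edi+64], ebx", "mov ebx, [edi+64]", "jmp ebx",
]

SLOT = re.compile(r"^\[edi\+(0x[0-9a-fA-F]+|\d+)\]$")   # assumption: edi = base of the vm register file
IMM = re.compile(r"^0x[0-9a-fA-F]+$")

def slot(op):
    """'[edi+56]' -> 'reg_0038'; None if the operand is not a vm register slot."""
    m = SLOT.match(op)
    return "reg_%04X" % int(m.group(1), 0) if m else None

def parse(insn):
    mnem, _, rest = insn.partition(" ")
    return mnem, [o.strip() for o in rest.split(",")] if rest else []

def lift(block):
    """Rewrite the three idioms from the listing as vm opcodes; unknown x86 is passed through verbatim."""
    ins = [parse(x) for x in block]
    out, i = [], 0
    while i < len(ins):
        m = [x[0] for x in ins[i:i + 6]]
        o = [x[1] for x in ins[i:i + 6]]
        # mov r1,[src]; mov r2,[dst]; add r2,r1; mov [dst],r2; mov r2,[dst]; jmp r2  ==>  add dst,src ; jmp dst
        if (m == ["mov", "mov", "add", "mov", "mov", "jmp"] and slot(o[0][1]) and slot(o[1][1])
                and o[2] == [o[1][0], o[0][0]] and o[3] == [o[1][1], o[1][0]]
                and o[4] == [o[1][0], o[1][1]] and o[5] == [o[1][0]]):
            dst, src = slot(o[1][1]), slot(o[0][1])
            out += ["add %s, %s" % (dst, src), "jmp %s" % dst]
            i += 6
        # mov r,[slot]; mov r,[r]; mov [slot],r  ==>  mov reg, [reg]
        elif (m[:3] == ["mov"] * 3 and slot(o[0][1])
                and o[1] == [o[0][0], "[%s]" % o[0][0]] and o[2] == [o[0][1], o[0][0]]):
            out.append("mov %s, [%s]" % (slot(o[0][1]), slot(o[0][1])))
            i += 3
        # mov r,imm; mov [slot],r  ==>  mov reg, imm
        elif m[:2] == ["mov"] * 2 and IMM.match(o[0][1]) and slot(o[1][0]) and o[1][1] == o[0][0]:
            out.append("mov %s, %08X" % (slot(o[1][0]), int(o[0][1], 0)))
            i += 2
        else:
            out.append(block[i])   # not an idiom the lifter knows: keep the raw x86
            i += 1
    return out
```

lift(X86_BLOCK) yields the four vm-level lines the logger prints for this block; the memcpy-style 'copy' idiom at the start of the listing is not handled here.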