My Simple Virtual Machine

In the interest of binary obfuscation, programmers often embed a virtual machine in their programs: analysing one is tedious, and its heavily obfuscated routines run on a custom instruction set, so the analyst is left with no clue as to what the binary's workflow intends to perform, which unquestionably slows down reverse engineering. This is what pushed me to code my own register-based virtual machine, which comprises 17 virtual instructions (MOV, CALL, XOR, JMP, RET, CMP, HALT, etc.), a virtual stack (needed by the CALL instruction) and 10 virtual registers (R1, R2, SP, BP, etc.).
In abstract terms, each virtual instruction is 4-byte aligned and holds an operand together with its addressing mode, a displacement and an immediate value; the maximum value a register can hold is 255.
Technically speaking, the VCPU is structured as follows:

  • Virtual Stack
  • Eflags
  • Virtual Registers
  • Program Counter
  • Base address

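To make that structure concrete, here is a small C model of the VCPU described above. This is an added example, not the author's code: the post does not publish its opcode numbers, register numbering or the exact 4-byte layout, so the layout used here ([opcode][mode<<4 | dst register][src register or signed displacement][immediate]), the opcode values, the R1..R8/SP/BP indices and the JZ instruction are my own assumptions, and the demo bytecode is constructed for the example. It keeps the five components listed above (virtual stack, eflags, registers, program counter, base address), stores 8-bit registers so values cap at 255, pushes return addresses on the virtual stack for CALL, and bounds-checks every fetch, register index and stack access so a malformed or hostile bytecode stops the interpreter with an error code instead of reading or writing outside its buffers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Opcode numbers are assumed: the post names the instructions but not their encodings. */
enum { OP_HALT = 0, OP_MOV, OP_XOR, OP_CMP, OP_JMP, OP_JZ, OP_CALL, OP_RET };
/* Assumed addressing modes for the source operand. */
enum { AM_IMM = 0, AM_REG = 1 };
/* Assumed numbering of the 10 virtual registers. */
enum { R1, R2, R3, R4, R5, R6, R7, R8, SP, BP, NREGS };
#define ZF 0x01u   /* zero flag bit in eflags, set by CMP on equality */

typedef struct {
    uint8_t stack[64];     /* virtual stack: return addresses pushed by CALL */
    uint8_t eflags;
    uint8_t regs[NREGS];   /* 8-bit registers, so a value never exceeds 255 */
    uint8_t pc;            /* program counter: byte offset from base */
    const uint8_t *base;   /* base address of the bytecode being executed */
} vcpu_t;

/* Assumed 4-byte layout: [opcode][mode<<4 | dst reg][src reg / signed displacement][immediate] */
#define INSN(op, mode, dst, src, imm) \
    (uint8_t)(op), (uint8_t)(((mode) << 4) | (dst)), (uint8_t)(src), (uint8_t)(imm)

/* Execute `code` on a freshly reset VCPU. Returns 0 on HALT, a negative code on a fault. */
int vm_run(vcpu_t *v, const uint8_t *code, size_t len, unsigned max_steps) {
    memset(v, 0, sizeof *v);
    v->base = code;
    v->regs[SP] = sizeof v->stack;              /* empty stack: SP points one past the top */
    while (max_steps--) {
        if ((size_t)v->pc + 4 > len) return -1; /* fetch would run past the program */
        const uint8_t *ins = v->base + v->pc;
        uint8_t op = ins[0], mode = ins[1] >> 4, dst = ins[1] & 0x0F;
        uint8_t src = ins[2], imm = ins[3];
        int8_t disp = (int8_t)src;              /* byte 2 doubles as a signed jump displacement */
        if (dst >= NREGS || (mode == AM_REG && src >= NREGS)) return -2; /* bad register index */
        uint8_t val = (mode == AM_REG) ? v->regs[src] : imm;
        v->pc += 4;                             /* advance first: CALL pushes the next PC */
        switch (op) {
        case OP_HALT: return 0;
        case OP_MOV:  v->regs[dst] = val; break;
        case OP_XOR:  v->regs[dst] ^= val; break;
        case OP_CMP:  v->eflags = (v->regs[dst] == val) ? ZF : 0; break;
        case OP_JMP:  v->pc = (uint8_t)(v->pc + disp); break;
        case OP_JZ:   if (v->eflags & ZF) v->pc = (uint8_t)(v->pc + disp); break;
        case OP_CALL:
            if (v->regs[SP] == 0) return -3;    /* virtual stack overflow */
            v->stack[--v->regs[SP]] = v->pc;    /* push return address */
            v->pc = (uint8_t)(v->pc + disp);
            break;
        case OP_RET:
            if (v->regs[SP] >= sizeof v->stack) return -4; /* RET with an empty stack */
            v->pc = v->stack[v->regs[SP]++];
            break;
        default: return -5;                     /* illegal opcode */
        }
    }
    return -6;                                  /* step budget exhausted (runaway loop) */
}

/* Constructed demo bytecode: XOR two registers inside a subroutine, then branch on the result. */
static const uint8_t demo_program[] = {
    INSN(OP_MOV,  AM_IMM, R1, 0,  0x41),   /*  0: R1 = 0x41              */
    INSN(OP_MOV,  AM_IMM, R2, 0,  0xAA),   /*  4: R2 = 0xAA              */
    INSN(OP_CALL, AM_IMM, 0,  4,  0),      /*  8: CALL +4 -> 16, push 12 */
    INSN(OP_HALT, AM_IMM, 0,  0,  0),      /* 12: HALT                   */
    INSN(OP_XOR,  AM_REG, R1, R2, 0),      /* 16: R1 ^= R2 -> 0xEB       */
    INSN(OP_CMP,  AM_IMM, R1, 0,  0xEB),   /* 20: ZF = (R1 == 0xEB)      */
    INSN(OP_JZ,   AM_IMM, 0,  4,  0),      /* 24: JZ +4 -> 32            */
    INSN(OP_MOV,  AM_IMM, R3, 0,  1),      /* 28: R3 = 1 (skipped)       */
    INSN(OP_MOV,  AM_IMM, R3, 0,  2),      /* 32: R3 = 2                 */
    INSN(OP_RET,  AM_IMM, 0,  0,  0),      /* 36: RET -> 12              */
};

int run_demo(vcpu_t *v) {
    return vm_run(v, demo_program, sizeof demo_program, 100);
}

int main(void) {
    vcpu_t v;
    int rc = run_demo(&v);
    printf("status=%d R1=0x%02X R2=0x%02X R3=%u SP=%u ZF=%u\n",
           rc, v.regs[R1], v.regs[R2], v.regs[R3], v.regs[SP], v.eflags & ZF);
    return rc;
}
```

Two design points are worth noting. Because the program counter and stack slots are single bytes, a program is limited to 256 bytes of bytecode, which matches the 255 ceiling the post gives for register values; a larger design would widen both. The step budget passed to vm_run is the simplest defence against a bytecode that loops forever, and the distinct negative return codes let a caller tell a truncated program, a stack fault and an illegal opcode apart, which is what you want when fuzzing or auditing a custom interpreter.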
And since a virtual instruction is 4 bytes long, the encoding scheme is conceived in this fashion: