After several months of painstaking work, we are happy to introduce a new, much improved version of VB Decompiler. This time we also changed its key feature, native code decompilation. Many VB Decompiler users have been waiting for that, and finally, after a great deal of code refactoring, we succeeded in redesigning and considerably improving the emulator. Now you can partially debug a program compiled in Native Code and P-Code on the built-in emulator, without running the program on the real CPU!
Tracing (or, to be more exact, step-by-step emulation) lets you put the emulation on hold on each line of the assembler code, so that you can check the processor and co-processor registers, the stack, and the variables. Because code is processed by the emulator, not run on the real processor, this feature will be very useful for virus analysts who examine malware in anti-virus labs.
Now, a few implementation details. Tracing works on one function at a time; when a function is traced, the emulator treats the stack, the registers, and the variables as empty. Although the emulator already supports many Intel x86 instructions, some are not supported yet and are skipped during tracing. The tracer also does not display flag changes; in the current implementation, flags affect only the processing of the cmp and jcc instructions. Calling external functions is not supported, yet both stdcall and cdecl calls are processed correctly, with the stack corrected by sub esp, XX and add esp, XX. The current version of VB Decompiler supports forward tracing only, without looping inside loops and without jumping over instructions. Otherwise, tracing is easy (you can continue or cancel it from the keyboard, without using the mouse) and works almost like normal tracing.
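To show what these limits mean for the values an analyst reads off a trace, here is a toy forward-only tracer, added as an illustration; it is not VB Decompiler's code. The instruction tuples, the trace function, the per-call argument sizes, and the reading of "forward tracing" as "backward jumps are not followed" are all assumptions.

```python
# Added illustration: a toy forward-only tracer, NOT VB Decompiler's emulator.
# Instruction tuples and the per-call argument byte counts are assumptions.

def trace(code):
    """Step through `code` once, forward only; return (regs, skipped, log)."""
    regs = {"eax": 0, "ebx": 0, "ecx": 0, "edx": 0, "esp": 0}  # state starts empty
    stack = {}           # address -> value, also empty at function entry
    flags = {"zf": 0}    # written only by cmp, read only by jcc
    skipped, log = [], []
    val = lambda x: regs[x] if x in regs else x   # register name or immediate
    pc = 0
    while pc < len(code):
        op, *args = code[pc]
        nxt = pc + 1
        if op == "mov":
            regs[args[0]] = val(args[1])
        elif op == "push":
            regs["esp"] -= 4
            stack[regs["esp"]] = val(args[0])
        elif op == "add":
            regs[args[0]] += val(args[1])
        elif op == "sub":
            regs[args[0]] -= val(args[1])
        elif op == "cmp":
            flags["zf"] = int(val(args[0]) == val(args[1]))
        elif op in ("jz", "jnz"):
            taken = flags["zf"] == (op == "jz")
            if taken and args[0] > pc:      # backward targets are never followed
                nxt = args[0]
        elif op == "call":
            # External call: body is not run, so eax keeps its old value.
            # A stdcall callee pops its own arguments; cdecl leaves that to the caller.
            if args[1] == "stdcall":
                regs["esp"] += args[2]
        else:
            skipped.append(pc)              # unsupported instruction: no effect
        log.append((pc, op, regs["esp"]))
        pc = nxt
    return regs, skipped, log

# Constructed sample function (index = instruction number).
SAMPLE = [
    ("mov", "eax", 5), ("push", 1), ("push", "eax"),
    ("call", "ext_std", "stdcall", 8),                   # 3: esp back to 0
    ("push", 2), ("call", "ext_c", "cdecl", 4), ("add", "esp", 4),
    ("cpuid",),                                          # 7: stand-in for an unsupported opcode
    ("cmp", "eax", 5), ("jz", 11), ("mov", "ebx", 1),    # 10 is jumped past
    ("sub", "eax", 1), ("cmp", "eax", 0), ("jnz", 11),   # 13: loop edge, ignored
    ("mov", "ecx", 7),
]
```

Register values that a real run would take from an external call's return or from a skipped instruction are stale in such a trace, so treat them as unknown rather than as the program's actual state.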
Alas, this feature is not included in the basic licenses for VB Decompiler. We've spent a great deal of time implementing the new tracing feature, but the number of potential users is very low. So we decided that using that feature would require buying a separate license.