WoW Opcode Distribution
Recently, I've been working on some pretty cool reverse engineering tools to help me reverse applications faster. While most of my work is on WoW, I have been known to work on other games in the past. But regardless, I wanted to share with you the results of my latest work. Although this is part of a larger project, perhaps you will find it useful as well.
Some background: while I was working on a tool, I realized that it might be helpful to know what instructions the game used and how often it used them. In essence, I wanted a "distribution" of the opcodes used in the game. A brief search online turned up nothing useful, so I wrote a quick parser to calculate this information myself. I exported an ASM file from IDA and ran it through my parser. Below you will find the results for both the x86 and x64 versions of the game (Version 7.1.0.23222).
Please keep in mind that this might not be 100% accurate but it does paint a good picture of what instructions are being used.
x86 Opcode Distribution
Code:
Function Count: 72895
Instruction Count: 3511902
Uniq Instructions: 396
OPCODE | COUNT
===============+========
mov | 798489
push | 687294
call | 284799
pop | 253165
lea | 157733
test | 127412
jz | 123722
cmp | 116614
add | 101945
retn | 78795
jmp | 74289
jnz | 72545
movss | 69509
xor | 69309
movsd | 43200
and | 39884
inc | 36737
sub | 36364
movzx | 25352
mulss | 22409
or | 18120
dec | 17465
movaps | 16271
addss | 13573
shr | 12303
jbe | 12005
imul | 11699
shl | 11351
jb | 11313
subss | 8229
movdqa | 7532
comiss | 7202
jle | 6437
fstp | 6325
movd | 6307
jl | 6240
ja | 6208
jnb | 6164
xorps | 4767
cmovnz | 4673
sar | 4462
movsx | 3927
rep | 3118
jg | 2975
cvtdq2pd | 2919
jge | 2767
cdq | 2687
cvtps2pd | 2481
cvtdq2ps | 2474
setnz | 2464
jns | 2264
divss | 2149
neg | 2131
addsd | 2004
div | 1929
js | 1749
cmovz | 1714
mulps | 1710
paddd | 1599
shufps | 1581
sbb | 1483
addps | 1448
movq | 1368
fld | 1367
cvtpd2ps | 1312
paddw | 1254
setz | 1231
movdqu | 1160
pmaddwd | 1099
adc | 1082
cmovb | 1050
subps | 1032
movups | 989
idiv | 981
punpcklbw | 950
cvttss2si | 902
psrad | 893
lahf | 832
ucomiss | 788
not | 787
movlpd | 705
cmovg | 685
fmul | 675
cmova | 669
psubw | 629
cmovl | 608
align | 565
punpcklwd | 550
cvttsd2si | 528
unpcklps | 517
punpckhwd | 482
ror | 458
packssdw | 449
jp | 444
jnp | 426
stosd | 417
mulsd | 413
paddsw | 411
movmskps | 390
setnle | 382
mul | 351
rol | 343
shrd | 341
psraw | 337
fadd | 321
pshufd | 310
pmullw | 306
cvtss2si | 304
lock | 301
cmpltps | 297
cmovs | 293
packuswb | 287
vmovdqu | 283
pavgb | 270
pxor | 264
shld | 259
nop | 255
punpcklqdq | 250
punpckhbw | 248
cmovnb | 235
pmaddubsw | 232
vpaddw | 220
cwde | 215
punpckldq | 213
movapd | 209
fldz | 203
por | 199
palignr | 197
psrldq | 196
psubusb | 187
pshuflw | 179
fld1 | 173
mulpd | 169
punpckhdq | 167
cvtss2sd | 157
punpckhqdq | 155
setnbe | 150
setnl | 147
subsd | 146
pand | 145
movhlps | 140
cmovbe | 134
comisd | 134
vmovdqa | 129
maxps | 126
fst | 116
setb | 112
int | 107
pshufb | 106
cmpleps | 104
andps | 103
fabs | 102
fsub | 102
fdiv | 100
psrlw | 100
addpd | 95
pcmpgtw | 91
setl | 89
fsincos | 87
pshufw | 87
minps | 83
seto | 82
vpunpckhbw | 80
fxch | 78
cmovge | 77
vpunpcklbw | 77
psrlq | 75
rcpps | 75
xorpd | 75
pextrw | 74
setnb | 73
psllq | 72
psubd | 72
vpsubusb | 72
vpsubw | 72
andpd | 71
sqrtss | 70
fsubr | 68
vpmaddubsw | 64
vpor | 64
subpd | 62
vpaddd | 61
divsd | 59
faddp | 58
pandn | 58
fdivrp | 57
cvtsd2ss | 55
paddsb | 53
pcmpeqb | 53
pmaxub | 53
ucomisd | 52
psubsw | 50
movsw | 49
pshufhw | 48
vpackuswb | 48
setle | 47
vpand | 46
cmovle | 45
vpsrlw | 45
orps | 44
vpsraw | 44
sets | 41
pmaxsw | 40
vpmaddwd | 40
vpshufb | 40
setbe | 39
bswap | 38
leave | 38
orpd | 38
pminsw | 38
bts | 37
fmulp | 36
movhps | 36
packsswb | 36
vbroadcastf128 | 36
fdivr | 35
fnstsw | 35
sqrtps | 35
cpuid | 34
fsubrp | 34
vpaddsw | 33
movsb | 32
pmovmskb | 32
vpandn | 32
fstsw | 31
vmovups | 31
stmxcsr | 29
vpmaxub | 29
xchg | 29
fsubp | 28
movhpd | 28
andnps | 27
fild | 27
pinsrw | 27
unpcklpd | 27
bsr | 26
fnstcw | 26
psubsb | 26
cmovns | 25
vpavgb | 25
fldcw | 24
psubb | 24
setns | 24
fstcw | 22
bsf | 21
bt | 21
fchs | 20
movlhps | 20
vmovd | 20
vpermq | 20
fistp | 19
psadbw | 19
vxorps | 19
fcomp | 18
stosb | 18
vpsrldq | 18
vpxor | 18
maxss | 17
pslld | 17
stosw | 17
unpckhpd | 17
pmulld | 16
vshufps | 16
cvtpi2ps | 15
pcmpgtd | 15
sahf | 15
vmovhps | 15
vmovq | 15
vpaddsb | 15
cld | 14
minss | 14
paddusb | 14
pavgw | 14
pcmpeqd | 14
pcmpgtb | 14
vzeroupper | 13
cvtps2dq | 12
rcr | 12
vinserti128 | 12
vpcmpeqb | 12
wait | 12
vextractf128 | 11
fcompp | 10
prefetcht0 | 10
vmulps | 10
movlps | 9
std | 9
cbw | 8
fcom | 8
fpatan | 8
fscale | 8
psllw | 8
sqrtsd | 8
vpmaxsw | 8
vpminsw | 8
cmpeqps | 7
cmpeqsd | 7
frndint | 7
paddq | 7
pause | 7
psubq | 7
rsqrtss | 7
vaddps | 7
cvtsd2si | 6
paddb | 6
pmaxsd | 6
pminsd | 6
pmulhrsw | 6
vpbroadcastb | 6
vpshufd | 6
vpsubsb | 6
cvtsi2sd | 5
fucompp | 5
ldmxcsr | 5
pcmpistri | 5
pushf | 5
cmpltpd | 4
cvtsi2ss | 4
fldpi | 4
fsqrt | 4
fucom | 4
rsqrtps | 4
vpackssdw | 4
vpacksswb | 4
vpaddusb | 4
vpsrad | 4
vpunpckhdq | 4
vpunpckhwd | 4
vpunpckldq | 4
vpunpcklwd | 4
cmpltss | 3
cmpnless | 3
cvttps2pi | 3
divps | 3
emms | 3
fcomi | 3
fcomip | 3
fnclex | 3
fprem1 | 3
ftst | 3
fxam | 3
fyl2x | 3
shufpd | 3
vpcmpgtb | 3
xgetbv | 3
xlat | 3
andnpd | 2
blendvps | 2
cmpneqps | 2
cmpnlepd | 2
cvttpd2dq | 2
f2xm1 | 2
fcos | 2
fldl2e | 2
fptan | 2
fsin | 2
insertps | 2
movupd | 2
pcmpeqw | 2
pmovsxwd | 2
pslldq | 2
rdtsc | 2
repne | 2
setnp | 2
vbroadcasti128 | 2
vcvtdq2ps | 2
vcvtps2dq | 2
vpcmpgtw | 2
vpmovzxbd | 2
vpsubsw | 2
clc | 1
cmpltsd | 1
cmpneqpd | 1
cmpnleps | 1
cmpnlesd | 1
dpps | 1
fdivp | 1
fldlg2 | 1
fldln2 | 1
fprem | 1
frstor | 1
fsave | 1
fucomp | 1
jno | 1
minsd | 1
pinsrb | 1
popf | 1
psrld | 1
ptest | 1
pusha | 1
rcpss | 1
sqrtpd | 1
unpckhps | 1
vinsertf128 | 1
vrsqrtps | 1
vtestps | 1
x64 Opcode Distribution
Code:
Function Count: 59838
Instruction Count: 3867947
Uniq Instructions: 371
OPCODE | COUNT
===============+========
mov | 1287081
lea | 319704
call | 260264
test | 186900
jz | 165308
cmp | 156462
add | 132320
jnz | 114510
xor | 105343
jmp | 86986
pop | 84134
sub | 78542
retn | 74118
movss | 66314
movaps | 65908
push | 59945
movzx | 52731
movups | 50865
inc | 33340
mulss | 29029
movsxd | 28120
and | 27091
nop | 26210
or | 26076
dec | 20507
shr | 20019
addss | 18793
jnb | 16975
shl | 15908
jb | 15837
imul | 12899
jbe | 12720
movsd | 11817
subss | 10507
comiss | 10297
xorps | 10067
movdqa | 9338
shufps | 7650
ja | 7250
sar | 7193
jl | 7103
jle | 6815
mulps | 6044
movd | 5853
movsx | 4833
addps | 4495
jge | 4443
cvtdq2ps | 3788
setnz | 3676
jns | 3426
btr | 3390
cmovnz | 3002
jg | 2984
divss | 2946
bts | 2784
bt | 2620
js | 2599
cmovz | 2588
cmovb | 2586
unpcklps | 2480
xchg | 2459
div | 2421
movq | 2336
subps | 2119
paddd | 2022
lock | 2020
cvttss2si | 1943
cvtsi2ss | 1862
setz | 1655
neg | 1582
cmova | 1494
paddw | 1467
pmaddwd | 1452
cdqe | 1417
andps | 1370
psrad | 1251
cvtdq2pd | 1215
cvttsd2si | 1171
ucomiss | 1136
cvtps2pd | 948
align | 943
punpcklbw | 918
movdqu | 904
cdq | 897
not | 881
psubw | 872
sqrtss | 785
cmovg | 764
cqo | 750
mul | 700
cvtsi2sd | 691
punpcklwd | 657
cmovl | 652
movmskps | 633
psrldq | 632
packssdw | 629
mulsd | 620
cmovnb | 609
punpckhwd | 590
rol | 557
ror | 480
setb | 456
paddsw | 423
cmpltps | 418
cvtss2si | 402
addsd | 401
psraw | 352
idiv | 328
cvtsd2ss | 321
sbb | 321
pmullw | 288
packuswb | 276
rep | 275
punpcklqdq | 265
vmovdqu | 262
setnbe | 261
pshufd | 258
pmaddubsw | 254
int | 253
punpckldq | 242
cmovs | 237
punpckhbw | 229
subsd | 221
vpaddw | 217
por | 213
comisd | 210
pavgb | 194
setl | 194
setnb | 188
psubusb | 187
movhlps | 179
punpckhdq | 176
punpckhqdq | 174
maxps | 170
pxor | 165
cmovbe | 156
setnle | 153
vmovaps | 151
cvtss2sd | 143
setnl | 143
pshuflw | 142
cmovge | 129
vmulsd | 129
pand | 128
rcpps | 122
setbe | 120
cmpleps | 119
rsqrtps | 116
orps | 106
sets | 102
cwde | 101
vfmadd213sd | 101
psrlw | 100
pcmpgtw | 99
andnps | 93
movapd | 93
vmovsd | 89
minps | 85
divsd | 84
pshufw | 83
cmovo | 82
ucomisd | 80
vpor | 80
vmovq | 79
vmovdqa | 76
vpunpcklbw | 75
vpand | 73
vpsubusb | 72
vpsubw | 72
psubd | 71
vpunpckhbw | 70
vaddsd | 68
vsubsd | 68
cvtpd2ps | 66
vpmaddubsw | 64
vpaddd | 63
cmovle | 60
vmovapd | 59
vmovups | 58
pandn | 54
pmulhrsw | 54
setle | 54
paddsb | 53
pmaxub | 53
palignr | 52
setns | 51
vmovd | 51
pmulld | 50
pshufhw | 50
vpackuswb | 48
bsr | 45
vpsrlw | 45
sqrtps | 44
vpsraw | 44
pmaxsw | 41
pminsw | 41
vpmaddwd | 40
vpshufb | 40
cmpeqps | 39
packsswb | 39
bsf | 38
paddq | 38
pshufb | 38
pcmpeqb | 37
cmovns | 36
vpaddsw | 33
vfmadd231sd | 32
vpandn | 32
bswap | 31
adc | 30
psubsw | 30
vpmaxub | 29
cpuid | 28
movhpd | 28
movhps | 27
vpxor | 27
psubsb | 26
vbroadcastf128 | 26
vxorps | 26
mulpd | 25
vpavgb | 25
jp | 24
movlpd | 24
movlhps | 23
pmovzxdq | 22
psrlq | 20
unpcklpd | 20
vpermq | 20
vpsrldq | 20
movmskpd | 19
vshufps | 19
vcomisd | 18
maxss | 17
vandpd | 16
addpd | 15
minss | 15
pextrw | 15
vmovhps | 15
vpaddsb | 15
paddusb | 14
pavgw | 14
pcmpgtb | 14
pslld | 14
vcvtdq2pd | 14
vfnmadd231sd | 14
vmulss | 14
vaddss | 13
pmovmskb | 12
subpd | 12
vdivsd | 12
vinserti128 | 12
vpcmpeqb | 12
vxorpd | 12
xorpd | 12
andpd | 11
pmaxsd | 11
vextractf128 | 11
vmovss | 11
vorpd | 11
vpshufd | 11
cvtps2dq | 10
orpd | 10
pcmpgtd | 10
prefetcht0 | 10
vmulps | 10
pause | 9
psllq | 9
psrld | 9
vsubss | 9
vzeroupper | 9
divps | 8
psllw | 8
vcomiss | 8
vpmaxsw | 8
vpminsw | 8
rsqrtss | 7
unpckhpd | 7
vaddps | 7
vpsrlq | 7
vpsubd | 7
cvttpd2dq | 6
paddb | 6
pmaxuw | 6
pminsd | 6
pmovsxwd | 6
rcr | 6
vcvtdq2ps | 6
vfmadd213ss | 6
vpbroadcastb | 6
vpsubsb | 6
vucomisd | 6
prefetchw | 5
vcvtsd2ss | 5
vcvttpd2dq | 5
vfmsub213sd | 5
vpsrad | 5
vpunpckldq | 5
cvtsd2si | 4
cvttps2dq | 4
pcmpeqd | 4
pmovsxdq | 4
pmovzxwd | 4
psubq | 4
sqrtpd | 4
vcvtss2sd | 4
vfmadd132sd | 4
vfmsub213ss | 4
vfnmadd132sd | 4
vpackssdw | 4
vpacksswb | 4
vpaddq | 4
vpaddusb | 4
vpsrld | 4
vpsubq | 4
vpunpckhdq | 4
vpunpckhwd | 4
vpunpcklwd | 4
btc | 3
cvtpd2dq | 3
vandps | 3
vcvtpd2dq | 3
vcvtsi2ss | 3
vcvtss2si | 3
vfmadd231ss | 3
vmulpd | 3
vorps | 3
vpcmpgtb | 3
vpmovsxdq | 3
vpsllq | 3
vucomiss | 3
xgetbv | 3
blendvps | 2
cmpltpd | 2
cmpneqps | 2
insertps | 2
ldmxcsr | 2
pabsd | 2
pslldq | 2
rdtsc | 2
retf | 2
stmxcsr | 2
vandnpd | 2
vbroadcasti128 | 2
vcmpsd | 2
vcvtps2dq | 2
vdivss | 2
vfnmadd213sd | 2
vpcmpeqq | 2
vpcmpgtw | 2
vpmovzxbd | 2
vpslld | 2
vpsubsw | 2
cld | 1
cmplesd | 1
cmpnltsd | 1
dpps | 1
emms | 1
ptest | 1
pushfq | 1
scasd | 1
sqrtsd | 1
vaddpd | 1
vcvtps2pd | 1
vfmadd132pd | 1
vfmsub132sd | 1
vhaddpd | 1
vinsertf128 | 1
vmovlhps | 1
vrsqrtps | 1
vtestps | 1
vunpcklpd | 1
-
That's cool. I'm curious what conclusions you would draw based on this information (or more generally how it is useful to you). You might get more accurate results if you wrote a python script to use the IDA API to traverse each instruction rather than manually parsing the ASM output.
-
Originally Posted by namreeb
I'm curious what conclusions you would draw based on this information (or more generally how it is useful to you).
I'm experimenting with some debugging technologies which analyze code as it's running. For certain operations I perform additional analysis and then output the results at the end. It helps to know what operations the game is performing the most so that I can learn more about them and improve my analysis tools. Especially since my assembly skills could still use some work.
Originally Posted by namreeb
You might get more accurate results if you wrote a python script to use the IDA API to traverse each instruction rather than manually parsing the ASM output.
Two reasons why I didn't do that: (1) I didn't want to spend a lot of time (I don't know Python and my IDA API knowledge is really bad). On the other hand, I knew exactly how to do it with my approach and so it only took about 20 minutes to implement. (2) The results I did get were pretty accurate since IDA creates a very consistent ASM file. In essence I didn't need something too terribly accurate, just a rough idea and it seemed to work pretty well.
-
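Torpedoes' parser is not posted, so here is an added example (mine, not the thread's own code) of both approaches discussed above: a parser for IDA's .asm export, as in the first post, and, for comparison, the IDAPython walk namreeb suggested. It assumes IDA's default .asm layout (labels, proc and endp at column 0, instructions indented, ';' starts a comment, no address prefixes, unlike the .lst listing), and the sample listing at the bottom is constructed, not taken from the game. One detail worth knowing when comparing against the posted tables: those tables list rep, lock and align as opcodes, which means the parser took the first word of every indented line, so "rep stosd" lands under rep rather than stosd. The example skips directives and, by default, folds prefixes into the instruction they modify; fold_prefixes=False reproduces the posted behaviour. Function and variable names are my own, and the IDAPython part relies on print_insn_mnem including the rep/lock prefix in the mnemonic text, which is my understanding of IDA's x86 output rather than something the thread states.

```python
"""Count mnemonics in an IDA .asm export (example code added to this thread; it is
not Torpedoes' parser or namreeb's script). Assumes IDA's default .asm layout:
labels/proc/endp at column 0, instructions indented, ';' starts a comment."""
import re
from collections import Counter

# Prefixes IDA prints as a separate leading word ("rep stosd", "lock xadd").
PREFIXES = {"rep", "repe", "repz", "repne", "repnz", "lock"}
# Indented IDA directives that are not instructions.
DIRECTIVES = {"align", "db", "dw", "dd", "dq", "dt", "assume", "public", "extrn"}
INSN_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9]*)(?:\s+(.*))?$")
PROC_RE = re.compile(r"^\S+\s+proc\b")


def strip_comment(line):
    """Cut a ';' comment but keep ';' inside a quoted operand (cmp al, ';')."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif ch == ";":
            return line[:i]
    return line


def tally(lines, fold_prefixes=True):
    """Return {"functions", "instructions", "unique", "counts"} for a listing.
    fold_prefixes=True keys "rep stosd" as one mnemonic; False keeps only the
    first word ("rep"), which is how the posted tables list rep/lock rows."""
    counts, functions = Counter(), 0
    for raw in lines:
        line = strip_comment(raw).rstrip()
        if not line:
            continue
        if not line[0].isspace():          # label, proc/endp or segment directive
            if PROC_RE.match(line):
                functions += 1
            continue
        m = INSN_RE.match(line)
        if not m or m.group(1).lower() in DIRECTIVES:
            continue
        mnem, operands = m.group(1).lower(), m.group(2) or ""
        if mnem in PREFIXES and fold_prefixes and operands:
            mnem = f"{mnem} {operands.split(None, 1)[0].lower()}"
        counts[mnem] += 1
    return {"functions": functions, "instructions": sum(counts.values()),
            "unique": len(counts), "counts": counts}


def format_table(result):
    """Render in the same shape as the tables posted above."""
    rows = sorted(result["counts"].items(), key=lambda kv: (-kv[1], kv[0]))
    out = [f"Function Count: {result['functions']}",
           f"Instruction Count: {result['instructions']}",
           f"Unique Instructions: {result['unique']}",
           f"{'OPCODE':<15}| COUNT", "=" * 15 + "+========"]
    out += [f"{mnem:<15}| {n}" for mnem, n in rows]
    return "\n".join(out)


def tally_from_ida():
    """Same statistics straight from the IDB via IDAPython (namreeb's approach).
    Runs only inside IDA; imports are deferred so the file imports elsewhere."""
    import idautils, idc                   # IDAPython modules, present only in IDA
    counts, functions = Counter(), 0
    for f_ea in idautils.Functions():
        functions += 1
        for ea in idautils.FuncItems(f_ea):
            if idc.is_code(idc.get_full_flags(ea)):   # skip data inside the function
                counts[idc.print_insn_mnem(ea).lower()] += 1
    return {"functions": functions, "instructions": sum(counts.values()),
            "unique": len(counts), "counts": counts}


# Constructed sample in IDA .asm style (not taken from the game binary).
SAMPLE_ASM = """\
sub_401000      proc near               ; CODE XREF: sub_401050+5p
                push    ebp
                mov     ebp, esp
                mov     eax, [ebp+8]
                test    eax, eax
                jz      short loc_401010
                rep stosd
                fstp    dword ptr [eax] ; float written to memory
loc_401010:                             ; CODE XREF: sub_401000+9j
                pop     ebp
                retn
sub_401000      endp
                align 10h
sub_401020      proc near
                lock xadd [ecx], eax
                db      0F3h            ; stray byte, not an instruction
                cmp     al, ';'         ; ';' in an operand, not a comment
                retn
sub_401020      endp
"""

if __name__ == "__main__":
    print(format_table(tally(SAMPLE_ASM.splitlines())))
```

For a real export, replace SAMPLE_ASM.splitlines() with the opened .asm file; inside IDA, run format_table(tally_from_ida()) from the Python console to get the same table without the export step. On the sample, the fstp line is the kind karliky points at below: a float store to memory, which the prefix-folding parser still reports under plain fstp.
-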
I see 6325 fstp instructions for x86. I always look for instructions like that because they are used to move a float to a specific memory address; in GW2 an instruction like that is used in the day and night cycle. It's very useful for finding curious values.
Great job, Torpedoes, as always.
-