Index: /trunk/src/VBox/VMM/VMMAll/IEMAll.cpp
===================================================================
--- /trunk/src/VBox/VMM/VMMAll/IEMAll.cpp	(revision 37917)
+++ /trunk/src/VBox/VMM/VMMAll/IEMAll.cpp	(revision 37918)
@@ -5005,9 +5005,9 @@
 #ifdef DEBUG
 # define IEMOP_MNEMONIC(a_szMnemonic) \
-    Log2(("decode - %04x:%RGv %s%s\n", pIemCpu->CTX_SUFF(pCtx)->cs, pIemCpu->CTX_SUFF(pCtx)->rip, \
-          pIemCpu->fPrefixes & IEM_OP_PRF_LOCK ? "lock " : "", a_szMnemonic))
+    Log2(("decode - %04x:%RGv %s%s [#%u]\n", pIemCpu->CTX_SUFF(pCtx)->cs, pIemCpu->CTX_SUFF(pCtx)->rip, \
+          pIemCpu->fPrefixes & IEM_OP_PRF_LOCK ? "lock " : "", a_szMnemonic, pIemCpu->cInstructions))
 # define IEMOP_MNEMONIC2(a_szMnemonic, a_szOps) \
-    Log2(("decode - %04x:%RGv %s%s %s\n", pIemCpu->CTX_SUFF(pCtx)->cs, pIemCpu->CTX_SUFF(pCtx)->rip, \
-          pIemCpu->fPrefixes & IEM_OP_PRF_LOCK ? "lock " : "", a_szMnemonic, a_szOps))
+    Log2(("decode - %04x:%RGv %s%s %s [#%u]\n", pIemCpu->CTX_SUFF(pCtx)->cs, pIemCpu->CTX_SUFF(pCtx)->rip, \
+          pIemCpu->fPrefixes & IEM_OP_PRF_LOCK ? "lock " : "", a_szMnemonic, a_szOps, pIemCpu->cInstructions))
 #else
 # define IEMOP_MNEMONIC(a_szMnemonic) do { } while (0)
@@ -5036,5 +5036,5 @@
     do \
     { \
-        if (pIemCpu->fPrefixes & IEM_OP_PRF_LOCK) \
+        if (pIemCpu->enmCpuMode == IEMMODE_64BIT) \
             return IEMOP_RAISE_INVALID_OPCODE(); \
     } while (0)
@@ -5823,6 +5823,9 @@
      * Execute the instruction in REM.
      */
-    int rc = REMR3EmulateInstruction(IEMCPU_TO_VM(pIemCpu), IEMCPU_TO_VMCPU(pIemCpu));
+    PVM pVM = IEMCPU_TO_VM(pIemCpu);
+    EMRemLock(pVM);
+    int rc = REMR3EmulateInstruction(pVM, IEMCPU_TO_VMCPU(pIemCpu));
     AssertRC(rc);
+    EMRemUnlock(pVM);
 
     /*
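Review bot: `AssertRC(rc);` now sits between `EMRemLock(pVM)` and `EMRemUnlock(pVM)`, so a strict build that stops on the assertion does so with the REM lock still held. Placing `EMRemUnlock(pVM);` directly after the `REMR3EmulateInstruction` call and asserting afterwards keeps the critical section limited to the call it protects. The enclosing function starts and ends outside the hunk, so whether a failing `rc` is handled further down cannot be seen from here.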
Index: /trunk/src/VBox/VMM/VMMAll/IEMAllCImpl.cpp.h
===================================================================
--- /trunk/src/VBox/VMM/VMMAll/IEMAllCImpl.cpp.h	(revision 37917)
+++ /trunk/src/VBox/VMM/VMMAll/IEMAllCImpl.cpp.h	(revision 37918)
@@ -44,4 +44,58 @@
     return VINF_SUCCESS;
 }
+
+
+#if 0
+/**
+ * Calculates the parity bit.
+ *
+ * @returns true if the bit is set, false if not.
+ * @param   u8Result            The least significant byte of the result.
+ */
+static bool iemHlpCalcParityFlag(uint8_t u8Result)
+{
+    /*
+     * Parity is set if the number of bits in the least significant byte of
+     * the result is even.
+     */
+    uint8_t cBits;
+    cBits  = u8Result & 1;              /* 0 */
+    u8Result >>= 1;
+    cBits += u8Result & 1;
+    u8Result >>= 1;
+    cBits += u8Result & 1;
+    u8Result >>= 1;
+    cBits += u8Result & 1;
+    u8Result >>= 1;
+    cBits += u8Result & 1;              /* 4 */
+    u8Result >>= 1;
+    cBits += u8Result & 1;
+    u8Result >>= 1;
+    cBits += u8Result & 1;
+    u8Result >>= 1;
+    cBits += u8Result & 1;
+    return !(cBits & 1);
+}
+#endif /* not used */
+
+
+/**
+ * Updates the specified flags according to a 8-bit result.
+ *
+ * @param   pIemCpu             The.
+ * @param   u8Result            The result to set the flags according to.
+ * @param   fToUpdate           The flags to update.
+ * @param   fUndefined          The flags that are specified as undefined.
+ */
+static void iemHlpUpdateArithEFlagsU8(PIEMCPU pIemCpu, uint8_t u8Result, uint32_t fToUpdate, uint32_t fUndefined)
+{
+    PCPUMCTX pCtx = pIemCpu->CTX_SUFF(pCtx);
+
+    uint32_t fEFlags = pCtx->eflags.u;
+    iemAImpl_test_u8(&u8Result, u8Result, &fEFlags);
+    pCtx->eflags.u &= ~(fToUpdate | fUndefined);
+    pCtx->eflags.u |= (fToUpdate | fUndefined) & fEFlags;
+}
+
 
 /** @} */
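Review bot: The doc comment on iemHlpUpdateArithEFlagsU8 has a truncated parameter line, `@param pIemCpu The.`; something like `@param pIemCpu The IEM per-CPU state.` would complete it. The body clears `fToUpdate | fUndefined` and then copies both sets from the flags that `iemAImpl_test_u8` produced, so the "undefined" flags are overwritten with the TEST result rather than preserved. That choice affects guest-visible state and deserves a sentence in the function comment. The `#if 0` iemHlpCalcParityFlag above it is dead code as committed; if it is kept for reference, a short comment saying why would help.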
@@ -2878,4 +2932,27 @@
 
 
+/**
+ * Implements 'AAD'.
+ *
+ * @param   enmEffOpSize    The effective operand size.
+ */
+IEM_CIMPL_DEF_1(iemCImpl_aad, uint8_t, bImm)
+{
+    PCPUMCTX pCtx = pIemCpu->CTX_SUFF(pCtx);
+
+    uint16_t const ax = pCtx->ax;
+    uint8_t const  al = (uint8_t)ax + (uint8_t)(ax >> 8) * bImm;
+    pCtx->ax = al;
+    iemHlpUpdateArithEFlagsU8(pIemCpu, al,
+                              X86_EFL_SF | X86_EFL_SF | X86_EFL_PF,
+                              X86_EFL_OF | X86_EFL_AF | X86_EFL_CF);
+
+    iemRegAddToRip(pIemCpu, cbInstr);
+    return VINF_SUCCESS;
+}
+
+
+
+
 /*
  * Instantiate the various string operation combinations.
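Review bot: The flag mask passed to iemHlpUpdateArithEFlagsU8 in iemCImpl_aad lists `X86_EFL_SF` twice and never names ZF, so ZF is left out of both the update and undefined sets and keeps its previous value after AAD. The first mask line should read `X86_EFL_SF | X86_EFL_ZF | X86_EFL_PF,`. The doc comment also documents `@param enmEffOpSize`, while the only parameter is `bImm`; `@param bImm The immediate operand.` would match the signature. Because the emulated flags are guest-visible, a divergence from hardware here is worth covering with a test against known AAD results.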
Index: /trunk/src/VBox/VMM/VMMAll/IEMAllInstructions.cpp.h
===================================================================
--- /trunk/src/VBox/VMM/VMMAll/IEMAllInstructions.cpp.h	(revision 37917)
+++ /trunk/src/VBox/VMM/VMMAll/IEMAllInstructions.cpp.h	(revision 37918)
@@ -3274,5 +3274,5 @@
     if ((bRm & X86_MODRM_MOD_MASK) == (3 << X86_MODRM_MOD_SHIFT))
         return IEMOP_RAISE_INVALID_OPCODE();
-    uint8_t const iGReg = ((bRm >> X86_MODRM_REG_SHIFT) & bRm & X86_MODRM_REG_SMASK) | pIemCpu->uRexReg;
+    uint8_t const iGReg = ((bRm >> X86_MODRM_REG_SHIFT) & X86_MODRM_REG_SMASK) | pIemCpu->uRexReg;
 
     switch (pIemCpu->enmEffOpSize)
@@ -9758,6 +9758,15 @@
 /** Opcode 0xd4. */
 FNIEMOP_STUB(iemOp_aam_Ib);
+
+
 /** Opcode 0xd5. */
-FNIEMOP_STUB(iemOp_aad_Ib);
+FNIEMOP_DEF(iemOp_aad_Ib)
+{
+    IEMOP_MNEMONIC("aad Ib");
+    uint8_t bImm; IEM_OPCODE_GET_NEXT_U8(&bImm);
+    IEMOP_HLP_NO_LOCK_PREFIX();
+    IEMOP_HLP_NO_64BIT();
+    return IEM_MC_DEFER_TO_CIMPL_1(iemCImpl_aad, bImm);
+}
 
 
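Review bot: In iemOp_aad_Ib the immediate is fetched with `IEM_OPCODE_GET_NEXT_U8(&bImm)` before `IEMOP_HLP_NO_64BIT()` runs, so in 64-bit mode a fault raised while fetching the immediate byte could presumably be delivered in place of the invalid-opcode exception. If hardware raises #UD for 0xd5 in long mode without consuming the immediate, moving `IEMOP_HLP_NO_64BIT();` ahead of the fetch would match it; this should be confirmed against real CPU behaviour. If the current order is intended, a one-line comment saying so would record the decision.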
