Reverse Engineering RET Homepage RET Members Reverse Engineering Projects Reverse Engineering Papers Reversing Challenges Reverser Tools RET Re-Search Engine Reverse Engineering Forum Reverse Engineering Links

Go Back   Reverse Engineering Team Board > Reverse Engineering Board > .NET Reverse Engineering
FAQ Members List Calendar Search Today's Posts Mark Forums Read

Thread Tools Display Modes
Old 09-10-2010, 08:53 AM
Git Git is offline
Super Moderator
Join Date: Oct 2007
Location: Torino
Posts: 1,797
Default Bad Opcode ?

First, I've been round the block a bit but I am a complete newbie when it comes to .NET. I have deobfuscated an exe and got back to sensible names, but is showing several Exceptions in the decompiled code. I figured these could be bad opcodes so I had a play with "Bad NET OpCodes Finder v0.6beta"

IL_0054: 02               ldarg.0                       // ARG: This ; <== IL_001D, IL_004D
IL_0055: 7B13000004       ldfld f00000e
IL_005A: 02               ldarg.0                       // ARG: This
IL_005B: 7B10000004       ldfld f00000b
IL_0060: 6F29000006       callvirt Int32 c00000a::m000015(Class  c000008)
IL_0065: 25               dup
IL_0066: 0B               stloc.1
IL_0067: 2000FFFFFF       ldc.i4 0xFFFFFF00
IL_006C: 5F               and
IL_006D: 39C5FFFFFF       brfalse IL_0037
IL_0072: 07               ldloc.1
IL_0073: 2001010000       ldc.i4 0x00000101
IL_0078: 3C20000000       bge IL_009D
IL_007D: 07               ldloc.1
IL_007E: 16               ldc.i4.0
IL_007F: 3C02000000       bge IL_0086
IL_0084: 16               ldc.i4.0
IL_0085: 2A               ret
Bad opcodes finder reckons the C5 in 39C5FFFFFF at IL_006D should be 00 rather than C5. Does that seem reasonable and should I trust it in general. I replaced 3 bad opcodes that it found in another method and then figured it had many Exceptions.


Last edited by Git : 09-10-2010 at 09:01 AM.
Reply With Quote
Old 09-10-2010, 02:59 PM
bball0002 bball0002 is offline
Senior Member
Join Date: Mar 2009
Posts: 72

That seems like a correct branch, but can you post the whole method?
Reply With Quote
Old 09-10-2010, 05:07 PM
Git Git is offline
Super Moderator
Join Date: Oct 2007
Location: Torino
Posts: 1,797

Thanks. As you will see, the target of the branch is the first statement after a RET which seems reasonable.

Several long, long days later... OK, this is now officially driving me nuts. Almost any deobfuscation tool I run on this make nice readable names rather than the obsure ANSI chars it has for names of classes, methods, etc. In no case will the deobfuscated exe run, it always excepts. I can't find many tools for identifying .NET packers/deobfuscators, but those I have found say it is protected by SmartAssembly, but when I try to unprotect it with (eg) smartassassin it says it is not smartassembly. When I look at it in reflector I see one namespace called SmartAssembly.Attributes with one class PoweredByAttribute. Looking at it with various tools shows me it has 42 invalid methods and that changes little before or after deobfuscation, even though it runs before but not after.

Is there a definitive way I can find what this is protected with so I can hopefully find a tut so I can fix it?. My goal is to simply modify a few strings although I could make some more drastic changes if I can get back to source.

Any help or pointers please?

Attached Files
File Type: txt m00008.txt (8.4 KB, 8 views)

Last edited by Git : 09-14-2010 at 01:06 PM.
Reply With Quote

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2022, Jelsoft Enterprises Ltd.