View Full Version : Bad Opcode ?


Git
09-10-2010, 08:53 AM
First, I've been round the block a bit but I am a complete newbie when it comes to .NET. I have deobfuscated an exe and got back to sensible names, but spices.net is showing several Exceptions in the decompiled code. I figured these could be bad opcodes so I had a play with "Bad NET OpCodes Finder v0.6beta"


IL_0054: 02 ldarg.0 // ARG: This ; <== IL_001D, IL_004D
IL_0055: 7B13000004 ldfld f00000e
IL_005A: 02 ldarg.0 // ARG: This
IL_005B: 7B10000004 ldfld f00000b
IL_0060: 6F29000006 callvirt Int32 c00000a::m000015(Class c000008)
IL_0065: 25 dup
IL_0066: 0B stloc.1
IL_0067: 2000FFFFFF ldc.i4 0xFFFFFF00
IL_006C: 5F and
IL_006D: 39C5FFFFFF brfalse IL_0037
IL_0072: 07 ldloc.1
IL_0073: 2001010000 ldc.i4 0x00000101
IL_0078: 3C20000000 bge IL_009D
IL_007D: 07 ldloc.1
IL_007E: 16 ldc.i4.0
IL_007F: 3C02000000 bge IL_0086
IL_0084: 16 ldc.i4.0
IL_0085: 2A ret

Bad opcodes finder reckons the C5 in 39C5FFFFFF at IL_006D should be 00 rather than C5. Does that seem reasonable, and should I trust it in general? I replaced 3 bad opcodes that it found in another method and spices.net then figured it had many Exceptions.

Git

bball0002
09-10-2010, 02:59 PM
That seems like a correct branch, but can you post the whole method?
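An added example, not part of the original thread: the long-form branches in the listing above can be checked by hand, since the 4-byte operand is a signed little-endian offset from the start of the next instruction (ECMA-335). The sketch below decodes the three branches shown and the operand with C5 swapped for 00; the function names and the `CODE_SIZE` value are assumptions, as the post shows only part of the method.

```python
import struct

# Long-form conditional branches that appear in the posted listing:
# one opcode byte followed by a 4-byte little-endian signed offset.
LONG_BRANCHES = {0x39: "brfalse", 0x3C: "bge"}


def branch_target(offset, raw):
    """Return (mnemonic, target offset) for a 5-byte branch located at `offset`."""
    if len(raw) != 5 or raw[0] not in LONG_BRANCHES:
        raise ValueError("not a long-form branch handled by this example")
    (rel,) = struct.unpack("<i", raw[1:5])
    # The operand is relative to the first byte of the *next* instruction.
    return LONG_BRANCHES[raw[0]], offset + 5 + rel


def check(offset, hex_bytes, code_size):
    """Decode a branch and say whether its target falls inside the method body.

    A complete verifier would also require the target to be the first byte
    of an instruction; only the range check is done here.
    """
    name, target = branch_target(offset, bytes.fromhex(hex_bytes))
    return name, target, 0 <= target < code_size


# Rows copied from the listing in the post: (IL offset, instruction bytes).
LISTING = [(0x6D, "39C5FFFFFF"), (0x78, "3C20000000"), (0x7F, "3C02000000")]

# Assumption: placeholder body size, chosen only to cover the highest target
# shown (IL_009D). The real method length is not given in the thread.
CODE_SIZE = 0x100


def report():
    rows = [check(off, hx, CODE_SIZE) for off, hx in LISTING]
    # Same instruction with the C5 byte replaced by 00, as the tool suggested.
    rows.append(check(0x6D, "3900FFFFFF", CODE_SIZE))
    return rows


if __name__ == "__main__":
    for name, target, in_body in report():
        print(f"{name:8s} target={target:#06x} inside method body: {in_body}")
```

The three operands as posted resolve to IL_0037, IL_009D and IL_0086, matching the disassembler's labels, while the operand with 00 in place of C5 resolves to a negative offset, before the start of the method.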

Git
09-10-2010, 05:07 PM
Thanks. As you will see, the target of the branch is the first statement after a RET which seems reasonable.

Several long, long days later... OK, this is now officially driving me nuts. Almost any deobfuscation tool I run on this makes nice readable names rather than the obscure ANSI chars it has for names of classes, methods, etc. In no case will the deobfuscated exe run, it always excepts. I can't find many tools for identifying .NET packers/deobfuscators, but those I have found say it is protected by SmartAssembly, but when I try to unprotect it with (eg) smartassassin it says it is not smartassembly. When I look at it in reflector I see one namespace called SmartAssembly.Attributes with one class PoweredByAttribute. Looking at it with various tools shows me it has 42 invalid methods and that changes little before or after deobfuscation, even though it runs before but not after.

Is there a definitive way I can find what this is protected with so I can hopefully find a tut so I can fix it? My goal is to simply modify a few strings although I could make some more drastic changes if I can get back to source.

Any help or pointers please?

Git