Bad Opcode ?

[Git]

First, I've been round the block a bit but I am a complete newbie when it comes to .NET. I have deobfuscated an exe and got back to sensible names, but spices.net is showing several Exceptions in the decompiled code. I figured these could be bad opcodes so I had a play with "Bad NET OpCodes Finder v0.6beta"

Code:

IL_0054: 02               ldarg.0                       // ARG: This ; <== IL_001D, IL_004D
IL_0055: 7B13000004       ldfld f00000e
IL_005A: 02               ldarg.0                       // ARG: This
IL_005B: 7B10000004       ldfld f00000b
IL_0060: 6F29000006       callvirt Int32 c00000a::m000015(Class  c000008)
IL_0065: 25               dup
IL_0066: 0B               stloc.1
IL_0067: 2000FFFFFF       ldc.i4 0xFFFFFF00
IL_006C: 5F               and
IL_006D: 39C5FFFFFF       brfalse IL_0037
IL_0072: 07               ldloc.1
IL_0073: 2001010000       ldc.i4 0x00000101
IL_0078: 3C20000000       bge IL_009D
IL_007D: 07               ldloc.1
IL_007E: 16               ldc.i4.0
IL_007F: 3C02000000       bge IL_0086
IL_0084: 16               ldc.i4.0
IL_0085: 2A               ret

Bad opcodes finder reckons the C5 in 39C5FFFFFF at IL_006D should be 00 rather than C5. Does that seem reasonable and should I trust it in general. I replaced 3 bad opcodes that it found in another method and spices.net then figured it had many Exceptions.

Git

[bball0002]

That seems like a correct branch, but can you post the whole method?

[Git]

Thanks. As you will see, the target of the branch is the first statement after a RET which seems reasonable.

Several long, long days later... OK, this is now officially driving me nuts. Almost any deobfuscation tool I run on this make nice readable names rather than the obsure ANSI chars it has for names of classes, methods, etc. In no case will the deobfuscated exe run, it always excepts. I can't find many tools for identifying .NET packers/deobfuscators, but those I have found say it is protected by SmartAssembly, but when I try to unprotect it with (eg) smartassassin it says it is not smartassembly. When I look at it in reflector I see one namespace called SmartAssembly.Attributes with one class PoweredByAttribute. Looking at it with various tools shows me it has 42 invalid methods and that changes little before or after deobfuscation, even though it runs before but not after.

Is there a definitive way I can find what this is protected with so I can hopefully find a tut so I can fix it?. My goal is to simply modify a few strings although I could make some more drastic changes if I can get back to source.

Any help or pointers please?

Git