Thanks, Paolo, that was the answer to at least some of my questions. I have to agree with you that "hacking on the verifier is a good way to learn about the metadata and the opcodes, more than about the runtime internals"--which is actually exactly what I wanted to do.