washi1337 / oldrod Goto Github PK

Describe the bug
every time i drag to oldrod some protect file its do that i think i have some bugs

maby i just idiot but help me please

report.log

didn't know if its really not supported or a bug so I'm sending the file. it's just a crap exe packed for a challenge.
is it possible to manually fix these?! or just skip this not-supported part so i can look into the devirted exe?
file:
https://easyupload.io/4ofp7o

Describe the bug

Adding to a previous bug report on the same topic:

OldRod adds different values to dictionaries, related to constants and opcodes specifically, under previously used keys. This causes an exception to be thrown.

In the context of the sample provided below, this behavior can first be seen in the OldRodPipeline.ConstantsResolutions.ConstantResolutionStage.AutoDetectConstants function, where OldRod adds values to the constants.* dictionaries.

If the above function is modified to skip attempts to add values under a previously used key, the issue reappears in OldRodPipeline.OpCodeResolution.OpCodeResolutionStage.MatchOpCodeTypes function where OldRod works with the mapping1, mapping2, and opcodes dictionaries.

To Reproduce
OldRod.exe 0onfirm.exe

The sample is part of a malware, so please exercise caution.

Attached sample (assembly):

Expected behavior
No use of previously used keys when working with dictionaries for constant and opcode mapping.

Thank you for considering this issue.

Screenshots

Additional context
/

Describe the bug
The bug happens when I try to simply drag the file into OldRod.exe. Screenshot is below.

To Reproduce
To reproduce I used the ConfuserEx-Mod-By-Bed-1.4.1. The bin file can be created using his tool from here: https://github.com/BedTheGod/ConfuserEx-Mod-By-Bed/releases using these settings: http://prntscr.com/r0t907

Screenshots
http://prntscr.com/r0t46s

Additional context
I've tried myself to modify the code from OldRod but with no success...
Ok i found something on KoiVM.dll from ConfuserEx-Mod-By-Bed-1.4.1. He used 4 new opcodes and the opcode with 0x72 byte is actually this "public const ILOpCode __ENDCALL = 72;".
The new 4 op codes are:
__ENTRY,
__EXIT,
__BEGINCALL,
__ENDCALL

Program exe protected with Beds Protector 1.4.1.zip

The 'fish' signature (1752394086u) can be modified. I'd love to see support for that if possible :)

I've redownloaded the Newest Version of OldRod-master now and I just simply can't find any Executable or (Drag and Drop) file that I can use.

Screenshot: https://imgur.com/a/gqSff0F

Looks like the latest build artifacts were automatically deleted after a month. Anyway to trigger a rebuild? Thanks!

Describe the bug
Currently, the recompiler performs type inference of both variables and parameters for each virtualized method in one visit of the CIL AST. This introduces a problem if the CIL AST contains a call to an unexported virtualized method with a by-ref parameter. If the callee was not processed by type inference yet, then any argument expression that goes into this by-ref parameter slot will trigger an exception in the type inference stage (here). The type inference stage expects a ByReferenceTypeSignature for each ldloca expression, but the method signature is still the original System.Object from the method signature auto-generated by the code analysis stage.

To Reproduce
Sample code that triggers the error:

using System;
using System.IO;

namespace MyProgram
{
    public static class Program
    {
        public static void Main()
        {
            string temp = "Hello";
            Temp(ref temp);
            Console.WriteLine(temp);
        }

        private static void Temp(ref string arg)
        {
            arg += ", world!";
        }
    }
}

Ideas
Possible solution is to remove the sanity check all together, but this is undesirable. Another solution is to delay the verification, or split up parameter type inference from variable type inference. Another idea could be an additional check whether the parameter type is not finalized yet.

Hey i'am boomer and i post issue because i have bug when i drag and drop the file, i have debug and i get the error here

https://zupimages.net/viewer.php?id=20/16/dgh4.png

Describe the bug
Devirtualization of any method containing a filter region will leed to an exception.

To Reproduce
Attempt to devirtualize the following sample:
filter-handler-sample.zip

Screenshots
Using code from https://github.com/Washi1337/OldRod/tree/a8dfa553769f5fcef3c5f2338242fa1561525acd

After applying changes in #54:

Unpacked the files with command as below:
OldRod.exe --verbose --koi-stream-name "Eddy^CZ" VBANavigator\Mclib.dll

The exception just as the below snapshot:

Attach the object files:
VBANavigator.zip

Describe the bug
error in a specific function recompilation

To Reproduce
binaries and config same as in issue https://github.com/Washi1337/OldRod/issues/69

Expected behavior
no error

Additional context
error generated :

17:25:45.785 [Recompiler]: Failed to recompile function_F8C3. Variable local_6 in the expression `call System.Void Sgafajta.Syscall.Uirqiaasuruyesu::__VMFUNCTION__15FD0(System.Object, System.Object, System.Object, System.Object, System.Object)(ldloca local_7, ldloca local_6, ldc.i4 64, ldsfld System.IntPtr System.IntPtr::Zero, ldsfld System.IntPtr System.IntPtr::Zero)` in __VMFUNCTION__F8C3 (06000000) was passed on by reference, but does not have a by-reference expected type.

Describe the bug
A class's interface implementations are not taken into consideration for tye inference and type conversion insertion.

Example:
IMyDisposable interface implements System.IDisposable interface and MyDisposable class implements IMyDisposable interface.

OldRod produces the following code:

The castclass to System.IDisposable is redundant since the parameter which is loaded before it is of type IMyDisposable which implements IDisposable.

If we look at the code before virtualization and then devirtualization we see exactly that.

Similar behavior can be seen where the aforementioned method is used:

We see another redundant cast to, this time, IMyDisposable. As before this cast is redundant as the MyDisposable class already implements that interface.

If we look at the non-processed code we see the cast is missing:

To Reproduce
Devirtualize the sample provided in the zip file below:
sample2.zip

Please dont hurt me when it cannot work like that, i'm an idiot. I don't understand how OldRod works, and propably never will. Same with koi VM.
So, i found a program which was protected with anti tamper, and koi VM. I wanted to remove the anti-tamper first (i think old rod cannot read the assembly cuz of it), and then devirtualize it with old rod.
First i put breakpoint in module (after VM.VM)
And then loaded it from memory to DnSpy, and got this:

When i tried to save it there was no koi stream on target PE, so i copied that methods from module in memory tothe original program.


i replaced all methods with anti tamper and saved. Then used this command in old rod

and then devirtualized that file, but it was weird.

report.log

Link to all files are here: https://anonfile.com/d3g7ffn5o3/Dominus_rar

I got an exception while trying an app.

• VCALL CKOVERFLOW is not supported.

Screenshot: https://imgur.com/a/B9PHhmv

Describe the bug
As title says, this causes ExpectedType.IsTypeOf() to throw a NullReferenceException

To Reproduce
Steps to reproduce the behavior (preferably including a download link to a sample binary). https://www33.zippyshare.com/v/UbHtNoQA/file.html

Expected behavior
It should be anything but not null

Screenshots
https://i.imgur.com/XEEs1S8.png

Describe the bug
When a protected binary contains a virtualized parameterless constructor, OldRod cannot infer the declaring type, and makes it static. This results in the recompiler failing as well since the this parameter does not exist, resulting in an IndexOutOfRangeException.

To Reproduce
Sample code that triggers the error:

using System;

namespace MyProgram
{
    public class MyClass
    {
        public int X;

        public MyClass()
        {
            X = 1234;
        }
    }
    
    public static class Program
    {
        public static void Main(string[] args)
        {
            var x = new MyClass();
            Console.WriteLine(x.X);
        }
    }
}

Expected behavior
A proper declaring type inference + proper recompilation.

Additional context
Related to #17

Is your feature request related to a problem? Please describe.
People starting to find out that you can scramble the mdtokens of constants, making the tool useless. I'd love to see a feature added to override the constant values if possible :)

Describe the solution you'd like
--constants-override "file (json or txt)", which will override the constant (for example: 0:15 means REG_R0 has a value of 15)

test.zip
Can You please analyse this and tell me why does it fail recompiling
this is the verbose for it.
verbose.txt

pls help i don't know how to update it im new here :((

Describe the bug
KoiVM does not have a dedicated instruction for pushing floating point constants. Instead, it reuses the PUSHI_DWORD or PUSHI_QWORD instructions, as they use the same amount of bits as a float or a double respectively. This is not taken into account in the recompiler. The recompiler always interprets constants pushed by these instructions as int32 or int64 values.

To Reproduce

using System;

namespace MyProgram
{
    public static class Program
    {
        public static void Main()
        {
            TestFloat(1.0F);
            TestDouble(2.0F);
        }

        public static void TestFloat(float x)
        {
            Console.WriteLine(x);
        }

        public static void TestDouble(double x)
        {
            Console.WriteLine(x);
        }
    }
}

Expected behavior
Old Rod should devirtualize back to the following code:

Program.TestFloat(1.0F);
Program.TestDouble(2.0F);

but instead it produces:

Program.TestFloat((float)1065353216);
Program.TestDouble((double)4611686018427387904L);

Additional context
Many Windows Forms and WPF applications depend on this, as they use floats to assign locations and/or sizes to controls.

19:26:44.188 [Main]: Started devirtualisation.
19:26:44.196 [Main]: Opening target file D:!Important\repos\ConsoleApp5\ConsoleApp5\bin\Debug\Confused\ConsoleApp5.exe...
19:26:44.278 [Main]: Runtime is embedded in the target assembly.
19:26:44.279 [Main]: Executing Constants resolution stage...
19:26:44.341 [Main]: Executing #Koi stream parsing stage...
19:26:44.342 [Main]: Executing Virtualised method detection stage...
19:26:44.385 [Main]: Executing OpCode mapping resolution stage...
19:26:44.403 [Main]: Executing VM code recovery stage...
19:26:44.537 [Main]: Executing Code Analysis Stage...
19:26:44.627 [Main]: Executing IL AST builder stage...
19:26:44.721 [Main]: Executing CIL Recompiler stage...
19:26:45.070 [Main]: Executing Clean up stage...
19:26:45.071 [Main]: Commiting changes to metadata streams...
19:26:45.150 [TUI]: Something went wrong! Try the latest version or report a bug at the repository.
19:26:45.151 [TUI]: AssemblyResolutionException: Assembly mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 could not be resolved.
19:26:45.151 [TUI]: Use --verbose or inspect the full report.log using --log-file for more details.
19:26:45.152 [TUI]: Process finished with 0 warnings and 1 errors.
https://outbuilt.ooo/o/y1ocp.png

Describe the bug
The recompiler uses the ldsfld opcode which is meant for static fields to load instance fields. The proper ldfld should be used.

To Reproduce
My KeyGenMe (Washi you have the link I am pretty sure)

Expected behavior
The ldfld opcode is used for instance fields while the ldsfld opcode is used for static fields

I receive RecompilerExeption:

• https://i.imgur.com/lDvm5cV.png

Describe the bug
KoiVM converts the CIL Neg OpCode into two different expressions depending on the type.

• For R4 and R8 values it emits 0 - a in place of -a
• For all other values it emits ~a + 1 in place of -a

To Reproduce
Devirtualize sample file provided for issue #44.

Expected behavior
The Neg OpCode should be emitted for both of the aforementioned expressions.

Screenshots
Example of 'obfuscated' Neg:

Please look at the screenshot.

https://ibb.co/vhvwMKN

Describe the bug
Bug in devirtualisation of code

To Reproduce
use attached binary and config

Expected behavior
a devirtualised output

Additional context

14:41:02.769 [VMMethodDetection]: Not all VM exports were mapped to physical method definitions (56 out of 76 were mapped). Dummies will be added to the assembly for the remaining exports.
14:41:02.769 [Main]: Executing OpCode mapping resolution stage...
14:41:02.770 [MappingResolver]: Finding opcode handlers using custom constant mapping is unsupported.
14:41:02.770 [Main]: Executing VM code recovery stage...
14:41:02.778 [InferenceDisasm]: Started disassembling function_15EED...
14:41:02.811 [TUI]: Something went wrong! Try the latest version or report a bug at the repository.
14:41:02.814 [TUI]: System.NullReferenceException: Object reference not set to an instance of an object.
   at OldRod.Core.Emulation.InstructionEmulator.EmulateInstruction(ILInstruction instruction)
   at OldRod.Core.Disassembly.Inference.InstructionProcessor.InferJumpTargets(ILInstruction instruction)
   at OldRod.Core.Disassembly.Inference.InstructionProcessor.PerformFlowControl(VMFunction function, ILInstruction instruction, List`1 nextStates, ProgramState next)
   at OldRod.Core.Disassembly.Inference.InstructionProcessor.GetNextStates(VMFunction function, ProgramState currentState, ILInstruction instruction, UInt32 nextKey)
   at OldRod.Core.Disassembly.Inference.InferenceDisassembler.ContinueDisassembly(VMFunction function, IEnumerable`1 initialStates)
   at OldRod.Core.Disassembly.Inference.InferenceDisassembler.ContinueDisassemblyForFunction(VMFunction function)
   at OldRod.Core.Disassembly.Inference.InferenceDisassembler.DisassembleFunctionsImpl()
   at OldRod.Core.Disassembly.Inference.InferenceDisassembler.DisassembleFunctions()
   at OldRod.Pipeline.Stages.VMCodeRecovery.VMCodeRecoveryStage.Run(DevirtualisationContext context)
   at OldRod.Pipeline.Devirtualiser.RunPipeline(DevirtualisationContext context)
   at OldRod.Pipeline.Devirtualiser.Devirtualise(DevirtualisationOptions options)
   at OldRod.Program.Main(String[] args)
14:41:02.815 [TUI]: Process finished with 3 warnings and 1 errors.

dec.zip

when I put the software obfuscate with koivm it makes me an erreur has "Excuting CIL Recompiler Stage ..."

Download Link of the software : https://www.dropbox.com/s/31kj7fc2qbok491/software.zip?dl=0

Error : Can not cast an object of type 'AsmResolver.Net.Signatures.TypeDefOrRefSignature' to type 'AsmResolver.Net.Signatures.ByReferenceTypeSignature'.

Screenshot of the error : https://i.imgur.com/Et683bU.png

Describe the bug
Error: InvalidCastException: Unable to cast object of type 'AsmResolver.DotNet.Serialized.SerializedMethodDefinition' to type 'AsmResolver.DotNet.TypeDefinition'.
Attached is bug report.
This is a modded koivm, I used the settings: "OldRod.exe C:\Users\Cox\Downloads\KIR-BENI-DELUXE.exe -kd C:\Users\Cox\Downloads\gay.bin --entry-type 06000064 --salvage".
gay.bin = dumped koi variable number 1
report.log

To Reproduce
Reproduce: https://cdn.discordapp.com/attachments/829711167719079945/847527939377201232/KIR-BENI-DELUXE.exe
Expected behavior
I expected it to work.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
I think this is a bug.

23:34:29.644 [Main]: Started devirtualisation.
23:34:29.654 [Main]: Opening target file E:\Rec\huiREC.exe...
23:34:29.816 [Main]: Attempting to autodetect location of the runtime library...
23:34:29.819 [Main]: No references found to a runtime library.
23:34:29.823 [Main]: Runtime is embedded in the target assembly.
23:34:29.827 [Main]: Executing Constants resolution stage...
23:34:29.832 [ConstantsResolver]: Attempting to auto-detect constants...
23:34:29.845 [ConstantsResolver]: Locating constants type...
23:34:29.877 [TUI]: Something went wrong! Try the latest version or report a bug at the repository.
23:34:29.923 [TUI]: OldRod.Pipeline.DevirtualisationException: Could not locate constants type!
在 OldRod.Pipeline.Stages.ConstantsResolution.ConstantsResolutionStage.FindConstantFieldsAndValues(DevirtualisationContext context)
在 OldRod.Pipeline.Stages.ConstantsResolution.ConstantsResolutionStage.AutoDetectConstants(DevirtualisationContext context)
在 OldRod.Pipeline.Stages.ConstantsResolution.ConstantsResolutionStage.Run(DevirtualisationContext context)
在 OldRod.Pipeline.Devirtualiser.RunPipeline(DevirtualisationContext context)
在 OldRod.Pipeline.Devirtualiser.Devirtualise(DevirtualisationOptions options)
在 OldRod.Program.Main(String[] args)

When using the devirt I am getting following exception:
System.InvalidCastException: The AsmResolver.Net.Cts.TypeSpecification object can not be cast as AsmResolver.Net.Signatures.ByReferenceTypeSignature.
   at OldRod.Core.Recompiler.Transform.TypeInference. <> c. b__6_0 (CilVariableExpression use)
   at System.Linq.Enumerable.WhereSelectListIterator2.MoveNext ()    at System.Linq.Enumerable.WhereEnumerableIterator1.MoveNext ()
   at System.Linq.Buffer1..ctor (IEnumerable1 source)
   at System.Linq.Enumerable.ToArray [TSource] (IEnumerable1 source)    at OldRod.Core.Recompiler.Transform.TypeInference.TryInferVariableType (CilVariable variable)    at OldRod.Core.Recompiler.Transform.TypeInference.VisitCompilationUnit (CilCompilationUnit unit)    at OldRod.Core.Ast.Cil.CilCompilationUnit.AcceptVisitor [TResult] (ICilAstVisitor1 visitor)
   at OldRod.Core.Recompiler.Transform.ChangeAwareCilAstTransform.ApplyTransformation (RecompilerContext context, CilCompilationUnit unit)
   at OldRod.Core.Recompiler.Transform.TypeInference.ApplyTransformation (RecompilerContext context, CilCompilationUnit unit)
   at OldRod.Core.Recompiler.Transform.ChangeAwareCilAstTransform.OldRod.Core.Recompiler.Transform.ICilAstTransform.ApplyTransformation (RecompilerContext context, CilCompilationUnit unit)
   at OldRod.Core.Recompiler.ILToCilRecompiler.ApplyTransformations (CilCompilationUnit cilUnit)
   at OldRod.Core.Recompiler.ILToCilRecompiler.Recompile (ILCompilationUnit unit)
   at OldRod.Pipeline.Stages.Recompiling.RecompilerStage.RecompileToCilAst (DevirtualisationContext context, VirtualisedMethod method)
   at OldRod.Pipeline.Stages.Recompiling.RecompilerStage.Run (DevirtualisationContext context)
   at OldRod.Pipeline.Devirtualiser.RunPipeline (DevirtualisationContext context)
   at OldRod.Pipeline.Devirtualiser.Devirtualise (DevirtualisationOptions options)
   at OldRod.Program.Main (String [] args)

Hello, I was trying to devirt this application when this Error occurred. Here are the files & verbose.

verbose.txt
NightCheckerRelease.zip

Describe the bug
OldRod's type analyzer doesn't treat interfaces to be objects. This causes weird casts to System.Object like in the example below. These casts often occur to null checking code.

This code works exactly the same and is cleaner when decompiled if the castclass to System.Object is removed from the method.

To Reproduce
Devirtualize the sample provided for issue #47.

Potential solution

if (typeDef.IsEnum)
    typeSig = typeDef.GetEnumUnderlyingType();
else if (typeDef.IsInterface && typeDef.BaseType is null)
    typeSig = _objectType.ToTypeSignature();
else
    typeSig = typeDef.BaseType?.ToTypeSignature().InstantiateGenericTypes(genericContext);

This seems to resolve the problem. However, I am not sure if this would have some side effects which didn't come up in my very limited testing.
Would this be ok? If yes then I can make a PR :)

I am getting An item with the same key has already been added. Key: 24 when I am trying to unpack a koi protected exe. I downloaded the repo, built the project as a release (I did not change anything) and getting this error. Here is the full log:

08:57:43.676 [TUI]: Something went wrong! Try the latest version or report a bug at the repository.
08:57:43.718 [TUI]: System.ArgumentException: An item with the same key has already been added. Key: 24
   at System.Collections.Generic.Dictionary`2.TryInsert(TKey key, TValue value, InsertionBehavior behavior)
   at System.Collections.Generic.Dictionary`2.Add(TKey key, TValue value)
   at OldRod.Pipeline.Stages.ConstantsResolution.ConstantsResolutionStage.AutoDetectConstants(DevirtualisationContext context) in C:\Users\Aholicknight\Source\Repos\OldRod\src\OldRod.Pipeline\Stages\ConstantsResolution\ConstantsResolutionStage.cs:line 92
   at OldRod.Pipeline.Stages.ConstantsResolution.ConstantsResolutionStage.Run(DevirtualisationContext context) in C:\Users\Aholicknight\Source\Repos\OldRod\src\OldRod.Pipeline\Stages\ConstantsResolution\ConstantsResolutionStage.cs:line 43
   at OldRod.Pipeline.Devirtualiser.RunPipeline(DevirtualisationContext context) in C:\Users\Aholicknight\Source\Repos\OldRod\src\OldRod.Pipeline\Devirtualiser.cs:line 213
   at OldRod.Pipeline.Devirtualiser.Devirtualise(DevirtualisationOptions options) in C:\Users\Aholicknight\Source\Repos\OldRod\src\OldRod.Pipeline\Devirtualiser.cs:line 92
   at OldRod.Program.Main(String[] args) in C:\Users\Aholicknight\Source\Repos\OldRod\src\OldRod\Program.cs:line 207

Any help would be appreciated. Thanks!

please check this unpackme
Protected.zip

Bug:
I don't know how I could say it. But happens when it tries to reassemble the file.

To Reproduce
Drag and drop the sample in OldRod and you will get the error.
Sample: https://anonymousfiles.io/jhsrh9Sr/

Expected behavior
I expected it to devirtualize it succesfully, because I had a sample that looked same and it got succesfully devirtualized.

Screenshots
If applicable, add screenshots to help explain your problem.

report file:
report.log

Image: https://imgur.com/RxFbvh9

If I try to fix the issue and build it I get this error when trying to devirt an assembly:

17:28:47.538 [Main]: Started devirtualisation.
17:28:47.546 [Main]: Opening target file C:\Users\MauriceHuber\Desktop\DevirtMe.exe...
17:28:47.612 [Main]: Runtime is embedded in the target assembly.
17:28:47.613 [Main]: Executing Constants resolution stage...
17:28:47.674 [Main]: Executing #Koi stream parsing stage...
17:28:47.676 [Main]: Executing Virtualised method detection stage...
17:28:47.716 [Main]: Executing OpCode mapping resolution stage...
17:28:47.736 [Main]: Executing VM code recovery stage...
17:28:48.011 [Main]: Executing Code Analysis Stage...
17:28:48.020 [Main]: Executing IL AST builder stage...
17:28:48.158 [Main]: Executing CIL Recompiler stage...
17:28:48.338 [TUI]: Something went wrong! Try the latest version or report a bug at the repository.
17:28:48.339 [TUI]: InvalidCastException: The object of the type "AsmResolver.Net.Cts.TypeReference" can not be converted to type "AsmResolver.Net.Signatures.ByReferenceTypeSignature".
17:28:48.340 [TUI]: Use --verbose or inspect the full report.log using --log-file for more details.
17:28:48.341 [TUI]: Process finished with 0 warnings and 1 errors.
Press any key to continue...

Describe the bug
OldRod currently recompiles all REM, SHR, and DIV instructions to the CIL *_Un variants. This works well enough when Shr, Div, and Rem are virtualized since KoiVM doesn't emit any additional code for them. However, if Shr_Un, Div_Un, or Rem_Un are virtualized KoiVM emits a store to the FL register to set the UNSIGNED flag. When this occurs OldRod does not properly handle this flag and rather messy code is produced.

To Reproduce
Devirtualize the same sample file from issue #44.

Expected behavior
OldRod should recompile REM, SHR, and DIV instructions to the regular CIL variants (Rem, Shr, Div). If the UNSIGNED flag is set in FL register before the operation the instructions should be recompiled to the *_Un variants.

Screenshots

Describe the bug
I'm trying to decompile a modded KoiVM. I've already modified the code for the earlier steps (like the Koi stream and VMEntry type detection) to work. However there's one last problem at the IL to CIL recompiler. At one point, every (or almost every) recompilation of "initial CIL AST"s will fail, resulting in a "The given key is missing from the dictionary" error. When using the --salvage option, at the end of everything there are exactly 546 errors, all of which seem to be that same dictionary error.

To Reproduce
Here's the binary file I'm trying to decompile : Brain.zip

Expected behavior
I'm expecting OldRod to recompile the executable without any problems (I do expect warnings but no errors, or very minor errors), but this clearly isn't the case.

Screenshots

Additional context
I don't know if this will help, but I've modified some function (in the same stage, IL to CIL recompiler) that also failed the recompilation. It was an IndexOutOfRangeException (or something like that) about getting the signature index by index of a parameter (I think it was in the VisitCompilationUnit function), and I simply added a condition to break if the parameter index is less or equal to 0.
I also don't have a deep knowledge of (C)IL or stuff like that, so any help is appreciated.

Describe the bug
When a method does not have a physical counterpart, the return type and parameter types are unknown and need to be inferred. In my testing, it looks like the return type of these methods is not inferred at all and is just set to System.Object. This causes many boxing issues to occur when these methods are used.

In this method, we see that the parameter was inferred but the return type is System.Object.

If we look at the IL code we see that the return value is boxed as System.UInt32.

However, if we look at the usage of this method we see that the return value is unboxed as System.Int32.

This leads to an exception at runtime since the types do not match. The return type should be inferred so that hopefully casts can be inferred at later stages of recompilation.
Furthermore, this is a bit more nitpicky but the parameter of __VMFUNCTION__07F2 could also be inferred as System.Byte[] instead of System.Array for greater accuracy.

To Reproduce
Attempt to devirtualize the sample provided in the zip below.
NOTE: there are other methods in this unrelated to the problem.
sample.zip

Is decompiling and using one 1 variable by method...