Call DLL

[chrrox]

I am trying to get the function arkLZDecodeMemory from arkkdm.dll but I only get the error

Error: file arkkdm.dll has not been found or cannot be loaded

This should be the correct LZ decompression for the arcade dance masters.
I attached a sample file
SIZE was - 00 0E 36 B0
ZSIZE was - 00 0B 21 18

Ida shows the function like this in psuedo code.

Code: Select all

int __stdcall arkLZDecodeMemory(void *a1, int a2, int a3)
{
  size_t v3; // eax
  signed __int32 v4; // edi
  void **v6; // eax
  void **v7; // esi

  v3 = _byteswap_ulong(*(_DWORD *)a2);
  v4 = _byteswap_ulong(*(_DWORD *)(a2 + 4));
  if ( v3 <= a3 )
  {
    if ( !v4 )
    {
      memcpy_0(a1, (const void *)(a2 + 8), v3);
      return 0;
    }
    v6 = (void **)XCd229cc000141(0);
    v7 = v6;
    v6[1] = (void *)(a2 + 8);
    if ( v4 <= 0 )
      v4 = -1;
    v6[3] = (void *)v4;
    *v6 = a1;
    v6[2] = (void *)a3;
    if ( !(unsigned __int8)XCd229cc00008c(v6) )
      XCd229cc0000e6("package", "????? cstream INFLATE failed.\n");
    XCd229cc000025(v7);
    XCd229cc0000e3(v7);
  }
  return 0;
}

[aluigi]

I didn't check that dll but there are various reasons why a dll may not be loaded:
- it's 64bit (quickbms is ever 32bit so can't load these dlls)
- it needs other dll that aren't available in the folder

[chrrox]

Do i need to copy normal windows dll's into the same folder with it?
These are the dll's it lists under the import table.
It should be 32 bit application.

libavs-win32.dll
libavs-win32-ea3.dll
ess.dll
libacio.dll
KERNEL32.dll
IMM32.dll
GDI32.dll
WINMM.dll
libafp-win32.dll
USER32.dll

[aluigi]

The first 4 and libafp-win32.dll must be in the same folder of your dll.

[chrrox]

Ah now it is loading it.
i am trying this script

Code: Select all

get SIZE asize
log MEMORY_FILE 0 SIZE
CallDLL "arkkdm.dll" arkLZDecodeMemory stdcall RETURN_VALUE MEMORY_FILE SIZE 0xE36B0

I get this error

--------------------------------------
- library arkkdm.dll loaded at address 10000000
- function found at offset 100542D0

-------------------
*EXCEPTION HANDLER*
-------------------
An error or crash occurred:

*EH* ExceptionCode c0000005 access violation
*EH* ExceptionFlags 00000000
*EH* ExceptionAddress 100542D7
10000000 + 000542d7 arkkdm.dll
*EH* NumberParameters 00000002
*EH* 00000000
*EH* 000E36B0

Last script line before the error or that produced the error:
3 CallDLL "arkkdm.dll" arkLZDecodeMemory stdcall RETURN_VALUE MEMORY_FILE 0xE36B0

how would you assume I should call this function?

[chrrox]

this code does not error but I get the input file back not uncompressed?

Code: Select all

get SIZE asize
log MEMORY_FILE 0 SIZE
CallDLL "arkkdm.dll" arkLZDecodeMemory stdcall RETURN_VALUE 0xE36B0 MEMORY_FILE 
get SIZE asize RETURN_VALUE
print "%SIZE%"
log NAME 0 SIZE RETURN_VALUE

[Ekey]

Because function in your case returns is 0.

1) As you can see in the code - 2 values (zsize and size) are taken from the buffer and swapped in process.

Code: Select all

  v3 = _byteswap_ulong(*(_DWORD *)a2);
  v4 = _byteswap_ulong(*(_DWORD *)(a2 + 4));

Code: Select all

MOV EAX,DWORD PTR DS:[EBX]
MOV EDI,DWORD PTR DS:[EBX+0x4]

BSWAP EAX
BSWAP EDI

Buffer data must be like this..
00 0E 36 B0 00 0B 21 18 5F 4B 54 4D 44 4C 00

2) Arguments:

Aslo it copy data by memcpy from a2 to a1. My opinion it's must be >

Code: Select all

dec_buffer, comp_buffer, size

[chrrox]

Interesting that makes sense.
Did you get calldll to work with this sample file?

[Ekey]

Nah. To find out the whole logic of this function, you need debug this app in runtime. What the game?

[chrrox]

Its Dance Evolution Arcade version.

[chrrox]

is this supported in quickbms konami's lz77
https://github.com/zhaihj/konami-lz77

I was able to test a tool that uses this different compression
https://segaretro.org/Saxman_compression
and its very close to being correct.

[aluigi]

I don't know if that konami-lz77 is under a different name but saxman is definitely there in quickbms