60 replies to this topic

[Suslik]

'aqrit', on 31 December 2011 - 10:59 PM, said:

nice work Suslik

I think this is the laziest solution:

// set the HEAP_ZERO_MEMORY flag for calls to HeapAlloc
BACKUP ~blah_backup~
AUTHOR ~blah~
README ~~
VERSION ~v0~

BEGIN ~tob_spell_turning_workaround~
	COPY ~bgmain.exe~ ~bgmain.exe~ 
		WRITE_BYTE "0x0063951B" 0x08
		WRITE_BYTE "0x0063AE6E" 0x08
		WRITE_BYTE "0x00640E4B" 0x08

Hey, it worked too! So my assumption that the bug is caused by uninitialized memory was correct! Awesome, thanks for the info, i suppose this solution is better than my workaround for doing the same thing the hard way, hehe.

[Suslik]

Hey Asc64. I've been working again on that problem about spell reflection animation. Not the problem about spells being consumed instead of being reflected(that problem was really solved in this thread by starting debug BGMain in TobExLoader / setting ZERO_HEAP_MEMORY flags), but about that spsturni.bam animation which should appear when a spell is being reflected but it does not.

I was investigating the problem in this thread for a while already: http://forums.gibber...showtopic=23754

I know you are a busy man and all and i'll try to summarize the info i currently have for you:

- Instead of being played normally, only the first frame of animation spsturni.bam appears in vanilla ToB game whenever a spell is reflected.
- The animation is played perfectly in vanilla SoA(without ToB)
- If I replace SoA's BGMain.exe with ToB's one it gets really glitchy due to lack of ToB's resources but I can load SoA's savegame with ToB's BGMain.exe and there is no reflection animation(only first frame again).

So I suggest that ToB's BGMain.exe fires spsturni.bam somehow wrong and only the first frame is played. SoA's BGMain.exe does it right on the other hand. If I am more or less able to debug ToB's executable(i know necessary function offsets), but i cannot do it with SoA's binary.

My question to you is: how do you suggest I can find the difference in spsturni.bam being fired in SoA's BGMain and ToB's one?

[Ascension64]

One way is to find the equivalent proc in the two EXEs. Hex-matching may work, but since you have spsturni in ASCII, you may be able to find references to that to track down the equivalent proc.

[Suslik]

Okay, thanks. I will try to set a memory breakpoint to "spsturni" string.

[Suslik]

What I currently know:
- "spsturni.bam" is fired somehow differently in SoA's BGMain.exe and ToB's one. This causes only the very first frame to be played in ToB.
- I know exact procedure address where it is called Both in SoA and ToB
- I have disassembled and then decompiled those two procedures.

Forgive me for posting such huge code listings, but I have failed to narrow the search range any further:

SoA's CReflectionSpellList::Update(), address 4605CB, it works well:

Spoiler

int __thiscall CheckReflectingSpells_4605CB(void *this, int a2)
{
  int v2; // edx@6
  int v3; // ST10_4@12
  int v4; // eax@12
  int v5; // eax@15
  int v6; // ecx@15
  int v7; // eax@18
  int v8; // edx@18
  int v9; // eax@20
  int v10; // ecx@25
  __int16 v11; // ax@38
  int v12; // ecx@38
  int v13; // edx@38
  int v14; // ecx@39
  int v15; // eax@39
  int v16; // ecx@39
  int v18; // [sp-8h] [bp-108h]@12
  signed int v19; // [sp-4h] [bp-104h]@12
  int v20; // [sp+0h] [bp-100h]@36
  int v21; // [sp+4h] [bp-FCh]@31
  int v22; // [sp+8h] [bp-F8h]@29
  int v23; // [sp+Ch] [bp-F4h]@23
  int v24; // [sp+10h] [bp-F0h]@18
  void *v25; // [sp+14h] [bp-ECh]@8
  int v26; // [sp+18h] [bp-E8h]@1
  int v27; // [sp+1Ch] [bp-E4h]@39
  int v28; // [sp+20h] [bp-E0h]@39
  int v29; // [sp+24h] [bp-DCh]@39
  int v30; // [sp+28h] [bp-D8h]@39
  int v31; // [sp+2Ch] [bp-D4h]@39
  int v32; // [sp+30h] [bp-D0h]@39
  int v33; // [sp+34h] [bp-CCh]@39
  int v34; // [sp+38h] [bp-C8h]@38
  int v35; // [sp+3Ch] [bp-C4h]@38
  int v36; // [sp+40h] [bp-C0h]@33
  int v37; // [sp+44h] [bp-BCh]@28
  int v38; // [sp+48h] [bp-B8h]@28
  int v39; // [sp+4Ch] [bp-B4h]@25
  int v40; // [sp+50h] [bp-B0h]@25
  int v41; // [sp+54h] [bp-ACh]@25
  int v42; // [sp+58h] [bp-A8h]@20
  int v43; // [sp+5Ch] [bp-A4h]@20
  int v44; // [sp+60h] [bp-A0h]@20
  int v45; // [sp+64h] [bp-9Ch]@20
  __int16 v46; // [sp+68h] [bp-98h]@18
  int v47; // [sp+6Ch] [bp-94h]@18
  int v48; // [sp+70h] [bp-90h]@18
  int v49; // [sp+74h] [bp-8Ch]@18
  int v50; // [sp+78h] [bp-88h]@18
  int v51; // [sp+7Ch] [bp-84h]@4
  int v52; // [sp+80h] [bp-80h]@39
  int v53; // [sp+84h] [bp-7Ch]@39
  int v54; // [sp+88h] [bp-78h]@39
  int v55; // [sp+8Ch] [bp-74h]@39
  int *v56; // [sp+90h] [bp-70h]@38
  int v57; // [sp+94h] [bp-6Ch]@35
  int v58; // [sp+98h] [bp-68h]@38
  int v59; // [sp+9Ch] [bp-64h]@26
  int v60; // [sp+A0h] [bp-60h]@26
  int v61; // [sp+A4h] [bp-5Ch]@22
  int v62; // [sp+A8h] [bp-58h]@25
  int v63; // [sp+ACh] [bp-54h]@17
  int v64; // [sp+B0h] [bp-50h]@20
  int v65; // [sp+B4h] [bp-4Ch]@7
  void *Memory; // [sp+B8h] [bp-48h]@7
  int v67; // [sp+BCh] [bp-44h]@38
  int v68; // [sp+C0h] [bp-40h]@38
  void *v69; // [sp+C4h] [bp-3Ch]@40
  int v70; // [sp+D0h] [bp-30h]@35
  int v71; // [sp+D4h] [bp-2Ch]@25
  int v72; // [sp+D8h] [bp-28h]@20
  int v73; // [sp+DCh] [bp-24h]@12
  int v74; // [sp+E0h] [bp-20h]@4
  int v75; // [sp+E4h] [bp-1Ch]@3
  int v76; // [sp+E8h] [bp-18h]@4
  int v77; // [sp+ECh] [bp-14h]@1
  int v78; // [sp+F0h] [bp-10h]@3
  int v79; // [sp+FCh] [bp-4h]@17

  v26 = (int)this;
  v77 = 0;
  while ( *(_DWORD *)(v26 + 12) != 0 )
  {
    v78 = CheckList_9ECCFA(v26);
    v75 = *(_DWORD *)(*(_DWORD *)(v78 + <img src='http://www.shsforums.net/public/style_emoticons/<#EMO_DIR#>/cool.gif' class='bbc_emoticon' alt='8)' /> + 76);
    do
    {
      do
      {
        v51 = *(_DWORD *)(dword_B088DC + 17048);
        LOBYTE(v76) = sub_64873B((void *)(v51 + 13886), v75, byte_A46B87, (int)&v74, -1);
      }
      while ( (unsigned __int8)v76 == (unsigned __int8)byte_A46B84 );
    }
    while ( (unsigned __int8)v76 == (unsigned __int8)byte_A46B85 );
    v2 = (unsigned __int8)v76;
    if ( (unsigned __int8)v76 == (unsigned __int8)byte_A46B80 )
    {
      if ( *(_DWORD *)(v78 + 16) != -1 )
      {
        v73 = (int)*(&off_A53144 + *(_BYTE *)(a2 + 1044));
        v19 = 12507095;
        v18 = v73;
        v3 = *(_DWORD *)(v78 + 16);
        v4 = sub_8800F7(a2);
        sub_87F8F5(v4, v3, v73, 12507095);
      }
      if ( !*(_DWORD *)(v78 + 20) )
      {
        v2 = v78;
        if ( *(_DWORD *)v78 > 0 )
        {
          v19 = 0;
          v18 = 0;
          HIWORD(v5) = HIWORD(v78);
          LOWORD(v5) = *(_WORD *)(v78 + 4);
          sub_52DD33(v5, -*(_DWORD *)v78, 1, 0, 0, 0);
          v19 = 0;
          v18 = 0;
          HIWORD(v6) = HIWORD(v78);
          LOWORD(v6) = *(_WORD *)(v78 + 4);
          sub_52DD33(v6, -*(_DWORD *)v78, 1, 0, 0, 0);
          v2 = a2;
          *(_DWORD *)(a2 + 13844) = 1;
        }
        if ( !*(_DWORD *)(v78 + 12) )
        {
          v77 = 1;
          v63 = sub_9EECF8(0x1Eu);
          v79 = 0;
          if ( v63 )
          {
            v50 = *(_DWORD *)(a2 + 48);
            v49 = *(_DWORD *)(a2 + 48);
            v48 = v74 + 6;
            v47 = *(_DWORD *)(v74 + 48);
            v46 = *(_WORD *)(*(_DWORD *)(v78 + <img src='http://www.shsforums.net/public/style_emoticons/<#EMO_DIR#>/cool.gif' class='bbc_emoticon' alt='8)' /> + 66);
            v7 = sub_5E2E29(a2);
            LOWORD(v8) = v46;
            v24 = sub_5AA76C(v8, v47, v48, v7, v49, v50);
          }
          else
          {
            v24 = 0;
          }
          v64 = v24;
          v79 = -1;
          v72 = v24;
          sub_59C1B8(v24, 0);
          v45 = v74 + 6;
          v44 = *(_DWORD *)(v74 + 48);
          v43 = *(_DWORD *)(a2 + 48);
          v42 = *(_DWORD *)(a2 + 18);
          v9 = sub_5E2E29(a2);
          (*(void (__thiscall **)(_DWORD, int, int, int, _DWORD, _DWORD, int, _DWORD))(**(_DWORD **)(v78 + <img src='http://www.shsforums.net/public/style_emoticons/<#EMO_DIR#>/cool.gif' class='bbc_emoticon' alt='8)' /> + 100))(
            *(_DWORD *)(v78 + <img src='http://www.shsforums.net/public/style_emoticons/<#EMO_DIR#>/cool.gif' class='bbc_emoticon' alt='8)' />,
            v42,
            v43,
            v44,
            *(_DWORD *)v45,
            *(_DWORD *)(v45 + 4),
            v9,
            0);
          *(_DWORD *)(v78 + <img src='http://www.shsforums.net/public/style_emoticons/<#EMO_DIR#>/cool.gif' class='bbc_emoticon' alt='8)' /> = 0;
        }
        if ( *(_DWORD *)(v78 + 24) )
        {
          v61 = sub_9EECF8(0x19Au);
          v79 = 1;
          if ( v61 )
          {
            sub_460E10(v61);
            *(_DWORD *)v61 = &off_A40338;
            *(_DWORD *)(v61 + 12) = 261;
            v23 = v61;
          }
          else
          {
            v23 = 0;
          }
          v62 = v23;
          v79 = -1;
          v71 = v23;
          v41 = *(_DWORD *)v78;
          *(_DWORD *)(v23 + 24) = v41;
          v40 = *(_DWORD *)(a2 + 48);
          v39 = *(_DWORD *)(a2 + 48);
          v10 = v39;
          *(_DWORD *)(v71 + 268) = v39;
          *(_DWORD *)(v71 + 406) = v40;
          LOBYTE(v10) = byte_A40744;
          (*(void (__thiscall **)(int, int, int, signed int, signed int))(*(_DWORD *)a2 + 112))(a2, v71, v10, 1, 1);
        }
      }
      v59 = v78;
      v60 = v78;
      if ( v78 )
      {
        if ( *(_DWORD *)(v60 + <img src='http://www.shsforums.net/public/style_emoticons/<#EMO_DIR#>/cool.gif' class='bbc_emoticon' alt='8)' /> )
        {
          v37 = *(_DWORD *)(v60 + <img src='http://www.shsforums.net/public/style_emoticons/<#EMO_DIR#>/cool.gif' class='bbc_emoticon' alt='8)' />;
          v38 = v37;
          if ( v37 )
            v22 = (**(int (__thiscall ***)(_DWORD, _DWORD))v38)(v38, 1);
          else
            v22 = 0;
        }
        operator delete((void *)v60);
        v2 = v60;
        v21 = v60;
      }
      else
      {
        v21 = 0;
      }
      v36 = *(_DWORD *)(dword_B088DC + 17048);
      LOBYTE(v2) = byte_A46B87;
      LOBYTE(v76) = sub_648CD8(v75, v2, -1);
    }
    else
    {
      v65 = v78;
      Memory = (void *)v78;
      if ( v78 )
      {
        sub_461370(Memory, v78);
        operator delete(Memory);
        v25 = Memory;
      }
      else
      {
        v25 = 0;
      }
    }
  }
  if ( v77 )
  {
    v70 = 0;
    v57 = sub_9EECF8(0x2A2u);
    v79 = 2;
    if ( v57 )
      v20 = sub_6284BD(v57);
    else
      v20 = 0;
    v58 = v20;
    v79 = -1;
    v70 = v20;
    v56 = &v18;
    CastEffect_939E94(&v18, (int)"spsturni");
    sub_6203C0(v18, v19);
    v79 = 3;
    v67 = sub_62054B(&v68);
    v11 = sub_85ADC4(a2 + 6, v74 + 6);
    *(_DWORD *)(v67 + 780) = v11;
    *(_DWORD *)(v67 + 122) = 8;
    *(_BYTE *)(v67 + 910) = 1;
    v35 = *(_DWORD *)(a2 + 48);
    *(_DWORD *)(v70 + 606) = v35;
    *(_DWORD *)(v70 + 82) = 1;
    v12 = *(_DWORD *)(a2 + 10);
    v13 = v70;
    *(_DWORD *)(v70 + 598) = *(_DWORD *)(a2 + 6);
    *(_DWORD *)(v13 + 602) = v12;
    v34 = *(_DWORD *)(a2 + 18);
    sub_629F3E(v34, a2 + 6, 32, byte_A445F6);
    if ( v67 )
    {
      v14 = *(_DWORD *)(v67 + 102);
      v54 = *(_DWORD *)(v67 + 98);
      v55 = v14;
      v29 = a2 + 6;
      v30 = v14 + *(_DWORD *)(a2 + 10);
      v15 = *(_DWORD *)(a2 + 6);
      v31 = v54 + v15;
      v32 = v54 + v15;
      v33 = v30;
      v16 = v30;
      v52 = v54 + v15;
      v53 = v30;
      v28 = *(_DWORD *)(a2 + 18);
      v19 = 0;
      LOBYTE(v16) = byte_A445F6;
      v18 = v16;
      sub_62281E(v28, &v52, *(_DWORD *)(v67 + 134), byte_A445F6, 0);
      v27 = *(_DWORD *)(v67 + 48);
      sub_9ECC88(v27);
    }
    v79 = -1;
    if ( v69 )
    {
      if ( sub_93A088(byte_B05C4C) )
      {
        if ( v68 )
        {
          sub_92827D(v69);
          v68 = 0;
        }
        sub_935524(v69);
      }
    }
    v69 = 0;
  }
  return sub_9ECBA4(v26);
}

The same procedure in ToB's BGMain.exe, address 464BFB:

Spoiler

int __thiscall CheckReflectingSpells_464bfb(void *this, int a2)
{
  int v2; // edx@6
  int v3; // ST10_4@12
  int v4; // eax@12
  int v5; // eax@15
  int v6; // ecx@15
  int v7; // eax@18
  int v8; // edx@18
  int v9; // eax@20
  int v10; // ecx@25
  __int16 v11; // ax@38
  int v12; // ecx@38
  int v13; // edx@38
  int v14; // ecx@39
  int v15; // eax@39
  int v16; // ecx@39
  int v18; // [sp-8h] [bp-108h]@12
  signed int v19; // [sp-4h] [bp-104h]@12
  int v20; // [sp+0h] [bp-100h]@36
  int v21; // [sp+4h] [bp-FCh]@31
  int v22; // [sp+8h] [bp-F8h]@29
  int v23; // [sp+Ch] [bp-F4h]@23
  int v24; // [sp+10h] [bp-F0h]@18
  void *v25; // [sp+14h] [bp-ECh]@8
  int v26; // [sp+18h] [bp-E8h]@1
  int v27; // [sp+1Ch] [bp-E4h]@39
  int v28; // [sp+20h] [bp-E0h]@39
  int v29; // [sp+24h] [bp-DCh]@39
  int v30; // [sp+28h] [bp-D8h]@39
  int v31; // [sp+2Ch] [bp-D4h]@39
  int v32; // [sp+30h] [bp-D0h]@39
  int v33; // [sp+34h] [bp-CCh]@39
  int v34; // [sp+38h] [bp-C8h]@38
  int v35; // [sp+3Ch] [bp-C4h]@38
  int v36; // [sp+40h] [bp-C0h]@33
  int v37; // [sp+44h] [bp-BCh]@28
  int v38; // [sp+48h] [bp-B8h]@28
  int v39; // [sp+4Ch] [bp-B4h]@25
  int v40; // [sp+50h] [bp-B0h]@25
  int v41; // [sp+54h] [bp-ACh]@25
  int v42; // [sp+58h] [bp-A8h]@20
  int v43; // [sp+5Ch] [bp-A4h]@20
  int v44; // [sp+60h] [bp-A0h]@20
  int v45; // [sp+64h] [bp-9Ch]@20
  __int16 v46; // [sp+68h] [bp-98h]@18
  int v47; // [sp+6Ch] [bp-94h]@18
  int v48; // [sp+70h] [bp-90h]@18
  int v49; // [sp+74h] [bp-8Ch]@18
  int v50; // [sp+78h] [bp-88h]@18
  int v51; // [sp+7Ch] [bp-84h]@4
  int v52; // [sp+80h] [bp-80h]@39
  int v53; // [sp+84h] [bp-7Ch]@39
  int v54; // [sp+88h] [bp-78h]@39
  int v55; // [sp+8Ch] [bp-74h]@39
  int *v56; // [sp+90h] [bp-70h]@38
  void *v57; // [sp+94h] [bp-6Ch]@35
  int v58; // [sp+98h] [bp-68h]@38
  int v59; // [sp+9Ch] [bp-64h]@26
  int v60; // [sp+A0h] [bp-60h]@26
  int v61; // [sp+A4h] [bp-5Ch]@22
  int v62; // [sp+A8h] [bp-58h]@25
  void *v63; // [sp+ACh] [bp-54h]@17
  int v64; // [sp+B0h] [bp-50h]@20
  int v65; // [sp+B4h] [bp-4Ch]@7
  void *Memory; // [sp+B8h] [bp-48h]@7
  int v67; // [sp+BCh] [bp-44h]@38
  int v68; // [sp+C0h] [bp-40h]@38
  void *v69; // [sp+C4h] [bp-3Ch]@40
  int v70; // [sp+D0h] [bp-30h]@35
  int v71; // [sp+D4h] [bp-2Ch]@25
  int v72; // [sp+D8h] [bp-28h]@20
  int v73; // [sp+DCh] [bp-24h]@12
  int v74; // [sp+E0h] [bp-20h]@4
  int v75; // [sp+E4h] [bp-1Ch]@3
  int v76; // [sp+E8h] [bp-18h]@4
  int v77; // [sp+ECh] [bp-14h]@1
  int v78; // [sp+F0h] [bp-10h]@3
  int v79; // [sp+FCh] [bp-4h]@17

  v26 = (int)this;
  v77 = 0;
  while ( *(_DWORD *)(v26 + 12) != 0 )
  {
    v78 = CheckList_A4E60A(v26);
    v75 = *(_DWORD *)(*(_DWORD *)(v78 + <img src='http://www.shsforums.net/public/style_emoticons/<#EMO_DIR#>/cool.gif' class='bbc_emoticon' alt='8)' /> + 76);
    do
    {
      do
      {
        v51 = *(_DWORD *)(dword_B773CC + 17082);
        LOBYTE(v76) = sub_67626B((void *)(v51 + 14326), v75, byte_AAD1CB, (int)&v74, -1);
      }
      while ( (unsigned __int8)v76 == (unsigned __int8)byte_AAD1C8 );
    }
    while ( (unsigned __int8)v76 == (unsigned __int8)byte_AAD1C9 );
    v2 = (unsigned __int8)v76;
    if ( (unsigned __int8)v76 == (unsigned __int8)byte_AAD1C4 )
    {
      if ( *(_DWORD *)(v78 + 16) != -1 )
      {
        v73 = (int)*(&off_AB9B78 + *(_BYTE *)(a2 + 1052));
        v19 = 12507095;
        v18 = v73;
        v3 = *(_DWORD *)(v78 + 16);
        v4 = sub_8D4AAC(a2);
        sub_8D42AA(v4, v3, v73, 12507095);
      }
      if ( !*(_DWORD *)(v78 + 20) )
      {
        v2 = v78;
        if ( *(_DWORD *)v78 > 0 )
        {
          v19 = 0;
          v18 = 0;
          HIWORD(v5) = HIWORD(v78);
          LOWORD(v5) = *(_WORD *)(v78 + 4);
          sub_542FB5(v5, -*(_DWORD *)v78, 1, 0, 0, 0);
          v19 = 0;
          v18 = 0;
          HIWORD(v6) = HIWORD(v78);
          LOWORD(v6) = *(_WORD *)(v78 + 4);
          sub_542FB5(v6, -*(_DWORD *)v78, 1, 0, 0, 0);
          v2 = a2;
          *(_DWORD *)(a2 + 14032) = 1;
        }
        if ( !*(_DWORD *)(v78 + 12) )
        {
          v77 = 1;
          v63 = malloc_A50608(0x1Eu);
          v79 = 0;
          if ( v63 )
          {
            v50 = *(_DWORD *)(a2 + 48);
            v49 = *(_DWORD *)(a2 + 48);
            v48 = v74 + 6;
            v47 = *(_DWORD *)(v74 + 48);
            v46 = *(_WORD *)(*(_DWORD *)(v78 + <img src='http://www.shsforums.net/public/style_emoticons/<#EMO_DIR#>/cool.gif' class='bbc_emoticon' alt='8)' /> + 66);
            v7 = sub_60365E(a2);
            LOWORD(v8) = v46;
            v24 = sub_5C787F(v8, v47, v48, v7, v49, v50);
          }
          else
          {
            v24 = 0;
          }
          v64 = v24;
          v79 = -1;
          v72 = v24;
          sub_5B91FD(v24, 0);
          v45 = v74 + 6;
          v44 = *(_DWORD *)(v74 + 48);
          v43 = *(_DWORD *)(a2 + 48);
          v42 = *(_DWORD *)(a2 + 18);
          v9 = sub_60365E(a2);
          (*(void (__thiscall **)(_DWORD, int, int, int, _DWORD, _DWORD, int, _DWORD))(**(_DWORD **)(v78 + <img src='http://www.shsforums.net/public/style_emoticons/<#EMO_DIR#>/cool.gif' class='bbc_emoticon' alt='8)' /> + 100))(
            *(_DWORD *)(v78 + <img src='http://www.shsforums.net/public/style_emoticons/<#EMO_DIR#>/cool.gif' class='bbc_emoticon' alt='8)' />,
            v42,
            v43,
            v44,
            *(_DWORD *)v45,
            *(_DWORD *)(v45 + 4),
            v9,
            0);
          *(_DWORD *)(v78 + <img src='http://www.shsforums.net/public/style_emoticons/<#EMO_DIR#>/cool.gif' class='bbc_emoticon' alt='8)' /> = 0;
        }
        if ( *(_DWORD *)(v78 + 24) )
        {
          v61 = (int)malloc_A50608(0x19Au);
          v79 = 1;
          if ( v61 )
          {
            sub_465440(v61);
            *(_DWORD *)v61 = &off_AA6350;
            *(_DWORD *)(v61 + 12) = 261;
            v23 = v61;
          }
          else
          {
            v23 = 0;
          }
          v62 = v23;
          v79 = -1;
          v71 = v23;
          v41 = *(_DWORD *)v78;
          *(_DWORD *)(v23 + 24) = v41;
          v40 = *(_DWORD *)(a2 + 48);
          v39 = *(_DWORD *)(a2 + 48);
          v10 = v39;
          *(_DWORD *)(v71 + 268) = v39;
          *(_DWORD *)(v71 + 406) = v40;
          LOBYTE(v10) = byte_AA6774;
          (*(void (__thiscall **)(int, int, int, signed int, signed int))(*(_DWORD *)a2 + 112))(a2, v71, v10, 1, 1);
        }
      }
      v59 = v78;
      v60 = v78;
      if ( v78 )
      {
        if ( *(_DWORD *)(v60 + <img src='http://www.shsforums.net/public/style_emoticons/<#EMO_DIR#>/cool.gif' class='bbc_emoticon' alt='8)' /> )
        {
          v37 = *(_DWORD *)(v60 + <img src='http://www.shsforums.net/public/style_emoticons/<#EMO_DIR#>/cool.gif' class='bbc_emoticon' alt='8)' />;
          v38 = v37;
          if ( v37 )
            v22 = (**(int (__thiscall ***)(_DWORD, _DWORD))v38)(v38, 1);
          else
            v22 = 0;
        }
        operator delete((void *)v60);
        v2 = v60;
        v21 = v60;
      }
      else
      {
        v21 = 0;
      }
      v36 = *(_DWORD *)(dword_B773CC + 17082);
      LOBYTE(v2) = byte_AAD1CB;
      LOBYTE(v76) = sub_676808(v75, v2, -1);
    }
    else
    {
      v65 = v78;
      Memory = (void *)v78;
      if ( v78 )
      {
        sub_4659A0(Memory, v78);
        operator delete(Memory);
        v25 = Memory;
      }
      else
      {
        v25 = 0;
      }
    }
  }
  if ( v77 )
  {
    v70 = 0;
    v57 = malloc_A50608(0x2A6u);
    v79 = 2;
    if ( v57 )
      v20 = sub_65467D(v57);
    else
      v20 = 0;
    v58 = v20;
    v79 = -1;
    v70 = v20;
    v56 = &v18;
    CastEffect_999EFB(&v18, (int)"spsturni");
    sub_64C310(v18, v19);
    v79 = 3;
    v67 = sub_64C49B(&v68);
    v11 = sub_8AD080(a2 + 6, v74 + 6);
    *(_DWORD *)(v67 + 780) = v11;
    *(_DWORD *)(v67 + 122) = 8;
    *(_BYTE *)(v67 + 910) = 1;
    v35 = *(_DWORD *)(a2 + 48);
    *(_DWORD *)(v70 + 606) = v35;
    *(_DWORD *)(v70 + 82) = 1;
    v12 = *(_DWORD *)(a2 + 10);
    v13 = v70;
    *(_DWORD *)(v70 + 598) = *(_DWORD *)(a2 + 6);
    *(_DWORD *)(v13 + 602) = v12;
    v34 = *(_DWORD *)(a2 + 18);
    sub_6561F8(v34, a2 + 6, 32, byte_AAA9EE);
    if ( v67 )
    {
      v14 = *(_DWORD *)(v67 + 102);
      v54 = *(_DWORD *)(v67 + 98);
      v55 = v14;
      v29 = a2 + 6;
      v30 = v14 + *(_DWORD *)(a2 + 10);
      v15 = *(_DWORD *)(a2 + 6);
      v31 = v54 + v15;
      v32 = v54 + v15;
      v33 = v30;
      v16 = v30;
      v52 = v54 + v15;
      v53 = v30;
      v28 = *(_DWORD *)(a2 + 18);
      v19 = 0;
      LOBYTE(v16) = byte_AAA9EE;
      v18 = v16;
      sub_64E918(v28, &v52, *(_DWORD *)(v67 + 134), byte_AAA9EE, 0);
      v27 = *(_DWORD *)(v67 + 48);
      sub_A4E598(v27);
    }
    v79 = -1;
    if ( v69 )
    {
      if ( sub_99A0EF(byte_B7473C) )
      {
        if ( v68 )
        {
          sub_987FCD(v69);
          v68 = 0;
        }
        sub_99555F(v69);
      }
    }
    v69 = 0;
  }
  return RemoveElement_A4E4B4(v26);
}

Most functions(i have checked about 95% of them) are 100% identical inside(of course addresses and offsets are different). But I only looked one level deeper(I did not compare functions inside functions and so on).

There was a minor difference in function 64C49B(one extra function was called in ToB and was not called in SoA), but editing it did not help(I have NOP'ed the function call).

Apparently both listings are quite similar. It seems like they only have different offsets and probably constants which I do not know.

Expected feedback:
- Amidoinitrite?
- Any info on functions/constants that were used in ToB's listing
- Any info on where else to look for the root of the problem

Edited by Suslik, 08 January 2012 - 12:23 PM.

[Ascension64]

I'd really have to have a detailed look at this to work out what is going on. Are the two pseudocodes you posted equivalent? Hard to eye-ball just from looking at it.

[Suslik]

As I have already said, listings seem to be equivalent. Furthermore, even all functions that are called inside these two are equivalent too, but I have checked only one level deeper in stack.

I think I can do monotonous work like comparing all those functions myself, I want you just to tell me what to pay attention on. And where else to look.

[Ascension64]

Quote

I want you just to tell me what to pay attention on. And where else to look.

Hmm, like I said, a bit hard without me delving into detail what's going on. I'll let you know when I do.

[Suslik]

Ok. I am sort of stuck for now and do not know where else to look. I'll wait for any info from you.

[Ascension64]

Looks like the CProtectedSpl update counter at CCreatureObject+6448h doesn't get zero'ed, causing the problem that you fixed with zeroing memory.

Not sure about the spell turning graphic yet.

[Ascension64]

Hmm, I just tested the issue under the SoA 23037 executable, and the infinite spell absorption as well as the graphic not showing also exist. Did you see the graphic in a different version of SoA?

Update: Turns out SoA 22941 still plays the spell turn graphic, and that this code is added somewhere between 22941 and 23037.

In void CVisualEffect::AIUpdate()

//using ToB26498 offsets
mov	edx, [ebp+var_34]
mov	eax, [edx+6450h]
mov	[ebp+var_1A0], eax
mov	ecx, [ebp+var_1A0]
cmp	ecx, ds:dword_AAD1D0
jnz	short loc_654CCA
mov	edx, [ebp+var_2B4]
mov	eax, [edx+30h]
mov	[ebp+var_1A8], eax
mov	ecx, [ebp+var_34]
mov	[ebp+var_1A4], ecx
mov	edx, [ebp+var_1A4]
mov	eax, [ebp+var_1A8]
mov	[edx+6450h], eax
jmp	short loc_654D36 //if cre.eVisualEffect == -1, cre.eVisualEffect = this.e; ...

loc_654CCA:
mov	ecx, [ebp+var_34]
mov	edx, [ecx+6450h]
mov	[ebp+var_1AC], edx
mov	eax, [ebp+var_2B4]
mov	ecx, [ebp+var_1AC]
cmp	ecx, [eax+30h] //if cre.eVisualEffect == this.e, ...
jz	short loc_654D36
mov	edx, dword_B773CC
mov	eax, [edx+42BAh]
mov	[ebp+var_1B0], eax
push	0FFFFFFFFh
mov	cl, ds:byte_AAD1CB
push	ecx
mov	edx, [ebp+var_2B4]
mov	eax, [edx+25Eh]
push	eax
mov	ecx, [ebp+var_1B0]
add	ecx, 37F6h
call	sub_676808
mov	byte ptr [ebp+var_14], al
mov	ecx, [ebp+var_2B4]
call	sub_656D2E //purge!
jmp	loc_6561E8

Since the spell turning graphic on the ground is already owned by the cre, the extra graphic gets purged because it is a new visual effect and doesn't have the same index (e) as the graphic on the ground.

Probably an unintentional bug created by a bugfix for something else, so we can't just remove this extra code.

Update2: So, you can simply make it play independently of the cre by not giving the VisualEffect an owner.

In void CProtectedSplList::Update(CCreatureObject&)

loc_465116:
mov	ecx, [ebp+var_100]
mov	[ebp+var_68], ecx
mov	[ebp+var_4], 0FFFFFFFFh
mov	edx, [ebp+var_68]
mov	[ebp+var_30], edx //pVisualEffect
sub	esp, 8
mov	ecx, esp
mov	[ebp+var_70], esp
push	offset aSpsturni ; "spsturni"
call	sub_999EFB
lea	ecx, [ebp+var_40]
call	sub_64C310
mov	[ebp+var_4], 3
lea	ecx, [ebp+var_40]
call	sub_64C49B
mov	[ebp+var_44], eax //pVidCell
mov	eax, [ebp+var_20]
add	eax, 6
push	eax
mov	ecx, [ebp+arg_0]
add	ecx, 6
push	ecx
call	sub_8AD080
add	esp, 8
movsx	edx, ax
mov	eax, [ebp+var_44]
mov	[eax+30Ch], edx
mov	ecx, [ebp+var_44]
mov	dword ptr [ecx+7Ah], 8
mov	edx, [ebp+var_44]
mov	byte ptr [edx+38Eh], 1
mov	eax, [ebp+arg_0]
mov	ecx, [eax+30h]
mov	[ebp+var_C4], ecx //pCreatureObject->e
mov	edx, [ebp+var_30]
mov	eax, [ebp+var_C4]
//------------------------------------------------------- nop me!
mov	[edx+25Eh], eax //pVisualEffect->eOwner
//-------------------------------------------------------
mov	ecx, [ebp+var_30]
mov	dword ptr [ecx+52h], 1
mov	edx, [ebp+arg_0]
mov	eax, [edx+6]
mov	ecx, [edx+0Ah]
mov	edx, [ebp+var_30]
mov	[edx+256h], eax
mov	[edx+25Ah], ecx
mov	eax, [ebp+arg_0]
mov	ecx, [eax+12h]
mov	[ebp+var_C8], ecx
mov	dl, ds:byte_AAA9EE
push	edx
push	20h
mov	eax, [ebp+arg_0]
add	eax, 6
push	eax
mov	ecx, [ebp+var_C8]
push	ecx
mov	ecx, [ebp+var_30]
call	sub_6561F8

Edited by Ascension64, 10 January 2012 - 10:40 PM.

[Salk]

Very nice find, guys!

[Suslik]

Ascension64

Quote

Looks like the CProtectedSpl update counter at CCreatureObject+6448h doesn't get zero'ed, causing the problem that you fixed with zeroing memory.

Quote

Update: Turns out SoA 22941 still plays the spell turn graphic, and that this code is added somewhere between 22941 and 23037.

Man, you're awesome.

Quote

Since the spell turning graphic on the ground is already owned by the cre, the extra graphic gets purged because it is a new visual effect and doesn't have the same index (e) as the graphic on the ground.
Probably an unintentional bug created by a bugfix for something else, so we can't just remove this extra code.

I see. Apparently my asm comprehension skills fail to figure such complex issues myself. But why does it get purged only for being owned by the same creature? There are apparently a lot of graphics can be attached to 1 creature(spell protections/mirror images/globes/etc), why can't we attach one more?

Quote

Update2: So, you can simply make it play independently of the cre by not giving the VisualEffect an owner.

It does work, but I have to call it only a workaround, because in SoA the animation is attached to cre and when creature walks, animation moves with it. But if we nullify its parent, it just stands where it was spawned. Do you see any ways to make it work without detaching it from cre?

and again, really great job.

Edited by Suslik, 12 January 2012 - 08:01 AM.

[Ascension64]

Quote

I see. Apparently my asm comprehension skills fail to figure such complex issues myself. But why does it get purged only for being owned by the same creature? There are apparently a lot of graphics can be attached to 1 creature(spell protections/mirror images/globes/etc), why can't we attach one more?

We can. A visual effect is essentially made up of a list of vid cells, and two lists of vef components. For various other visual effects, the engine would add a vid cell to the visual effect, if the creature already has an existing visual effect. The bugged code above is probably legacy in that it simply creates a visual effect, adds SPSTURNI vid cell, and sets the creature as its owner without actually checking beforehand whether the creature already had a visual effect.

Quote

It does work, but I have to call it only a workaround, because in SoA the animation is attached to cre and when creature walks, animation moves with it. But if we nullify its parent, it just stands where it was spawned. Do you see any ways to make it work without detaching it from cre?

So a more complicated fix would be to check if the creature already has a visual effect, and if not make a visual effect containing SPSTURNI vid cell. If it already does, simply add the vid cell to it. I think there already exists a proc to do this, so we don't necessarily have to re-code it.

However, I wonder why the bouncing animation should move with the creature. A spell bouncing off a wall should have the wall stationary and not moving.

[Suslik]

Quote

However, I wonder why the bouncing animation should move with the creature. A spell bouncing off a wall should have the wall stationary and not moving.

well, it just looks somewhat weird when a creature with high movement speed(boots of speed, improved haste) can walk more than my screen's width while the animation is slowly floating stationary in the air.

can you please send me 23037 executable? it's easier to compare with my 22941(?) than ToB.

Edited by Suslik, 13 January 2012 - 04:49 AM.

[Dakk]

'Ascension64', on 13 January 2012 - 08:02 AM, said:

However, I wonder why the bouncing animation should move with the creature. A spell bouncing off a wall should have the wall stationary and not moving.

Isn't that - moving with the caster - the behaviour of all caster protections (mirror image, GOI, Otiluke etc) in the game?

[Ascension64]

'Suslik', on 13 January 2012 - 10:16 PM, said:

can you please send me 23037 executable? it's easier to compare with my 22941(?) than ToB.

Probably easier just to download the 23037 patch online and extract the cab.

Quote

Isn't that - moving with the caster - the behaviour of all caster protections (mirror image, GOI, Otiluke etc) in the game?

These are continuous graphics though, like the spell turning graphic on the floor. The graphic that isn't showing is one that only plays when a spell bounces.

[Ascension64]

I've had a closer look at whether it is possible to make the turning move with the creature.
Turns out that if the visual effect isn't purged because the creature already has one, the vid cell itself is purged unless an effect re-applies it. So, it becomes incredibly tricky to achieve this.

[Suslik]

Quote

Turns out that if the visual effect isn't purged because the creature already has one, the vid cell itself is purged unless an effect re-applies it. So, it becomes incredibly tricky to achieve this.

but.. why? why did that not happen in earlier builds? and which functions(addresses i mean) are you currently investigating?

[Ascension64]

I use hardware breakpoints to track object instances, so it could land on any proc. Will give you some details tomorrow.
Why is always a tough question to answer. I am reluctant to remove functioning code because it is likely to be part of a bugfix... there was lot wrong with unpatched Shadows of Amn.