Manalink C/ASM Dll

[foolosopher]

I 'd forgotten about lonefox comments. The names he refers should probably be valid in later releases, but for the addresses he refers to be valid, you need to use the .exe that he used also. I tried to download the one snacko posted in page 1 but it is removed, so if you have it can you post it here?

[gmzombie]

the one i used was the manalink 2.0 from January 1 2009 and it had those references that i explained

on a side note i tried to take rebirth out of the magic.exe and put it into the manalinkeh.dll via ollydbg but i cannot get the program to at the current address 41bd90 to take a jump command. it says i need a label but my code is this
JMP Manali_1.205705c but it says i need a label...thought that was the manali_1 anyways im doing this to first see how its done and secondly it will get card clutter out of the way for now. i would actually like someone if possible to add a manalinkeh.dll to the pre mok so i could do this without running into other code. less other code more of a possibility to find the answer. and finally does anybody know why there is so many target creature and target player code inside magic.exe you would think they would use a global function for it all?

[foolosopher]

Your ahead of me here, but you can also try to just remove a card's code and see what happens. Hopefully jumps and references won't be affected, most probably if the card is not used. If you find out how to move cards to somewhere else in ollydbg, could you please write it down as in 1 2 3. We can then split card removal.
I was also taking a closer look at the magic.asm from the versions that you posted (pre-mok, mok2 and skymarshal) and found that a very large portion of that code (like 50-60%) is variable declarations (dd and db) for player messages and their alignment, which could probably be safely removed
for comparing purposes.
I 'll try to verify this and get back to you. Anyway, if that's the case code comparison will be significantly easier and smaller and we should be able to start doing that soon.
Does anyone know if from mok2 to skymarshal card code was inserted in magic.exe? That would explain the code size difference between these updates.

Oh, can you post or send me the manalink 2.0 from January 1 2009 version.

thanks

[gmzombie]

im positive that there was card code addition or at least enhancements made to the game since 2.0

[foolosopher]

OK it seems that pre-mok code is too different to compare with mok2 or skymarshal, probably cause of shandalar code included in it, but the last two are quite comparable, especially if you remove "db 00h;" lines, which fill up 35MB of the 50MB of disassembled code of skymarshal.
Had a quick look between the two and some more alignment is required, but I believe we can get some results by comparing them. Skymarshal has some more code which I believe is mostly card code. Anyway, the real question is if we are to proceed, what is the size of the card limit at these updates. I know that the card images are
Mok2: 1300-514h images,
skymarshal: 1549-60Dh,
but that's just indicative. Card limit might as well be the same in those two versions. So if anyone knows if the card limit was changed between those two versions, that would be great help.

[gmzombie]

i was thnking about something. if we have static arrays that are keeping us at a limit. why then after we move the card code out of the exe couldnt we change that static to a dynamic array. wouldnt that give us more than enough room to build a correct dynamic array to keep the program running and without a limit? and if you really wanted to make it easier(well maybe easier) couldnt you make a dll file for every cycle or block of cards you create...like the golden years mod for example the iceage, homelands, coldsnap, alliances...etc

[foolosopher]

In order to do this you stumble upon the same problem that we have now. In order to make a bigger static or dynamic array for the cards you still have to change the references from the old arrays to the new ones. So when we "hopefully" finish what we are trying to do, we can decide on what you propose.
One more thing, could you check with ollydbg on the address 006906 somewhere there or a bit before that, you should find one of the arrays or a reference to it, that we are looking for.

[gmzombie]

here is what i found

Code: Select all

File C:\Documents and Settings\Mikey\My Documents\Magic\Program\Magic.exe
Address   Hex dump          Command                                  Comments
00006850   \55              PUSH EBP
00006851    8BEC            MOV EBP,ESP
00006853    83EC 04         SUB ESP,4
00006856    56              PUSH ESI
00006857    57              PUSH EDI
00006858    FF75 10         PUSH DWORD PTR SS:[EBP+10]
0000685B    FF75 0C         PUSH DWORD PTR SS:[EBP+0C]
0000685E    FF75 08         PUSH DWORD PTR SS:[EBP+8]
00006861    E8 2ABEFFFF     CALL 00002690
00006866    83C4 0C         ADD ESP,0C
00006869    3C 63           CMP AL,63
0000686B    0F84 23020000   JE 00006A94
00006871    807D 10 01      CMP BYTE PTR SS:[EBP+10],1
00006875    75 17           JNE SHORT 0000688E
00006877    8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
0000687A    C1E0 05         SHL EAX,5
0000687D    FF80 C0317A00   INC DWORD PTR DS:[EAX+7A31C0]
00006883    FF80 B4317A00   INC DWORD PTR DS:[EAX+7A31B4]
00006889    E9 06020000     JMP 00006A94
0000688E    807D 10 6C      CMP BYTE PTR SS:[EBP+10],6C
00006892    75 2C           JNE SHORT 000068C0
00006894    8B4D 0C         MOV ECX,DWORD PTR SS:[EBP+0C]
00006897    390D 8C397A00   CMP DWORD PTR DS:[7A398C],ECX
0000689D    75 21           JNE SHORT 000068C0
0000689F    8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
000068A2    3905 848C7300   CMP DWORD PTR DS:[738C84],EAX
000068A8    75 16           JNE SHORT 000068C0
000068AA    E8 D1A7FFFF     CALL 00001080
000068AF    33C0            XOR EAX,EAX
000068B1    C746 4C 0000000 MOV DWORD PTR DS:[ESI+4C],0
000068B8    8946 38         MOV DWORD PTR DS:[ESI+38],EAX
000068BB    E9 D6010000     JMP 00006A96
000068C0    807D 10 73      CMP BYTE PTR SS:[EBP+10],73
000068C4    75 2B           JNE SHORT 000068F1
000068C6    C605 11CF5500 0 MOV BYTE PTR DS:[55CF11],1
000068CD    C605 14CF5500 0 MOV BYTE PTR DS:[55CF14],1
000068D4    FF75 08         PUSH DWORD PTR SS:[EBP+8]
000068D7    E8 04B9FFFF     CALL 000021E0
000068DC    83C4 04         ADD ESP,4
000068DF    85C0            TEST EAX,EAX
000068E1    0F84 AD010000   JE 00006A94
000068E7    B8 01000000     MOV EAX,1
000068EC    E9 A5010000     JMP 00006A96
000068F1    807D 10 90      CMP BYTE PTR SS:[EBP+10],90
000068F5    75 0C           JNE SHORT 00006903
000068F7    6A 00           PUSH 0
000068F9    E8 121D0900     CALL 00098610
000068FE    83C4 04         ADD ESP,4
00006901    EB 59           JMP SHORT 0000695C
00006903    807D 10 6D      CMP BYTE PTR SS:[EBP+10],6D
00006907    75 58           JNE SHORT 00006961
00006909    C705 04F44E00 0 MOV DWORD PTR DS:[4EF404],1
00006913    6A 01           PUSH 1
00006915    6A 04           PUSH 4
00006917    FF75 08         PUSH DWORD PTR SS:[EBP+8]
0000691A    E8 416B0200     CALL 0002D460
0000691F    83C4 0C         ADD ESP,0C
00006922    833D 94F14E00 0 CMP DWORD PTR DS:[4EF194],1
00006929    74 31           JE SHORT 0000695C
0000692B    8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
0000692E    8B4D 0C         MOV ECX,DWORD PTR SS:[EBP+0C]
00006931    E8 4AA7FFFF     CALL 00001080
00006936    C746 4C 0100000 MOV DWORD PTR DS:[ESI+4C],1
0000693D    8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
00006940    8946 74         MOV DWORD PTR DS:[ESI+74],EAX
00006943    8B45 0C         MOV EAX,DWORD PTR SS:[EBP+0C]
00006946    8946 78         MOV DWORD PTR DS:[ESI+78],EAX
00006949    C646 36 01      MOV BYTE PTR DS:[ESI+36],1
0000694D    837E 38 00      CMP DWORD PTR DS:[ESI+38],0
00006951    75 09           JNE SHORT 0000695C
00006953    814E 38 0000080 OR DWORD PTR DS:[ESI+38],00080000
0000695A    EB 00           JMP SHORT 0000695C
0000695C    E9 33010000     JMP 00006A94
00006961    807D 10 72      CMP BYTE PTR SS:[EBP+10],72
00006965    0F85 8E000000   JNE 000069F9
0000696B    8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
0000696E    8B4D 0C         MOV ECX,DWORD PTR SS:[EBP+0C]
00006971    E8 0AA7FFFF     CALL 00001080
00006976    8B8E 10010000   MOV ECX,DWORD PTR DS:[ESI+110]
0000697C    8B86 0C010000   MOV EAX,DWORD PTR DS:[ESI+10C]
00006982    E8 49A7FFFF     CALL 000010D0
00006987    837F 6C FF      CMP DWORD PTR DS:[EDI+6C],-1
0000698B    74 5D           JE SHORT 000069EA
0000698D    8B46 4C         MOV EAX,DWORD PTR DS:[ESI+4C]
00006990    25 FF000000     AND EAX,000000FF
00006995    0147 38         ADD DWORD PTR DS:[EDI+38],EAX
00006998    C647 36 00      MOV BYTE PTR DS:[EDI+36],0
0000699C    F647 3A 08      TEST BYTE PTR DS:[EDI+3A],08
000069A0    74 52           JE SHORT 000069F4
000069A2    8167 38 FFFFF7F AND DWORD PTR DS:[EDI+38],FFF7FFFF
000069A9    A1 E8767800     MOV EAX,DWORD PTR DS:[7876E8]
000069AE    50              PUSH EAX
000069AF    A1 10367A00     MOV EAX,DWORD PTR DS:[7A3610]
000069B4    50              PUSH EAX
000069B5    A1 70837200     MOV EAX,DWORD PTR DS:[728370]
000069BA    50              PUSH EAX
000069BB    A1 E8767800     MOV EAX,DWORD PTR DS:[7876E8]
000069C0    50              PUSH EAX
000069C1    A1 10367A00     MOV EAX,DWORD PTR DS:[7A3610]
000069C6    50              PUSH EAX
000069C7    E8 D4950900     CALL 0009FFA0
000069CC    83C4 14         ADD ESP,14
000069CF    8945 FC         MOV DWORD PTR SS:[EBP-4],EAX
000069D2    83F8 FF         CMP EAX,-1
000069D5    74 1D           JE SHORT 000069F4
000069D7    8BC8            MOV ECX,EAX
000069D9    8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
000069DC    E8 9FA6FFFF     CALL 00001080
000069E1    814E 38 0000080 OR DWORD PTR DS:[ESI+38],00080000
000069E8    EB 0A           JMP SHORT 000069F4
000069EA    C705 94F14E00 0 MOV DWORD PTR DS:[4EF194],1
000069F4    E9 9B000000     JMP 00006A94
000069F9    807D 10 39      CMP BYTE PTR SS:[EBP+10],39
000069FD    75 4F           JNE SHORT 00006A4E
000069FF    C605 11CF5500 0 MOV BYTE PTR DS:[55CF11],1
00006A06    C605 14CF5500 0 MOV BYTE PTR DS:[55CF14],1
00006A0D    FF75 08         PUSH DWORD PTR SS:[EBP+8]
00006A10    E8 CBB7FFFF     CALL 000021E0
00006A15    83C4 04         ADD ESP,4
00006A18    85C0            TEST EAX,EAX
00006A1A    74 78           JE SHORT 00006A94
00006A1C    8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
00006A1F    C1E0 05         SHL EAX,5
00006A22    8B90 DCF34E00   MOV EDX,DWORD PTR DS:[EAX+4EF3DC]
00006A28    D1EA            SHR EDX,1
00006A2A    42              INC EDX
00006A2B    52              PUSH EDX
00006A2C    8815 11CF5500   MOV BYTE PTR DS:[55CF11],DL
00006A32    8815 14CF5500   MOV BYTE PTR DS:[55CF14],DL
00006A38    FF75 08         PUSH DWORD PTR SS:[EBP+8]
00006A3B    E8 A0B7FFFF     CALL 000021E0
00006A40    83C4 04         ADD ESP,4
00006A43    5A              POP EDX
00006A44    4A              DEC EDX
00006A45    85C0            TEST EAX,EAX
00006A47  ^ 74 E2           JE SHORT 00006A2B
00006A49    8D42 01         LEA EAX,[EDX+1]
00006A4C    EB 48           JMP SHORT 00006A96
00006A4E    807D 10 8F      CMP BYTE PTR SS:[EBP+10],8F
00006A52    75 21           JNE SHORT 00006A75
00006A54    8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
00006A57    C1E0 05         SHL EAX,5
00006A5A    83B8 F0F44E00 0 CMP DWORD PTR DS:[EAX+4EF4F0],0
00006A61    74 12           JE SHORT 00006A75
00006A63    83B8 E4F44E00 0 CMP DWORD PTR DS:[EAX+4EF4E4],0
00006A6A    74 09           JE SHORT 00006A75
00006A6C    830D B4056200 0 OR DWORD PTR DS:[6205B4],00000001
00006A73    EB 1F           JMP SHORT 00006A94
00006A75    807D 10 22      CMP BYTE PTR SS:[EBP+10],22
00006A79    74 06           JE SHORT 00006A81
00006A7B    807D 10 C7      CMP BYTE PTR SS:[EBP+10],0C7
00006A7F    75 13           JNE SHORT 00006A94
00006A81    8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
00006A84    8B4D 0C         MOV ECX,DWORD PTR SS:[EBP+0C]
00006A87    E8 F4A5FFFF     CALL 00001080
00006A8C    33C0            XOR EAX,EAX
00006A8E    8946 4C         MOV DWORD PTR DS:[ESI+4C],EAX
00006A91    8946 38         MOV DWORD PTR DS:[ESI+38],EAX
00006A94    33C0            XOR EAX,EAX
00006A96    5F              POP EDI
00006A97    5E              POP ESI
00006A98    C9              LEAVE
00006A99    C3              RETN


and the reference in code for olly is 00407250 is where 0006850 starts.

[gmzombie]

here is the code with the virtual addresses

Code: Select all

       db   CCh;   'Œ'
       db   CCh;   'Œ'
       db   CCh;   'Œ'
       db   CCh;   'Œ'
       db   CCh;   'Œ'
       db   CCh;   'Œ'
       db   CCh;   'Œ'
       db   CCh;   'Œ'
       db   CCh;   'Œ'
       db   CCh;   'Œ'
       db   CCh;   'Œ'
       db   CCh;   'Œ'
       db   CCh;   'Œ'
       db   CCh;   'Œ'
       db   CCh;   'Œ'
        push   ebp
        mov   ebp,esp
        sub   esp,00000004h
        push   esi
        push   edi
        push   [ebp+10h]
        push   [ebp+0Ch]
        push   [ebp+08h]
        call   SUB_L00403090
        add   esp,0000000Ch
        cmp   al,63h
        jz    L00407494
        cmp   byte ptr [ebp+10h],01h
        jnz   L0040728E
        mov   eax,[ebp+08h]
        shl   eax,05h
        inc   [eax+L007A31C0]
        inc   [eax+L007A31B4]
        jmp   L00407494
 L0040728E:
        cmp   byte ptr [ebp+10h],6Ch
        jnz   L004072C0
        mov   ecx,[ebp+0Ch]
        cmp   [L007A398C],ecx
        jnz   L004072C0
        mov   eax,[ebp+08h]
        cmp   [L00738C84],eax
        jnz   L004072C0
        call   SUB_L00401A80
        xor   eax,eax
        mov   dword ptr [esi+4Ch],00000000h
        mov   [esi+38h],eax
        jmp   L00407496
 L004072C0:
        cmp   byte ptr [ebp+10h],73h
        jnz   L004072F1
        mov   byte ptr [L0055CF11],01h
        mov   byte ptr [L0055CF14],01h
        push   [ebp+08h]
        call   SUB_L00402BE0
        add   esp,00000004h
        test   eax,eax
        jz    L00407494
        mov   eax,00000001h
        jmp   L00407496
 L004072F1:
        cmp   byte ptr [ebp+10h],90h
        jnz   L00407303
        push   00000000h
        call   SUB_L00499010
        add   esp,00000004h
        jmp   L0040735C
 L00407303:
        cmp   byte ptr [ebp+10h],6Dh
        jnz   L00407361
        mov   dword ptr [L004EF404],00000001h
        push   00000001h
        push   00000004h
        push   [ebp+08h]
        call   SUB_L0042DE60
        add   esp,0000000Ch
        cmp   dword ptr [L004EF194],00000001h
        jz    L0040735C
        mov   eax,[ebp+08h]
        mov   ecx,[ebp+0Ch]
        call   SUB_L00401A80
        mov   dword ptr [esi+4Ch],00000001h
        mov   eax,[ebp+08h]
        mov   [esi+74h],eax
        mov   eax,[ebp+0Ch]
        mov   [esi+78h],eax
        mov   byte ptr [esi+36h],01h
        cmp   dword ptr [esi+38h],00000000h
        jnz   L0040735C
        or   dword ptr [esi+38h],00080000h
        jmp   L0040735C
 L0040735C:
        jmp   L00407494
 L00407361:
        cmp   byte ptr [ebp+10h],72h
        jnz   L004073F9
        mov   eax,[ebp+08h]
        mov   ecx,[ebp+0Ch]
        call   SUB_L00401A80
        mov   ecx,[esi+00000110h]
        mov   eax,[esi+0000010Ch]
        call   SUB_L00401AD0
        cmp   dword ptr [edi+6Ch],FFFFFFFFh
        jz    L004073EA
        mov   eax,[esi+4Ch]
        and   eax,000000FFh
        add   [edi+38h],eax
        mov   byte ptr [edi+36h],00h
        test   byte ptr [edi+3Ah],08h
        jz    L004073F4
        and   dword ptr [edi+38h],FFF7FFFFh
        mov   eax,[L007876E8]
        push   eax
        mov   eax,[L007A3610]
        push   eax
        mov   eax,[L00728370]
        push   eax
        mov   eax,[L007876E8]
        push   eax
        mov   eax,[L007A3610]
        push   eax
        call   SUB_L004A09A0
        add   esp,00000014h
        mov   [ebp-04h],eax
        cmp   eax,FFFFFFFFh
        jz    L004073F4
        mov   ecx,eax
        mov   eax,[ebp+08h]
        call   SUB_L00401A80
        or   dword ptr [esi+38h],00080000h
        jmp   L004073F4
 L004073EA:
        mov   dword ptr [L004EF194],00000001h
 L004073F4:
        jmp   L00407494
 L004073F9:
        cmp   byte ptr [ebp+10h],39h
        jnz   L0040744E
        mov   byte ptr [L0055CF11],01h
        mov   byte ptr [L0055CF14],01h
        push   [ebp+08h]
        call   SUB_L00402BE0
        add   esp,00000004h
        test   eax,eax
        jz    L00407494
        mov   eax,[ebp+08h]
        shl   eax,05h
        mov   edx,[eax+L004EF3DC]
        shr   edx,1
        inc   edx
 L0040742B:
        push   edx
        mov   [L0055CF11],dl
        mov   [L0055CF14],dl
        push   [ebp+08h]
        call   SUB_L00402BE0
        add   esp,00000004h
        pop   edx
        dec   edx
        test   eax,eax
        jz    L0040742B
        lea   eax,[edx+01h]
        jmp   L00407496
 L0040744E:
        cmp   byte ptr [ebp+10h],8Fh
        jnz   L00407475
        mov   eax,[ebp+08h]
        shl   eax,05h
        cmp   dword ptr [eax+L004EF4F0],00000000h
        jz    L00407475
        cmp   dword ptr [eax+L004EF4E4],00000000h
        jz    L00407475
        or   dword ptr [L006205B4],00000001h
        jmp   L00407494
 L00407475:
        cmp   byte ptr [ebp+10h],22h
        jz    L00407481
        cmp   byte ptr [ebp+10h],C7h
        jnz   L00407494
 L00407481:
        mov   eax,[ebp+08h]
        mov   ecx,[ebp+0Ch]
        call   SUB_L00401A80
        xor   eax,eax
        mov   [esi+4Ch],eax
        mov   [esi+38h],eax
 L00407494:
        xor   eax,eax
 L00407496:
        pop   edi
        pop   esi
        leave
        retn


[foolosopher]

Hi, been busy the last two weeks and haven't meddled with ollydbg, but started the comparison, so here's latest findings, for what it's worth...
1)found aswan_jaguar changing some sounds (I guess everybody knows that )
2)
jnz exchanged with jg at some cases
ecx exchanged with eax at some cases
between the two files, dunno why yet, suggestions welcome
3) 00800022h exchanged with L00800022, same as above
4) the most interesting, at some point we get the following code pattern
db 40h; '@'
db FFh; 'ï'
db 0Fh;
db 01h;
db E8h; '¨'
db 44h; 'D'
db 75h; 'u'
db 6Dh; 'm'
db 6Dh; 'm'
db 79h; 'y'
db 94h; '"'
db 03h;
db 42h; 'B'
db FFh; 'ï'
db 01h;
db 01h;
db 01h;
db 10h;
this appears about
Mok2: 261
Skymarshal: 28908
this also appears in the skymagic editor, but not in the csv, so I guess that comes from one of the tables that we are looking for, which is probably static and gets initialized at some point, when the game starts.
I think it's also proof that card number was changed between the two versions.
However, this is a small part of the information of the cards, so we will probably need to calculate the size of the structs holding card info.

[gmzombie]

ok i think i have made a breakthrough on howto clean up the magic.exe file moving card code to the dll file and using skymagic editor.will try this more later

[gmzombie]

i can move some code easily. i moved hyperion blacksmith as an example and changed the code pointer and it worked. i also copied the vanilla card code and put it in the dll file but havent taken out the code yet due to there being more references to it. so it might not be so cut and dry and i found one more array i believe thatshows a current count of 2000 and its addy is 56260c. i dunno if it helps but maybe it will.

[foolosopher]

OK, here's what I have:
In the attached xls
stats: a few statistics for mok2 and skymarshal versions
diffs: the differences that I found in the code of the two versions and some alterations that I made, which I believe was due to PE, in order to be able to single out the differences for the 2000 limit
struct-sizes: calculated (correctly I hope) the struct sizes that I found in manalink.h. Another column has the hex equivalents and another the occurrences of those sizes in the skymarhal version

Also run a modified skymarshal of 2000 cards in olly and saw that 7D0 was loaded in eax before it broke execution. Didn't have time to look further than that yet.
In the skymarshal version there is more code for about 250 cards which I didn't clear out.
To sum it up, after the changes that I made there are generally a few differences here and there between the two versions, (most of which seem insignificant to me at least) , apart from the part where the additional card code exists.
Anyone willing to check on those diffs please do and report back any comments.
Now if gmzombie can clear out all card code that would probably provide much safer code for a comparison.
If that is too much work, tell me how to do it and we can split the files to work on.

[gmzombie]

the only problem i see so far is when i try and move code and then test the card some cards work with there abilities and some cards have direct jumps that need to be changed..ie royal assassin and n paladin. but i will work on this it may take a bit of time but i will continue to work on it and send you an updated version once i get some of it done so you can see what im doing.

[foolosopher]

Is it possible that you completely remove most cards and see if we can just get magic running with very few cards. Then I 'll try to disassemble it again into c and see what comes of it. The other topic is opening my appetite again!