Technical Details - szapp/Ninja GitHub Wiki

Ninja is wrapped into a Windows dynamic link library (DLL). When loaded (and the parent process has been confirmed to be a supported version of Gothic, Gothic Sequel, Gothic 2 or Gothic 2 NotR), Ninja injects itself to the executable.

The reason for this compartmentalization is to separate core and wrapper and to avoid slow absolute (eax) jumps within the executed code by injecting it into the executable at fixed addresses to make use of relative jumps to addresses known at time of assembling.

This address space spans multiple methods of the deprecated class zCNetEventManager starting with zCNetEventManager::HandleNetMessage. After a long testing period any safety checks for ensuring that the overwritten methods are indeed never called are now omitted. This address space corresponds to 0x452640 - 0x454DF0 (Gothic 1.08k_mod) and 0x457470 - 0x459E60 (Gothic 2 NotR 2.6fix). Note: this ranges might be outdated.

Ninja is written entirely in assembly.