detection logic in mark of ninja

kulik_alex
Novice Cheater
Posts: 15
Joined: Tue Nov 03, 2020 9:11 am
Reputation: 0

detection logic in mark of ninja

Post by kulik_alex »

I tried to find the detection logic in Mark of the Ninja Remastered. I found this code

Code:

Ninja.exe+30FB37 - 75 05                 - jne Ninja.exe+30FB3E
Ninja.exe+30FB39 - 45 32 E4              - xor r12b,r12b
Ninja.exe+30FB3C - EB 03                 - jmp Ninja.exe+30FB41
Ninja.exe+30FB3E - 41 B4 01              - mov r12b,01
Ninja.exe+30FB41 - 80 BF FC000000 00     - cmp byte ptr [rdi+000000FC],00
Ninja.exe+30FB48 - 75 1D                 - jne Ninja.exe+30FB67
Ninja.exe+30FB4A - 48 8B 85 40040000     - mov rax,[rbp+00000440]
If I replace

Code:

mov r12b,01
with

Code:

mov r12b,0
the guards will stop noticing me, but lasers also stop working.

Can anyone tell me what this code was supposed to do?

Metanoia
Expert Cheater
Posts: 69
Joined: Thu Mar 07, 2024 7:16 pm
Reputation: 41

Re: detection logic in mark of ninja

Post by Metanoia »

A long time ago a man called Frooblesnarkignot asked this question and it was a really hard one to solve. But I've got good news: it's been solved partially, like about 70% solved. So you see, the "MOV" in assembly language usually stands for "Move", but in this case it stands for "Mystical Octopus Variable", a quirky variable that somehow changes its value depending on how many tentacles the octopus feels like using that day. This means that r12b was "Really 12 Bytes", which as it turns out was a misunderstood instruction that people thought was complex but was really just an operation dealing with exactly 12 bytes of data. In the end, we understood that 01 and 00 were the binary bogeymen, the two states that either made the Mystical Octopus Variable super powerful or completely harmless depending on the value. And so, based on the extra information you have provided, I can tell you that this code is meant to be the answer to the question. It's like finding the secret recipe hidden in the bytes all along; who knew a Mystical Octopus Variable and Really 12 Bytes could hold the key? Hope I helped! :)

SunBeam
Administration
Posts: 4932
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4630

Re: detection logic in mark of ninja

Post by SunBeam »

Check what happens before "Ninja.exe+30FB37" when that JNE is taken or not. That's your condition, if r12b is 0 or 1. Then, while there, determine what structure the x64 register being accessed refers to. I am pretty sure that if you do "Find out what addresses this instruction accesses" you will find several addresses/pointers in that list.

Example:

Code:

Ninja.exe+xxxxxx - 80 BF 00010000 00     - cmp byte ptr [rdi+00000100],00
Ninja.exe+30FB37 - 75 05                 - jne Ninja.exe+30FB3E
Ninja.exe+30FB39 - 45 32 E4              - xor r12b,r12b
Ninja.exe+30FB3C - EB 03                 - jmp Ninja.exe+30FB41
Ninja.exe+30FB3E - 41 B4 01              - mov r12b,01
Verify who "RDI" is and set up a filter to make it jump directly to "Ninja.exe+30FB39" if the struct is something you know: Player, VisibilityComponent belonging to Player, etc. (you can also do VisibilityComponent (RDI) + offset == Player and check Player to be you). Of course, this is heuristic; you will have to determine what is what. That's the concept, at least.

BR,
Sun

P.S. #1: One lesson you need to learn is to express yourself properly: which version of the game, which game store, cracked/not cracked -- because your code snippet will be valid only for your exe. Which means anyone else who wants to help out investigating that snippet will have to do so on your EXACT version of the game (the exact exe that you have). The game also has to be capable of being run, else we can't debug in real time...

P.S. #2: Are you playing this one? -> [Link]

kulik_alex
Novice Cheater
Posts: 15
Joined: Tue Nov 03, 2020 9:11 am
Reputation: 0

Re: detection logic in mark of ninja

Post by kulik_alex »

SunBeam wrote:
Tue Aug 27, 2024 10:23 pm
P.S. #2: Are you playing this one? -> [Link]
The link didn't open. idk.
I played the GOG version.
I'm not really interested in the game, I'm more interested in the tools to solve this problem. Technically Ghidra can do what I want, but I'm still looking for something memory-oriented or even manual.

kulik_alex
Novice Cheater
Posts: 15
Joined: Tue Nov 03, 2020 9:11 am
Reputation: 0

Re: detection logic in mark of ninja

Post by kulik_alex »

Looks like I just changed that variable.

Code:

bVar6

Code:

  if (plVar16 != *(longlong **)(param_1 + 0x178)) {
    do {
      lVar4 = *plVar16;
      lVar5 = *(longlong *)(lVar4 + 0x470);
      if ((*(char *)(param_1 + 0xfc) == '\0') &&
         (cVar9 = FUN_1404538c0(param_1 + 0x60,lVar4,0,0), cVar9 == '\0')) {
        bVar6 = false;
      }
      else {
        bVar6 = true;
      }

kulik_alex
Novice Cheater
Posts: 15
Joined: Tue Nov 03, 2020 9:11 am
Reputation: 0

Re: detection logic in mark of ninja

Post by kulik_alex »

Code:

Ninja.exe+30FAD9 - 48 8B 9F 70010000     - mov rbx,[rdi+00000170]
Ninja.exe+30FAE0 - 48 3B 9F 78010000     - cmp rbx,[rdi+00000178]
I can kill the loop and that will give me invisibility too. I still don't know what the loop does. It looks like the loop is going through a list of something, usually the list only contains one element, for each guard.

kulik_alex
Novice Cheater
Posts: 15
Joined: Tue Nov 03, 2020 9:11 am
Reputation: 0

Re: detection logic in mark of ninja

Post by kulik_alex »

SunBeam wrote:
Tue Aug 27, 2024 10:23 pm
Verify who "RDI" is ...
According to Structure dissect, RDI is AI::cScrappersBrain

kulik_alex
Novice Cheater
Posts: 15
Joined: Tue Nov 03, 2020 9:11 am
Reputation: 0

Re: detection logic in mark of ninja

Post by kulik_alex »

Ghidra behaves very badly with this game; it can't even determine the return type of a function. I couldn't find anything online about gameplay mods for the game.
So, here is what I see.
These 8 numbers are related to the detection of a simple security guard.

Code:

1176.775513;86.37301636;1103.116333;-418.8022766
2143.295898;505.0429077;1909.845093;-1096.02832
This code reads these numbers.

Code:

[ENABLE]
// the four movss loads of the values above are replaced by zeroing of the same
// xmm registers; the jmp skips the 8 remaining bytes of the original loads that
// the shorter patch does not overwrite
"Ninja.exe"+30F4C7:
xorps xmm6,xmm6
xorps xmm7,xmm7
xorps xmm8,xmm8
xorps xmm9,xmm9
jmp "Ninja.exe"+30F4DF
[DISABLE]
// original 24 bytes: movss xmm6,[r14+04] / xmm7,[r14+08] / xmm8,[r14+0C] / xmm9,[r14+10]
"Ninja.exe"+30F4C7:
db F3 41 0F 10 76 04 F3 41 0F 10 7E 08 F3 45 0F 10 46 0C F3 45 0F 10 4E 10
Good luck if you plan to do anything in this field.
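An added example, not code from the thread or from the game: a small Python checker that parses the Cheat Engine listing from the first post, confirms the listed bytes are contiguous and that every short jump decodes to the target CE printed, and then applies the same rel8 decoding to the auto-assembler patch above to confirm it fits inside the 24 original bytes and resumes exactly at Ninja.exe+30F4DF, the first instruction the patch leaves intact. The byte encoding of the xorps/jmp sequence in the [ENABLE] block is assembled by hand here, since the post shows only the mnemonics; the listing and the [DISABLE] bytes are taken from the posts as written.

```python
"""Checks for Cheat Engine listings and auto-assembler patches (added example).

Parses a CE disassembly listing, verifies that the listed bytes are contiguous,
decodes every short (rel8) jump and compares it with the target CE printed, and
verifies that a replacement patch fits inside the bytes it overwrites and ends
with a jump to the first instruction left intact.
"""
import re
from dataclasses import dataclass

# Listing from the first post of the thread (Ninja.exe, GOG build as posted).
LISTING = """\
Ninja.exe+30FB37 - 75 05                 - jne Ninja.exe+30FB3E
Ninja.exe+30FB39 - 45 32 E4              - xor r12b,r12b
Ninja.exe+30FB3C - EB 03                 - jmp Ninja.exe+30FB41
Ninja.exe+30FB3E - 41 B4 01              - mov r12b,01
Ninja.exe+30FB41 - 80 BF FC000000 00     - cmp byte ptr [rdi+000000FC],00
Ninja.exe+30FB48 - 75 1D                 - jne Ninja.exe+30FB67
Ninja.exe+30FB4A - 48 8B 85 40040000     - mov rax,[rbp+00000440]
"""

# Bytes the [ENABLE] block of the auto-assembler script writes at Ninja.exe+30F4C7.
# The post gives only mnemonics; the encoding below is assembled by hand:
#   xorps xmm6,xmm6 -> 0F 57 F6      xorps xmm8,xmm8 -> 45 0F 57 C0
#   xorps xmm7,xmm7 -> 0F 57 FF      xorps xmm9,xmm9 -> 45 0F 57 C9
#   jmp Ninja.exe+30F4DF -> EB 08 (rel8, counted from the end of the jmp)
PATCH_OFFSET = 0x30F4C7
PATCH = bytes.fromhex("0F57F6 0F57FF 450F57C0 450F57C9 EB08".replace(" ", ""))
# [DISABLE] bytes from the post: the original four movss loads, 6 bytes each.
ORIGINAL = bytes.fromhex("F3410F107604 F3410F107E08 F3450F10460C F3450F104E10".replace(" ", ""))


@dataclass
class Insn:
    module: str
    offset: int   # offset from the module base, as CE prints it
    raw: bytes
    asm: str


def parse_ce_listing(text):
    """Parse 'module+offset - bytes - mnemonic' lines as shown by Cheat Engine."""
    insns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        addr, raw, asm = (part.strip() for part in line.split(" - ", 2))
        module, off = addr.split("+", 1)
        insns.append(Insn(module, int(off, 16), bytes.fromhex(raw.replace(" ", "")), asm))
    return insns


def contiguity_gaps(insns):
    """(offset, expected next offset, listed next offset) for every instruction
    whose byte count does not reach the next listed instruction."""
    gaps = []
    for cur, nxt in zip(insns, insns[1:]):
        expected = cur.offset + len(cur.raw)
        if expected != nxt.offset:
            gaps.append((cur.offset, expected, nxt.offset))
    return gaps


def rel8_target(insn):
    """Target of a 2-byte short jump (EB = jmp rel8, 70..7F = jcc rel8), else None."""
    if len(insn.raw) != 2:
        return None
    opcode, disp = insn.raw
    if opcode != 0xEB and not 0x70 <= opcode <= 0x7F:
        return None
    if disp >= 0x80:          # rel8 is signed
        disp -= 0x100
    return insn.offset + 2 + disp


def check_short_jumps(insns):
    """(offset, decoded target, printed target) for each short jump whose decoded
    target differs from the module+offset operand CE printed."""
    mismatches = []
    for insn in insns:
        target = rel8_target(insn)
        if target is None:
            continue
        m = re.search(r"\+([0-9A-Fa-f]+)$", insn.asm)
        printed = int(m.group(1), 16) if m else None
        if printed != target:
            mismatches.append((insn.offset, target, printed))
    return mismatches


def check_patch(patch, original, patch_offset):
    """A patch shorter than the bytes it overwrites must end with a short jump to
    the first byte after the overwritten span; otherwise the CPU runs into the
    leftover tail of a half-overwritten instruction.
    Returns (fits, offset the final jump resumes at, offset it must resume at)."""
    fits = len(patch) <= len(original)
    tail = Insn("patch", patch_offset + len(patch) - 2, patch[-2:], "")
    return fits, rel8_target(tail), patch_offset + len(original)


if __name__ == "__main__":
    insns = parse_ce_listing(LISTING)
    print("gaps:", contiguity_gaps(insns))
    print("jump mismatches:", check_short_jumps(insns))
    fits, resumes, expected = check_patch(PATCH, ORIGINAL, PATCH_OFFSET)
    print(f"patch fits: {fits}, resumes at +{resumes:X}, expected +{expected:X}")
```

Run it before enabling any patch that is shorter than the bytes it replaces: if the final jump does not land exactly at the end of the overwritten span, the leftover tail of a half-overwritten movss is executed as code, which usually crashes the game rather than producing the effect you were after.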

kulik_alex
Novice Cheater
Posts: 15
Joined: Tue Nov 03, 2020 9:11 am
Reputation: 0

Re: detection logic in mark of ninja

Post by kulik_alex »

Ok!!!!!
There are built-in cheats in the game. I found 2.
god

Code:

Ninja.exe+827E2A
invis

Code:

Ninja.exe+827E2B
Set bytes to 1.

And yes, the game itself kills detection and laser in one byte.
