Skip to content

Instantly share code, notes, and snippets.

Last active June 16, 2019 14:37
Show Gist options
  • Star 2 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save FransBouma/6b41665b14d006be32d081ff69ded3a4 to your computer and use it in GitHub Desktop.
Save FransBouma/6b41665b14d006be32d081ff69ded3a4 to your computer and use it in GitHub Desktop.
Hitman 2016 Final CT camera table, with smooth movement. For v1.7. By Jim2Point0 and myself.
<?xml version="1.0" encoding="utf-8"?>
<CheatTable CheatEngineTableVersion="21">
<Description>"Camera system. Toggle: INS. Enable first"</Description>
<VariableType>Auto Assembler Script</VariableType>
// Reworked Hitman 2016 cheat table with free camera / timestop / FoV
// Original camera / timestop: Jim2Point0
// Reworked camera / threading code: Otis / Infuse Project
// For Hitman v1.7.0.
// this table contains a thread based camera movement system which moves the camera based on the camera look vector direction
// so pressing e.g. 'left' (numpad 4) is moving the camera left, you're no longer moving over the world x/y/z axis which don't align with
// the camera direction in most cases.
// I've commented a lot of code in this table. For seasoned assembly programmers these comments might sound like 'water is wet' statements,
// but they might help the novice assembly programmer out what's going on (as SIMD programmer isn't straightforward!) :)
// The features are enabled / disabled by two child scripts, one for the FoV and one for the camera hook.
// This is done so the thread loop can run at almost full speed scanning keys and it's also easier to enable e.g. FoV without the
// camera.
globalalloc(OwnCode, 2048) // alloc memory for our code, once.
// Code labels
// Data labels
// Symbols. Registering them allows you to use them in the CE UI.
// Grab camera structure address, which is inside the camera struct we need.
// There are more instructions here, as the overwrite is bigger (14 bytes), as it uses a
// qword address sourced jump instead of a simple jump because the jump is into global allocated memory!
cmp [rbx+38],0 // could also check +20 or +24 for 0 if the above fails
jne GrabCameraOriginalCode
mov [_cameraStruct], rbx
cmp byte [_cameraEnabled], 1
je ExitCameraStructGrab // camera enabled, skip original code.
movss [rbx+00000090],xmm0 // original statement
movss xmm0,[rsp+58] // original statement
jmp ReturnAfterCameraStructGrab
// The lock mouse code.
// There are more instructions here, as the overwrite is bigger (14 bytes), as it uses a
// qword address sourced jump instead of a simple jump because the jump is into global allocated memory!
movaps xmm0,[rax] // original statement
cmp byte [_lockCamera], 1
je @f
movups [rbx+00000080],xmm0 // original statement, performs write.
movss xmm0,[rsp+50] // original statement
jmp ReturnAfterPerformLockCamera
// Code
// x64 calls to Win32 functions uses Windows ABI 64 bit calling convention: create 'shadow space on the stack
// for the first 4 arguments and 16-byte align the stack, which happens to be 40 bytes. Result is stored in RAX.
// So that's the sub rsp/add rsp statements doing around Win32 calls.
sub rsp, 28
mov rcx, #25
call kernel32.Sleep // for some reason CE compiles 'Sleep' wrong, but does do it properly when kernel32.Sleep is used. Oh well...
add rsp, 28
// check if the thread can die
cmp [_disableThread], 1
je MainThread_End // disabled, die
// check if the camera struct is already available. If not, loop to the beginning of the thread,
// which will be a sleep call. We do this as the thread can be created before the hook is set in the process.
cmp qword ptr [_cameraStruct], 0
je MainThread
// check if one of the keys is pressed
// keys supported:
// Camera pos: num8 (forward), num4 (backward), num6 (right), num4 (left), num9 (up), num3 (down).
// Enable/disable depends on separate script (see table)
// FoV : substract (decrease FoV), add (increase FoV). Enable/disable depends on separate script (see table)
// We'll do this one at a time, as it doesn't matter if we e.g. check up+left or first up and then left
// Camera position manipulation keys are ignored if camera is disabled
// We'll check with GetKeyState, and not GetAsyncKeyState, as GetAsyncKeyState can fail if CE is on a different monitor
// than the game.
// FoV keys
sub rsp, 28
mov rcx, 6D // numpad substract (VK_SUBSTRACT)
call GetKeyState
add rsp, 28
test ax, 8000
jz @f
// key pressed, do fov decrease
call DoFoVDecrease
sub rsp, 28
mov rcx, 6B // numpad add (VK_ADD)
call GetKeyState
add rsp, 28
test ax, 8000
jz @f
// key pressed, do fov inccrease
call DoFoVIncrease
sub rsp, 28
mov rcx, 6A // numpad mul (VK_MULTIPLY)
call GetKeyState
add rsp, 28
test ax, 8000
jz @f
// key pressed, reset fov
mov rcx, [_cameraStruct]
mov [rcx+17c], (float)0.7
// Free camera movement keys
// first check if the free camera is enabled. Enabling is done by a different script.
cmp byte [_cameraEnabled], 1
jne MainThread_EndLoop
// camera enabled, we can proceed with handling camera movement keys
// Check if alt is pressed. If so, we'll speed up the movement. We'll store the bit for later
mov rcx, 12 // Alt (VK_MENU)
call GetKeyState
and eax, 8000 // high bit is either set (key is pressed) or not (key isn't pressed). Rest of bits is garbage, so clear them
shr ax, F // so we simply shift right 15 bits, which moves the high bit to the LSB
mov [_altPressed], ax
// Check if ctrl is pressed. If so, we'll slow down the movement. Same code as Alt. We'll store the bit for later
mov rcx, 11 // Ctrl (VK_CONTROL)
call GetKeyState
and eax, 8000
shr ax, F
mov [_ctrlPressed], ax
mov rcx, 68 // numpad 8 (VK_NUMPAD8)
call GetKeyState
test ax, 8000
jz @f
// up is pressed, perform camera move forward.
call MoveCameraForward
mov rcx, 62 // numpad 2 (VK_NUMPAD2)
call GetKeyState
test ax, 8000
jz @f
// down is pressed, perform camera move backwards
call MoveCameraBackwards
mov rcx, 64 // numpad 4 (VK_NUMPAD4)
call GetKeyState
test ax, 8000
jz @f
// left is pressed, perform camera move sideways
call MoveCameraSidewaysLeft
mov rcx, 66 // numpad 6 (VK_NUMPAD6)
call GetKeyState
test ax, 8000
jz @f
// right is pressed, perform camera move sideways
call MoveCameraSidewaysRight
mov rcx, 69 // numpad 9 (VK_NUMPAD9)
call GetKeyState
test ax, 8000
jz @f
// z up is pressed, perform camera move upwards along Z axis
xor rbx, rbx // if rbx is set to 0 for this function it will move up, otherwise down
call MoveCameraUpDown
mov rcx, 63 // numpad 3 (VK_NUMPAD3)
call GetKeyState
test ax, 8000
jz @f
// z down is pressed, perform camera move downwards along Z axis
mov rbx, 1
call MoveCameraUpDown
// check if the thread can die
cmp [_disableThread], 1
jne MainThread // not disabled, so loop!
// end
mov [_disableThread], 2
// camera movement code
// We're using a normalized (vector with length 1.0) vector to move the camera.
// this vector is at [_cameraStruct]+60, with vX, vY, vZ, W. This is the 3rd row in the camera matrix in general, and also in this case.
// The 'W' isn't used, but as the SIMD instructions load 128bits into the registers, they'll load the 4th dword too.
// The vector is the camera look vector so we can use that to manipulate the camera coordinates:
// Forward means we're moving in the direction of the vector (X, Y and Z updated)
// Left/Right means we're moving in the x/y plane in the direction orthogonal on the look vector (X, Y updated, Z is left alone)
// Backwards means we're moving in the opposite direction of the vector (X, Y and Z updated)
// The vector uses (-x, -y, z) compared to the world/geometry coordinates. This means that
// if the vector is aligned with the x axis looking at the positive x of the world, it's vX component is negative. Same for vY.
// If you think 'Why is this bozo doing a sub when he wants to add?!', that's why ;)
push rax
mov rax, [_cameraStruct]
add rax, 90 // load camera X, Y, Z, W into xmm0. X is at [_cameraStruct+90]
movups xmm0, [rax]
sub rax, 30 // normalized vector is at [_cameraStruct+60]: vX, vY, vZ, vW
movups xmm1, [rax] // load normalized vector into xmm1 (vX, vY, vZ, vW)
call SizeLookVector // will apply alt/ctrl to vector in xmm1 so it makes movement either faster or slower.
subps xmm0, xmm1 // sub the vector from the camera pos, as we're moving in the direction of the vector, but the vector uses -x, -y. If it would have used x, y, we should have used addps
mov rax, [_cameraStruct]
add rax, 90
movups [rax], xmm0 // move the newly calculated pos back into the camera values.
pop rax
push rax
mov rax, [_cameraStruct]
add rax, 90 // load camera X, Y, Z, W into xmm0. X is at [_cameraStruct+90]
movups xmm0, [rax]
sub rax, 30 // normalized vector is at [_cameraStruct+60]: vX, vY, vZ, vW
movups xmm1, [rax] // load normalized vector into xmm1 (vX, vY, vZ, vW)
call SizeLookVector // will apply alt/ctrl to vector in xmm1 so it makes movement either faster or slower.
addps xmm0, xmm1 // add the vector from the camera pos, as we're moving in the opposite direction of the vector, but the vector uses -x, -y. If it would have used x, y, we should have used subps
mov rax, [_cameraStruct]
add rax, 90
movups [rax], xmm0 // move the newly calculated position back into the camera position values.
pop rax
// move left &amp; right will use the x/y portion of the normalized vector and set z to 0. This gives a vector in the x/y plane
// which potentially isn't of length 1 so we have to normalize it again.
// To refresh your memory concerning xmm regs: [0|1|2|3] are the parts. so vX is placed in the lower element (0), vY in (1) etc.
// I use it this way as CE displays xmm registers in that order in the debugger.
// so shuffle commands have their bits backwards compared to the order of the xmm elements: 33 22 11 00
// Clear? thought so :)
push rax
call GetCameraVectorAsXYVector // will load camera vector into xmm1, move it to x/y plane, normalize it
// move left means we have to rotate the x/y vector 90 degrees counter-clockwize. This is simple: new vector is (-vY, vX).
// first move the elements to the right position
shufps xmm1, xmm1, F1 // shuffle using: 11 11 00 01. xmm1 now contains (vY, vX, 0, vW)
xorps xmm2, xmm2 // set the value of xmm2 to 0
subss xmm2, xmm1 // substract 1st value of xmm1, which is vY, from 0
movss xmm1, xmm2 // move -vY from xmm2's first element into xmm1. xmm1 now contains (-vY, vX, 0, vW)
call SizeLookVector
mov rax, [_cameraStruct]
add rax, 90 // load camera X, Y, Z, W into xmm0. X is at [_cameraStruct+90]
movups xmm0, [rax]
subps xmm0, xmm1 // add the vector we calculated to the camera position. But x/y are negative aligned, remember? So we do sub! It should now move left
mov rax, [_cameraStruct]
add rax, 90
movups [rax], xmm0 // move the newly calculated position back into the camera position values.
pop rax
push rax
call GetCameraVectorAsXYVector // will load camera vector into xmm1, move it to x/y plane, normalize it
// move right means we have to rotate the x/y vector 90 degrees clockwize. This is simple: new vector is (vY, -vX).
xorps xmm2, xmm2 // set the value of xmm2 to 0
subss xmm2, xmm1 // substract 1st value of xmm1, which is vX, from 0
movss xmm1, xmm2 // move -vX from xmm2's first element into xmm1. xmm1 now contains (-vX, vY, 0, vW)
shufps xmm1, xmm1, F1 // shuffle using: 11 11 00 01. xmm1 now contains (vY, -vX, 0, vW)
call SizeLookVector
mov rax, [_cameraStruct]
add rax, 90 // load camera X, Y, Z, W into xmm0. X is at [_cameraStruct+90]
movups xmm0, [rax]
subps xmm0, xmm1 // add the vector we calculated to the camera position. But x/y are negative aligned, remember? So we do sub! It should now move right
mov rax, [_cameraStruct]
add rax, 90
movups [rax], xmm0 // move the newly calculated position back into the camera position values.
pop rax
// Camera up / down movement is done by first creating a vector (0, 0, 1.0) as look vector, size it with the size code, and
// simply add it to the camera coords for up and sub it from the camera coords for down. Z is aligned with world coordinates Z.
// In: rbx: 0==up, not 0==down
push rax
call GetZVector // xmm1 now contains (0, 0, 1.0, 0)
call SizeLookVector // size it based on alt/ctrl keys
mov rax, [_cameraStruct]
add rax, 90 // load camera X, Y, Z, W into xmm0. X is at [_cameraStruct+90]
movups xmm0, [rax]
test rbx, rbx // check whether the register is set to 0. If so, we'll move up, otherwise we'll move down
je MoveCameraUpDown_Up
subps xmm0, xmm1 // sub the vector we calculated from the camera position. Z is aligned with the world axis, so we use sub
jmp MoveCameraUpDown_Store
addps xmm0, xmm1 // add the vector we calculated to the camera position. Z is aligned with the world axis, so we use add (finally, some sanity!)
mov rax, [_cameraStruct]
add rax, 90
movups [rax], xmm0 // move the newly calculated position back into the camera position values.
pop rax
// returns in xmm1 a vector (0, 0, 1.0, 0).
// in: nothin'
// out: the vector (0, 0, 1.0, 0)
// Changes: xmm1
push rax
xorps xmm1, xmm1 // set the value of xmm1 to 0
mov rax, (float)1.0
movd xmm1, rax // move 1.0 into xmm1. Which now contains 1.0, 0, 0, 0
shufps xmm1, xmm1, 45 // shuffle xmm1 so the 1.0 is placed at the 3rd element, which is Z. So we'll use: 01 00 01 01
pop rax
// Loads the camera vector into xmm1, will reset vZ to 0 and will normalize the vector (vX, vY) to length 1.0.
// It's a bit dirty, as it will fail with the vector pointing along the Z axis and x/y being 0.0, but the game doesn't allow that
// In: nothin'
// Out: xmm1: normalized camera vector in x/y plane with vZ set to 0.0.
// Changes: xmm2, xmm3
push rax
mov rax, [_cameraStruct]
add rax, 60 // normalized vector is at [_cameraStruct+60]: vX, vY, vZ, vW
movups xmm1, [rax] // load normalized vector into xmm1 (vX, vY, vZ, vW)
xorps xmm2, xmm2 // reset xmm2 to 0, all 4 components
mov rax, -1
movd xmm2, rax // the 1st element (index 0) contains -1 (ffffffff).
shufps xmm2, xmm2, 10 // shuffle using: 00 01 00 00 all 4 elements are now filled with -1 except the 3rd (which contains Z)
andps xmm1, xmm2 // this will set the 3rd element (vZ) to 0, keep all other elements. xmm1 now contains (vX, vY, 0, vW)
// we now have to normalize the vector in xmm1, as it's not really a length of 1, as x/y are smaller if z isn't 0. This is
// done with the formula: vX=vX/length, vY=vY/length. Length = sqrt(x*x+y*y). So first we'll calculate the length.
// this is simple, we multiply xmm1 with itself. Of course in another register as we need xmm1 later.
movaps xmm2, xmm1 // xmm2 now contains xmm1's values
mulps xmm2, xmm2 // multiply xmm2 with itself, which means vX=vX*vX, vY=vY*vY, 0*0, vW=vW*vW (but we don't care about that)
movaps xmm3, xmm2 // move the values of xmm2 in xmm3 so we can move vY*vY to the slot 0 to add it to vX*vX
shufps xmm3, xmm3, F1 // shuffle using 11 11 00 01 so end result is vY*vY, vX*vX, 0, vW*vW
addss xmm2, xmm3 // adds the slot 0 values of xmm3 and xmm2 which means xmm2 now contains vX*vX + vY*vY.
sqrtss xmm2, xmm2 // square root the slot 0 value, so it now contains sqrt(vX*vX + vY*vY).
shufps xmm2, xmm2, 0 // shuffle the sqrt result to all slots0, 1 and 2 so we can div x and y (and z, but will result in 0) in one go.
// so use 00 00 00 00 to avoid div by 0 in the next statement.
divps xmm1, xmm2 // div xmm1 with xmm2, which means vX/sqrt(vX*vX+vY*vY), vY/sqrt(vX*vX+vY*vY), 0, vW
pop rax
// Will multiply the camera vector with a scalar to size it up (if alt is pressed) or down (if ctrl is pressed)
// If no alt/ctrl is pressed, we size it with the scalar 2.0 to make moving around more pleasant
// in : xmm1 (vX, vY, vZ, vW)
// changes: xmm7
push rbx
cmp byte [_altPressed], 1
jne @f
// alt pressed. Multiply with 2.0
mov rbx, (float)1.0
jmp SizeLookVector_Calc
cmp byte [_ctrlPressed], 1
jne @f
// ctrl pressed. Multiply with 0.05
mov rbx, (float)0.01
jmp SizeLookVector_Calc
// default scalar sizing
mov rbx, (float)0.1
movd xmm7, rbx // load the factor to multiply with into xmm7. This is a scalar, xmm registers contain 4 of them
shufps xmm7, xmm7, 0 // so we shuffle the first element to be placed in all 4.
mulps xmm1, xmm7 // multiply the vector in xmm1 with the 4 values in xmm7, so vX=vX*xmm7[0], vY=vY*xmm7[1] etc.
pop rbx
// FoV code
cmp byte [_fovEnabled], 1
je @f
// not enabled, nothing to do.
push rax
push rbx
mov rax, [_cameraStruct]
add rax, 17c // FoV value is at offset 17c. Contains 0.7 for normal fov.
movss xmm0, [rax]
mov rbx, (float)0.01 // load the register with 0.01 float, and move it using this register into xmm1
movd xmm1, rbx
addss xmm0, xmm1 // add the 0.01 to the value.
movss [rax], xmm0 // store the new value back into the address.
pop rbx
pop rax
cmp byte [_fovEnabled], 1
je @f
// not enabled, nothing to do.
push rax
push rbx
mov rax, [_cameraStruct]
add rax, 17c // FoV value is at offset 17C
movss xmm0, [rax]
mov rbx, (float)0.01 // load the register with 0.01 float, and move it using this register into xmm1
movd xmm1, rbx
subss xmm0, xmm1 // sub the 0.01 from the value
movss [rax], xmm0 // store the new value back into the address.
pop rbx
pop rax
// Local data
dq 0
dd 0
db 0
db 0
db 0
dw 0
dw 0
// overwrite inside the Hitman process the following address with a jmp to our code which grabs the camera struct address
// which is in the register rbx.
// Remember this is compiled to a long jmp so will take up 14 bytes!
jmp GrabCameraStructAddress
// Lock camera overwrite. Remember this is compiled to a long jmp so will take up 14 bytes!
jmp PerformLockCamera
dq 0
dd 1
db 0
db 0
db 0
dw 0
dw 0
// ALWAYS replace overwritten memory of all subnodes here, as the user can leave them ON and disable this one
// which will result in a crash if we don't overwrite them back to normal.
// Camera
movss [rbx+00000090],xmm0
movss xmm0,[rsp+58]
movss [rbx+00000098],xmm0
movss [rbx+00000094],xmm1
// Lock Camera:
movaps xmm0,[rax]
movups [rbx+00000080],xmm0
movss xmm0,[rsp+50]
// Fov
//je hitman.CAkRegisteredObj::~CAkRegisteredObj+425C6A
//movss xmm0,[hitman.Ordinal277+1303614]
je hitman.exe+44E48B9
movss xmm0,[hitman.exe+1312714]
movss [rcx+0000017C],xmm0
// unregister symbols, as they're no longer needed
<Action>Toggle Activation</Action>
<Description>"Lock mouse. Toggle: F5"</Description>
<VariableType>Auto Assembler Script</VariableType>
db 1 // sets flag in main script's thread data
db 0 // resets flag in main script's thread data
<Action>Toggle Activation</Action>
<Description>"FOV. Toggle: HOME"</Description>
<VariableType>Auto Assembler Script</VariableType>
db 1 // sets flag in main script's thread data
db 90 90
db 90 90 90 90 90 90 90 90
db 0 // resets flag in main script's thread data
// original fov write code.
je hitman.exe+44E48B9
movss xmm0,[hitman.exe+1312714]
movss [rcx+0000017C],xmm0
<Action>Toggle Activation</Action>
<Description>"Num+/-: change FOV. Num*: reset"</Description>
<LastState Value="" RealAddress="00000000"/>
<Description>"Free camera. Toggle: END. Num2/8:Y, Num4/6:X, Num3/9:Z"</Description>
<VariableType>Auto Assembler Script</VariableType>
db 1 // sets flag in main script's thread data
db 90 90 90 90 90 90 90 90
db 90 90 90 90 90 90 90 90
db 0 // resets flag in main script's thread data
// original camera y/z write code. X write code is re-instated through the flag in the main script and when main
// script is disabled.
movss [rbx+00000098],xmm0
movss [rbx+00000094],xmm1
<Action>Toggle Activation</Action>
<Description>"Alt: speed up. Ctrl: Slow down"</Description>
<LastState Value="" RealAddress="00000000"/>
<Description>"Game Speed [F3]"</Description>
<VariableType>Auto Assembler Script</VariableType>
aobscanmodule(timeAOB,hitman.exe,F3 0F 59 43 48 F3 0F 59 05)
mov [gameSpeed],rbx
mulss xmm0,[rbx+48]
jmp exit
jmp returnhere
dq 0
jmp newmem
mulss xmm0,[rbx+48]
<Description>"Resume [F4]"</Description>
<LastState Value="" RealAddress="00000000"/>
<Description>"Pause [F3]"</Description>
<LastState Value="" RealAddress="00000000"/>
<Description>"Game Speed"</Description>
<Action>Set Value</Action>
<Action>Set Value</Action>
<LastState Value="" RealAddress="00000000"/>
<Description>"By -= Jim2Point0 &amp; Otis / Infuse Project =-"</Description>
<LastState Value="" RealAddress="00000000"/>
<LastState Value="" RealAddress="00000000"/>
<Description>"For game version: 1.7.0"</Description>
<LastState Value="" RealAddress="00000000"/>
<Description>Camera Z</Description>
<Description>Camera X</Description>
<Description>Camera Y</Description>
<Description>FOV 2</Description>
<Description>FOV 1</Description>
<Description>Rotation Matrix?</Description>
<Comments>Info about this table:
Copy link

Updated camera for v1.7.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment