Cheat Engine

JohnT · Posted: Wed Jul 27, 2011 10:27 pm Post subject: GetAsyncKeyState in CE

Well i saw a script like that

pushfd
pushad
push '1'
call GetAsyncKeyState
shr ax,#15
cmp ax,1
popad
jne originalcode
add [eax+08],5000

originalcode:
popfd
cmp [eax+08],ebx
setg al

well i want to ask something
the call GetAsyncKeyState

the GetAsyncKeyState it has an address which when i restart a game it changes
Could someone tell me how to make it not to change because i need to put it in my trainer

Dark Byte · Posted: Wed Jul 27, 2011 10:36 pm Post subject:

if it is a cheat engine trainer you won't have to as ce knows what you mean with GetAsyncKeyState

But if you really want to find the base address of user32.dll in the target process and your own process (usually the same, but if your exe loads at the address user32.dll is loaded it will be different)

Now find the address of GetAsyncKeyState in your own app and substract the base address of your user32.dll base

add that difference to the target app's user32.dll and you'll have the address

Now adjust the relative call to point to the address you have calculated, or use a non relative call (10 bytes instead of just 5)

JohnT · Posted: Wed Jul 27, 2011 11:23 pm Post subject:

didnt get it

i enable the cheat and then i had those bytes
E8 91C05872

this address
7742C09A

this address in the begging of the GetAsyncKeyState ?
if yes then why when i go to address user32.dll it shows me ordinal xxx
with the address

77420000

Geri · Moderator Reputation: 111 Joined: 05 Feb 2010 Posts: 5636

If you want to see the address of GetAsyncKeyState, just open the memory view, right-click in the disassembler view or in the hex view, choose Go to address and type in "getasynckeystate" (lower case doesn't matter). CE will jump there.

Another method is to use the "Memory View -> View -> Enumerate DLLs and Symbols" option in CE. It will open up a new window where you can see the symbols that are detected by CE, inlcuding GetAsyncKeyState. Just press CTRL+F, type in the name and CE will jump there in the tree. Then if you double-click on it, it will jump there in the disassembler view.

Anyway, regardless which method do you use, the hex view will show the module name where the API is (as well as the DLL list with the address of the dll) and if you type in user32.dll in the goto address field, CE will jump there.

So on the attached picture, the base address of user32.dll is 7E360000 and GetAsyncKeyState is at 7E37A78F and if you calculate the offset, you get "USER32.dll"+1A78F.