How to make mod menu for il2cpp and native games

TheLGL

Member
Mar 22, 2020
3
Hello, dear modders

We have made a better mod menu that is quite a bit less complicated to work with and to implement in the APK file. The mod menu is based on Octowolve/Escanor's and VanHoeven's templates and is basically for Il2Cpp and other native Android games. It will support both KittyMemory and MSHook and support Android 4.2.x all the way up to the Android R preview. Sound effects are included. MSHook does not support ARM64, but KittyMemory supports ARM64. An ARM64 hook is coming soon.

This is what it looks like:

This tutorial is not for newbies/noobs. You need basic knowledge of C++, Java, Dalvik opcodes, and also ARM and ARM64 assembly, hex patching and hooking. If you don't have the knowledge, this tutorial will be hard for you, and I won't spoon-feed you.

Let's begin

----- For this tutorial you will need the following: -----
- Android Studio 3 and up: Download Android Studio and SDK tools | Android Developers

- Git (Optional) - If you want to clone a project through Android Studio: Git - Downloads

- Apktool:
--- Apktool.jar: Apktool - A tool for reverse engineering 3rd party, closed, binary Android apps.
--- Or
--- APK Easy Tool: [TOOL][Windows] APK Easy Tool 1.56 / 1.57 beta-1 (29 nov. 2019)

- Notepad:
--- Notepad++ Downloads | Notepad++
--- Or
--- Sublime Text: Sublime Text - A sophisticated text editor for code, markup and prose

- Compress png - to compress your png file: Compress PNG Images Online

- Base64 encode - to encode your file: Base64 Encode and Decode - Online

- XMedia Recode - to convert your sound files to .ogg XMedia Recode - Download

- Template project: LGLTeam/Android-Mod-Menu

----- Download/clone template project: -----
Click on the green button Clone or download then Download ZIP

Or clone through Android Studio itself (Requires Git to be installed on your machine and be configured in Android Studio)

Click on "Check out project from Version Control" and "Git"

Input the url of the git project and Clone

----- Install Android Studio: -----
If you have Android Studio installed, you can skip these steps

Setting up Android Studio takes just a few clicks.

See the user guide: Install Android Studio | Android Developers

----- Install NDK: -----
Open Android Studio, you will be welcomed

At the bottom-right corner, click on Configure and SDK Manager

Select Android SDK, check NDK (Side by side) and click OK. It will download and install

----- Open an existing project, the mod menu template -----

Once you've downloaded all the necessary files, extract the template project to a folder without any spaces in its path. If any folder has spaces, it will cause problems

On Android Studio on the welcome screen, choose "Open an existing Android Studio project"

Navigate to the extracted project and open it

It will index and Gradle will sync the project for the first time. Please wait for a while, it will take around 5 minutes depending on your computer's performance

After it's done, you can start working!

On the left side, you see the Project view. Default view is Android

If this is somewhat confusing, change the view to Project

I will explain each of the files for you

FloatingModMenuService.java:
The code of the floating mod menu. You don't need to change much unless you want to redesign it. The code is explained in the comments (//...)

MainActivity.java:
Starts the main activity. It won't be used if you implement the menu in the game

Sounds.java:
Basically the 'GTA V' sounds, which have been converted to .ogg using XMedia Recode and encoded to base64. They are automatically decoded and stored in /data/data/(package name)/cache upon startup. See StaticActivity

StaticActivity.java:
To be initialized from the game activity's OnCreate
Checks whether the device is running Android 6.0 or above and whether the overlay permission has been granted. The sounds are written to the cache directory.
Start() will be called when implementing the menu in the game. We will explain later

- writeToFile:
Decodes base64 and writes the file to a target directory

main.cpp
In this file, you will mostly use it to edit features, credits, icon, and implement your code for KittyMemory or MS Hooking.

- Title: Big text

- Heading: Little text

- Delay: Delay before the menu appears. The number is in milliseconds. For example, 4000 ms is 4 seconds

- Icon: Compressed image that is encoded to base64

- IconSize: Mod menu icon size

- Toast: To get text from c++ in order to show toast in java

- Changes: Get changes of toggles, seekbars, spinners and buttons to do modding. Features MUST be counted from 0

- getFeatureList: Here you add the mod features

Usage:
Code:
Toggle_[feature name]
SeekBar_[feature name]_[min value]_[max value]
Spinner_[feature name]_[Items e.g. item1_item2_item3]
Button_[feature name]
Button_OnOff_[feature name]
InputValue_[feature name]

Example:
Code:
Toggle_God mode
Spinner_Weapons_AK47_9mm_Knife
Button_OnOff_God mode

Do not forget to count your features from 0 and remember them

- hack_thread:
Here you add your code for hacking with KittyMemory or Hooking. I will not teach, you must have learned it already

- JNI_OnLoad:
Initialize when the library loads

Android.mk
The make file for the C++ compiler. In that file, you can change the lib name on the LOCAL_MODULE line
When you change the lib name, also change it in System.loadLibrary("") under the OnCreate method in FloatingModMenuService.java
Both must have the same name

KittyMemory usage:
Code:
MemoryPatch::createWithHex([Lib Name], [offset], "[hex. With or without spaces]");
[Struct].get_CurrBytes().Modify();
[Struct].get_CurrBytes().Restore();

[Struct].get_TargetAddress();
[Struct].get_PatchSize();
[Struct].get_CurrBytes().c_str();

Example: MJx0/KittyMemory

Hook usage:
ARM64:
Code:
A64HookFunction((void *) getAbsoluteAddress([Lib Name], [offset]), (void *) [function], (void **) &[old function]);

ARMv7/x86:
Code:
MSHookFunction((void *) getAbsoluteAddress([Lib Name], [offset]), (void *) [function], (void **) &[old function]);

Other than that, find out yourself. It's a lot easier if you already have the knowledge
Most of the code has comments that will explain it for you
Have fun!

----- Testing the mod menu -----

If you have your device with adb* enabled connected to your PC, or your emulator with adb enabled, Android Studio will detect it and you can click Play to run your app on your device/emulator

* To use adb, you must enable USB debugging in the device system settings, under Developer options.

On Android 4.2 and higher, the Developer options screen is hidden by default. To make it visible, go to Settings > About phone and tap Build number seven times. Return to the previous screen to find Developer options at the bottom.

On some devices, the Developer options screen might be located or named differently.

----- Implementing the menu in the target game-----

After you have finished the menu, you can build the project into an APK file.

Build -> Build Bundle(s) / APK(s) -> Build APK(s)

If no errors occurred, you did everything right and the build will succeed. You will be notified that it built successfully

Click on locate to show you the location of build.apk. It is stored at (your-project)\app\build\outputs\apk\ app-debug.apk

Now you will need to decompile app-debug.apk. Decompile the target game as well

Open the game's AndroidManifest.xml
Add the permission beside the other permissions

XML:
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>

And add the service below the application tag (change the package name if you had changed it)

XML:
<service
    android:name="uk.lgl.modmenu.FloatingModMenuService"
    android:enabled="true"
    android:exported="false"/>

Save the AndroidManifest.xml file

Now we are looking for the main activity, it is usually written under the application tag. The activity name may be different. If you spot android:name="android.intent.action.MAIN" you will immediately know this is the main activity

Be sure to enable Word wrap so it is easier to read

Or open the apk in APK Easy Tool and look for main activity

In this case, the path to the main activity was com.funcube.loa.MainActivity. I would navigate to (decompiled game)/smali/com/funcube/loa/ and you will see MainActivity.smali. If the game has multi dex, find out which smali folder has the main activity, it should be in one of these folders.

Open the main activity's smali file, search for the OnCreate method and paste this code inside (change the package name if you had changed it)

Code:
    invoke-static {p0}, Luk/lgl/modmenu/StaticActivity;->Start(Landroid/content/Context;)V

Save the file

Copy your mod menu from the decompiled app-debug.apk smali to the game's smali folder. For example, mine is uk.lgl.modmenu, so I copy the "uk" folder from app-debug (app-debug\smali\uk) to the game's decompiled directory (game name)\smali

Very important for multi dex games. Let's say if main activity is located in smali_classes2, I would put my mod menu in smali_classes2

Copy the library file (.so) from app-debug.apk to the target game. Make sure to copy the .so to the correct architecture
armeabi-v7a is armeabi-v7a, arm64-v8a is arm64-v8a, and so on.
Putting the .so in the wrong architecture will result in a crash

Now compile and sign the apk

If compiling fails, read the log and look it up on Google

If the mod menu appears and the hacks are working, congratz!

If you face any problem, be sure to check the logcat, and if it is native-related, add log calls such as LOGD("whatever"); to your cpp code, recompile and capture the logcat. See what part of your code faced the problem. Logcat will also tell you if hooking fails (lib crash)

Thanks for reading the tutorial, if you need any help, feel free to ask. Note that I may only help experienced modders =D

Do not forget to check my template again. I may change it anytime =D

----- Credits/Acknowledgements -----
Thanks to the following individuals whose code helped me develop this mod menu
* Octowolve/Escanor - Mod menu: z3r0Sec/Substrate-Template-With-Mod-Menu
and Hooking: z3r0Sec/Substrate-Hooking-Example
* VanHoevenTR - Mod menu - LGLTeam/VanHoevenTR_Android_Mod_Menu
* MrIkso - Mod menu - MrIkso/FloatingModMenu
* MJx0 A.K.A Ruit - KittyMemory MJx0/KittyMemory
* Rprop - ARM64InlineHook - Rprop/And64InlineHook
* Google - Android UI sounds
* Material.io - https://material.io/design/sound/sound-resources.html#

The following websites were also very helpful
* Stackoverflow - Stack Overflow - Where Developers Learn, Share, & Build Careers
* Guided hacking - https://guidedhacking.com/forums/android-game-hacking.438/
 


TheLGL

Member
Mar 22, 2020
3
Mod menu template updated
- Added Value Input
- Added ARM64InlineHook
- Updated KittyMemory
- Some Improvements
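
Seen from the defending side, the repackaging steps in the tutorial above leave fixed artifacts in the rebuilt APK: the overlay permission, the injected service, the invoke-static call in the main activity and an extra .so. The sketch below is an added example, not part of the original posts or the template project, that checks an apktool-decoded tree for them; the com.example.game package, libMyLibName.so and the baseline library set are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Indicators come from the tutorial's steps; a renamed package needs MENU_PKG changed.
MENU_PKG = "uk.lgl.modmenu"
MENU_DIR = MENU_PKG.replace(".", "/") + "/"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
CALL_RE = re.compile(r"invoke-static .*L" + re.escape(MENU_DIR))

def scan_decoded_apk(root, baseline_libs=None):
    """Return findings for an apktool-decoded tree; baseline_libs = .so names in the vendor build."""
    root, findings = Path(root), []
    manifest = (root / "AndroidManifest.xml").read_text(errors="replace")
    if OVERLAY_PERM in manifest:
        findings.append("manifest: requests " + OVERLAY_PERM)
    for svc in re.findall(r'<service\b[^>]*android:name="([^"]+)"', manifest):
        if svc.startswith(MENU_PKG + "."):
            findings.append("manifest: declares service " + svc)
    # Covers smali, smali_classes2, ... since multi-dex placement varies.
    for path in sorted(root.glob("smali*/**/*.smali")):
        rel = path.relative_to(root).as_posix()
        if "/" + MENU_DIR in rel:
            findings.append("smali: menu class " + rel)
        elif CALL_RE.search(path.read_text(errors="replace")):
            findings.append("smali: call into menu from " + rel)
    for so in sorted(root.glob("lib/*/*.so")):
        if baseline_libs is not None and so.name not in baseline_libs:
            findings.append("lib: unexpected " + so.relative_to(root).as_posix())
    return findings

def build_constructed_sample(root):
    """Write a tiny constructed tree shaped like the tutorial's end result."""
    files = {
        "AndroidManifest.xml": '<manifest><uses-permission android:name="'
        + OVERLAY_PERM + '"/><application><service android:exported="false" '
        'android:name="uk.lgl.modmenu.FloatingModMenuService"/></application></manifest>',
        "smali_classes2/com/example/game/MainActivity.smali": "invoke-static {p0}, "
        "Luk/lgl/modmenu/StaticActivity;->Start(Landroid/content/Context;)V\n",
        "smali_classes2/uk/lgl/modmenu/StaticActivity.smali": "",
        "lib/arm64-v8a/libil2cpp.so": "", "lib/arm64-v8a/libMyLibName.so": "",
    }
    for rel, text in files.items():
        (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
        (Path(root) / rel).write_text(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        print("\n".join(scan_decoded_apk(tmp, {"libil2cpp.so"})))
```

The overlay permission on its own is a weak signal, since legitimate apps request it too. A renamed menu package will not match MENU_PKG, so the library baseline and a comparison of the signing certificate against the vendor's remain the stronger checks.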