How to mod games on device without using a PC


New User
Thread Author
I've been playing around with android in the past few days, and worked out a way to be able to make mods on my device without using a computer.
For iOS moddders it's not something new, but on android it can be a little more tricky and complex, but not impossible, so I'm sharing it with you guys.
This tutorial is not for beginners, be familiar with Linux system, you need to have basic modding skills, understanding how memory hacking, debuggers (LLDB in my case) and ARM64 work.

First I had to create a modding environment on my device, the following tools were essential:

- Rooted device

- Kali NetHunter installed with CHROOT (this is essential I will go into details later, modded kernel not necessary)

- GameGuardian

- LLDB (installed in kali system)

- MT FIle Manager

- Arm to Hex Converter

- apktool (optional, in case you don't have MT, install it via kali system)

- Hex Editor (optional in case you don't have MT)

- Something to sign the APK with (optional, MT does that too)

Kali NetHunter:
Kali is well known in hacking community. Pentesters favourite platform. Nethunter is Kali's mobile version for several network analysis and hacking, but in my case the most important part is, it creates a fully working Linux Subsystem on the device with terminal. Most CLI tools I would use on a Linux system work on android this way.
The Linux Subsystem is running on the top of the Android system, it has full access to android filesystem and processes. Don't need a modified kernel, CHROOT all that's needed for the Linux Subsystem.

Lets call it GG from now on, it is the best existing memory hack tool for android. Need no further explanation. (Shout out to @NoFearGG helped me big time figuring out some GG features)

My favourite debugger. I've tried to run it from Termux, it wouldn't attach to process, but Kali's LLDB worked just fine. Install it via apt from Kali terminal.

MT File Manager:
The most powerful tool for android modders. It contains Hex editor, Dex Editor (yes browse and rewrite small code without decompiling the apk, it works like a charm), Sign APK, and much more. Some features require VIP subscription, however there is v2.5 Modded on XDA developers (Current version is 2.9). I strongly recommend using this, but there are ways around it.

The rest is quite obvious, no need further explanation.

So modding environment is ready, lets hack.
I downloaded a simple game (Tiny Towers) for demonstration. I start the game, run GG. Open Nethunter terminal in Kali mode. Run LLDB. attach the game (GG displays the game's PID).
After I attached LLDB to the process I had to pass some signals to the process without lldb stopping every time. This is very important as it causes the game crash most of the times as there are way too many signal stops (e.g. SIGPWR) .
I could achieve this by using the "process handle" command. See what SIGXXX you're getting and pass them all to the process,

(lldb) pro hand -p true -s false SIGPWR
========== ===== ===== ======
SIGPWR      true   false  true

When done I just continued the process.

With GG I found the value I wanted to hack. I set a watchpoint on that memory address and when the value changed I got a hit. This is basic debugging, you know what to do here, not going into more details.
Now this part is very important and again I have NoFear to thank for this. When i had a watchpoint hit, i got a memory address, but i needed to figure out the actual offset in To do this I copy the watch hit address to GG. Hit goto in options (top right corner), paste the address then save it. Hit goto option again and hit the "XA" button under the address line. Here either find the relevant or in my case it didn't display it, so had to find that memory range where my watchpoint hit was. Save it, go to saved tab, select both address, and from options select "Calculate Offset, XOR" then select offset. the result will be the actual offset in
If its not clear I'm sure if you ask NoFear nicely, he will post a video.
I loaded the in MT's HEX editor, made my hex patches and tested the apk. Worked fine. I opened classes.dex in the apk with MT's hex editor (MT automatically decompiles and recompiles the dex on the go), added my toast message, saved it, MT recompiled dex and signed the apk automatically so I was good to go.

Thats pretty much it, if you have modding experience this won't be too hard, for newbies it will take some studying.

@Antiklor ( Sorting out my armhexconverter script <3 )
Top Bottom