Android Mod Menu Implementation

So I have a public mod menu template on Github and you may wonder how to implement it after you wrote the code.

That’s pretty simple, tho you will need basic knowledge with Smali.

When you build the app with Android Studio and there are no errors you will get this little popup

Build Pop Up

Click on locate. There you will find a file called app-debug.apk.
Use apktool to decompile this .apk and the .apk you want to implement the mod menu in.

apktool d app-debug.apk
apktool d the-target.apk

I will use Bullet Force for this tutorial.

After apktool is done open both paths of the decompiled apks

You will now see the general structure of the apks.

So what do we hava to do now?
Here is a small list:

  1. Copy all the needed assets from our app to the target app

  2. Copy the libs from our app into the target app

  3. Copy app-permissions from our app’s AndroidManifest to the target app’s AndroidManifest

  4. Add the smali files and make corresponding changes in there

Now lets begin with the first step.
You will find some (if you use my template) png files in the assets folder.
Just drag and drop them into the targets app assets folder. Done.

For the next step we will move the libs into the target app. So just open both lib folders from both app’s


Like this

Now look at the folder names. We dont want to mix them up. So only the libs from our armeabi-v7a
will get into the folder armeabi-v7a from the target app.

Like this. So 2nd step done.

For the next step we need to open both AndroidManifest.xml from both apps.
You will find the in the apps root folder


Left is our app and right the target app.

We will see that our app only needs one permission.
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
Just copy this small line into the target app’s AndroidManifest.

You can now close our app’s AndroidManifest file and leave the target app’s AndroidManifest open.

Because now we get to our last step. To move the smali files and make corresponding changes in them. For this we need to know where the launcher activity of the target app is located. Why? Because we are only interested in code that is executed and not dead code somewhere in the app.

So how do we find the launcher acitivity of the app. You can determine the launcher activity by looking at the application’s manifest. The launcher activity will have the following MAIN and LAUNCHER intents listed.

<activity android:name=".LauncherActivity">
	<intent-filter>
    	<action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
    </intent-filter>
</activity>

So in the target app Im using in looks like this:


In the activity tag you can find the launcher activity path and name.

android:name="com.trophit.MyUnityPlayerActivity"
Think of it like a path. Switch the “.” with “/” and add a “.smali” at the end and you will get this:
"com/trophit/MyUnityPlayerActivity.smali"

Some apps have multiple smali folders like smali1, smali 2 etc etc. Just search through them and find this file.

Open this one and open the launcher activity or our own app the same way.

Now we have to copy some code from our launcher activity to the launcher acitvity from the target app.

So we will firstly copy 1 line of code from our onCreate function into the target app’s onCreate

like this.

After we hve done this we have to copy to more functions and a field.
the Start function , the onActivityResult function and the field CODE_DRAW_…

I’ve collapsed them in this picture so they fit in one picture.

After you have done this we still have 2 things to do.

Firstly we have to rename some things in the target app’s launcher acitivty.
For this we use Visual Studio Code’s replace feature found under
Edit > Replace

You will have to replace
com/dark/force/MainActivity //this will always be the same
With the path of the target app’s launcher activity which we determined earlier.
com/trophit/MyUnityPlayerActivity
Just do a replace all and you are done. You can now save and close the smali file.

The last thing to do is to move our smali files to the target app’s smali file.

If you have found the target app’s launcher activity file in a folder called smali2 you would have to copy the “com” folder of our app into the smali2 folder of the target app. if you have found the target app’s launcher acitivty file in a folder called smali3 you would have to copy the “com” folder of our app in there yada yada yada.

Now you can rebuild the target app with apktool, sign it and install it on your device.

Congrats. You have successfully implemented a mod menu.

3 Likes

Sir, why does the togle get stuck when I click on it?
when i use old ndk still :slightly_frowning_face: :slightly_frowning_face:

You are probably not checking the address you are writing too. Or remove the patch code and just leave the toggle as it as. If it still freezes something else is the problem

1 Like