Dev:Cycript Tricks

Printing Ivars
Often just typing *varName works: Sometimes it does not... then you can do:

You may use this function to get as much ivar values as possible: To use:

Printing Methods
Function to get the methods:

Usage: You can also just look at the message property of the isa, e.g. to get rootViewControllers methods: UIApp.keyWindow.rootViewController.isa.messages

Get methods matching particular RegExp
Usage:

Getting Objective-C Objects from Addresses
Use new Instance(0xdeadbabe).

Replacing existing Objective-C methods
You can simulate MSHookMessage by replacing contents in the messages array, e.g. Note the func.call(this) construct. This binds the this in the original function to the user-specified one. If more than one variable is needed, use function(arg1, arg2, arg3, ...) {...func.call(self, arg1, arg2, arg3, ...);}, e.g.

Note that the subsequent arguments will not be automatically mapped to the corresponding Objective-C types, so instead of "foo" you will need to use [NSString stringWithString:"foo"].

Getting class methods
class.messages only contains instance methods. To hook class methods, you need to get to its metaclass. A simple way would be

Include other Cycript files
As of 0.9.274-1, there isn't a native file import feature. If cycript will be hooked into another process, since the data will be retained there, you can first load the other .cy file with this:

If cycript is launched standalone, inclusion can still be faked with a combination of cycript compiler and Javascript's eval</tt> function:

Using NSLog
Type in the console: NSLog_ = dlsym(RTLD_DEFAULT, "NSLog") NSLog = function { var types = 'v', args = [], count = arguments.length; for (var i = 0; i != count; ++i) { types += '@'; args.push(arguments[i]); } new Functor(NSLog_, types).apply(null, args); }

And then you can use NSLog as usual: cy# NSLog_ = dlsym(RTLD_DEFAULT, "NSLog") 0x31451329 cy# NSLog = function { var types = 'v', args = [], count = arguments.length; for (var i = 0; i != count; ++i) { types += '@'; args.push(arguments[i]); } new Functor(NSLog_, types).apply(null, args); } {} cy# NSLog("w ivars: %@", tryPrintIvars(w))

If you are attached to a process, the output is going to be in the syslog: Nov 17 20:26:01 iPhone3GS Foobar[551]: w ivars: {\n   contentView = <UIView: 0x233ea0; ....}

Using CGGeometry functions
In order to use functions from the CGGeometry class, you must type this in the cycript prompt:

Writing Cycript output to file
Cycript output is an NSString, so it is possible to call writeToFile and save it somewhere. Example:

You can use this, for example, to get a dump of SpringBoard's view tree.

Printing view hierarchy
The ?expand</tt> command toggles between line breaks being displayed as actual line breaks not just /n

Cycript scripts
Custom shell function that loads a cycript file: cyc { cycript -p $1 /var/root/common.cy > /dev/null; cycript -p $1; }

Usage: cyc ProcessName

Add this to /etc/profile.d/cycript.sh to make it available in all sessions.

"Warning: If you run this command multiple times against a process, the scripts will be loaded into the script multiple times. This could potentially have unexpected consequences depending on the scripts you are loading. It is not a proper way of doing this and saurik recommends against it."

Weak Classdump (Cycript based class-dump)
Link: https://github.com/limneos/weak_classdump

Usage: root# cycript -p Skype weak_classdump.cy; cycript -p Skype 'Added weak_classdump to "Skype" (1685)' cy# UIApp "<HellcatApplication: 0x1734e0>" cy# weak_classdump(HellcatApplication); "Wrote file to /tmp/HellcatApplication.h" cy# UIApp.delegate "<SkypeAppDelegate: 0x194db0>" cy# weak_classdump(SkypeAppDelegate,"/someDirWithWriteAccess/"); "Wrote file to /someDirWithWriteAccess/SkypeAppDelegate.h" root# cycript -p iapd weak_classdump.cy; cycript -p iapd 'Added weak_classdump to "iapd" (1127)' cy# weak_classdump(IAPPortManager) "Wrote file to /tmp/IAPPortManager.h" root# cycript -p MobilePhone weak_classdump.cy; cycript -p MobilePhone 'Added weak_classdump to "MobilePhone" (385)' "Dumping bundle... Check syslog. Will play lock sound when done."
 * 1) cy weak_classdump_bundle([NSBundle mainBundle],"/tmp/MobilePhone")