Cycript Tricks

From iPhone Development Wiki
Revision as of 17:53, 8 November 2009 by KennyTM~ (talk | contribs) (Replacing existing Objective-C methods)
Jump to: navigation, search

Printing Ivars

Often just typing *varName works:

cy# *controller
{isa:"PrefsRootController",_contentView:"<UIView: 0x10bd70; frame = (0 0; 320 460); autoresize = W+H; layer = <CALayer: 0x150120>>",_navBar:...

Sometimes it does not...

cy# *UIApp
{message:"hasProperty callback returned true for a property that doesn't exist.",name:"ReferenceError"}

then you can do:

cy# [i for (i in *UIApp)]

You may use this function to get as much ivar values as possible:

function tryPrintIvars(a){ var x={}; for(i in *a){ try{ x[i] = (*a)[i]; } catch(e){} } return x; }

To use:

cy# *a
{message:"hasProperty callback returned true for a property that doesn't exist.",name:"ReferenceError"}
cy# tryPrintIvars(a)
{isa:"SBWaveView",_layer:"<CALayer: 0x2a5160>",_tapInfo:null,_gestureInfo:null,_gestureRecognizers:...

Printing Methods

Function to get the methods:

function printMethods(className) {
  var count = new new Type("I");
  var methods = class_copyMethodList(objc_getClass(className), count);
  var methodsArray = [];
  for(var i = 0; i < *count; i++) {
    var method = methods[i];
    methodsArray.push({selector:method_getName(method), implementation:method_getImplementation(method)});
  return methodsArray;


cy# printMethods("MailboxPrefsTableCell")

Get methods matching particular RegExp

function methodsMatching(cls, regexp) { return [[new Selector(m).type(cls), m] for (m in cls.messages) if (!regexp || regexp.test(m))]; }


cy# methodsMatching(NSRunLoop, /forKey:$/)

Getting Objective-C Objects from Addresses

Use new Instance(0xdeadbabe).

cy# var p = new Instance(0x8614390)
cy# p
["<SKPaymentTransaction: 0x8613d80>"]

Load frameworks

function loadFramework(fw) {
  var h="/System/Library/",t="Frameworks/"+fw+".framework";
  [[NSBundle bundleWithPath:h+t]||[NSBundle bundleWithPath:h+"Private"+t] load];

Replacing existing Objective-C methods

You can simulate MSHookMessage by replacing contents in the messages array, e.g.

cy# original_NSRunLoop_description = NSRunLoop.messages['description'];
cy# NSRunLoop.messages['description'] = function() { return, 80)+", etc."; }
cy# [NSRunLoop currentRunLoop]
"<CFRunLoop 0x205ee0 [0x381dbff4]>{locked = false, wait port = 0x1303, stopped = , etc."

Note the construct. This binds the self in the original function to the user-specified one. If more than one variable is needed, use, arg1, arg2, arg3, ...). Note that the subsequent arguments will not be automatically mapped to the corresponding Objective-C types, so instead of "foo" you will need to use [NSString stringWithString:"foo"].

Getting class methods

class.messages only contains instance methods. To hook class methods, you need to get to its metaclass. A simple way would be

cy# NSRunLoop->isa.messages['currentRunLoop'] = ...