Cycript is an awesome interactive console for exploring and modifying running applications on iOS, Mac, and Android. It was created by @saurik and essentially consists of four parts:

- Its readline-based user interface;
- Compiler that takes cylang as input and produces plain JavaScript as output;
- A runtime that executes the plain JavaScript on JavaScriptCore, providing a set of APIs expected by the compiled scripts, plus some facilities for injecting itself into remote processes;
- A couple of “user-space” modules written in cylang.

Here at NowSecure we are huge fans of Cycript. I personally love the user experience and how the language takes JavaScript and blends in C, C++, and Objective-C. However, having worked on solving just the runtime part of this picture for many years with Frida, I couldn’t help but recognize that Frida solves the runtime part of this problem and enables portability across additional platforms that it supports. Cycript could then be run on Windows and QNX, and also run fully featured on Linux and Android. It could also hook functions on embedded systems with MIPS processors and more. In addition, moving away from its closed-source Cydia Substrate library could boost performance.

So I asked myself, “What if we replaced Cycript’s runtime with Frida?” It seemed to me that Cycript is trying to do too much on its own. It handles the user interface, a compiler fluent in both JavaScript and its own syntactic extensions, and then adds injection implementation and dynamic instrumentation to the mix.

The injection and instrumentation capabilities alone require Cycript to maintain complex code for every OS and every architecture. Considering the tool also needs to provide a decent user experience and focus on the compiler, it’s understandable that Cycript supports only a subset of the OSes and architectures supported by Frida. Frida has focused on these two areas exclusively for years. After all, Frida is a toolkit for building portable dynamic instrumentation tools (a great example of which is Cycript).

On the flip side, if Frida were to invent its own language and compiler for its interactive console, frida-repl, it would be a massive duplication of effort. Also, Cycript’s user experience is so good that perhaps it should replace Frida’s interactive console.

So, after some late nights and countless cups of coffee, I am really excited to show you the result:

This is our fork where we took Cycript and replaced its runtime with a brand new runtime powered by Frida, allowing Cycript to run on all the platforms and architectures supported by Frida. We either didn’t touch the other aspects of Cycript or did so with minimal changes.

We went out of our way to avoid touching the compiler, and also left the user interface mostly untouched, only adding extra CLI switches for things like device selection. We did, however, mostly rewrite the Cydia Substrate module so existing scripts relying on this will get the portability and performance boost offered by Frida’s instrumentation core.

Our hope is that @saurik might eventually merge our changes upstream, so we can all work together on building a portable and open platform for dynamic instrumentation. If this doesn’t actually happen, we will be maintaining our fork and intend to stay in sync with user interface and language improvements made upstream.

So without further ado, here’s our Cycript fork powered by Frida:

https://github.com/nowsecure/cycript

Please do check out the README for more details, and go to the releases page to grab binaries.

Enjoy!