Command reference
The authoritative source is always `disrobe <command> --help`. This page is a complete map of the command surface. `[--out]` and the standardized `[--emit ...]` selector are available on most passes; see the global flags for flags that apply everywhere.
Python
| Command | Purpose |
|---|---|
| `disrobe py decompile <pyc>` | Decompile a .pyc to source. `--backend native` (the only supported value). `--no-roundtrip` skips the recompile-equivalence check. |
| `disrobe py disasm <pyc>` | Per-instruction disassembly (1.0-3.15 + PyPy/MicroPython/Jython/IronPython/Brython). |
| `disrobe py deob <src>` | Peel a source obfuscator. `--cleanup` runs a ruff-AST fold. |
| `disrobe py extract <archive>` | Extract a wheel / sdist / egg / .whl / .zip / any archive. |
| `disrobe py sourcedefender <pye>` | Decrypt a SourceDefender .pye envelope. |
| `disrobe pyarmor unpack <py>` | Unpack PyArmor v6-v9-pro. `--allow-dynamic` permits the dynamic-hook fallback (trusted/sandboxed samples only). `--dynamic-timeout <SECS>`. `--mode auto\|standard\|super`. `--target <PYVER>`. `--allow-bcc`. `--strict`. `--no-cextract` / `--cextract-only`. `--all-emits` writes stubs for all 12 emit kinds. `--cache <DIR>`. |
| `disrobe pyinstaller extract <exe>` | Extract a PyInstaller build (2.x-6.20+, AES decrypt). |
| `disrobe pyinstaller detect <exe>` | Report cookie / Python version / TOC offsets without extracting. |
| `disrobe pyfreeze extract <exe>` | Extract cx_Freeze / py2exe / shiv / pex / PyOxidizer / Briefcase. |
| `disrobe pyfreeze detect <exe>` | Identify the freezer without extracting. |
| `disrobe nuitka detect\|extract\|symbols\|decompile\|const <input>` | Nuitka flavor detect, `--onefile` extract, symbol scan, constants decompile, single .const decode. |
JavaScript / WebAssembly
| Command | Purpose |
|---|---|
| `disrobe js deob <js>` | Deobfuscate (obfuscator.io, JS-Confuser, Jscrambler, esoteric encoders). |
| `disrobe js unbundle <js>` | Split a bundle into per-module sources (11 bundlers). |
| `disrobe js v8 <blob>` | Inspect V8 .jsc / Node SEA / nexe / nw.js / Electron .asar. |
| `disrobe wasm decompile <wasm>` | Lift to `--target json\|rust\|ts\|wat\|c`. |
| `disrobe wasm deob <wasm>` | Reverse Wasm obfuscator families. |
| `disrobe wasm component <wasm>` | Parse a Component Model envelope. |
| `disrobe wasm gc-types <wasm>` | Recover the GC type graph. |
JVM / Android / .NET
| Command | Purpose |
|---|---|
| `disrobe jvm decompile <class\|jar\|dex\|apk>` | Decompile via `--backend cfr\|vineflower\|procyon\|jadx`. |
| `disrobe jvm extract <jar\|apk>` | Extract container + dump classfile inventory. |
| `disrobe jvm backends` | Report JVM/Android backends on PATH. |
| `disrobe apk <apk>` | Decode the binary AndroidManifest.xml, map resource ids to names, and dump each signer certificate's SHA-256. `--out <DIR>` writes the decoded manifest and resource table to disk. |
| `disrobe dotnet decompile <dll\|exe>` | Decompile via `--backend ilspy\|dnspy\|dnspyex\|de4dot`. |
| `disrobe dotnet analyze <dll>` | PE/CLR metadata, protector detection, R2R + NativeAOT probe. |
| `disrobe dotnet backends` | Report .NET backends on PATH. |
Native
| Command | Purpose |
|---|---|
| `disrobe native decompile <bin>` | Ghidra-headless decompile. `--emit source,disasm,ast,cfg,ir,manifest,sourcemap,symbols,strings,imports,signatures,report`. |
| `disrobe native symbols <bin>` | Dump symbols, sections, segments, imports, and debug info. |
| `disrobe native identify <bin>` | Fingerprint compiler / packer / protector / installer, each routed to its pass. |
| `disrobe native unpack [bin]` | Detect + unpack UPX/kkrunchy/NSPack/Petite/MPRESS/MEW/FSG/ASPack/PECompact/Yoda's Crypter via in-house decoders + x86 stub emulator. Input is optional; `--list` shows all supported packers. |
| `disrobe native devirt <bin>` | Devirtualize the bytecode-VM tier: recover the handler table, lift to a re-executable IR + pseudo-code. |
| `disrobe native export <bin>` | Unpack, recover symbols, and export a backend-ready bundle: a rebuilt loadable PE + a Ghidra post-script / IDAPython / JSON symbol map. `--format ghidra\|ida\|json` (default ghidra). |
| `disrobe native disasm <bin>` | Per-function listing / `--emit cfg-dot` CFG / `--emit json` / `--raw` linear sweep (`--syntax intel\|at&t\|nasm\|masm`). Accepts a .dr envelope. |
| `disrobe native callgraph <bin>` | Whole-program call graph as Graphviz DOT. |
| `disrobe native patch <bin>` | Rewrite bytes at a VA (or nop a span) and revalidate the image. |
| `disrobe native sigmaker <bin>` | Wildcarded byte signature from a function, uniqueness-tested. |
| `disrobe native diff <a> <b>` | Match functions across two builds by content + CFG fingerprint. |
| `disrobe native entropy <bin>` | 4KB sliding-window Shannon entropy; ASCII heat-strip + byte histogram + packed-region runs. `--format text\|json\|svg` (default text), `--svg <out>` for a dark-theme entropy map with section overlays. |
| `disrobe native signatures <bin>` | Crypto-constant fingerprints (AES, SHA, ChaCha20). `--flirt <sig>` to match a FLIRT DB. |
| `disrobe native fingerprint <bin>` | Aggregate crypto-constant + FLIRT + string-xref sidecar at `.disrobe/fingerprints/<stem>.json`. `--flirt <sig>`. |
| `disrobe native sbom <bin>` | CycloneDX 1.5 SBOM from cargo-auditable metadata embedded in the binary. |
| `disrobe native graph <bin>` | Import/export table as Graphviz DOT. |
| `disrobe query <bin\|.dr> <q...>` | Queryable IR: `functions`, `calls-to <sym>`, `xrefs-to <sym>`, `string-decoders`, `complexity-over <n>`, `capability <network\|crypto\|filesystem\|process>`. Accepts a raw binary or a Disasm-rung .dr envelope. |
| `disrobe capabilities <bin\|.dr>` | Rule engine over the IR, mapping behaviors to MITRE ATT&CK + MBC with per-match evidence. |
Other languages
| Command | Purpose |
|---|---|
| `disrobe go recover\|info <bin>` | Go symbol recovery / build fingerprint. |
| `disrobe lua decompile\|deobfuscate\|detect <chunk>` | Lua decompile / obfuscator peel / dialect detect. |
| `disrobe php decode\|deobfuscate\|extract <input>` | Encoder decode / eval-chain peel / Phar extract. |
| `disrobe ruby decompile\|detect <input>` | Ruby artifact analysis / flavor detection. |
| `disrobe beam parse\|lift\|disasm <beam>` | BEAM chunk parse / Core Erlang lift / Code disasm. |
| `disrobe pickle disasm\|decompile\|safety\|trace\|polyglot\|model-detect <input>` | Pickle static analysis suite. |
| `disrobe swift classdump\|shield-undo\|confidential-decrypt <input>` | Swift/ObjC class-dump, SwiftShield rename-undo, Confidential XOR-decrypt. |
| `disrobe macho dump\|classdump\|slices <input>` | Mach-O / fat / .ipa inspection. |
| `disrobe as3 disasm\|tags <swf>` | AS3 DoABC disasm / SWF tag list. |
| `disrobe hermes decompile\|disasm\|info <bundle>` | Hermes JS-surface lift / disasm / header. |
| `disrobe flutter dump\|decompile\|kernel\|disasm\|map <input>` | Flutter Dart AOT + kernel inspection. |
| `disrobe mobile detect\|extract\|hermes\|flutter <input>` | Mobile runtime pipeline. |
Chain, envelope, and forensics
| Command | Purpose |
|---|---|
| `disrobe detect <input>` | Run every obfuscator/packer catalog detector against a file and report each hit (pass, obfuscator, confidence, markers). |
| `disrobe auto <input>` | Auto-detect + chain. `--max-depth <N>` (default 8), `--capture-stages`, `--emit recovery`, `--dry-run`. A directory input is batch-processed recursively (`--include <GLOB>`, `--exclude <GLOB>`, `--batch-max-depth <N>`, `--jobs <N>`) into an aggregate manifest.json. |
| `disrobe chain <input>` | Explicit pipeline. `--chain 'auto:8'` or `'pyarmor+py-decompile'`, `--chain-pin <ver>`, `--capture-stages`. |
| `disrobe diff <left> <right>` | Structurally diff two chain.json documents (passes, stage BLAKE3 hashes, sizes, verdicts). |
| `disrobe guard verify <subject> --reference <ref>` | Verify a subject chain.json's per-stage output hashes against a committed reference. |
| `disrobe guard check <path> [--root <subtree>...]` | Deny writes to ground-truth stage paths (`out/**/stages`, `out/**/final`, `.disrobe-stage-lock`). `--root` adds extra protected subtrees (repeatable). |
| `disrobe envelope create\|inspect\|verify\|diff\|migrate-check <dr>` | .dr envelope operations. |
| `disrobe verify <dr>` | Alias for `disrobe envelope verify`. |
| `disrobe scan <path>` | Scan raw bytes for leaked credentials. |
| `disrobe ioc <path> [--format text\|json\|sarif] [--defang]` | Extract indicators of compromise (URLs, IPs, domains, emails, paths, registry keys, wallets, crypto constants); decodes one base64/hex layer. |
| `disrobe strings <path> [--min-len N] [--no-decode]` | Cross-format string extraction: ASCII + UTF-16LE, with single-byte XOR / base64 / ROT-n / stack-string deobfuscation. |
| `disrobe behavior <path>` | Behavior / capability summary across 7 categories, tagged with MITRE ATT&CK technique ids. |
| `disrobe yara parse <path>` | Parse a YARA ruleset into a typed AST (read-only, no matching). |
| `disrobe yara generate <input> [--name N] [--sha256 H] [--date D]` | Generate a candidate YARA rule from an artifact; output round-trips through the parser. |
| `disrobe status` | Summarize `./out/`: per-stage counts, sizes, manifests. |
| `disrobe context --out <dir>` | Summarize a recovery report (status, confidence, verdict, provenance). |
| `disrobe report <dir-or-input> [--format text\|json\|markdown\|html]` | Consolidate a completed run (or raw input) into a forensic summary: identity, topology, per-stage verdicts/scores, artifact inventory, timings. `--format html` emits a self-contained, offline, dark-theme report (inline SVG bars, IOC + ATT&CK tables, XSS-escaped). |
Workspace, agents, and meta
| Command | Purpose |
|---|---|
| `disrobe init [--ide claude\|cursor\|windsurf\|aider] [--force]` | Scaffold a `.disrobe/` workspace. |
| `disrobe config [show]` | Print the resolved .disrobe.toml config (honors `--json`). See project configuration. |
| `disrobe config init [--out <path>] [--force]` | Write a documented .disrobe.toml template. |
| `disrobe annot refresh\|regenerate` | Rebuild a symbol annotation file. |
| `disrobe rename <old> <new> [--note]` | Record an append-only rename. |
| `disrobe passes` | List every registered pass with a one-line capability summary. |
| `disrobe explain <code>` | Look up a `DR-*` error code and print its description and common fixes. |
| `disrobe doctor [--auto-install] [-y]` | Probe ~50 optional external tools; report installed, missing, or stale. |
| `disrobe install <tool> [--list] [-y] [--dry-run]` | Install one optional tool via the native package manager. |
| `disrobe install-deps [<dep>] [--all] [--dry-run]` | Install heavyweight deps (Ghidra) from upstream releases. |
| `disrobe serve [--bind <ADDR>] [--stdio\|--mcp\|--grpc]` | Run the daemon. See the daemon. |
| `disrobe completions <shell> [--install] [--rc-file <PATH>]` | Generate shell completions (bash, zsh, fish, PowerShell, elvish). |
| `disrobe man [--out <dir>]` | Generate man pages (one .1 per subcommand). |
| `disrobe bug-report [--out <PATH\|->]` | Collect environment, manifests, and tooling versions into a markdown bug report. |
| `disrobe self-update [--check-only] [--dry-run]` | Print self-update guidance (source-only distribution; no network by default). |