Skip to content

mcp

Jump to bottom
1-3-7 edited this page Jun 17, 2026 · 1 revision

MCP server

disrobe ships a Model Context Protocol server so an AI agent (Claude, Cursor, and other MCP clients) can drive deobfuscation and decompilation directly as tools. It speaks MCP over stdio via rmcp.

Every tool takes inline base64 bytes and returns structured JSON. The server never reads a file from disk based on client input; there is no path parameter on any tool. This is the same hard rule the HTTP/gRPC/LSP transports enforce; see the security posture.

Running it

Two equivalent entry points:

disrobe serve --mcp     # the CLI's MCP companion over stdio
disrobe-mcp             # the standalone MCP binary

Registering with Claude Code

claude mcp add disrobe -- disrobe serve --mcp

Or register the standalone binary:

claude mcp add disrobe -- disrobe-mcp

Registering with a generic MCP client

Most clients accept a JSON server entry. Point command at disrobe (or disrobe-mcp) and run over stdio:

{
  "mcpServers": {
    "disrobe": {
      "command": "disrobe",
      "args": ["serve", "--mcp"]
    }
  }
}

Tool catalog

Tool Input Output
auto bytes_b64, optional max_depth Chain verdict, detected formats, and per-pass recovery summary. Auto-detects and chains disrobe's Python + native-packer passes.
decompile bytes_b64, optional max_depth Every terminal recovered-source artifact (language-keyed text), for example a .pyc decompiled to Python.
ioc bytes_b64 Indicators of compromise: URLs, domains, IPs, emails, paths, registry keys, wallet addresses, crypto constants (one decode layer of base64/hex).
behavior bytes_b64, optional imports Static capability summary across network, filesystem, process-exec, registry-persistence, crypto, anti-analysis, and dynamic-code categories, with MITRE ATT&CK ids.
strings bytes_b64, optional min_len, decode Printable ASCII + UTF-16 strings, optionally decoding base64/rot/stack-string obfuscation, tagged with their encoding.
verify bytes_b64 Verify a .dr envelope: blake3 root hash, rung, hot/cold sizes.
rename old, new, optional note Append a symbol-rename record to .disrobe/notes/renames.json.
annot target Regenerate and validate an annotation sidecar under .disrobe/annotations/.
provenance_lookup map_json, line Look up the provenance entry for a line in a provenance-map document.

The auto and decompile tools cover disrobe's Python and native-packer surface (PyArmor, PyInstaller, SourceDefender, Nuitka, PyFreeze, .pyc disassembly + decompilation, native packers, and container formats), the highest-value chain for an agent triaging an unknown blob. For the full language matrix, drive the CLI or the HTTP daemon.

Example call

A client calls decompile with the base64 of a .pyc and receives the recovered Python:

{
  "name": "decompile",
  "arguments": { "bytes_b64": "4w0NCgAAAAA..." }
}
{
  "schema": "disrobe.decompile/v1",
  "verdict": "Complete",
  "recovered": [
    { "pass": "py.decompile", "language": "Python", "formatted": true, "source": "x = a + b\n..." }
  ]
}

Security posture

The server performs pure static analysis by default and never executes the supplied bytes. It rejects empty or malformed base64 with a typed error, and rejects unknown JSON fields on every tool. Because no tool accepts a filesystem path, there is no way to make the server read an arbitrary file via a client-controlled string. See the forensics and malware-safety posture and the threat model.

This wiki is generated from docs/src in the disrobe repository by scripts/wiki_sync.py. Edit the docs there, not the wiki pages here.

Getting started

Architecture

Reverse-engineering toolkit

Language and format guides

Reference

Integrations

Project

Clone this wiki locally