
reference

1-3-7 edited this page Jun 17, 2026 · 1 revision

Command reference

The authoritative source is always `disrobe <command> --help`. This page is a complete map of the command surface. `[--out]` and the standardized `[--emit ...]` selector are available on most passes; see the global flags for flags that apply everywhere.

Python

| Command | Purpose |
| --- | --- |
| `disrobe py decompile <pyc>` | Decompile a .pyc to source. `--backend native` (the only supported value). `--no-roundtrip` skips the recompile-equivalence check. |
| `disrobe py disasm <pyc>` | Per-instruction disassembly (1.0-3.15 + PyPy/MicroPython/Jython/IronPython/Brython). |
| `disrobe py deob <src>` | Peel a source obfuscator. `--cleanup` runs a ruff-AST fold. |
| `disrobe py extract <archive>` | Extract a wheel / sdist / egg / .whl / .zip / any archive. |
| `disrobe py sourcedefender <pye>` | Decrypt a SourceDefender .pye envelope. |
| `disrobe pyarmor unpack <py>` | Unpack PyArmor v6-v9-pro. `--allow-dynamic` permits the dynamic-hook fallback (trusted/sandboxed samples only). `--dynamic-timeout <SECS>`. `--mode auto\|standard\|super`. `--target <PYVER>`. `--allow-bcc`. `--strict`. `--no-cextract` / `--cextract-only`. `--all-emits` writes stubs for all 12 emit kinds. `--cache <DIR>`. |
| `disrobe pyinstaller extract <exe>` | Extract a PyInstaller build (2.x-6.20+, AES decrypt). |
| `disrobe pyinstaller detect <exe>` | Report cookie / Python version / TOC offsets without extracting. |
| `disrobe pyfreeze extract <exe>` | Extract cx_Freeze / py2exe / shiv / pex / PyOxidizer / Briefcase. |
| `disrobe pyfreeze detect <exe>` | Identify the freezer without extracting. |
| `disrobe nuitka detect\|extract\|symbols\|decompile\|const <input>` | Nuitka flavor detect, `--onefile` extract, symbol scan, constants decompile, single .const decode. |

JavaScript / WebAssembly

| Command | Purpose |
| --- | --- |
| `disrobe js deob <js>` | Deobfuscate (obfuscator.io, JS-Confuser, Jscrambler, esoteric encoders). |
| `disrobe js unbundle <js>` | Split a bundle into per-module sources (11 bundlers). |
| `disrobe js v8 <blob>` | Inspect V8 .jsc / Node SEA / nexe / nw.js / Electron .asar. |
| `disrobe wasm decompile <wasm>` | Lift to `--target json\|rust\|ts\|wat\|c`. |
| `disrobe wasm deob <wasm>` | Reverse Wasm obfuscator families. |
| `disrobe wasm component <wasm>` | Parse a Component Model envelope. |
| `disrobe wasm gc-types <wasm>` | Recover the GC type graph. |

JVM / Android / .NET

| Command | Purpose |
| --- | --- |
| `disrobe jvm decompile <class\|jar\|dex\|apk>` | Decompile via `--backend cfr\|vineflower\|procyon\|jadx`. |
| `disrobe jvm extract <jar\|apk>` | Extract container + dump classfile inventory. |
| `disrobe jvm backends` | Report JVM/Android backends on PATH. |
| `disrobe apk <apk>` | Decode the binary AndroidManifest.xml, map resource ids to names, and dump each signer certificate's SHA-256. `--out <DIR>` writes the decoded manifest and resource table to disk. |
| `disrobe dotnet decompile <dll\|exe>` | Decompile via `--backend ilspy\|dnspy\|dnspyex\|de4dot`. |
| `disrobe dotnet analyze <dll>` | PE/CLR metadata, protector detection, R2R + NativeAOT probe. |
| `disrobe dotnet backends` | Report .NET backends on PATH. |

Native

| Command | Purpose |
| --- | --- |
| `disrobe native decompile <bin>` | Ghidra-headless decompile. `--emit source,disasm,ast,cfg,ir,manifest,sourcemap,symbols,strings,imports,signatures,report`. |
| `disrobe native symbols <bin>` | Dump symbols, sections, segments, imports, and debug info. |
| `disrobe native identify <bin>` | Fingerprint compiler / packer / protector / installer, each routed to its pass. |
| `disrobe native unpack [bin]` | Detect + unpack UPX/kkrunchy/NSPack/Petite/MPRESS/MEW/FSG/ASPack/PECompact/Yoda's Crypter via in-house decoders + x86 stub emulator. Input is optional; `--list` shows all supported packers. |
| `disrobe native devirt <bin>` | Devirtualize the bytecode-VM tier: recover the handler table, lift to a re-executable IR + pseudo-code. |
| `disrobe native export <bin>` | Unpack, recover symbols, and export a backend-ready bundle: a rebuilt loadable PE + a Ghidra post-script / IDAPython / JSON symbol map. `--format ghidra\|ida\|json` (default ghidra). |
| `disrobe native disasm <bin>` | Per-function listing / `--emit cfg-dot` CFG / `--emit json` / `--raw` linear sweep (`--syntax intel\|at&t\|nasm\|masm`). Accepts a .dr envelope. |
| `disrobe native callgraph <bin>` | Whole-program call graph as Graphviz DOT. |
| `disrobe native patch <bin>` | Rewrite bytes at a VA (or nop a span) and revalidate the image. |
| `disrobe native sigmaker <bin>` | Wildcarded byte signature from a function, uniqueness-tested. |
| `disrobe native diff <a> <b>` | Match functions across two builds by content + CFG fingerprint. |
| `disrobe native entropy <bin>` | 4KB sliding-window Shannon entropy; ASCII heat-strip + byte histogram + packed-region runs. `--format text\|json\|svg` (default text), `--svg <out>` for a dark-theme entropy map with section overlays. |
| `disrobe native signatures <bin>` | Crypto-constant fingerprints (AES, SHA, ChaCha20). `--flirt <sig>` to match a FLIRT DB. |
| `disrobe native fingerprint <bin>` | Aggregate crypto-constant + FLIRT + string-xref sidecar at `.disrobe/fingerprints/<stem>.json`. `--flirt <sig>`. |
| `disrobe native sbom <bin>` | CycloneDX 1.5 SBOM from cargo-auditable metadata embedded in the binary. |
| `disrobe native graph <bin>` | Import/export table as Graphviz DOT. |
| `disrobe query <bin\|.dr> <q...>` | Queryable IR: `functions`, `calls-to <sym>`, `xrefs-to <sym>`, `string-decoders`, `complexity-over <n>`, `capability <network\|crypto\|filesystem\|process>`. Accepts a raw binary or a Disasm-rung .dr envelope. |
| `disrobe capabilities <bin\|.dr>` | Rule engine over the IR, mapping behaviors to MITRE ATT&CK + MBC with per-match evidence. |

Other languages

| Command | Purpose |
| --- | --- |
| `disrobe go recover\|info <bin>` | Go symbol recovery / build fingerprint. |
| `disrobe lua decompile\|deobfuscate\|detect <chunk>` | Lua decompile / obfuscator peel / dialect detect. |
| `disrobe php decode\|deobfuscate\|extract <input>` | Encoder decode / eval-chain peel / Phar extract. |
| `disrobe ruby decompile\|detect <input>` | Ruby artifact analysis / flavor detection. |
| `disrobe beam parse\|lift\|disasm <beam>` | BEAM chunk parse / Core Erlang lift / Code disasm. |
| `disrobe pickle disasm\|decompile\|safety\|trace\|polyglot\|model-detect <input>` | Pickle static analysis suite. |
| `disrobe swift classdump\|shield-undo\|confidential-decrypt <input>` | Swift/ObjC class-dump, SwiftShield rename-undo, Confidential XOR-decrypt. |
| `disrobe macho dump\|classdump\|slices <input>` | Mach-O / fat / .ipa inspection. |
| `disrobe as3 disasm\|tags <swf>` | AS3 DoABC disasm / SWF tag list. |
| `disrobe hermes decompile\|disasm\|info <bundle>` | Hermes JS-surface lift / disasm / header. |
| `disrobe flutter dump\|decompile\|kernel\|disasm\|map <input>` | Flutter Dart AOT + kernel inspection. |
| `disrobe mobile detect\|extract\|hermes\|flutter <input>` | Mobile runtime pipeline. |

Chain, envelope, and forensics

| Command | Purpose |
| --- | --- |
| `disrobe detect <input>` | Run every obfuscator/packer catalog detector against a file and report each hit (pass, obfuscator, confidence, markers). |
| `disrobe auto <input>` | Auto-detect + chain. `--max-depth <N>` (default 8), `--capture-stages`, `--emit recovery`, `--dry-run`. A directory input is batch-processed recursively (`--include <GLOB>`, `--exclude <GLOB>`, `--batch-max-depth <N>`, `--jobs <N>`) into an aggregate manifest.json. |
| `disrobe chain <input>` | Explicit pipeline. `--chain 'auto:8'` or `'pyarmor+py-decompile'`, `--chain-pin <ver>`, `--capture-stages`. |
| `disrobe diff <left> <right>` | Structurally diff two chain.json documents (passes, stage BLAKE3 hashes, sizes, verdicts). |
| `disrobe guard verify <subject> --reference <ref>` | Verify a subject chain.json's per-stage output hashes against a committed reference. |
| `disrobe guard check <path> [--root <subtree>...]` | Deny writes to ground-truth stage paths (`out/**/stages`, `out/**/final`, `.disrobe-stage-lock`). `--root` adds extra protected subtrees (repeatable). |
| `disrobe envelope create\|inspect\|verify\|diff\|migrate-check <dr>` | .dr envelope operations. |
| `disrobe verify <dr>` | Alias for `disrobe envelope verify`. |
| `disrobe scan <path>` | Scan raw bytes for leaked credentials. |
| `disrobe ioc <path> [--format text\|json\|sarif] [--defang]` | Extract indicators of compromise (URLs, IPs, domains, emails, paths, registry keys, wallets, crypto constants); decodes one base64/hex layer. |
| `disrobe strings <path> [--min-len N] [--no-decode]` | Cross-format string extraction: ASCII + UTF-16LE, with single-byte XOR / base64 / ROT-n / stack-string deobfuscation. |
| `disrobe behavior <path>` | Behavior / capability summary across 7 categories, tagged with MITRE ATT&CK technique ids. |
| `disrobe yara parse <path>` | Parse a YARA ruleset into a typed AST (read-only, no matching). |
| `disrobe yara generate <input> [--name N] [--sha256 H] [--date D]` | Generate a candidate YARA rule from an artifact; output round-trips through the parser. |
| `disrobe status` | Summarize `./out/`: per-stage counts, sizes, manifests. |
| `disrobe context --out <dir>` | Summarize a recovery report (status, confidence, verdict, provenance). |
| `disrobe report <dir-or-input> [--format text\|json\|markdown\|html]` | Consolidate a completed run (or raw input) into a forensic summary: identity, topology, per-stage verdicts/scores, artifact inventory, timings. `--format html` emits a self-contained, offline, dark-theme report (inline SVG bars, IOC + ATT&CK tables, XSS-escaped). |

Workspace, agents, and meta

| Command | Purpose |
| --- | --- |
| `disrobe init [--ide claude\|cursor\|windsurf\|aider] [--force]` | Scaffold a .disrobe/ workspace. |
| `disrobe config [show]` | Print the resolved .disrobe.toml config (honors `--json`). See project configuration. |
| `disrobe config init [--out <path>] [--force]` | Write a documented .disrobe.toml template. |
| `disrobe annot refresh\|regenerate` | Rebuild a symbol annotation file. |
| `disrobe rename <old> <new> [--note]` | Record an append-only rename. |
| `disrobe passes` | List every registered pass with a one-line capability summary. |
| `disrobe explain <code>` | Look up a `DR-*` error code and print its description and common fixes. |
| `disrobe doctor [--auto-install] [-y]` | Probe ~50 optional external tools; report installed, missing, or stale. |
| `disrobe install <tool> [--list] [-y] [--dry-run]` | Install one optional tool via the native package manager. |
| `disrobe install-deps [<dep>] [--all] [--dry-run]` | Install heavyweight deps (Ghidra) from upstream releases. |
| `disrobe serve [--bind <ADDR>] [--stdio\|--mcp\|--grpc]` | Run the daemon. See the daemon. |
| `disrobe completions <shell> [--install] [--rc-file <PATH>]` | Generate shell completions (bash, zsh, fish, PowerShell, elvish). |
| `disrobe man [--out <dir>]` | Generate man pages (one .1 per subcommand). |
| `disrobe bug-report [--out <PATH\|->]` | Collect environment, manifests, and tooling versions into a markdown bug report. |
| `disrobe self-update [--check-only] [--dry-run]` | Print self-update guidance (source-only distribution; no network by default). |
