ruby
disrobe is the only active Ruby bytecode decompiler with a measured fidelity grade. It analyzes every major Ruby artifact format and decompiles YARV and mruby bytecode toward source, verified by a recompile-equivalence oracle on a real MRI interpreter.
| Layer | Coverage |
|---|---|
| Flavors detected | MRI source, YARV binary (YARB magic), mruby RITE, JRuby .class, TruffleRuby AOT, Ruby2Exe, Ocra |
| YARV | IBF reader (iseqs, object table, literals) plus a decompiler driven by per-version opcode tables for Ruby 2.6 through 3.4 |
| mruby | RITE reader covering format versions 0001-0007, 0030, 0200, and 0300, with irep disassembly and decompilation |
| Fidelity | 100% opcode-multiset equivalence on a greeter fixture; 85% on a mixed-construct megafile (gate floor, CI-enforced); approximately 90% genuinely recoverable, the remainder an oracle artifact from comment-stripping magic pragmas |
| Output | Analysis JSON plus a .rb source file carrying the decompiled body and a YARV disassembly trailer |
```
disrobe ruby decompile app.bin --out app-ruby.json
disrobe ruby detect app.bin
```

`decompile` sniffs the flavor, runs the matching reader and decompiler, and writes the analysis JSON (default ./out/<stem>-ruby.json) plus a .rb source file beside it. `detect` reports the flavor and exits without writing output.
Output shape (illustrative):
```
ruby decompile: OK
input: app.bin
flavor: YarvBinary
yarv header: major=3 minor=4
yarv iseqs: 12
yarv bodies: 12
yarv objects: 34
yarv literals: 18
yarv insns: 97
yarv decomp: Lossless
yarv stmts: 23
decompiled: ./out/app.rb (yarv)
wrote: ./out/app-ruby.json
```
For MRI source the summary reports token and definition counts. For YARV it adds the IBF header fields, iseq and object counts, instruction count, decompile fidelity, and statement count. For mruby it reports the compiler version string, irep count, instruction count, and whether a body was recovered.
A committed recompile-equivalence oracle compiles the recovered YARV source on the matching interpreter and diffs the opcode multiset. The gate asserts 100% equivalence on the greeter fixture and at least 85% on the megafile fixture; both run in CI. The roughly 5-point megafile gap is an oracle artifact: the oracle strips comment lines before recompiling, discarding the original's magic pragmas (# frozen_string_literal: true and similar), which shifts a handful of string and array literals to non-frozen opcodes.
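The pragma effect described above can be reproduced on any MRI interpreter. The following is an added example, not disrobe's own oracle: the sample source is constructed, the helper names are hypothetical, and the score formula (shared opcodes over the larger multiset's size) is an assumption, since the page does not define how its percentage is computed.

```ruby
# Added illustration, not disrobe's oracle. Requires MRI (RubyVM is MRI-only).
MAGIC = "YARVInstructionSequence/SimpleDataFormat"

# Constructed sample standing in for an "original" source file.
ORIGINAL = <<~'RUBY'
  # frozen_string_literal: true
  # greet a user
  def greet(name)
    prefix = "hello"
    "#{prefix}, #{name}"
  end
  greet("world")
RUBY

# Walk the nested iseq.to_a structure and count every instruction, including
# those in method bodies and catch-table iseqs nested under the top level.
def count_opcodes(node, counts)
  return counts unless node.is_a?(Array)
  if node.first == MAGIC
    # The last element of a serialized iseq is its body; instructions are
    # arrays led by the opcode symbol, other entries are line/label markers.
    node.last.each { |e| counts[e.first] += 1 if e.is_a?(Array) && e.first.is_a?(Symbol) }
  end
  node.each { |child| count_opcodes(child, counts) }
  counts
end

def opcode_multiset(source)
  count_opcodes(RubyVM::InstructionSequence.compile(source).to_a, Hash.new(0))
end

# Mimics the comment-line stripping the page attributes to the oracle.
def strip_comment_lines(source)
  source.lines.reject { |l| l.lstrip.start_with?("#") }.join
end

# Assumed score: shared opcode count over the larger multiset's size.
def multiset_equivalence(a, b)
  shared = a.sum { |op, n| [n, b.fetch(op, 0)].min }
  total = [a.values.sum, b.values.sum].max
  total.zero? ? 1.0 : shared.to_f / total
end

# Opcodes whose counts differ, as { opcode => [count_in_a, count_in_b] }.
def opcode_delta(a, b)
  (a.keys | b.keys).reject { |op| a.fetch(op, 0) == b.fetch(op, 0) }
                   .to_h { |op| [op, [a.fetch(op, 0), b.fetch(op, 0)]] }
end
```

Calling `opcode_delta` on the multisets of `ORIGINAL` and `strip_comment_lines(ORIGINAL)` shows which string-literal opcodes moved once the pragma was discarded; the exact opcode names depend on the interpreter version.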
Ruby2Exe and Ocra self-extracting packages are detected as their own flavors so the chain layer can route the embedded payload onward. JRuby .class files and TruffleRuby AOT images are classified but not decompiled here: JVM-class material belongs to the JVM guide, and AOT-compiled native code has no recoverable Ruby body.
This wiki is generated from docs/src in the disrobe repository by scripts/wiki_sync.py. Edit the docs there, not the wiki pages here.