decompile is a Docker-first static reverse-engineering CLI.
Install the small host command, run decompile ./file, and the heavy reverse-engineering tools run inside the Docker image. The host does not need Ghidra, JADX, apktool, ILSpy, or binutils installed.
AI enhancement runs on the host after extraction, using your host GitHub CLI/Copilot login. GitHub credentials are not mounted into Docker.
curl -fsSL https://admin12121.github.io/decompile/install.sh | sudo bashOther package targets:
pip install decompile
decompile --update
yay -S decompileDocker is required for the normal published workflow.
decompile ./crackme
decompile --no-ai ./crackme
decompile --image docker.io/admin12121/decompile:stable ./crackme
decompile --local ./crackmeDefault output goes to:
./crackme.ghidra-out/
You can choose the output directory:
decompile ./crackme ./outdecompile detects the input format, chooses the matching static toolchain, and writes useful reverse-engineering output into one directory.
Supported routes:
| Input | Tooling | Output |
|---|---|---|
| ELF, PE, EXE, DLL, SYS, Mach-O | Ghidra headless, objdump, optional AI cleanup | ASM, pseudocode C, enhanced C, summary |
| APK, AAB, DEX | JADX, apktool | Java/Kotlin source, resources, summary |
JAR, WAR, EAR, .class |
JADX | Java source, summary |
| .NET EXE/DLL | ilspycmd | C# source, summary |
IPA, .app bundle |
IPA/app extraction plus native analysis | Native output and app metadata |
Native binary output:
summary.txt
metadata.json
disassembly.asm
pseudocode.c
enhanced.c
Android, Java, and .NET output usually includes:
summary.txt
metadata.json
source/
resources/
summary.txt is the human report. It includes file type, architecture, entropy, sections, imports, symbols, strings, tool exit status, and decompiler details when available.
metadata.json is the machine-readable version for scripts and future UI work.
Published installs use this image by default:
docker.io/admin12121/decompile:stable
The image is pulled only when it is missing locally. Normal runs reuse the local image and do not check the registry.
Update manually:
decompile --updateUse a custom image:
decompile --image ghcr.io/you/decompile:dev ./fileRun host tools directly:
decompile --local ./fileInside Docker:
- input is mounted read-only
- output is mounted read-write
- the container runs as your current UID/GID
- network is disabled during analysis
- GitHub/Copilot credentials are not mounted
- temporary projects and scratch files are removed
- native analysis keeps temporary objdump data only long enough for the host AI phase
For native binaries, enhanced.c can be generated from pseudocode, disassembly, objdump context, and summary data.
Use this when you want cleaner function names, variables, and reconstructed C-like output:
decompile ./fileThis phase runs on the host with:
gh
gh copilot
Disable it for malware, private samples, offline work, or reproducible local-only output:
decompile --no-ai ./fileWhen AI is enabled, analysis context may be sent to GitHub Copilot through the host gh command. The Docker container still runs without network access and without GitHub auth.
decompile <file-or-bundle> [output-dir]
decompile --no-ai <file-or-bundle> [output-dir]
decompile <file-or-bundle> --model <model> [output-dir]
decompile <file-or-bundle> --effort <low|medium|high|xhigh> [output-dir]
decompile --update [--image <image>]
decompile doctor [--image <image>]
decompile --image <image> <file-or-bundle> [output-dir]
decompile --local <file-or-bundle> [output-dir]
decompile --type <native|apk|aab|dex|jar|class|dotnet|ipa|app-bundle> <file> [output-dir]
Check the host, Docker, image, GitHub auth, bundled resources, and local tools:
decompile doctorUseful environment variables:
DECOMPILE_DOCKER_IMAGE override the Docker image
DECOMPILE_USE_DOCKER=0 run local host tools
DECOMPILE_NO_AI=1 skip AI enhancement
DECOMPILE_KEEP_DEBUG=1 keep objdump and prompt/debug files
GHIDRA_TIMEOUT=120 per-function decompile timeout
DECOMPILE_COPILOT_MODEL optional host Copilot model
DECOMPILE_COPILOT_EFFORT optional low, medium, high, xhigh
This is static analysis only. It does not run the target, debug it, emulate it, unpack it, or bypass runtime protections.
Packed binaries, heavy obfuscation, anti-disassembly tricks, encrypted IPA files, and protected mobile apps can still produce weak or incomplete output.
Docker isolation reduces host writes, but it is not a malware sandbox. Do not execute unknown samples with this tool.
Build the Docker image:
docker build -t decompile:latest .Use the local image:
decompile --image decompile:latest ./sampleBuild Python release artifacts:
python3 -m build