Docker-isolated static reverse engineering orchestrator
Project description
decompile
decompile is a Docker-first static reverse-engineering CLI.
Install the small host command, run decompile ./file, and the heavy reverse-engineering tools run inside the Docker image. The host does not need Ghidra, JADX, apktool, ILSpy, or binutils installed.
AI enhancement runs on the host after extraction, using your host GitHub CLI/Copilot login. GitHub credentials are not mounted into Docker.
Install
curl -fsSL https://admin12121.github.io/decompile/install.sh | sudo bash
Other package targets:
pip install decompile
decompile --update
yay -S decompile
Docker is required for the normal published workflow.
Quick Start
decompile ./crackme
decompile --no-ai ./crackme
decompile --image docker.io/admin12121/decompile:stable ./crackme
decompile --local ./crackme
Default output goes to:
./crackme.ghidra-out/
You can choose the output directory:
decompile ./crackme ./out
What It Does
decompile detects the input format, chooses the matching static toolchain, and writes useful reverse-engineering output into one directory.
Supported routes:
| Input | Tooling | Output |
|---|---|---|
| ELF, PE, EXE, DLL, SYS, Mach-O | Ghidra headless, objdump, optional AI cleanup | ASM, pseudocode C, enhanced C, summary |
| APK, AAB, DEX | JADX, apktool | Java/Kotlin source, resources, summary |
JAR, WAR, EAR, .class |
JADX | Java source, summary |
| .NET EXE/DLL | ilspycmd | C# source, summary |
IPA, .app bundle |
IPA/app extraction plus native analysis | Native output and app metadata |
Native binary output:
summary.txt
metadata.json
disassembly.asm
pseudocode.c
enhanced.c
Android, Java, and .NET output usually includes:
summary.txt
metadata.json
source/
resources/
summary.txt is the human report. It includes file type, architecture, entropy, sections, imports, symbols, strings, tool exit status, and decompiler details when available.
metadata.json is the machine-readable version for scripts and future UI work.
Docker Model
Published installs use this image by default:
docker.io/admin12121/decompile:stable
The image is pulled only when it is missing locally. Normal runs reuse the local image and do not check the registry.
Update manually:
decompile --update
Use a custom image:
decompile --image ghcr.io/you/decompile:dev ./file
Run host tools directly:
decompile --local ./file
Inside Docker:
- input is mounted read-only
- output is mounted read-write
- the container runs as your current UID/GID
- network is disabled during analysis
- GitHub/Copilot credentials are not mounted
- temporary projects and scratch files are removed
- native analysis keeps temporary objdump data only long enough for the host AI phase
AI Enhancement
For native binaries, enhanced.c can be generated from pseudocode, disassembly, objdump context, and summary data.
Use this when you want cleaner function names, variables, and reconstructed C-like output:
decompile ./file
This phase runs on the host with:
gh
gh copilot
jq
Disable it for malware, private samples, offline work, or reproducible local-only output:
decompile --no-ai ./file
When AI is enabled, analysis context may be sent to GitHub Copilot through the host gh command. The Docker container still runs without network access and without GitHub auth.
Options
decompile <file-or-bundle> [output-dir]
decompile --no-ai <file-or-bundle> [output-dir]
decompile --update [--image <image>]
decompile doctor [--image <image>]
decompile --image <image> <file-or-bundle> [output-dir]
decompile --local <file-or-bundle> [output-dir]
decompile --type <native|apk|aab|dex|jar|class|dotnet|ipa|app-bundle> <file> [output-dir]
Check the host, Docker, image, GitHub auth, bundled resources, and local tools:
decompile doctor
Useful environment variables:
DECOMPILE_DOCKER_IMAGE override the Docker image
DECOMPILE_USE_DOCKER=0 run local host tools
DECOMPILE_NO_AI=1 skip AI enhancement
DECOMPILE_KEEP_DEBUG=1 keep objdump and prompt/debug files
GHIDRA_TIMEOUT=120 per-function decompile timeout
DECOMPILE_COPILOT_MODEL optional host Copilot model
DECOMPILE_COPILOT_EFFORT low, medium, high, xhigh
Limits
This is static analysis only. It does not run the target, debug it, emulate it, unpack it, or bypass runtime protections.
Packed binaries, heavy obfuscation, anti-disassembly tricks, encrypted IPA files, and protected mobile apps can still produce weak or incomplete output.
Docker isolation reduces host writes, but it is not a malware sandbox. Do not execute unknown samples with this tool.
Development
Build the Docker image:
docker build -t decompile:latest .
Use the local image:
decompile --image decompile:latest ./sample
Build Python release artifacts:
python3 -m build
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file decompile-0.1.1.tar.gz.
File metadata
- Download URL: decompile-0.1.1.tar.gz
- Upload date:
- Size: 32.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
fa6ab68cd77b52421d01b1c7f90fff5f35e8613cb64f26c80c1665df99fa9875
|
|
| MD5 |
84c44444b468727e4cdaa60afb10e66d
|
|
| BLAKE2b-256 |
ab561ebcc011ac4cd00e1ff4d6ab990385ea71915a22936d1d264e6d031497bf
|
File details
Details for the file decompile-0.1.1-py3-none-any.whl.
File metadata
- Download URL: decompile-0.1.1-py3-none-any.whl
- Upload date:
- Size: 24.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
89a18221e782efa9b228c40893f983606739d76c0de20d729e4ac721478ebe83
|
|
| MD5 |
ff565a675b408c5009d1bf620fa9c5b5
|
|
| BLAKE2b-256 |
e17bff39fe73423b25617f0249b9dd9c404255bdc38189aa1626e76b9b1a1469
|
