Read what a compiled binary does.

deglyph loads a PE, ELF, or Mach-O and recovers its functions, even when the binary exports nothing. Read the disassembly, walk the call graph, ask an assistant about a function, or scan a release build for secrets in CI. All from your terminal.

Install deglyph View source
Never executes the binary Python 3.10+ GPLv3
The deglyph terminal interface: a function tree on the left with encode_frame selected, and annotated x86-64 disassembly on the right with resolved, clickable call targets
Built on LIEF container parsing Capstone disassembly Textual interface

Ask an assistant what a function does

Select a function and ask in plain language. The assistant finds the answer in the binary and cites the addresses, which stay clickable in its reply.

It reads the binary to answer

Ask where a binary parses a header, builds a frame, or opens a socket. The assistant calls read-only tools (find, disassemble, analyze, xrefs, search) to locate and explain the code, then answers with the addresses it found. It is opt-in: nothing is sent until you ask.

  • Bring your own key or run a local model; the assistant ships with deglyph
  • Speaks any OpenAI-compatible endpoint, including a local Ollama or LM Studio
  • Each function's conversation is saved with your annotations and resumes next time
deglyph assistant transcript: the user asks what crc16 computes and who calls it; the assistant runs disassemble, analyze and xrefs, then explains it is a reflected CRC-16 with polynomial 0x8408 called by encode_frame at 0x140001596

Audit your own release binary in CI

Run deglyph scan on a file or a directory and gate the build on what it finds.

Secrets, hardening, drift

It flags embedded secrets, the hardening posture of the binary, risky imports, linked libraries, and drift against a baseline build. Output is text, Markdown, HTML, or SARIF for GitHub code scanning, and any finding at or above the gate sets a non-zero exit.

secrets hardening drift SARIF 2.1.0 SBOM
deglyph scan output flagging a credential string, a no-stack-canary warning, control flow guard and signature notes, and a memory-protection import, ending with exit 1

deglyph sbom PATH emits a CycloneDX or SPDX bill of materials from the same load.

What the interface does

Function recovery, navigation, disassembly, and structure recovery, in the terminal.

Recover functions

Exports, symbols, imports, and the entrypoint. For stripped binaries that export nothing, functions found by scanning .text for call targets, named sub_<addr>.

Read disassembly

Branch and call targets resolve to names and are clickable, so you can jump straight to a callee. Move the cursor and the listing follows. Press d.

Walk the call graph

A clickable node view centered on any function, callers above and callees below. Click a node to recenter. Press c, or x for recursive caller and callee trees.

Read pseudo-C

A heuristic, instruction-by-instruction C-like view: registers as variables, mov as assignment, calls as name(...). An annotation of the assembly, x86 only. Press p.

Search and strings

Byte patterns with ?? wildcards, ASCII and UTF-16 strings, and immediate constants referenced in code. Press s for a built-in strings(1).

Recover structure

Detectors report immediate stores (magic values, header fields), call-argument immediates (opcodes, flags), and CRC and checksum loops with the named polynomial. Press a.

Magic values and opcodes

The analysis view runs three detectors over x86 operands. It reports the immediate stores that initialize a buffer, the constants passed to a shared routine right before a call, and the CRC loop with its candidate polynomial and a name for well-known ones. The detectors point at the instructions; the disassembly is one key away to confirm.

  • Immediate stores expose header fields, flags, and sizes
  • Call-argument immediates surface mode selectors and command codes
  • CRC detector names CRC-16/CCITT, MODBUS, CRC-32, and others
deglyph Analysis tab for encode_frame, showing immediate stores of 0xaa and 0x04, the call-argument immediate passed to crc16, referenced data, and the CRC/checksum detector

Follow a wrapper to the real work

Exported functions are often thin stubs that validate arguments and jump to the routine that does the work. Press f and deglyph resolves the chain, then move through the binary by following calls rather than scrolling a table. The filter is a subsequence match, so encfr finds encode_frame.

  • Wrapper-to-implementation chain resolved with one key
  • Browser-style back and forward jump history, [ and ]
  • Recursive caller and callee trees, cycle-safe and bounded
deglyph call graph for encode_frame, showing set_volume and main as callers and crc16 and send_frame as callees, with addresses

Even when the binary exports nothing

The table lists exports, symbols, imports, and the entrypoint. For a stripped binary, deglyph scans .text for call targets and turns them into navigable sub_<address> entries on a background worker. Format and architecture are detected from the file, across PE32, PE32+, ELF, Mach-O, and fat binaries.

  • PE, ELF, Mach-O, and fat binaries, with --fmt and --arch overrides
  • Kind filter (t) cycles all, code, export, sub, import
  • Rename (n), note (;), and bookmark (b) persist across sessions
deglyph open on a Mach-O arm64 binary, the recovered function tree on the left listing crc16, send_frame, encode_frame, set_volume, check_license and main, with arm64 disassembly on the right

Install deglyph

The only requirement on the host is Python 3.10 or newer.

# install the package and the `deglyph` command
# (the AI assistant and C++ demangling are included)
$ pip install deglyph

# add a key to use the assistant, then open a binary
$ deglyph path/to/library.dll

Run deglyph with no file to open the welcome screen.

# the launcher builds an isolated venv on first run,
# so the only requirement on the host is Python
$ ./deglyph.sh path/to/library.dll

# or open the welcome screen with no file
$ ./deglyph.sh

On Windows use deglyph.bat. The first launch prints creating virtual environment, then opens the interface.

$ git clone https://github.com/deglyph-re/cli.git
$ cd cli
$ python3 -m venv .venv && . .venv/bin/activate
$ pip install -e .
$ deglyph path/to/library.dll

GPLv3. The full source is on GitHub; there is no closed-source fork.

# .github/workflows/scan.yml
- uses: deglyph-re/cli@v1
  with:
    path: ./dist/app
    format: sarif      # upload to code scanning
    fail-on: warning   # gate the build

Findings appear in the Security tab and gate the build. See the README for the full workflow.

Keyboard shortcuts

Each view and the common actions have a single-key binding.

/Focus the filter (subsequence match)
tCycle the kind filter (all, code, export, sub, import)
dDisassembly, with clickable branch and call targets
xCross-references: wrapper chain, caller and callee trees
aAnalysis: immediate stores, call args, CRC loops
pPseudo-C, a heuristic C-like view
cCall graph, a clickable node navigator
iAssistant: ask about the selection
sStrings: browse every string in the binary
fFollow the selection to its implementation
n ; bRename, note, bookmark (all persist)
[ ]Navigate jump history back and forward

Read a binary in your terminal

Load a PE, ELF, or Mach-O, recover its functions, and read it. deglyph never executes the binary it analyzes.

Install deglyph View on GitHub