Sign in

See inside any binary.

Drop a file — what it does, what it talks to, and whether it’s safe, in seconds. Nothing executes. Free for everyone.

Battle.net-Setup.exelsBearbettercap
100,215 binaries analyzed66 architectures91 firmware formats200+ CWE rules

Software ships as binaries. The tools that vet it read manifests, signatures, and hashes. We read the code.

Every upload, full report

Drop a binary. Get the reverse engineer's answer.

bettercap

#5b65f309 · 29.0 MB · first seen 10d ago

Malicious
OverviewStructureSystem Access35Network166Libraries14Functions31kStrings2.6kVulnerabilities19Lineage11

CVEs

19

Hardening

4 weak

Capabilities

35

Network

166

Behaviors

76

Functions

31k

Libraries

14

Imports

148

Secrets

None

Platform Linux (glibc)

Arch x86_64

Type executable

Signing Unsigned

A real report from the public corpus — every number is live. Open it →

The corpus

binaries. Every one mapped.

Each tile is that file’s real byte map — sections colored, structure laid out by the bytes themselves. Malware sits next to coreutils next to Mac apps with their App Store listings attached. Click any of them.

Live renders from the public corpus — Debian, Homebrew, winget, firmware images, and every upload.

Browse the corpus →

Recovered structure

Stripped, compiled, shipped. Still readable.

The engine lifts machine code to an intermediate language, names functions from a corpus of 1.3M signatures, and rebuilds the call graph. Below: Bear.app as it ships, and what comes back.

what ships

00000000  ca fe ba be 00 00 00 0200000008  01 00 00 07 00 00 00 0300000010  00 00 40 00 00 4a f0 b000000018  00 00 00 0e 01 00 00 0c00000020  00 00 00 00 00 4b 40 0000000028  00 40 53 40 00 00 00 0e00000030  00 00 00 00 00 00 00 0000000038  00 00 00 00 00 00 00 00

The first 64 bytes of Bear.app’s executable — cafebabe, a universal binary with two architecture slices.

what comes back

method -[SFAppDelegate setupAppTheme] 0x10005f084calls  objc_opt_new  BearThemeManager  -[SFAppDelegate setThemeManager:]  +[SFNotesPreferenceManager sharedPreferenceManager]  currentAppThemeName · loadThemeNamed:called by  -[SFAppDelegate applicationWillFinishLaunching:]

One of 13,091 functions recovered — classes, selectors, and call graph intact.

$openbinary reconstruct Bear.app --class SFAppDelegate→ Reconstructed 1 class, 161 methods as a Rust project

Who it’s for

One engine. Four jobs.

For machines

The same analysis, one POST away.

Everything on this site is an API. Send a binary, get the report back as JSON — fast enough to sit inline in a decision.

  • App firewalls & EDR — allow or block with the evidence attached, before the file runs.

  • CI & release gates — fail the build when a new capability, a weak mitigation, or a vulnerable library appears between versions.

  • AI agents — an MCP server and a query DSL over 50+ fields let agents triage binaries and ask their own follow-up questions.

api.openbinary.ai
$ curl -F binary=@drop.bin \
    https://api.openbinary.ai/api/v1/upload

{
  "sha256": "5b65f309…",
  "verdict": "malicious",
  "capabilities": ["opens_network",
      "loads_code_dynamically", …],
  "libraries": 14,
  "cves": 19
}

Beyond one file

Two builds. A thousand files. Or a whole fleet of them.

Diff whole releases

Compare two builds or two entire OS releases — files added and removed, contents changed, SBOM components bumped.

FreeBSD 11.4 → 14.3 → +383 / −435 files · 61 SBOM changes

Open that diff, live →

Unpack whole images

OS releases, distro images, firmware blobs — recursive unpack across 91 formats, a report for every file inside, one SBOM for the artifact.

FreeBSD · NetBSD · OpenBSD · AlmaLinux · firmware

Browse the package library →

Watch your fleet

Inventory every binary across your hosts — what runs where, what changed, and which machines carry the vulnerable version.

See plans →

EU Cyber Resilience Act

Know what ships in your firmware — before the EU asks.

The CRA makes binary-level transparency a legal requirement for every product with digital elements sold in the EU. Source scanners never see the shipped artifact — openbinary reads the artifact itself: unpack the image, identify every component, attach CVEs, export the machine-readable SBOM, diff it release over release.

How the check works →
Sep 11, 2026Reporting obligations begin — actively exploited vulnerabilities and severe incidents must be reported
Dec 11, 2027Full obligations — machine-readable SBOM, documented vulnerability handling, CE marking
€15M / 2.5%Maximum fines — €15 million or 2.5% of global turnover, whichever is higher

binaries analyzed

architectures

firmware formats

CWE detection rules

Free for everyone. No account needed.

Search the corpus, drop a binary, read the full report. Pro adds private workspaces, firmware analysis, every architecture, and the API.

See pricing

Static analysis — nothing ever executes · Pure-Rust engine · Built in the EU · On-prem and air-gapped deploys available