WPeGPT

May 27, 2026 · View on GitHub

English | 中文

Note

WPeChatGPT has been renamed to WPeGPT starting from v3.0 with a complete architectural redesign. Existing installations are unaffected.

WPeGPT

An IDA plugin that integrates AI (LLM) models into binary analysis workflows. WPeGPT sends decompiled pseudocode from IDA to an AI model and writes analysis results back as IDA comments. Supports multiple AI providers (OpenAI, DeepSeek, and any OpenAI-compatible API).

Inspired by Gepetto.

AI's analysis results are for reference only — otherwise we analysts would be out of work on the spot. XD

Features

Interactive Analysis (IDA Plugin)

FeatureDescription
Function AnalysisAnalyze purpose, usage environment, and behavior of a function
Variable RenameAI-suggested renaming of function variables
Python RestoreReconstruct small functions (e.g., XOR decryption) in Python
Vulnerability FindingIdentify potential vulnerabilities in the current function
Exploit GenerationAttempt to generate a PoC exploit for vulnerable functions

Automated Analysis (WPeServer + Controller)

v3.0 introduces a TCP-based architecture for fully automated, headless binary analysis:

  • WPeServer — An embedded TCP server inside IDA that accepts commands from an external controller. Supports multiple concurrent IDA instances.

  • Three-Phase Analysis Pipeline — Targeted segmented intelligent analysis.

  • Three Analysis Modes:

    ModeDescriptionTime
    lightGlobal Scan + Critical Path Function Analysis~2-5 min
    fullGlobal Scan + Critical Path + Full Function Analysis~10-30 min
    vulnCritical Path Function Vulnerability Analysis~5-20 min
  • Intelligent String Classification — Automatically categorizes strings into 10 categories: networking, keylogging, crypto, injection, persistence, antianalysis, dropper, code execution, memory/file ops, installer framework.

  • Network IoC Extraction — Extracts IPs, domains, URLs, and ports. Auto-detects and attempts to decrypt encrypted C2 addresses.

  • Function Suspiciousness Scoring — Ranks functions by keyword matching, caller/callee relationships, size, and stdlib filtering to prioritize AI analysis.

  • Shellcode Loader Detection — Pattern-based detection of shellcode execution techniques.

  • Structured Reports — Outputs both JSON and Markdown reports to <binary_name>_WPeAI_Results/.

Update History

VersionDateComment
1.02023-02-28Based on Gepetto.
1.12023-03-021. Delete the function of analyzing encryption and decryption.
2. Increase the function of python restore function.
3. Modified some details.
1.22023-03-031. Added the function of finding binary vulnerabilities in functions.
2. Increase the function of trying to automatically generate the corresponding EXP.
3. Modified some details.
(The upload was not tested due to the OpenAI server lag)
2.02023-03-061. Complete the testing of v1.2 version vulnerability related functions.
2. Switch to the latest gpt-3.5-turbo model released by OpenAI.
2.12023-03-07Fix the timed out issue of OpenAI-API. (See section About OpenAI-API Error Reporting)
2.32023-04-23Add the Auto-WPeGPT v0.1 to support automatic analysis of binary files.
(Package anytree needs to be added from this version, use requirements.txt or pip install anytree)
2.42023-11-101. Changed some display details.
2. Update Auto-WPeGPT v0.2.
2.52024-08-071. Add support for other models, you can set this using the MODEL variable. @tpsnt
2. Support for the new version of the python openai package. (Need to update your openai package)
2.62025-02-17Add support for DeepSeek, you need to set the variable PLUGIN_NAME to WPeChat-DeepSeek and fill the API KEY into variable model_api_key.
(The default model is DeepSeek-V3. If you want to use the R1 model, modify variable MODEL = 'deepseek-reasoner'.)
3.02026-05-27Renamed to WPeGPT. Complete architectural redesign:
1. Split into modular architecture (WPeGPT.py + config.py + wpe_ai_controller.py).
2. Introduced WPeServer (TCP command server) for external AI-driven automation.
3. Three-phase analysis pipeline (global scan → critical path → full scan).
4. Three analysis modes (light / full / vuln).
5. Intelligent string classification (10 categories) and network IoC extraction.
6. Function suspiciousness scoring system with stdlib filtering.
7. Shellcode loader detection.
8. Structured JSON + Markdown report generation.

Install

1. Install Dependencies

pip install -r ./requirements.txt

2. Configure

Edit WPeGPT_Config/config.py:

  • Set your API_KEY
  • Set API_BASE_URL
  • Set MODEL
  • Set ZH_CN = True for Chinese (default), False for English
  • Optionally configure ANALYSIS_MODE, MAX_WORKERS, and other options

3. Install Plugin

Copy WPeGPT.py and the WPeGPT_Config/ folder to your IDA plugins/ directory, then restart IDA.

NOTE: IDA must be configured to use Python 3.

Usage

Interactive Mode (IDA Plugin)

  • Keyboard Shortcuts:

    ShortcutAction
    Ctrl+Alt+GFunction analysis
    Ctrl+Alt+RRename function variables
    Ctrl+Alt+EVulnerability finding
    Ctrl+Alt+WLight auto analysis
  • Right-click in the pseudocode window for context menu.

  

  • Menu bar: Edit → WPeGPT

  

Automated Mode (Headless Analysis)

Use the wpegpt-analyzer Skill, or run Menu bar: Edit → WPeGPT → Auto-WPeGPT

Reports are saved to <binary_name>_WPeAI_Results/.

Example

How to use:

  

Function analysis results:

  

Vulnerability finding:

  

About OpenAI-API Errors

If you experience connection issues while behind a proxy:

  • Check your urllib3 version — v1.26 has known proxy issues. Fix with:
    pip uninstall urllib3
    pip install urllib3==1.25.11
    
  • Configure FORWARD_PROXY in config.py (e.g., http://127.0.0.1:7890).
  • Or use a reverse proxy by setting API_BASE_URL.

Contact

If you encounter issues or have questions, please open a GitHub Issue or send an email.