WPeace-HcH/WPeGPT

IDA plugin that outsources reverse engineering to an LLM

WPeGPT pipes decompiled pseudocode to AI models and writes analysis back as IDA comments, now with headless automation.

What it does

WPeGPT is an IDA Pro plugin that sends decompiled function pseudocode to LLMs (OpenAI, DeepSeek, or any OpenAI-compatible API) and injects the results back as comments inside your IDA database. It can rename variables, flag vulnerabilities, even attempt Python rewrites of small functions, and, new in v3.0, run fully automated headless analysis via an embedded TCP server called WPeServer.

The interesting bit

The v3.0 redesign splits the project into an interactive plugin and an automated pipeline. The “suspiciousness scoring” system ranks functions by keyword matching, caller/callee relationships, and size to avoid wasting API tokens on stdlib noise. There’s also a 10-category string classifier that auto-tags networking, crypto, injection, and persistence strings, plus network IoC extraction that tries to decrypt encrypted C2 addresses.
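As an added illustration of the three signals named above (keywords, caller/callee relationships, size), here is a triage scorer over a constructed function table; it is not WPeGPT's code. The keyword list, weights, thresholds and field names are all assumptions made for the example.

```python
# Added example: rank functions for LLM review under a fixed budget.
# Keywords, weights and thresholds are assumed values, not WPeGPT's.
from dataclasses import dataclass, field

KEYWORDS = {"socket": 3, "connect": 3, "crypt": 3, "virtualalloc": 4,
            "createremotethread": 5, "regsetvalue": 3}
MIN_SIZE, MAX_SIZE = 32, 4096   # bytes; tiny stubs and huge blobs get no bonus
MIN_SCORE = 3                   # below this a function is not worth the tokens


@dataclass
class Func:
    name: str
    size: int
    callees: list = field(default_factory=list)  # names this function calls
    is_library: bool = False                     # e.g. signature-matched stdlib


def keyword_score(name: str) -> int:
    low = name.lower()
    return sum(w for k, w in KEYWORDS.items() if k in low)


def score(func: Func, table: dict) -> int:
    if func.is_library:
        return 0                                 # stdlib noise is never sent
    total = keyword_score(func.name)
    # Callee signal: calling a flagged import raises the score.
    total += sum(keyword_score(c) for c in func.callees)
    # Caller signal: code reached from other user functions, capped at 3.
    callers = [f for f in table.values()
               if func.name in f.callees and not f.is_library]
    total += min(len(callers), 3)
    if MIN_SIZE <= func.size <= MAX_SIZE:
        total += 1
    return total


def rank(table: dict, budget: int) -> list:
    scored = [(score(f, table), f.name) for f in table.values()]
    kept = sorted((s, n) for s, n in scored if s >= MIN_SCORE)
    kept.sort(key=lambda x: (-x[0], x[1]))       # highest score first
    return [n for _, n in kept[:budget]]


# Constructed sample: names mimic IDA's default sub_<address> labels.
FUNCS = {f.name: f for f in [
    Func("sub_401000", 220, ["VirtualAlloc", "CreateRemoteThread"]),
    Func("sub_401200", 640, ["socket", "connect", "sub_401000"]),
    Func("sub_401800", 12),
    Func("memcpy", 96, is_library=True),
    Func("sub_402000", 150, ["memcpy", "sub_401800"]),
]}
```

With a budget of 3, only the injection-style and networking functions clear the threshold, so the small helper and the stdlib wrapper never reach the API.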

Key highlights

  • Interactive shortcuts: Ctrl+Alt+G for function analysis, Ctrl+Alt+E for vulnerability finding, Ctrl+Alt+R for AI-suggested variable renames
  • Three automated modes: light (~2–5 min), full (~10–30 min), vuln (~5–20 min)
  • WPeServer TCP architecture supports multiple concurrent IDA instances controlled externally
  • Outputs structured JSON and Markdown reports to <binary_name>_WPeAI_Results/
  • Inspired by Gepetto; explicitly warns “AI’s analysis results are for reference only”

Caveats

  • Requires IDA configured for Python 3; proxy users may need to pin urllib3==1.25.11
  • The “exploit generation” feature is described as “attempt to generate”—expect aspirational, not guaranteed
  • DeepSeek support requires manual variable tweaks in config.py rather than clean provider switching

Verdict

Malware analysts and reverse engineers who already live in IDA and have API budget to burn should try this. If you don’t own an IDA license or your threat model doesn’t involve staring at decompiled C, skip it.
