Kong produces output in three formats. By default, it generates both source and json. Use -f to select specific formats.
An annotated C file with recovered function names, types, and documentation. Each function gets a JSDoc-style comment block:
/* ============================================================
 * Binary: libc.so.6
 * Arch: x86-64
 * Format: ELF
 * Compiler: GCC
 * Functions: 2842 total, 2314 analyzed, 528 skipped, 0 errors
 * Renamed: 1847 | Confirmed: 467
 * LLM calls: 2314
 * Duration: 47m 3.2s
 * Cost: $123.45
 * ============================================================ */

/**
 * @name parse_http_header
 * @brief Parses an HTTP request header into components
 * @confidence 92%
 * @classification networking
 * @address 0x00401a30
 */
void parse_http_header(char *header, int max_size) {
    // ... decompiled body ...
}
Functions are grouped by classification: Crypto, Networking, I/O, Memory Management, String Operations, Math, Initialization, Cleanup, Handlers, Parsers, Utilities, and General.
A structured analysis.json file with full metadata. The top-level schema:
{
  "binary": {
    "name": "binary",
    "path": "/path/to/binary",
    "arch": "x86-64",
    "format": "ELF",
    "endianness": "little",
    "word_size": 8,
    "compiler": "GCC"
  },
  "stats": {
    "total_functions": 2842,
    "analyzed": 2314,
    "named": 2314,
    "renamed": 1847,
    "confirmed": 467,
    "signature_matches": 156,
    "high_confidence": 2100,
    "medium_confidence": 180,
    "low_confidence": 34,
    "skipped": 528,
    "errors": 0,
    "llm_calls": 2314,
    "duration_seconds": 2823.2,
    "cost_usd": 123.45
  },
  "functions": [
    {
      "address": "0x00401a30",
      "original_name": "FUN_00401a30",
      "name": "parse_http_header",
      "signature": "void parse_http_header(char *header, int max_size)",
      "confidence": 92,
      "classification": "networking",
      "comments": "Parses an HTTP request header into components",
      "reasoning": "String references to HTTP methods and header fields...",
      "obfuscation_techniques": [],
      "deobfuscation_tool_calls": 0
    }
  ]
}
Key fields
signature_matches in stats — how many functions were identified by signature matching without LLM analysis
obfuscation_techniques in each function — list of detected techniques (e.g., ["cff", "bogus_cf"])
deobfuscation_tool_calls — number of tool calls the LLM made during deobfuscation
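A triage pass over analysis.json, as an added example (not part of Kong or its documentation): it builds a manual-review queue from the per-function fields described above, since LLM-recovered names are hints to verify rather than ground truth. The threshold of 80, the C-identifier check, the `review_queue` helper and the sample records are assumptions constructed for illustration.

```python
import json
import re

# Constructed sample in the analysis.json shape documented above (not real Kong output).
SAMPLE = json.loads("""
{"functions": [
  {"address": "0x00401a30", "original_name": "FUN_00401a30", "name": "parse_http_header",
   "confidence": 92, "classification": "networking", "obfuscation_techniques": []},
  {"address": "0x00402b10", "original_name": "FUN_00402b10", "name": "decrypt_config",
   "confidence": 55, "classification": "crypto", "obfuscation_techniques": ["cff", "bogus_cf"]},
  {"address": "0x00403c00", "original_name": "FUN_00403c00", "name": "init_table()",
   "confidence": 95, "classification": "initialization", "obfuscation_techniques": []}
]}
""")

# Assumption: a recovered name must be a plain C identifier before other tools consume it.
C_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def review_queue(report, min_confidence=80):
    """Return (address, name, confidence, reasons) for functions needing manual review."""
    queue = []
    for fn in report["functions"]:
        reasons = []
        if fn["confidence"] < min_confidence:
            reasons.append("low_confidence")
        if fn.get("obfuscation_techniques"):
            reasons.append("obfuscated:" + "+".join(fn["obfuscation_techniques"]))
        if not C_IDENT.fullmatch(fn["name"]):
            reasons.append("invalid_identifier")
        if reasons:
            queue.append((fn["address"], fn["name"], fn["confidence"], reasons))
    # Lowest confidence first, so the least trustworthy names are checked first.
    return sorted(queue, key=lambda item: item[2])

if __name__ == "__main__":
    for address, name, confidence, reasons in review_queue(SAMPLE):
        print(address, repr(name), confidence, ", ".join(reasons))
```

To run it against a real report, replace `SAMPLE` with `json.load(open("analysis.json"))`.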
Ghidra writeback (-f ghidra)
Writes recovered names, types, and signatures directly into the Ghidra program database. No output file is produced — the Ghidra project is modified in place.
This is useful when you want to continue manual analysis in Ghidra with Kong’s recovered symbols already applied. Open the Ghidra project after analysis and you’ll see the renamed functions, typed parameters, and struct definitions.
Ghidra writeback modifies the Ghidra project. If you want to preserve the original state, make a copy of the project before running with -f ghidra.