Skip to content

Glossary

Plain-language definitions of SEO terms used across the blog.

Virtualization Obfuscation
An advanced obfuscation technique that translates native instructions into a custom bytecode executed by an embedded interpreter, defeating standard disassemblers.
Symbolic Execution
A program analysis technique that executes code with symbolic (abstract) values instead of concrete inputs, exploring multiple paths simultaneously.
NOP Sled
A sequence of NOP (no-operation) instructions prepended to shellcode so that imprecise jumps still land in executable payload territory.
Patching
Modifying the bytes of a binary on disk or in memory to change its behavior — for example to bypass a license check or disable anti-debug code.
Entropy
A measure of randomness in binary data — high entropy in a section indicates compression or encryption, a hallmark of packed malware.
YARA
A pattern-matching tool and rule language used to identify and classify malware samples based on textual or binary signatures.
Dynamic Analysis
Analyzing a binary by actually running it, observing its behavior in real time using debuggers, sandboxes, and system monitoring tools.
Static Analysis
Examining a binary without executing it — using disassemblers, decompilers, and file-format parsers to understand its structure and logic.
Sandbox
An isolated execution environment that runs a suspicious binary, monitors its behavior, and prevents it from affecting the real system.
Gadget
A short sequence of existing instructions ending in a RET (or similar) used as a building block in Return-Oriented Programming chains.
R8-R15 Registers
R8 through R15 are the eight extended 64-bit x86-64 general-purpose registers added in AMD64, used for argument passing and extra scratch space.
Return-Oriented Programming (ROP)
An exploitation technique that chains small existing code snippets ending in RET instructions to execute arbitrary logic without injecting new code.
Shellcode
Self-contained position-independent machine code injected and executed in a target process, typically as an exploit payload.
Obfuscation
Intentional transformation of code or data to make it harder to understand, while preserving the original program's behavior.
Packer
A tool that compresses or encrypts an executable and wraps it with a stub that decompresses/decrypts it at runtime before transferring control to the original code.
Basic Block
A maximal straight-line sequence of instructions with a single entry point and a single exit (branch or return) — the node unit of a CFG.
Control Flow Graph (CFG)
A directed graph representing all possible execution paths through a function, with nodes as basic blocks and edges as branches.
RFLAGS Register
RFLAGS is the 64-bit x86-64 status register holding condition flags like ZF, CF, SF, and OF that drive conditional branches.
Single-Stepping
Executing one instruction at a time in a debugger to observe the exact effect of each operation on registers and memory.
Breakpoint
An instruction or hardware trigger in a debugger that pauses execution when the program reaches a specific address or condition.
API Hooking
Intercepting calls to API or library functions at runtime to monitor, modify, or redirect their behavior.
System Call
A controlled transition from user space to the OS kernel to request a privileged operation such as reading a file or allocating memory.
Endianness
The byte order in which multi-byte integers are stored in memory: little-endian (LSB first) or big-endian (MSB first).
RIP Register
RIP is the 64-bit x86-64 instruction pointer, holding the address of the next instruction and enabling position-independent RIP-relative addressing.
Stripped Binary
An executable from which the symbol table and debug information have been removed, making reverse engineering significantly harder.
Symbol Table
A section of a binary that maps function and variable names to their addresses, present in debug or non-stripped builds.
Relocation
The process of adjusting hardcoded addresses in a binary when it is loaded at a different base address than the one assumed at compile time.
Import Address Table (IAT)
A table inside a PE binary filled by the Windows loader with the runtime addresses of imported DLL functions.
RBP Register
RBP is the 64-bit x86-64 base/frame pointer, anchoring a stable reference to a function's stack frame for locals and arguments.
Original Entry Point (OEP)
The entry point of an executable before a packer or protector modified it — the address where the original code starts after unpacking.
Entry Point
The virtual address where the OS loader transfers control to a binary after loading it into memory.
ELF Format
Executable and Linkable Format — the standard binary file format on Linux and most Unix-like systems for executables, shared libraries, and object files.
RSP Register
RSP is the 64-bit x86-64 stack pointer, always pointing at the top of the current call stack and managed by push, pop, call, and ret.
PE Format
Portable Executable — the binary file format used by Windows executables (.exe, .dll, .sys) that defines headers, sections, and import tables.
Instruction Set Architecture (ISA)
The complete specification of a processor's instructions, registers, and addressing modes that software can rely on.
ABI
Application Binary Interface — the low-level contract covering calling conventions, data layout, and system call mechanics between compiled components.
RDI Register
RDI is the 64-bit x86-64 destination-index register, the destination pointer for string ops and the first function argument on System V.
Calling Convention
The agreed rules for how a function call passes arguments, returns values, and manages the stack and registers.
Heap
The region of memory used for dynamic allocations (malloc/new), managed by the runtime allocator rather than the CPU automatically.
RSI Register
RSI is the 64-bit x86-64 source-index register, used as the source pointer in string operations and as a function argument on System V.
Stack
A LIFO memory region that grows downward, used for return addresses, local variables, and saved registers during function calls.
Register
A small, ultra-fast storage location built directly into the CPU, used to hold operands, addresses, and CPU state during execution.
Operand
The argument(s) to an assembly instruction — the registers, memory addresses, or immediate values it acts upon.
Mnemonic
The short human-readable name for a CPU instruction, such as MOV, PUSH, or CALL, used in assembly language.
RDX Register
RDX is the 64-bit x86-64 data register, an argument register that also holds the high half of multiply and divide results.
Opcode
The numeric byte(s) in machine code that identify which operation the CPU should execute.
Debugger
A tool that lets an analyst pause, inspect, and modify a running process — the cornerstone of dynamic analysis.
Decompiler
A tool that attempts to reconstruct high-level source code (C, pseudocode) from compiled binary machine code.
RCX Register
RCX is the 64-bit x86-64 counter register, used for loop and shift counts and to pass function arguments in both major calling conventions.
Disassembler
A tool that converts raw binary machine code back into human-readable assembly language mnemonics.
RBX Register
RBX is a 64-bit x86-64 general-purpose register, traditionally a base pointer and a callee-saved register preserved across function calls.
RAX Register
RAX is the 64-bit x86-64 accumulator register, holding function return values and the implicit operand for many arithmetic instructions.