Skip to content
Reverse Engineering

Glossary

RSP Register

RSP is the 64-bit x86-64 stack pointer, always pointing at the top of the current call stack and managed by push, pop, call, and ret.

RSP is the 64-bit stack pointer in the x86-64 architecture, the extension of ESP. It always holds the address of the top of the current stack, which on x86 grows downward toward lower addresses. The CPU updates RSP automatically: push subtracts 8 and stores, pop loads and adds 8, call pushes the return address, and ret pops it.

RSP is not an argument or return register in any convention, and it is implicitly preserved — every function is expected to leave it exactly as it found it. Both the System V AMD64 ABI and the Microsoft x64 ABI require 16-byte stack alignment at the point of a call, and Windows additionally mandates 32 bytes of "shadow space" reserved by the caller.

Mechanics

asm
push rbp             ; RSP -= 8, store old rbp
mov  rbp, rsp        ; frame pointer = current top
sub  rsp, 0x20       ; reserve 32 bytes of locals
; ... function body ...
leave                ; mov rsp, rbp ; pop rbp
ret                  ; pop return address into RIP

Its sub-registers esp, sp, and spl exist but are almost never used directly, since touching the stack pointer narrowly would corrupt alignment.

Why it matters in reverse engineering

RSP is your anchor for reading the stack: locals, spilled registers, and stack-passed arguments are all addressed relative to it (or to RBP). Tracking sub rsp, N reveals a frame's size, and a mismatched RSP at ret is a classic sign of stack corruption or an exploit.

See the general register concept and the assembly reference. Stack-layout differences are discussed in x86 vs x64 assembly. It works alongside the RBP register, the optional frame pointer.