← Glossary

Reverse Engineering Glossary

Reading code that was built to resist reading — how obfuscation works, why every layer is reversible, and the techniques used to recover the original logic.

How Does Deobfuscation Work?

Deobfuscation is the process of turning deliberately unreadable code back into something a human can read and reason about.

How Do You Devirtualize an Obfuscated JavaScript VM?

Devirtualization is the process of recovering a readable program from JavaScript that has been compiled into a tiny interpreter — a virtual machine — bundled inside the script itse.

What Is Lua Bytecode Virtualization?

Lua bytecode virtualization is an obfuscation technique that replaces Lua's standard virtual machine with a custom, secret one, so the compiled script can only be run by an interpr.

What Are Common Lua Obfuscation Techniques?

Lua obfuscation is the practice of rewriting a script so it still runs identically but actively resists reverse-engineering tools, ranging from cheap constant-hiding tricks up to f.

What Is Dual-VM Lua Obfuscation?

Dual-VM Lua obfuscation runs your program through two stacked virtual machines - a deserialization VM that decodes an encrypted blob into an instruction stream, and a "real" VM tha.

What Is a Deserialization VM?

A deserialization VM is the outer virtual machine in a stacked virtualizer that turns an encrypted data blob into the instruction stream the real VM executes, while enforcing anti-.

What Is Polymorphic (Self-Modifying) Bytecode?

Polymorphic bytecode is virtual-machine code that rewrites its own instructions at runtime before executing them, so the statically dumped instruction stream is intentionally misle.

What Is Dynamic IAT Resolution (Import Hashing)?

Dynamic IAT resolution (import hashing) is an anti-analysis technique where a binary hides which OS APIs it uses by resolving them at runtime from numeric hashes instead of listing.

How Do You Instrument a Browser to Study Anti-Bot Scripts?

Instrumenting a browser means adding observation points so you can watch exactly which APIs a page calls -- which is how researchers study fingerprinting and anti-bot scripts.

Why Can't a Browser Extension Hook Page JavaScript?

A browser extension content script runs in an "isolated world" -- a separate JavaScript execution context that shares the DOM with the page but has its own global object.

What Is Page.addScriptToEvaluateOnNewDocument?

addScriptToEvaluateOnNewDocument is a Chrome DevTools Protocol (CDP) command that registers JavaScript to run in the page's own context immediately after a document is created, bef.

Why Do JS Hooks Miss Out-of-Process Iframes (OOPIF)?

An out-of-process iframe (OOPIF) is a cross-origin frame that Chromium runs in its own renderer process, with its own isolated JavaScript context.

How Does toString() Reveal a Hooked Function?

Calling toString() on a native browser function returns a fixed marker -- "function name() { [native code] }" -- while a JavaScript wrapper returns its actual source code.

What Is Engine-Level (Blink) Browser Instrumentation?

Engine-level instrumentation means adding observation points inside the browser's C++ rendering engine (Blink), below the JavaScript layer, instead of patching functions in JavaScr.