GET /api/techniques/87/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 87,
    "key": "disassembly-desynchronization",
    "unprotect_id": "U0207",
    "name": "Disassembly Desynchronization",
    "description": "Disassembly desynchronization is a technique that is used to prevent disassemblers from accurately reconstructing the original instructions of a program. It involves the creative use of instructions and data in a way that breaks the normal, predictable sequence of instructions in a program. This can cause disassemblers to become \"desynchronized\" and generate incorrect disassembly output.\r\n\r\nFor example, suppose a program contains the following instructions:\r\n\r\n```assembly\r\nmov eax, 0x12345678\r\nadd eax, 0x00000004\r\n```\r\n\r\nA disassembler that is working correctly would recognize these instructions and generate the following disassembly output:\r\n\r\n```assembly\r\n0x00000000: mov eax, 0x12345678\r\n0x00000005: add eax, 0x00000004\r\n```\r\n\r\nHowever, if the programmer uses disassembly desynchronization techniques, they could rearrange the instructions in the program in a way that breaks the normal sequence of instructions. For example, they could insert some \"garbage\" instructions or data between the `mov` and `add` instructions, like this:\r\n\r\n```assembly\r\nmov eax, 0x12345678\r\nnop\r\nnop\r\nnop\r\nnop\r\nadd eax, 0x00000004\r\n```\r\n\r\nIn this case, a disassembler that uses a simple, linear sweep algorithm might become \"desynchronized\" when it encounters the nop instructions and generate incorrect disassembly output. This can make it difficult for an analyst to understand the program's behavior and can also make it more difficult for other tools, such as debuggers, to accurately interpret the program.\r\n\r\nDisassembly desynchronization is a well-known anti-disassembly technique that is commonly used by malware authors and other attackers to make it more difficult to analyze and understand their programs. It can be used in conjunction with other anti-disassembly techniques, such as the call trick or the insertion of garbage bytes, to create even more effective obfuscation.",
    "resources": "https://github.com/yellowbyte/analysis-of-anti-analysis/blob/master/research/the_return_of_disassembly_desynchronization/the_return_of_disassembly_desynchronization.md",
    "creation_date": "2019-03-18T13:56:14Z",
    "tags": "Disassembly desynchronization,\r\nGarbage instructions,\r\nNOP slide,\r\nLinear sweep,\r\nRecursive traversal,\r\nDisassembly output,\r\nDisassembly accuracy,\r\nInstruction sequence,",
    "modification_date": "2023-10-04T10:44:39.272000Z",
    "category": [
        5
    ],
    "rules": [],
    "attachments": [],
    "featured_api": [],
    "contributors": []
}