Disassembly Desynchronization

Created the Monday 18 March 2019. Updated 1 year, 9 months ago.

Disassembly desynchronization is a technique that is used to prevent disassemblers from accurately reconstructing the original instructions of a program. It involves the creative use of instructions and data in a way that breaks the normal, predictable sequence of instructions in a program. This can cause disassemblers to become "desynchronized" and generate incorrect disassembly output.

For example, suppose a program contains the following instructions:

mov eax, 0x12345678
add eax, 0x00000004

A disassembler that is working correctly would recognize these instructions and generate the following disassembly output:

0x00000000: mov eax, 0x12345678
0x00000004: add eax, 0x00000004

However, if the programmer uses disassembly desynchronization techniques, they could rearrange the instructions in the program in a way that breaks the normal sequence of instructions. For example, they could insert some "garbage" instructions or data between the mov and add instructions, like this:

mov eax, 0x12345678
nop
nop
nop
nop
add eax, 0x00000004

In this case, a disassembler that uses a simple, linear sweep algorithm might become "desynchronized" when it encounters the nop instructions and generate incorrect disassembly output. This can make it difficult for an analyst to understand the program's behavior and can also make it more difficult for other tools, such as debuggers, to accurately interpret the program.

Disassembly desynchronization is a well-known anti-disassembly technique that is commonly used by malware authors and other attackers to make it more difficult to analyze and understand their programs. It can be used in conjunction with other anti-disassembly techniques, such as the call trick or the insertion of garbage bytes, to create even more effective and powerful exploits.

Technique Identifier

U0207

Technique Tags

Disassembly desynchronization Garbage instructions NOP slide Linear sweep Recursive traversal Disassembly output Disassembly accuracy Instruction sequence

Code Snippets

Description

This code contains the original instructions mov eax, 0x12345678 and add eax, 0x00000004, but it also includes some "garbage" instructions (the nop instructions) between these two instructions. This breaks the normal sequence of instructions and can cause a disassembler to generate incorrect disassembly output.

#include <stdio.h>

int main() {
    // Original instructions
    __asm__("mov eax, 0x12345678\n"
            "add eax, 0x00000004\n");

    // "Garbage" instructions that break the normal sequence of instructions
    __asm__("nop\n"
            "nop\n"
            "nop\n"
            "nop\n");

    // More original instructions
    __asm__("mov ebx, 0x87654321\n"
            "sub ebx, 0x00000004\n");

    return 0;
}

About Author Open Snippet

Author: Unprotect / Target Platform: Windows

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

analysis-of-anti-analysis/the_return_of_disassembly_desynchronization.md at master · yellowbyte/analysis-of-anti-analysis · GitHub