Uninformed: Informative Information for the Uninformed

Vol 5» 2006.Sep


With all the encoding cruft out of the way, the final method that needs to be overridden is encode_end. In this method, the state.context attribute is appended to the state.encoded. The purpose of the state.context attribute is to hold all of the encoded data blocks that are created over the course of encoding each block. The state.encoded attribute is the actual decoder including the stub header, the decode transformations, and finally, the encoded data blocks.

def encode_end(state)
   state.encoded += state.context

Once encoding completes, the result might be a disassembly that looks something like this:

$ echo -ne "\x42\x20\x80\x78\xcc\xcc\xcc\xcc"  | \
  ./msfencode -e x86/avoid_utf8_tolower -t raw | \
  ndisasm -u -
[*] x86/avoid_utf8_tolower succeeded, final size 47

00000000  6A02              push byte +0x2
00000002  6B3C240B          imul edi,[esp],byte +0xb
00000006  60                pusha
00000007  030C24            add ecx,[esp]
0000000A  6A11              push byte +0x11
0000000C  030C24            add ecx,[esp]
0000000F  6A04              push byte +0x4
00000011  683C0C190D        push dword 0xd190c3c
00000016  5F                pop edi
00000017  0139              add [ecx],edi
00000019  030C24            add ecx,[esp]
0000001C  68696A6060        push dword 0x60606a69
00000021  5F                pop edi
00000022  0139              add [ecx],edi
00000024  030C24            add ecx,[esp]
00000027  06                push es
00000028  1467              adc al,0x67
0000002A  6B63626C          imul esp,[ebx+0x62],byte +0x6c
0000002E  6C                insb