This blog is the sixth installment of our Shellcode Signature Series, where we disassemble shellcode and obfuscation techniques and write signatures to detect them. In this post, we will be looking at the x86_jmp_call_additive payload encoder that is found within Metasploit. The encoder itself is one of the older encoders in Metasploit, but it uses a novel approach to rotate an XOR key that can be helpful to understand from a defender's perspective.
Understanding the x86 Jmp Call Additive Encoder
The x86 Jmp Call Additive encoder contains a statically generated decoding stub, with a substitution for the key and payload. This is a great encoder for a beginning reverse engineer to study since it is not as complex as an encoder like Zutto Dekiru.
The primary logic of the module is contained within the init function as shown in the Ruby source: