Welcome to the fifth installment in our Shellcode Signature Series—a collection of posts that disassemble shellcode and obfuscation techniques and write signatures to detect them. The fourth encoder we’ll explore in this series is Metasploit’s Zutto Dekiru payload encoder.
When looking through the code of Zutto Dekiru, it’s clear that it borrows many of Shikata Ga Nai’s techniques with a few modifications. Zutto Dekiru is the more robust of the two publicly available x64 encoders, and it provides a nice template from which other encoder authors can draw inspiration.