Creating a new encoding schema for msf

[ShadowMaster]

Hi, guys. In my travels and adventures into the exciting world of pentesting, I've come across something I feel is cool. So here's the deal.
I've looked through the encoding tools in the msframework, those that were described in Metasploit: The Penetration Tester's Guide, and those that were described in Grey Hat Hacking...
What I've noticed is that they pretty much all follow the same standard: XOR against a key, with the final exploit looking like this:
encrypted shellcode->decryption loop->decrypted shellcode
The program decrypts itself then jumps to the new shellcode and runs.
All very nice and pretty. But...
This won't bypass systems using advanced IPS/IDS to monitor packets, and it also won't pass validation on a printable charset only lookup.
So, Hacking: A Guide to Exploitation gives a solution that I have yet to see implemented. Namely, self-building shellcode. Meaning, the shellcode builds itself using only printable chars.
Something like this: Since PUSH EAX, SUB EAX, and a few others all correspond to printable ASCII chars, we can zero out EAX, then subtract by way of rollover to get EAX to the instruction set we want, then push it to the stack. This usually only takes 3 SUB's for each 4 bytes to push to stack. By subtracting to the last four bytes of SC(shellcode) then pushing to stack, and moving on to the next four, until all is pushed to stack, we can bypass all those mentioned protection systems.
The next step would either be to SUB to 4 NOP's and PUSH EAX until the SC overwrites itself and slides down to the payload, or just to JMP to the actual payload immediately.
To set the actual subtraction to the correct only printable bytes usually doesn't take more than three instructions since the ascii charset can be used to subtract, obviously. Looking something like this:
SUB EAX,0x41434547 (f - D C B A or something very similar I hexdumped this from SUB EAX,0x41424344 compiled with NASM)
SUB EAX,0x...
SUB EAX,0x...
PUSH EAX (the last four bytes)

SUB EAX,0x...
SUB EAX,0x...
SUB EAX,0x...
PUSH EAX (the next four bytes)
until all the SC is written. All this being contained within a printable string.
What I want to do is write a metasploit module to take a given payload, and make it self-building.
What I want from the community is :
1)Advice.
I've never written a metasploit module, programmed in ruby, or done anything like this really. I want to know if it's a good idea, if it's implementable, and if people are interested.
2)Help
I'm willing to put in work, but I don't know enough to do this on my own. Please help, people.
3)Practical concerns
Will this work? What is the best way to implement it?
4)General suggestions and improvements
Self-explanatory

I understand that this may only be practical on non-exe(i.e. only standard network) exploits, but if it helps the success of even those, why not do it.
Let me know.

[ShadowMaster]

Yeah, to AND EAX x2 for each four bytes is a little stupid. So I actually don't want to do that. Since when EAX is originally zeroed out, and then SUB'ed to the proper value then pushed, we already know it's value, it's only a matter of figuring out which values to sub from the new EAX to get to the next four bytes. You should only have to zero it out once.
As for the tutorial, that technique is similar, but I want this more like a POC for non-SEH, ASLR etc protected things. When this works POC, then we would take it to the next level and make it work as a standard module with all the other goodies.

[ShadowMaster]

While I would love to get started and post updates, several problems remain. 1) I have not magically gained ruby programming knowledge in the last 72 hours. 2) I have not gained through any means, arcane or otherwise, a design for the module. 3) Sorcerous familiars have not been conjured to offer help with the design, implementation, and coding of the module. 4) I have not been granted any epiphanies in regards to the most practical way to do any of this. 5) Nobody has offered the help of his/her coven of hackers to assist me in this endeavor. I refer you back to my first post. I need help with this. So if people are willing to collaborate with me, then I would love to continue. Until then, we must wait with bated breath for willing volunteers.

[j1tsky]

Which language are you suggesting?

Im up for python.

[ShadowMaster]

We can start with a POC python module, but the end game is to port it directly into the MSF. For that it needs to be in ruby...
If people are interested, I'll use this thread to continue posting, and upload a script that'll figure out what to SUB from EAX based on EAX(current) to EAX(desired).

EDIT: Due to appearant lack of interest, I've scrapped this project and moved on to a more useful one.