You guess the length of the last block (or iterate over possible lengths with trials of the attack). When you know it, you can easily predict the MD padding at the end of the hash to fill in the block. That fake padding (our code calls it "glue padding") actually ends up in the forged message; for instance, if you're signing URLs, you'll see it as gibberish in the middle of the URL. In practice, most code does not care about the gibberish "glue" bytes.