<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Schich</title>
    <description>The latest articles on DEV Community by Schich (@schich).</description>
    <link>https://dev.to/schich</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4030858%2Fb52a19dd-868c-4ff2-8ca9-891f7620240d.png</url>
      <title>DEV Community: Schich</title>
      <link>https://dev.to/schich</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/schich"/>
    <language>en</language>
    <item>
      <title>A stealthy and efficient way for Just In Time payload decryption</title>
      <dc:creator>Schich</dc:creator>
      <pubDate>Wed, 15 Jul 2026 18:00:56 +0000</pubDate>
      <link>https://dev.to/schich/a-stealthy-and-efficient-way-for-just-in-time-payload-decryption-3e0o</link>
      <guid>https://dev.to/schich/a-stealthy-and-efficient-way-for-just-in-time-payload-decryption-3e0o</guid>
      <description>&lt;p&gt;I found A way to implement Just in time decryption into my stager project for redteaming. All just in time decryptors I found either decrypted the payload instruction after instruction (which is incredibly slow) or completely in total at start of payload execution (which gives basically no benefit). &lt;br&gt;
Lucky-Spark decrypts a sliding windows of memory pages to keep performance high and still provide protection against memory detection and reverse engineering.&lt;br&gt;
I want to share my code here to maybe help you with your pentest or readteaming project or to show you how to encrypt your "legitimate" project to secure your intellectual property.&lt;/p&gt;

&lt;p&gt;The project is not vibe coded and can be found here: &lt;/p&gt;


&lt;div class="ltag-github-readme-tag"&gt;
  &lt;div class="readme-overview"&gt;
    &lt;h2&gt;
      &lt;img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"&gt;
      &lt;a href="https://github.com/Schich" rel="noopener noreferrer"&gt;
        Schich
      &lt;/a&gt; / &lt;a href="https://github.com/Schich/Lucky-Spark" rel="noopener noreferrer"&gt;
        Lucky-Spark
      &lt;/a&gt;
    &lt;/h2&gt;
    &lt;h3&gt;
      A stealthy stager designed for shellcode payloads staged with http/https like Sliver, or on github raw.
    &lt;/h3&gt;
  &lt;/div&gt;
  &lt;div class="ltag-github-body"&gt;
    
&lt;div id="readme" class="md"&gt;&lt;div class="markdown-heading"&gt;
&lt;h1 class="heading-element"&gt;LUCKY-SPARK&lt;/h1&gt;
&lt;/div&gt;
&lt;p&gt;⟪ &lt;strong&gt;LUCKY-SPARK&lt;/strong&gt; ⟫ is a stager designed for shellcode payloads staged with http/https like sliver or on github raw. It uses modern obfuscation and evaion methods like sliding window just-in-time decryption of the payload and cpu instruction patching
By default it creates an executable masquarading as the filezilla ftp client.&lt;/p&gt;

&lt;div class="markdown-heading"&gt;
&lt;h2 class="heading-element"&gt;Features&lt;/h2&gt;
&lt;/div&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Staged Sliver Payload Loader&lt;/strong&gt;  Downloads and executes a Sliver payload from a specified server.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;JIT Shellcode Decryption&lt;/strong&gt;  Decrypts only a sliding windows of the payload to minimise exposure.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Fiber-based Execution&lt;/strong&gt;  Runs shellcode within fibers for improved stealth and complicating analysis.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Dynamic API Resolution&lt;/strong&gt;  Suspicious or detection-prone Windows API functions are dynamically loaded at runtime.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;String Obfuscation&lt;/strong&gt;  Sensitive strings (e.g., URLs, user agents) are encrypted using an &lt;strong&gt;affine cipher&lt;/strong&gt; and stored obfuscated in the compiled binary.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Cpu instruction patching&lt;/strong&gt;  The aes cpu instructions re hidden behind unsuspicious cpu instructions like pmulqd and patched after execution.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Automatic Disguise&lt;/strong&gt;  EXE is…&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;
  &lt;/div&gt;
  &lt;div class="gh-btn-container"&gt;&lt;a class="gh-btn" href="https://github.com/Schich/Lucky-Spark" rel="noopener noreferrer"&gt;View on GitHub&lt;/a&gt;&lt;/div&gt;
&lt;/div&gt;


</description>
      <category>pentest</category>
      <category>crypto</category>
      <category>cybersecurity</category>
      <category>showdev</category>
    </item>
  </channel>
</rss>
