@kirillwow
kirillwow / Pegasus_mailslot_decrypt.py
Created July 23, 2018 11:50
Pegasus trojan from 2018 source code leak: SMB Mailslot credentials broadcasting.
import struct
import hashlib
_SERIALIZED_CREDS_BUFFER_LEN = 22
def decrypt_envelop(xored):
    dwKey = struct.unpack("<I", xored[:4])[0]
    print "dwKey: %08x" % dwKey
@kirillwow
kirillwow / Pegasus_checkin_decrypt.php
Created July 23, 2018 11:49
Pegasus trojan from 2018 source code leak: HTTP check-in. Decryption uses TARGET_BUILDCHAIN_HASH 0x7393c9a643eb4a76
<?php
function hex_dump($data, $newline="\n")
{
    static $from = '';
    static $to = '';
    static $width = 16; # number of bytes per line
    static $pad = '.'; # padding for non-visible characters