Pegasus trojan from 2018 source code leak HTTP check-in. Decryption goes using TARGET_BUILDCHAIN_HASH 0x7393c9a643eb4a76

## Pegasus_checkin_decrypt.php
<?php

    function hex_dump($data, $newline="\n")
    {
      static $from = '';
      static $to = '';

      static $width = 16; # number of bytes per line

      static $pad = '.'; # padding for non-visible characters

      if ($from==='')
      {
        for ($i=0; $i<=0xFF; $i++)
        {
          $from .= chr($i);
          $to .= ($i >= 0x20 && $i <= 0x7E) ? chr($i) : $pad;
        }
      }

      $hex = str_split(bin2hex($data), $width*2);
      $chars = str_split(strtr($data, $from, $to), $width);

      $offset = 0;
      foreach ($hex as $i => $line)
      {
        echo sprintf('%6X',$offset).' : '.implode(' ', str_split($line,2)) . ' [' . $chars[$i] . ']' . $newline;
        $offset += $width;
      }
    }

    $g_k = '7393c9a643eb4a76';

    $pwd = '';

    $mask = ~( 0xFFFFFFFF << 16);   // wipe sign extension

    $k = unpack('Nm_w/Nm_z', pack("H*", $g_k));
    $len = 164;

    // signed int -> unsigned
    $k['m_w'] = (float)sprintf('%u', $k['m_w']);
    $k['m_z'] = (float)sprintf('%u', $k['m_z']);

    while ($len) {
        $k['m_z'] = 36969 * ($k['m_z'] & 65535) + (($k['m_z'] >> 16) & $mask);
        $k['m_w'] = 18000 * ($k['m_w'] & 65535) + (($k['m_w'] >> 16) & $mask);

        $val = (($k['m_z'] << 16) + $k['m_w']) & 0xFF;

        $pwd .= chr($val);

        $len--;
    }


    $key = sha1($pwd, TRUE);
    // Save only encrypted file content from HTTP checking to .bin file
    $myfile = fopen("Pegasus_checking_encrypted.bin", "rb") or die("Unable to open file!");
    $encrypted = fread($myfile,filesize("Pegasus_checking_encrypted.bin"));
    fclose($myfile);

    $clear = openssl_decrypt($encrypted, 'des', $key, 1);
    echo hex_dump($clear);


?>
	<?php

	function hex_dump($data, $newline="\n")
	{
	static $from = '';
	static $to = '';

	static $width = 16; # number of bytes per line

	static $pad = '.'; # padding for non-visible characters

	if ($from==='')
	{
	for ($i=0; $i<=0xFF; $i++)
	{
	$from .= chr($i);
	$to .= ($i >= 0x20 && $i <= 0x7E) ? chr($i) : $pad;
	}
	}

	$hex = str_split(bin2hex($data), $width*2);
	$chars = str_split(strtr($data, $from, $to), $width);

	$offset = 0;
	foreach ($hex as $i => $line)
	{
	echo sprintf('%6X',$offset).' : '.implode(' ', str_split($line,2)) . ' [' . $chars[$i] . ']' . $newline;
	$offset += $width;
	}
	}

	$g_k = '7393c9a643eb4a76';

	$pwd = '';

	$mask = ~( 0xFFFFFFFF << 16); // wipe sign extension

	$k = unpack('Nm_w/Nm_z', pack("H*", $g_k));
	$len = 164;

	// signed int -> unsigned
	$k['m_w'] = (float)sprintf('%u', $k['m_w']);
	$k['m_z'] = (float)sprintf('%u', $k['m_z']);

	while ($len) {
	$k['m_z'] = 36969 * ($k['m_z'] & 65535) + (($k['m_z'] >> 16) & $mask);
	$k['m_w'] = 18000 * ($k['m_w'] & 65535) + (($k['m_w'] >> 16) & $mask);

	$val = (($k['m_z'] << 16) + $k['m_w']) & 0xFF;

	$pwd .= chr($val);

	$len--;
	}


	$key = sha1($pwd, TRUE);
	// Save only encrypted file content from HTTP checking to .bin file
	$myfile = fopen("Pegasus_checking_encrypted.bin", "rb") or die("Unable to open file!");
	$encrypted = fread($myfile,filesize("Pegasus_checking_encrypted.bin"));
	fclose($myfile);

	$clear = openssl_decrypt($encrypted, 'des', $key, 1);
	echo hex_dump($clear);


	?>