/Pegasus_checkin_decrypt.php
Created Jul 23, 2018
Pegasus trojan from 2018 source code leak HTTP check-in. Decryption goes using TARGET_BUILDCHAIN_HASH 0x7393c9a643eb4a76
| <?php | |
| function hex_dump($data, $newline="\n") | |
| { | |
| static $from = ''; | |
| static $to = ''; | |
| static $width = 16; # number of bytes per line | |
| static $pad = '.'; # padding for non-visible characters | |
| if ($from==='') | |
| { | |
| for ($i=0; $i<=0xFF; $i++) | |
| { | |
| $from .= chr($i); | |
| $to .= ($i >= 0x20 && $i <= 0x7E) ? chr($i) : $pad; | |
| } | |
| } | |
| $hex = str_split(bin2hex($data), $width*2); | |
| $chars = str_split(strtr($data, $from, $to), $width); | |
| $offset = 0; | |
| foreach ($hex as $i => $line) | |
| { | |
| echo sprintf('%6X',$offset).' : '.implode(' ', str_split($line,2)) . ' [' . $chars[$i] . ']' . $newline; | |
| $offset += $width; | |
| } | |
| } | |
| $g_k = '7393c9a643eb4a76'; | |
| $pwd = ''; | |
| $mask = ~( 0xFFFFFFFF << 16); // wipe sign extension | |
| $k = unpack('Nm_w/Nm_z', pack("H*", $g_k)); | |
| $len = 164; | |
| // signed int -> unsigned | |
| $k['m_w'] = (float)sprintf('%u', $k['m_w']); | |
| $k['m_z'] = (float)sprintf('%u', $k['m_z']); | |
| while ($len) { | |
| $k['m_z'] = 36969 * ($k['m_z'] & 65535) + (($k['m_z'] >> 16) & $mask); | |
| $k['m_w'] = 18000 * ($k['m_w'] & 65535) + (($k['m_w'] >> 16) & $mask); | |
| $val = (($k['m_z'] << 16) + $k['m_w']) & 0xFF; | |
| $pwd .= chr($val); | |
| $len--; | |
| } | |
| $key = sha1($pwd, TRUE); | |
| // Save only encrypted file content from HTTP checking to .bin file | |
| $myfile = fopen("Pegasus_checking_encrypted.bin", "rb") or die("Unable to open file!"); | |
| $encrypted = fread($myfile,filesize("Pegasus_checking_encrypted.bin")); | |
| fclose($myfile); | |
| $clear = openssl_decrypt($encrypted, 'des', $key, 1); | |
| echo hex_dump($clear); | |
| ?> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment