Pegasus trojan (2018 source-code leak) HTTP check-in. Decryption uses TARGET_BUILDCHAIN_HASH 0x7393c9a643eb4a76 as the seed.
<?php
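function hex_dump($data, $newline="\n")
{
    // Print $data as a classic hex dump, one line per $width bytes:
    //   <offset, 6 hex digits> : <bytes as lowercase hex pairs> [<printable ASCII, '.' for the rest>]
    // $data is treated as a binary string. An empty string -- or the `false` that
    // openssl_decrypt() returns on failure -- produces no output instead of a bogus
    // zero-offset line. Output goes straight to stdout via echo; nothing is returned.
    static $from = '';
    static $to = '';
    static $width = 16; # number of bytes per line
    static $pad = '.'; # padding for non-visible characters
    if ($from === '') {
        // Build the strtr() translation tables once per process: a byte maps to
        // itself when it is printable ASCII (0x20..0x7E), otherwise to $pad.
        for ($i = 0; $i <= 0xFF; $i++) {
            $from .= chr($i);
            $to .= ($i >= 0x20 && $i <= 0x7E) ? chr($i) : $pad;
        }
    }
    $data = (string)$data;
    if ($data === '') {
        return;
    }
    // Both splits use the same byte width, so $chars[$i] always pairs with $hex[$i].
    $hex = str_split(bin2hex($data), $width * 2);
    $chars = str_split(strtr($data, $from, $to), $width);
    $offset = 0;
    foreach ($hex as $i => $line) {
        echo sprintf('%6X', $offset) . ' : ' . implode(' ', str_split($line, 2)) . ' [' . $chars[$i] . ']' . $newline;
        $offset += $width;
    }
}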
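// Re-derive the check-in password: a Marsaglia multiply-with-carry (MWC) generator
// seeded from the two 32-bit halves of TARGET_BUILDCHAIN_HASH, stepped $len times,
// one keystream byte per step. The arithmetic is kept exactly as in the original
// script; it relies on 64-bit PHP integer semantics (ints do not wrap at 32 bits).
$g_k = '7393c9a643eb4a76';
$pwd = '';
$mask = ~( 0xFFFFFFFF << 16); // wipe sign extension
$k = unpack('Nm_w/Nm_z', pack("H*", $g_k)); // big-endian: first dword -> m_w, second -> m_z
$len = 164;
// signed int -> unsigned (unpack 'N' can come back negative on 32-bit builds)
$k['m_w'] = (float)sprintf('%u', $k['m_w']);
$k['m_z'] = (float)sprintf('%u', $k['m_z']);
while ($len) {
    $k['m_z'] = 36969 * ($k['m_z'] & 65535) + (($k['m_z'] >> 16) & $mask);
    $k['m_w'] = 18000 * ($k['m_w'] & 65535) + (($k['m_w'] >> 16) & $mask);
    // Only the low byte is kept, so the (m_z << 16) term never reaches the output;
    // m_z is still advanced to stay in step with the reference generator.
    $val = (($k['m_z'] << 16) + $k['m_w']) & 0xFF;
    $pwd .= chr($val);
    $len--;
}
// DES key material: raw SHA-1 of the keystream. SHA-1 yields 20 bytes while DES
// takes 8; how openssl_decrypt() handles the surplus is left to the extension --
// NOTE(review): confirm against the sample's own key derivation.
$key = sha1($pwd, TRUE);
// Save only encrypted file content from HTTP checking to .bin file
$file = "Pegasus_checking_encrypted.bin";
$encrypted = file_get_contents($file);
if ($encrypted === false) {
    throw new RuntimeException("Unable to open file!");
}
// OPENSSL_RAW_DATA: the .bin holds raw ciphertext, not base64. No IV is passed;
// if 'des' resolves to a CBC mode on this OpenSSL, PHP warns about the empty IV --
// NOTE(review): verify which DES mode the sample actually uses.
$clear = openssl_decrypt($encrypted, 'des', $key, OPENSSL_RAW_DATA);
if ($clear === false) {
    // Do not hand `false` to the dumper; surface the OpenSSL error instead.
    throw new RuntimeException('openssl_decrypt failed: ' . (openssl_error_string() ?: 'unknown error'));
}
hex_dump($clear); // hex_dump() echoes its output and returns nothing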
?>