Decrypts the HTTP check-in payload of the Pegasus trojan from the 2018 source-code leak. The DES key is derived from TARGET_BUILDCHAIN_HASH 0x7393c9a643eb4a76 (a multiply-with-carry keystream seeded with the hash, then hashed with SHA-1).
<?php | |
/**
 * Echo a hex dump of $data: one row per 16 bytes, formatted as
 * "<offset> : <hex bytes> [<printable text>]" followed by $newline.
 *
 * Bytes outside the printable ASCII range 0x20..0x7E are shown as '.' in the
 * text column. Output goes straight to stdout; nothing is returned.
 *
 * @param string $data    raw bytes to dump
 * @param string $newline terminator appended after every row
 * @return void
 */
function hex_dump($data, $newline="\n")
{
    $bytes_per_row = 16;
    $filler = '.';

    // Text column: same length as the input, non-printable bytes replaced.
    // No 'u' modifier on purpose: the input is arbitrary binary, matched byte-wise.
    $text = preg_replace('/[^\x20-\x7E]/', $filler, $data);

    $hex_rows  = str_split(bin2hex($data), $bytes_per_row * 2);
    $text_rows = str_split($text, $bytes_per_row);

    foreach ($hex_rows as $row => $hex) {
        $offset = $row * $bytes_per_row;
        $spaced = implode(' ', str_split($hex, 2));   // "41 42 43 ..."
        printf('%6X : %s [%s]%s', $offset, $spaced, $text_rows[$row], $newline);
    }
}
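/**
 * Generate $len bytes of the implant's password keystream from the 64-bit
 * build-chain hash using Marsaglia's multiply-with-carry (MWC) recurrence.
 *
 * The hash is split big-endian into two 32-bit lags, m_w (upper half) and
 * m_z (lower half). Each step advances both and emits the low byte of
 * (m_z << 16) + m_w -- which is just m_w & 0xFF, since the m_z term has no
 * bits below 16. m_z is still advanced so the recurrence stays faithful to
 * the original implementation.
 *
 * @param string $seed_hex the 64-bit hash as exactly 16 hex characters
 * @param int    $len      number of keystream bytes wanted (0 or less gives '')
 * @return string          $len raw bytes
 * @throws InvalidArgumentException if $seed_hex is not 16 hex characters
 */
function mwc_keystream($seed_hex, $len)
{
    // pack('H*') on a malformed seed would silently yield a short string and
    // unpack() would then fail; reject bad input up front instead.
    if (!preg_match('/^[0-9a-fA-F]{16}$/', $seed_hex)) {
        throw new InvalidArgumentException('seed must be exactly 16 hex characters');
    }
    $lags = unpack('Nm_w/Nm_z', pack('H*', $seed_hex));
    $m_w = $lags['m_w'];
    $m_z = $lags['m_z'];
    // 'N' is unsigned, but on 32-bit PHP a value >= 2^31 arrives sign-extended;
    // lift it back into the unsigned range (it becomes a float there, exact below 2^53).
    if ($m_w < 0) { $m_w += 2 ** 32; }
    if ($m_z < 0) { $m_z += 2 ** 32; }

    $out = '';
    for ($i = 0; $i < $len; $i++) {
        // MWC step: multiplier * low 16 bits + carry (high 16 bits). The & 0xFFFF on
        // the carry guards against sign extension when the shift operates on a
        // negative int (32-bit PHP); on 64-bit PHP the state never leaves 32 bits,
        // so the mask is a no-op there. (The original computed this mask as
        // ~(0xFFFFFFFF << 16), which is not 0xFFFF on 64-bit PHP; use the plain constant.)
        $m_z = 36969 * ($m_z & 0xFFFF) + (($m_z >> 16) & 0xFFFF);
        $m_w = 18000 * ($m_w & 0xFFFF) + (($m_w >> 16) & 0xFFFF);
        $out .= chr((($m_z << 16) + $m_w) & 0xFF);
    }
    return $out;
}

$g_k = '7393c9a643eb4a76';   // TARGET_BUILDCHAIN_HASH from the leaked source
$len = 164;                  // password length expected by the implant
$pwd = mwc_keystream($g_k, $len);
// DES key material: raw (binary) SHA-1 of the 164-byte password, 20 bytes.
$key = sha1($pwd, TRUE);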
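// Decrypt the saved check-in body. The .bin file must hold only the raw
// ciphertext (no HTTP headers) as captured from the wire.
$cipher_file = 'Pegasus_checking_encrypted.bin';
$encrypted = file_get_contents($cipher_file);
if ($encrypted === false) {
    die("Unable to open file!\n");
}
if ($encrypted === '') {
    die("$cipher_file is empty\n");
}

// The original passed no IV, which PHP zero-fills (with a warning); pass the
// zero IV explicitly so the assumption is visible. The 20-byte SHA-1 digest is
// longer than DES's 8-byte key; OpenSSL is expected to use only the first
// 8 bytes -- NOTE(review): confirm against the implant's own key setup.
$iv = str_repeat("\0", 8);
$clear = openssl_decrypt($encrypted, 'des', $key, OPENSSL_RAW_DATA, $iv);
if ($clear === false) {
    // Typical causes: wrong key / corrupted ciphertext (PKCS#7 padding check
    // fails), or single DES being unavailable -- OpenSSL 3 ships it only in
    // the legacy provider, so a modern PHP build may not offer 'des' at all.
    die('Decryption failed: ' . openssl_error_string()
        . " (single DES needs OpenSSL's legacy provider on OpenSSL 3)\n");
}
// hex_dump() echoes its output itself and returns nothing; no echo needed.
hex_dump($clear);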
?> |