Pegasus trojan from 2018 source code leak HTTP check-in. Decryption goes using TARGET_BUILDCHAIN_HASH 0x7393c9a643eb4a76

Pegasus_checkin_decrypt.php

<?php

    function hex_dump($data, $newline="\n")
    {
      static $from = '';
      static $to = '';

      static $width = 16; # number of bytes per line

      static $pad = '.'; # padding for non-visible characters

      if ($from==='')
      {
        for ($i=0; $i<=0xFF; $i++)
        {
          $from .= chr($i);
          $to .= ($i >= 0x20 && $i <= 0x7E) ? chr($i) : $pad;
        }
      }

      $hex = str_split(bin2hex($data), $width*2);
      $chars = str_split(strtr($data, $from, $to), $width);

      $offset = 0;
      foreach ($hex as $i => $line)
      {
        echo sprintf('%6X',$offset).' : '.implode(' ', str_split($line,2)) . ' [' . $chars[$i] . ']' . $newline;
        $offset += $width;
      }
    }

    $g_k = '7393c9a643eb4a76';
    
    $pwd = '';
    
    $mask = ~( 0xFFFFFFFF << 16);   // wipe sign extension
    
    $k = unpack('Nm_w/Nm_z', pack("H*", $g_k));
    $len = 164;
    
    // signed int -> unsigned
    $k['m_w'] = (float)sprintf('%u', $k['m_w']);
    $k['m_z'] = (float)sprintf('%u', $k['m_z']);
    
    while ($len) {
        $k['m_z'] = 36969 * ($k['m_z'] & 65535) + (($k['m_z'] >> 16) & $mask);  
        $k['m_w'] = 18000 * ($k['m_w'] & 65535) + (($k['m_w'] >> 16) & $mask);  
        
        $val = (($k['m_z'] << 16) + $k['m_w']) & 0xFF;
        
        $pwd .= chr($val);
        
        $len--;
    }
    
    
    $key = sha1($pwd, TRUE);
    // Save only encrypted file content from HTTP checking to .bin file
    $myfile = fopen("Pegasus_checking_encrypted.bin", "rb") or die("Unable to open file!");
    $encrypted = fread($myfile,filesize("Pegasus_checking_encrypted.bin"));
    fclose($myfile);
    
    $clear = openssl_decrypt($encrypted, 'des', $key, 1);
    echo hex_dump($clear);


?>