Pegasus trojan (2018 source-code leak) HTTP check-in decryption. The key is derived from TARGET_BUILDCHAIN_HASH 0x7393c9a643eb4a76.
<?php | |
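/**
 * Print a classic hex dump of $data to stdout.
 *
 * Each row shows a 6-character upper-case hex offset, the row's bytes as
 * two-digit lower-case hex groups, and the row rendered as printable ASCII
 * in brackets (bytes outside 0x20-0x7E are replaced by '.').
 *
 * Nothing is returned; the caller must not `echo` the result.
 *
 * @param string $data     raw bytes to dump; empty input prints nothing
 * @param string $newline  row terminator appended after every row
 * @param int    $width    bytes per row (default 16, must be >= 1)
 *
 * @throws InvalidArgumentException when $width is smaller than 1
 */
function hex_dump(string $data, string $newline = "\n", int $width = 16): void
{
    static $from = '';
    static $to = '';
    $pad = '.'; // stand-in for bytes that are not printable ASCII

    if ($width < 1) {
        throw new InvalidArgumentException('hex_dump(): $width must be at least 1');
    }

    // str_split('') returns [''] before PHP 8.2 and [] from 8.2 on; without
    // this guard empty input would print one bogus row on older interpreters.
    if ($data === '') {
        return;
    }

    // Build the byte -> printable-ASCII translation table once per process.
    if ($from === '') {
        for ($byte = 0; $byte <= 0xFF; $byte++) {
            $from .= chr($byte);
            $to .= ($byte >= 0x20 && $byte <= 0x7E) ? chr($byte) : $pad;
        }
    }

    // bin2hex doubles the length, so both arrays have the same row count.
    $hexRows = str_split(bin2hex($data), $width * 2);
    $asciiRows = str_split(strtr($data, $from, $to), $width);

    foreach ($hexRows as $row => $hexRow) {
        echo sprintf('%6X', $row * $width)
            . ' : ' . implode(' ', str_split($hexRow, 2))
            . ' [' . $asciiRows[$row] . ']' . $newline;
    }
}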
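// Build-chain hash of the analysed sample (TARGET_BUILDCHAIN_HASH), 8 bytes as hex.
const PEGASUS_BUILDCHAIN_HASH = '7393c9a643eb4a76';
// Number of generator bytes the sample feeds into SHA-1 (value taken from the original script).
const PEGASUS_KEYSTREAM_LEN = 164;
// Raw encrypted body of the HTTP check-in, saved from the capture beforehand.
const PEGASUS_CAPTURE_FILE = 'Pegasus_checking_encrypted.bin';

/**
 * Expand the build-chain hash into the pseudo-random byte stream the sample
 * derives its session key from.
 *
 * The hash is read as two big-endian 32-bit words (m_w, m_z) that seed a
 * multiply-with-carry style generator (constants 36969 / 18000); the low byte
 * of each generator output is appended to the stream. Because the seed is a
 * per-build constant, every check-in of a build shares the same key, which is
 * what makes offline decryption of a capture possible.
 *
 * @param string $buildchainHash exactly 16 hex characters, big-endian word order
 * @param int    $length         number of stream bytes to produce
 * @return string binary stream of exactly $length bytes
 *
 * @throws InvalidArgumentException when the hash is not 16 hex characters or $length < 0
 */
function pegasus_keystream(string $buildchainHash, int $length): string
{
    if (preg_match('/^[0-9a-fA-F]{16}$/', $buildchainHash) !== 1) {
        throw new InvalidArgumentException('build-chain hash must be 16 hex characters');
    }
    if ($length < 0) {
        throw new InvalidArgumentException('keystream length must not be negative');
    }

    ['m_w' => $w, 'm_z' => $z] = unpack('Nm_w/Nm_z', pack('H*', $buildchainHash));

    // unpack('N') yields signed ints on 32-bit PHP; '%u' re-reads them as
    // unsigned. On 64-bit PHP the words are already non-negative, so this
    // only turns them into (exact) floats — kept to match the original script.
    $w = (float) sprintf('%u', $w);
    $z = (float) sprintf('%u', $z);

    // Kept from the original ("wipe sign extension"). The generator state stays
    // below 2^32, so the shifted carry is below 2^16 and the mask leaves it intact.
    $mask = ~(0xFFFFFFFF << 16);

    $stream = '';
    for ($i = 0; $i < $length; $i++) {
        $z = 36969 * ($z & 65535) + (($z >> 16) & $mask);
        $w = 18000 * ($w & 65535) + (($w >> 16) & $mask);
        $stream .= chr((($z << 16) + $w) & 0xFF);
    }

    return $stream;
}

$pwd = pegasus_keystream(PEGASUS_BUILDCHAIN_HASH, PEGASUS_KEYSTREAM_LEN);

// The sample hashes the whole stream; OpenSSL's 'des' only consumes the first
// 8 bytes of the 20-byte digest as the key.
$key = sha1($pwd, true);

// file_get_contents replaces fopen/filesize/fread: fread() with length 0
// throws a ValueError on PHP 8, so an empty capture file used to crash here.
$encrypted = is_readable(PEGASUS_CAPTURE_FILE) ? file_get_contents(PEGASUS_CAPTURE_FILE) : false;
if ($encrypted === false) {
    fwrite(STDERR, "Unable to open file!\n");
    exit(1);
}

// 'des' resolves to OpenSSL's single-DES CBC; OPENSSL_RAW_DATA (= 1) means the
// input is raw bytes, not base64. No IV is passed, so PHP falls back to an
// all-zero IV (and warns about it) — this mirrors the original script and the
// sample's own protocol, it is not a choice made here.
$clear = openssl_decrypt($encrypted, 'des', $key, OPENSSL_RAW_DATA);
if ($clear === false) {
    // Wrong key/seed or a truncated capture shows up as a padding failure here.
    fwrite(STDERR, 'Decryption failed: ' . (openssl_error_string() ?: 'unknown error') . "\n");
    exit(1);
}

// hex_dump() prints and returns void; the original `echo hex_dump(...)` echoed null.
hex_dump($clear);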
?> |