Summary

hi,

Is there a way with CyberChef to do like in Python with struct.unpack ?

I have a 16 characters string (128 bits) that breaks down as follows : yymmDDddHHMMSSss.
yy is the year, mm is the month, DD is the day of the week, dd is the day, HH is the hour, MM is the minutes, SS is the seconds and ss is the milliseconds (yes, it's a Windows SystemTime reg_binary value in registry ;-)).

with this string placed in the data variable, I convert/format the date as follows with Python :
print(datetime.datetime(*struct.unpack('HHxHHHHH', binascii.unhexelify(data))))

if it is possible, how to do the conversion with CyberChef ?

regards, lacsaP.

Thanks for your question! I believe the From Binary followed by the Parse DateTime operation would give the conversion you want

hi,

I didn't manage to do it with the two tools proposed.
however, I am getting close to the desired result with this recipe :

[
  { "op": "Subsection", "args": ["([0-9A-F]{2},?[0-9A-F]{2},?)", false, true, false] },
  { "op": "Swap endianness", "args": ["Hex", 4, false] },
  { "op": "From Base", "args": [16] },
  { "op": "Find / Replace", "args": [{ "option": "Regex", "string": "$" }, "-", false, false, false, false] },
  { "op": "Translate DateTime Format",
    "args": ["Standard date and time", "YYYY-MM----DD-hh-mm-ss----", "UTC", "YYYY/MM/DD hh:mm:ss", "UTC"],
    "disabled": true }
]

I get this 2022-3-1-21-22-32-58-291- with the following entries E6,07,03,00,01,00,15,00,16,00,20,00,3A,00,23,01 (original) and E607030001001500160020003A002301 (modified, eg. without comma).
the last operation is disabled because I can't get it out of the subsection and it doesn't produce the expected result, namely 2022/03/21 22:32:58.

regards, lacsaP.

{ "op": "Translate DateTime Format", "args": ["Standard date and time", "YYYY-M-D-D-H-m-s", "UTC", "YYYY/MM/DD HH:mm:ss", "UTC"] } produces the right result on the chain 2022-3-1-21-22-32-58-291- but not inside/with the subsection.