gchq / CyberChef

The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis
https://gchq.github.io/CyberChef
Apache License 2.0
29.41k stars 3.29k forks

Operation request: struct.unpack as in Python #1333

Open patatetom opened 2 years ago

patatetom commented 2 years ago

Summary

hi,

Is there a way with CyberChef to do like in Python with struct.unpack ?

I have a 16 characters string (128 bits) that breaks down as follows : yymmDDddHHMMSSss. yy is the year, mm is the month, DD is the day of the week, dd is the day, HH is the hour, MM is the minutes, SS is the seconds and ss is the milliseconds (yes, it's a Windows SystemTime reg_binary value in registry ;-)).

with this string placed in the data variable, I convert/format the date as follows with Python: print(datetime.datetime(*struct.unpack('HHxHHHHH', binascii.unhexlify(data))))

if it is possible, how to do the conversion with CyberChef ?

regards, lacsaP.

mt3571 commented 2 years ago

Thanks for your question! I believe the From Binary followed by the Parse DateTime operation would give the conversion you want.

patatetom commented 2 years ago

hi,

I didn't manage to do it with the two tools proposed. however, I am getting close to the desired result with this recipe :

[
  { "op": "Subsection", "args": ["([0-9A-F]{2},?[0-9A-F]{2},?)", false, true, false] },
  { "op": "Swap endianness", "args": ["Hex", 4, false] },
  { "op": "From Base", "args": [16] },
  { "op": "Find / Replace", "args": [{ "option": "Regex", "string": "$" }, "-", false, false, false, false] },
  { "op": "Translate DateTime Format",
    "args": ["Standard date and time", "YYYY-MM----DD-hh-mm-ss----", "UTC", "YYYY/MM/DD hh:mm:ss", "UTC"],
    "disabled": true }
]

I get this 2022-3-1-21-22-32-58-291- with the following entries E6,07,03,00,01,00,15,00,16,00,20,00,3A,00,23,01 (original) and E607030001001500160020003A002301 (modified, eg. without comma). the last operation is disabled because I can't get it out of the subsection and it doesn't produce the expected result, namely 2022/03/21 22:32:58.

regards, lacsaP.

patatetom commented 2 years ago

{ "op": "Translate DateTime Format", "args": ["Standard date and time", "YYYY-M-D-D-H-m-s", "UTC", "YYYY/MM/DD HH:mm:ss", "UTC"] } produces the right result on the chain 2022-3-1-21-22-32-58-291- but not inside/with the subsection.
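
For reference, a Python decoder for the SYSTEMTIME value discussed in this thread, added here as an example and not code from any participant or from CyberChef. It assumes the value is eight little-endian 16-bit words; the function names `parse_systemtime` and `check_day_of_week` are hypothetical, and the sample inputs are the two strings quoted above.

```python
import struct
from datetime import datetime

# SYSTEMTIME layout: eight little-endian 16-bit words (16 bytes total).
FIELDS = ("year", "month", "day_of_week", "day",
          "hour", "minute", "second", "milliseconds")


def parse_systemtime(text):
    """Decode a SYSTEMTIME REG_BINARY value given as hex, with or without commas."""
    cleaned = "".join(ch for ch in text if ch not in ", \t\r\n")
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError(f"not a hex string: {text!r}") from exc
    if len(raw) != 16:
        raise ValueError(f"SYSTEMTIME is 16 bytes, got {len(raw)}")
    # "<8H" pins the byte order and disables native alignment padding,
    # so all eight fields are read explicitly on any host.
    f = dict(zip(FIELDS, struct.unpack("<8H", raw)))
    # datetime() range-checks every field and raises ValueError on bad data.
    # Its last argument is microseconds, so milliseconds are scaled by 1000.
    stamp = datetime(f["year"], f["month"], f["day"], f["hour"],
                     f["minute"], f["second"], f["milliseconds"] * 1000)
    return stamp, f["day_of_week"]


def check_day_of_week(stamp, day_of_week):
    """SYSTEMTIME counts Sunday as 0; datetime.isoweekday() counts Sunday as 7."""
    return stamp.isoweekday() % 7 == day_of_week


if __name__ == "__main__":
    # The two inputs quoted in the thread (with and without commas).
    for sample in ("E6,07,03,00,01,00,15,00,16,00,20,00,3A,00,23,01",
                   "E607030001001500160020003A002301"):
        stamp, dow = parse_systemtime(sample)
        print(stamp.strftime("%Y/%m/%d %H:%M:%S"), stamp.microsecond // 1000,
              "weekday ok" if check_day_of_week(stamp, dow) else "weekday mismatch")
```

A stored day-of-week that disagrees with the decoded date is a cheap consistency check when the value comes from an untrusted or possibly edited registry hive.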