Noted Sherlock

gitingua · January 25, 2024, 9:04pm

help
Noted Sherlock

What’s the timestamp in UTC when attacker last modified the program source file?

I don’t know. I’ll try all possible options. tell me where to look

afalfa · January 26, 2024, 3:20am

Stuck on the same question. Is LootAndPurge not the source file?

Sentinel · January 26, 2024, 3:33pm

were you able to figure it out like i have been banging my head now against the wall for this so any clue or direct answer would be helpfull

wise · January 26, 2024, 8:33pm

I am also stuck here.

Sentinel · January 27, 2024, 10:50am

here is the code for the answere
import datetime

These are the two parts of the timestamp

timestamp_low = -1354503710
timestamp_high = 31047188

Combine the two parts to get the full timestamp

full_timestamp = (timestamp_high << 32) | (timestamp_low & 0xFFFFFFFF)

The timestamp is in 100-nanosecond intervals since January 1, 1601

Convert it to seconds and then to a datetime object

timestamp_seconds = full_timestamp / 10**7
timestamp = datetime.datetime(1601, 1, 1) + datetime.timedelta(seconds=timestamp_seconds)

print(timestamp)

afalfa · January 27, 2024, 6:52pm

■■■■, I had the right idea at least. I tried converting the high and low into an 18-digit LDAP timestamp, but didn’t get the right answer. The rest of the questions were dead simple in comparison lol. Thanks for sharing Sentinel.

(What I tired unsuccessfully):
high = 31047188 (from originalFileLastModifTimestampHigh)
low = -1354503710 = -X (so X = 1354503710) (from originalFileLastModifTimestamp)
2^32 = 4294967296
full value = high * 2^32 + (2^32 - X) = 31047188 * 4294967296 + (4294967296 - 1354503710).

SpaceMoehre · January 31, 2024, 1:28pm

pastebin seems down atm and the wayback machine didnt copy the note… any idea where else it could be found?

Faelian · February 2, 2024, 8:32pm

Thanks, I don’t think I would have get it without your help.

bl4ckf0xy.cx · February 7, 2024, 4:47am

need help with this, i do not understand what is << or | or this & 0xFFFFFFFF on the equation can some one explain it, thanks

Sentinel · February 7, 2024, 5:18am

this is used to combine or merge the lower bits and higher bits of the timestamp. The note pad session has divided the timestamp in to two separate variable because of its size and that is the trick here

bl4ckf0xy.cx · February 7, 2024, 5:23am

thanks Sentinel, i think i m doing something wrong here, i got the value 2018-07-24 14:56:51 but it is not possible that date, its 5 year later,i’ll try to figure out this one

Sentinel · February 7, 2024, 5:37am

good honestly you just have to execute the code on python to get the answer no need to change anything I think

bl4ckf0xy.cx · February 7, 2024, 5:51am

solved thanks Sentinel

Topic		Replies	Views
Official Coder Discussion Machines	96	7004	August 17, 2024
Fragility- Sherlock labs Machines machines	47	2010	January 22, 2025
Heartbreaker-Continuum Sherlocks Machines	14	685	November 23, 2024
Official Timelapse Discussion Machines	270	22997	December 26, 2023
Official TrueSecrets Discussion Challenges	26	4336	November 3, 2023

Noted Sherlock

These are the two parts of the timestamp

Combine the two parts to get the full timestamp

The timestamp is in 100-nanosecond intervals since January 1, 1601

Convert it to seconds and then to a datetime object

Related topics