INTRO
I'm trying to reverse engineer a binary data file containing SMS messages.
The file is named ems.idx4 and was created with a software named LG PhoneManager around 5 years ago as a backup archive of SMS messages for an LG mobile.
I don't know which language was used to write LG PhoneManager, but in the binary file I read strings like "CObTree", "CFolder", "CMessage": maybe this clue means nothing, maybe it suggests that Cobol/.net/whatever language was used.
PROBLEM
I decoded the entire structure of the binary file, which is quite plain though.
The only part I couldn't decode is the date and time of single messages.
I identified the binary part where date and time are encoded and I got a few decoded examples (thanks to the content of the message).
Binary data in hex:
[0x10] D0 74 C4 FE 3F 42 E3 40 F1 64 [0x7] 2 [0x13] 1 [0x6] 6C [0x2] is 2007/12/25 some time after 23:58 GMT+1
[0x10] 2B 25 CA 19 2F 43 E3 40 F1 64 [0x7] 2 [0x13] 1 [0x6] 6C [0x2] is 2008/01/02 some time after 10:48 GMT+1
[0x10] AA C0 2C 6E 35 43 E3 40 F1 64 [0x7] 2 [0x13] 1 [0x6] 6C [0x2] is 2008/01/02 some time after 16:03 GMT+1
[0x10] EE 04 71 F2 B6 43 E3 40 F1 64 [0x7] 2 [0x13] 1 [0x6] 6C [0x2] is 2008/01/06 some time after 14:31 GMT+1
[0x10] 60 2C F9 45 4E 4F E3 40 F1 64 [0x7] 2 [0x13] 1 [0x6] 6C [0x2] is 2008/04/08 some time after 10:32 GMT+1
[0x10] 5D 84 01 14 74 64 E3 40 F1 64 [0x7] 2 [0x13] 1 [0x6] 6C [0x2] is 2008/11/11 some time after 14:53 GMT+1
where [0xN] means a sequence of N zeros.
Any idea?
UPDATE
Using this tool: http://www.digital-detective.co.uk/freetools/decode.asp
I realized it is Windows 64 bit OLE date / time format.
According to that tool:
D0 74 C4 FE 3F 42 E3 40 means exactly 26/12/2007 00:59
Any idea what the math behind this Windows 64 bit OLE date / time format is?
Ok, I found my way!
The first 8 bytes after [0x10] are an OLE date in little endian hex.
I converted them to a regular datetime in python with:
    import datetime
    import math
    from struct import unpack


    def ole_date_bin_to_datetime(ole_date_bin):
        """
        Converts an OLE date from its binary form (8 bytes, little endian) to a datetime
        """
        # Conversion to OLE date float, where:
        # - integer part: days from epoch (1899/12/30 00:00)
        # - decimal part: fraction of the day, where 0.5 is midday
        date_float = unpack('<d', ole_date_bin)[0]
        date_decimal, date_integer = math.modf(date_float)
        date_decimal = abs(date_decimal)
        date_integer = int(date_integer)
        # Calculate the result
        res = datetime.datetime(1899, 12, 30) + datetime.timedelta(days=date_integer)  # adding days to epoch
        res = res + datetime.timedelta(seconds=86400 * date_decimal)  # adding fraction of the day
        return res


    if __name__ == "__main__":
        # bytes literal and print() so the script runs on Python 3
        print(ole_date_bin_to_datetime(b'\xd0\x74\xc4\xfe\x3f\x42\xe3\x40'))
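An added example, not part of the original post: it expands the first three sample records from the question's notation into raw bytes, reads the 8-byte little-endian double at offset 0x10 and decodes it as an OLE date, rejecting values that cannot be a date. The function names are hypothetical, and `[0xN]` is assumed to give the zero-run length in hexadecimal.

```python
import math
import re
import struct
from datetime import datetime, timedelta

OLE_EPOCH = datetime(1899, 12, 30)
DATE_OFFSET = 0x10  # assumption: the leading "[0x10]" run is 0x10 zero bytes

# First three records from the post, in its notation ("[0xN]" = run of zero bytes).
SAMPLES = [
    "[0x10] D0 74 C4 FE 3F 42 E3 40 F1 64 [0x7] 2 [0x13] 1 [0x6] 6C [0x2]",
    "[0x10] 2B 25 CA 19 2F 43 E3 40 F1 64 [0x7] 2 [0x13] 1 [0x6] 6C [0x2]",
    "[0x10] AA C0 2C 6E 35 43 E3 40 F1 64 [0x7] 2 [0x13] 1 [0x6] 6C [0x2]",
]

def expand_record(text):
    """Turn the post's notation into the raw bytes it stands for."""
    out = bytearray()
    for token in text.split():
        run = re.fullmatch(r"\[0x([0-9A-Fa-f]+)\]", token)
        if run:
            out += bytes(int(run.group(1), 16))  # run of zero bytes
        else:
            out.append(int(token, 16))           # single hex byte
    return bytes(out)

def ole_to_datetime(raw8):
    """Decode 8 little-endian bytes holding an OLE date (an IEEE 754 double)."""
    if len(raw8) != 8:
        raise ValueError("an OLE date is exactly 8 bytes")
    (value,) = struct.unpack("<d", raw8)
    if not math.isfinite(value):
        raise ValueError("NaN or infinity is not a date")
    days = math.trunc(value)
    day_fraction = abs(value - days)  # time of day counts forward even for negative dates
    try:
        return OLE_EPOCH + timedelta(days=days, seconds=86400 * day_fraction)
    except OverflowError:
        raise ValueError("value outside the datetime range") from None

def decode_record(text):
    """Extract and decode the date field of one record."""
    raw = expand_record(text)
    if len(raw) < DATE_OFFSET + 8:
        raise ValueError("record too short to hold a date")
    return ole_to_datetime(raw[DATE_OFFSET:DATE_OFFSET + 8])

if __name__ == "__main__":
    for sample in SAMPLES:
        print(decode_record(sample).isoformat(sep=" ", timespec="seconds"))
```

OLE dates carry no time zone, so the result is a naive datetime; the first record decodes to 2007-12-25 23:59:47.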