TimeDate stamp in Property Edit
Posted: 04 Nov 2010 01:51
Hello Maël!
I hope you won't mind my posting a non-HxD question here.
I'm not a programmer, but just a self-taught computer hardware/software hobbyist, and I've enjoyed trying out your HxD Hex Editor and your Property Edit program. I've even started a small list of questions and suggestions re HxD (and maybe re Property Edit) that I hope to post at some point, but that file is on another computer which is down right now with a failed motherboard.
I've been trying to learn a bit about various programming and computer forensic issues, and in particular have been looking at various date formats/encodings. I noticed that Property Edit will reveal a PE Header TimeDate stamp which, if I understand correctly, usually represents when the executable was compiled. I've also been playing around with Digital Detective's DCode v4.02a (Nov 2, 2009) to check various TimeDate stamps. Recently, for example, I used both Property Edit and DCode to clarify the version, or at least the compilation TimeDate, of another developer's updated executable that still showed the same internal versioning information as the previous version.
However, as I was looking at this, I happened to use Property Edit to look at the Property Edit v2.5.0.0 executable itself (PropEdit.exe, md5=c53c32d441799600d516bca9e2e95ea6, sha1=1fa0e81c8237e9095f83f595d1772a440a10f8f4) and found a TimeDate stamp of 708992537, which as near as I can figure doesn't correspond to any TimeDate stamp format included with DCode, or any other I can discover.
More specifically, the PropEdit.exe Modified TimeDate stamp inside the ZIP file downloaded from your site is the file is Thu, Jul 12 2007 01.57.42pm PDT (local time) on my system or Thu, Jul 12 2007 20.57.42pm UTC (not, BTW, Jan 26, 2005 as indicated on your webpage ). The PropEdit.exe PE Header TimeDate stamp as revealed in Property Edit (708992537) probably most resembles a Unix Epoch format, but that format converts to Fri, 19 Jun 1992 22.22.17 UTC, which makes no sense, nor do any of the other conversions I've attempted.
Here's a summary of the results for all the TimeDate formats included in DCode (presented as code so I could get the columns to line up, and including my own local time in addition to UTC, which I hope doesn't confuse things):
As you can see, none of the format conversions are remotely close to the PropEdit.exe July 12, 2007 Modified date. I'm sure there's a simple answer to this puzzle (e.g., Delphi uses yet another TimeDate stamp I haven,t been able to discover, or PropEdit.exe was compiled on a machine with an inaccurate system date, or...???), but I've run into a dead-end trying to figure it out myself... ...So I thought I'd ask you if you might be able to clarify it for me.
While I'm at it, I might also ask if you know of any good resources for getting a good overview of all the PEInfo Property Edit reveals.
I will very much appreciate any help or guidance you're able to offer!
Thanks!
I hope you won't mind my posting a non-HxD question here.
I'm not a programmer, but just a self-taught computer hardware/software hobbyist, and I've enjoyed trying out your HxD Hex Editor and your Property Edit program. I've even started a small list of questions and suggestions re HxD (and maybe re Property Edit) that I hope to post at some point, but that file is on another computer which is down right now with a failed motherboard.
I've been trying to learn a bit about various programming and computer forensic issues, and in particular have been looking at various date formats/encodings. I noticed that Property Edit will reveal a PE Header TimeDate stamp which, if I understand correctly, usually represents when the executable was compiled. I've also been playing around with Digital Detective's DCode v4.02a (Nov 2, 2009) to check various TimeDate stamps. Recently, for example, I used both Property Edit and DCode to clarify the version, or at least the compilation TimeDate, of another developer's updated executable that still showed the same internal versioning information as the previous version.
However, as I was looking at this, I happened to use Property Edit to look at the Property Edit v2.5.0.0 executable itself (PropEdit.exe, md5=c53c32d441799600d516bca9e2e95ea6, sha1=1fa0e81c8237e9095f83f595d1772a440a10f8f4) and found a TimeDate stamp of 708992537, which as near as I can figure doesn't correspond to any TimeDate stamp format included with DCode, or any other I can discover.
More specifically, the PropEdit.exe Modified TimeDate stamp inside the ZIP file downloaded from your site is the file is Thu, Jul 12 2007 01.57.42pm PDT (local time) on my system or Thu, Jul 12 2007 20.57.42pm UTC (not, BTW, Jan 26, 2005 as indicated on your webpage ). The PropEdit.exe PE Header TimeDate stamp as revealed in Property Edit (708992537) probably most resembles a Unix Epoch format, but that format converts to Fri, 19 Jun 1992 22.22.17 UTC, which makes no sense, nor do any of the other conversions I've attempted.
Here's a summary of the results for all the TimeDate formats included in DCode (presented as code so I could get the columns to line up, and including my own local time in addition to UTC, which I hope doesn't confuse things):
Code: Select all
PropEdit.exe (708992537)
Modified Thu, Jul 12 2007 01.57.42pm Local PDT
Format DCodeExample Modified Thu, Jul 12 2007 20.57.42pm UTC
====== ============ ==============================================
Win 64bit Hex LE FF03D2315FE1C701 Invalid
Win 64bit Hex BE 01C7E15F31D202FF Invalid
Win Cookie (Lo,Hi) 1713586176,30212469 Invalid
Win Filetime CD4E55C3:01C7DD3E Invalid
Win OLR (64bit Double) FBE8DF975D3FE340 Invalid
Win 128bit SYSTEM Structure D9070B00010002000600090013000000 Invalid
Unix 32bit Hex LE A2C3B446 Sat, 07 Jun 2014 03.39.28 UTC
...or: Fri, 06 Jun 2014 20.39.28 -0700
Unix 32bit Hex BE 46C3B400 Tue, 30 Oct 2029 14.14.43 UTC
...or: Tue, 30 Oct 2029 07.14.43 -0700
Unix Numeric 1170245478 Fri, 19 Jun 1992 22.22.17 UTC
...or: Fri, 19 Jun 1992 15.22.17 -0700
Unix Millisecond 1176469232719 Invalid
Google Chrome 12883423549317375 Invalid
MAC Absolute 219216022 Tue, 20 Jun 2023 22.22.17 UTC
...or: Tue, 20 Jun 2023 15.22.17 -0700
DOS 32bit Hex 3561A436 Sat, 18 Dec 2021 17.11.32 Local
DOS wFatDate wFatTime A4363561 Mon, 16 Nov 2048 10.28.36 Local
HFS 32bit Hex LE CD4E55C3 Sun, 06 Jun 1948 03.39.28 Local
HFS 32bit Hex BE C3554ECD Wed, 30 Oct 1963 14.14.43 Local
HFS+ 32bit Hex LE CD4E55C3 Sun, 06 Jun 1948 03.39.28 UTC
...or: Sat, 05 Jun 1948 20.39.28 -0700
HFS+ 32bit Hex BE C3554ECD Wed, 30 Oct 1963 14.14.43 UTC
...or: Wed, 30 Oct 1963 07.14.43 -0700
While I'm at it, I might also ask if you know of any good resources for getting a good overview of all the PEInfo Property Edit reveals.
I will very much appreciate any help or guidance you're able to offer!
Thanks!