超级加密,就是不用软件给三菱PLC加密,而是给非法的寄存器写入值,你就读不到程序。
这个是我在三菱FX1S的PLC无数次实验,加密可以成功,这个有详细的过程讲解和简单的协议分析,知道这个的加密过程,逆向解密不是不可能的,大家都发表一下自己的看法与意见,高手就不要见笑,希望高手指正错误,三菱FX1N 2N的协议有所不同,只要弄懂我给你这么详细的解密过程,那是也可以的,这个就需要大家共同学习,讨论。3U 3G也需要大家来分析和捣鼓,不要那种衣来伸手,饭来张口哦,这种人你看了这帖子,也是白看,要反复的研究和琢磨。高手就不要扔砖头和臭鸡蛋,需要大家献上鲜花支持哦。
加密过程如下,说了这么多的废话,上主题:
第一次打开串口
[00000000] IOCTL_SERIAL_SET_BAUD_RATE Baud Rate: 9600 (此处设置波特率)
[00000000] IOCTL_SERIAL_SET_LINE_CONTROL StopBits: 1, Parity: Even, DataBits: 7(通讯格式)
[00000001] IRP_MJ_WRITE Length: 0001, Data: 02 ( "STX"通讯起始符02H)
[00000001] IRP_MJ_WRITE Length: 0005, Data: 37 32 35 30 46(此处CMD的置位指令37H,32 35 30 46及是要置位的地址‘250F’操作位元件的)
[00000001] IRP_MJ_WRITE Length: 0001, Data: 03 (此处是終,及到这里结束的意思代码‘03H’)
[00000001] IRP_MJ_WRITE Length: 0002, Data: 31 37 (校验和,从37H到此处的03H的和,如果有溢出,取最后两位)
[00000008] IRP_MJ_WRITE Length: 0001, Data: 02 ( "STX"通讯起始符02H)
[00000008] IRP_MJ_WRITE Length: 0005, Data: 37 32 35 30 46(此处CMD的置位指令37H,32 35 30 46及是要置位的地址‘250F’
[00000008] IRP_MJ_WRITE Length: 0001, Data: 03 (此处是終,及到这里结束的意思代码‘03H’)
[00000008] IRP_MJ_WRITE Length: 0002, Data: 31 37 (校验和,从37H到此处的03H的和,如果有溢出,取最后两位)
[00000015] IRP_MJ_WRITE Length: 0001, Data: 02 ( "STX"通讯起始符02H)
[00000015] IRP_MJ_WRITE Length: 0011, Data: 31 38 30 30 30 30 32 30 30 30 30 (此处的CMD功能码31H,就是写入数据,38 30 30 30就是写入数据的首地址‘8000’30 32就是写入的操作位数这里是2位 那就是一个双字,30 30 30 30就是这个双字的数据为'0'
[00000015] IRP_MJ_WRITE Length: 0001, Data: 03 (此处是終,及到这里结束的意思代码‘03H’)
[00000016] IRP_MJ_WRITE Length: 0002, Data: 31 45 (校验和,从37H到此处的03H的和,如果有溢出,取最后两位)
[00000022] IRP_MJ_WRITE Length: 0001, Data: 02 ( "STX"通讯起始符02H)
[00000022] IRP_MJ_WRITE Length: 0011, Data: 31 38 30 30 30 30 32 30 30 30 30 (此处的CMD功能码31H,就是写入数据,38 30 30 30就是写入数据的首地址‘8000’30 32就是写入的操作位数这里是2位 那就是一个双字,30 30 30 30就是这个双字的数据为'0'
[00000023] IRP_MJ_WRITE Length: 0001, Data: 03 (此处是終,及到这里结束的意思代码‘03H’)
[00000023] IRP_MJ_WRITE Length: 0002, Data: 31 45 (校验和,从37H到此处的03H的和,如果有溢出,取最后两位)
[00000030] IRP_MJ_CLOSE Port Closed 关闭串口
第二次打开串口
[00000000] IOCTL_SERIAL_SET_BAUD_RATE Baud Rate: 9600
[00000000] IOCTL_SERIAL_SET_LINE_CONTROL StopBits: 1, Parity: Even, DataBits: 7
[00000000] IRP_MJ_WRITE Length: 0001, Data: 02 ( "STX"通讯起始符02H)
[00000000] IRP_MJ_WRITE Length: 0005, Data: 38 32 35 30 46 (此处CMD的复位指令38H,32 35 30 46及是要复位的地址‘250F’操作位元件的,这里把刚刚置位的205F的地址复位了)
[00000001] IRP_MJ_WRITE Length: 0001, Data: 03 (此处是終,及到这里结束的意思代码‘03H’)
[00000001] IRP_MJ_WRITE Length: 0002, Data: 31 38 (校验和,从37H到此处的03H的和,如果有溢出,取最后两位)
[00000007] IRP_MJ_WRITE Length: 0001, Data: 02 ( "STX"通讯起始符02H)
[00000007] IRP_MJ_WRITE Length: 0005, Data: 38 32 35 30 46 (此处CMD的复位指令38H,32 35 30 46及是要复位的地址‘250F’操作位元件的,这里把刚刚置位的250F的地址复位了)
[00000008] IRP_MJ_WRITE Length: 0001, Data: 03 (此处是終,及到这里结束的意思代码‘03H’)
[00000008] IRP_MJ_WRITE Length: 0002, Data: 31 38 (校验和,从37H到此处的03H的和,如果有溢出,取最后两位)
[00000010] IRP_MJ_CLOSE Port Closed
这个是我在三菱FX1S的PLC无数次实验,加密可以成功,这个有详细的过程讲解和简单的协议分析,知道这个的加密过程,逆向解密不是不可能的,大家都发表一下自己的看法与意见,高手就不要见笑,希望高手指正错误,三菱FX1N 2N的协议有所不同,只要弄懂我给你这么详细的解密过程,那是也可以的,这个就需要大家共同学习,讨论。3U 3G也需要大家来分析和捣鼓,不要那种衣来伸手,饭来张口哦,这种人你看了这帖子,也是白看,要反复的研究和琢磨。高手就不要扔砖头和臭鸡蛋,需要大家献上鲜花支持哦。
加密过程如下,说了这么多的废话,上主题:
第一次打开串口
[00000000] IOCTL_SERIAL_SET_BAUD_RATE Baud Rate: 9600 (此处设置波特率)
[00000000] IOCTL_SERIAL_SET_LINE_CONTROL StopBits: 1, Parity: Even, DataBits: 7(通讯格式)
[00000001] IRP_MJ_WRITE Length: 0001, Data: 02 ( "STX"通讯起始符02H)
[00000001] IRP_MJ_WRITE Length: 0005, Data: 37 32 35 30 46(此处CMD的置位指令37H,32 35 30 46及是要置位的地址‘250F’操作位元件的)
[00000001] IRP_MJ_WRITE Length: 0001, Data: 03 (此处是終,及到这里结束的意思代码‘03H’)
[00000001] IRP_MJ_WRITE Length: 0002, Data: 31 37 (校验和,从37H到此处的03H的和,如果有溢出,取最后两位)
[00000008] IRP_MJ_WRITE Length: 0001, Data: 02 ( "STX"通讯起始符02H)
[00000008] IRP_MJ_WRITE Length: 0005, Data: 37 32 35 30 46(此处CMD的置位指令37H,32 35 30 46及是要置位的地址‘250F’
[00000008] IRP_MJ_WRITE Length: 0001, Data: 03 (此处是終,及到这里结束的意思代码‘03H’)
[00000008] IRP_MJ_WRITE Length: 0002, Data: 31 37 (校验和,从37H到此处的03H的和,如果有溢出,取最后两位)
[00000015] IRP_MJ_WRITE Length: 0001, Data: 02 ( "STX"通讯起始符02H)
[00000015] IRP_MJ_WRITE Length: 0011, Data: 31 38 30 30 30 30 32 30 30 30 30 (此处的CMD功能码31H,就是写入数据,38 30 30 30就是写入数据的首地址‘8000’30 32就是写入的操作位数这里是2位 那就是一个双字,30 30 30 30就是这个双字的数据为'0'
[00000015] IRP_MJ_WRITE Length: 0001, Data: 03 (此处是終,及到这里结束的意思代码‘03H’)
[00000016] IRP_MJ_WRITE Length: 0002, Data: 31 45 (校验和,从37H到此处的03H的和,如果有溢出,取最后两位)
[00000022] IRP_MJ_WRITE Length: 0001, Data: 02 ( "STX"通讯起始符02H)
[00000022] IRP_MJ_WRITE Length: 0011, Data: 31 38 30 30 30 30 32 30 30 30 30 (此处的CMD功能码31H,就是写入数据,38 30 30 30就是写入数据的首地址‘8000’30 32就是写入的操作位数这里是2位 那就是一个双字,30 30 30 30就是这个双字的数据为'0'
[00000023] IRP_MJ_WRITE Length: 0001, Data: 03 (此处是終,及到这里结束的意思代码‘03H’)
[00000023] IRP_MJ_WRITE Length: 0002, Data: 31 45 (校验和,从37H到此处的03H的和,如果有溢出,取最后两位)
[00000030] IRP_MJ_CLOSE Port Closed 关闭串口
第二次打开串口
[00000000] IOCTL_SERIAL_SET_BAUD_RATE Baud Rate: 9600
[00000000] IOCTL_SERIAL_SET_LINE_CONTROL StopBits: 1, Parity: Even, DataBits: 7
[00000000] IRP_MJ_WRITE Length: 0001, Data: 02 ( "STX"通讯起始符02H)
[00000000] IRP_MJ_WRITE Length: 0005, Data: 38 32 35 30 46 (此处CMD的复位指令38H,32 35 30 46及是要复位的地址‘250F’操作位元件的,这里把刚刚置位的205F的地址复位了)
[00000001] IRP_MJ_WRITE Length: 0001, Data: 03 (此处是終,及到这里结束的意思代码‘03H’)
[00000001] IRP_MJ_WRITE Length: 0002, Data: 31 38 (校验和,从37H到此处的03H的和,如果有溢出,取最后两位)
[00000007] IRP_MJ_WRITE Length: 0001, Data: 02 ( "STX"通讯起始符02H)
[00000007] IRP_MJ_WRITE Length: 0005, Data: 38 32 35 30 46 (此处CMD的复位指令38H,32 35 30 46及是要复位的地址‘250F’操作位元件的,这里把刚刚置位的250F的地址复位了)
[00000008] IRP_MJ_WRITE Length: 0001, Data: 03 (此处是終,及到这里结束的意思代码‘03H’)
[00000008] IRP_MJ_WRITE Length: 0002, Data: 31 38 (校验和,从37H到此处的03H的和,如果有溢出,取最后两位)
[00000010] IRP_MJ_CLOSE Port Closed
