三菱FX3U PLC解密軟件開發(fā)敘述

發(fā)布時間：2024-08-21

對于三菱plc大家都很熟悉了，而fx2n的密碼破解應(yīng)該大家都會了，在返回的數(shù)據(jù)中都能找到密碼，密碼是在軟件里比較的，而fx3u就不同了，fx3u有兩段密碼，看下圖：
第1段密就和fx2n的一樣，加的是明碼，第2段就不一樣了，密碼加上后都變了，算法也完全變了，但在網(wǎng)上有高手能做到直讀密碼，我們被fx3u這種plc的強大功能所吸引，對三菱plc大家都用習慣了，覺的用起來順手，在整個工控行業(yè)中用的比例很大，所以對破解這款plc產(chǎn)生的濃厚的性趣，fx3u有的可以2個口編程，一個是我們通常用的圓口，還有個可以擴展個232接口，我先試圓口，通過串口軟件監(jiān)控的數(shù)椐，以下是我調(diào)試監(jiān)控的數(shù)據(jù)。
#timefunctiondata(hex)
1[00000000]irp_mj_createportopened-gppw.exe
2[00000000]ioctl_serial_set_baud_ratebaudrate:115200
3[00000000]ioctl_serial_set_line_controlstopbits:1,parity:even,databits:7
4[00000001]irp_mj_writelength:0001,data:05
5[00000002]irp_mj_readlength:0001,data:06
6[00000002]irp_mj_writelength:0011,data:0230304530323032033643
7[00000003]irp_mj_readlength:0001,data:02
8[00000003]irp_mj_readlength:0001,data:42
9[00000003]irp_mj_readlength:0001,data:31
10[00000003]irp_mj_readlength:0001,data:35
11[00000003]irp_mj_readlength:0001,data:45
12[00000003]irp_mj_readlength:0001,data:03
13[00000003]irp_mj_readlength:0001,data:46
14[00000003]irp_mj_readlength:0001,data:30
15[00000004]irp_mj_writelength:0011,data:0230304543413032033845
16[00000004]irp_mj_readlength:0001,data:02
17[00000004]irp_mj_readlength:0001,data:37
18[00000004]irp_mj_readlength:0001,data:31
19[00000004]irp_mj_readlength:0001,data:33
20[00000004]irp_mj_readlength:0001,data:46
21[00000004]irp_mj_readlength:0001,data:03
22[00000004]irp_mj_readlength:0001,data:45
23[00000004]irp_mj_readlength:0001,data:34
24[00000005]irp_mj_writelength:0011,data:0230304530323032033643
25[00000006]irp_mj_readlength:0001,data:02
26[00000006]irp_mj_readlength:0001,data:42
27[00000006]irp_mj_readlength:0001,data:31
28[00000006]irp_mj_readlength:0001,data:35
29[00000006]irp_mj_readlength:0001,data:45
30[00000006]irp_mj_readlength:0001,data:03
31[00000006]irp_mj_readlength:0001,data:46
32[00000006]irp_mj_readlength:0001,data:30
33[00000006]irp_mj_writelength:0011,data:0230304543413032033845
34[00000007]irp_mj_readlength:0001,data:02
35[00000007]irp_mj_readlength:0001,data:37
36[00000007]irp_mj_readlength:0001,data:31
37[00000007]irp_mj_readlength:0001,data:33
38[00000007]irp_mj_readlength:0001,data:46
39[00000007]irp_mj_readlength:0001,data:03
40[00000007]irp_mj_readlength:0001,data:45
41[00000007]irp_mj_readlength:0001,data:34
42[00000015]irp_mj_closeportclosed
6、上述從串口監(jiān)控到的數(shù)據(jù)是十六進制的數(shù)據(jù)，還真不好看，先轉(zhuǎn)換成asc碼，就好看多了。
#timefunctiondata(string)
1[00000000]irp_mj_createportopened-gppw.exe
2[00000000]ioctl_serial_set_baud_ratebaudrate:115200
3[00000000]ioctl_serial_set_line_controlstopbits:1,parity:even,databits:7
4[00000001]irp_mj_writelength:0001,data:
5[00000002]irp_mj_readlength:0001,data:
6[00000002]irp_mj_writelength:0011,data:00e02026c
7[00000003]irp_mj_readlength:0001,data:
8[00000003]irp_mj_readlength:0001,data:b
9[00000003]irp_mj_readlength:0001,data:1
10[00000003]irp_mj_readlength:0001,data:5
11[00000003]irp_mj_readlength:0001,data:e
12[00000003]irp_mj_readlength:0001,data:
13[00000003]irp_mj_readlength:0001,data:f
14[00000003]irp_mj_readlength:0001,data:0
15[00000004]irp_mj_writelength:0011,data:00eca028e
16[00000004]irp_mj_readlength:0001,data:
17[00000004]irp_mj_readlength:0001,data:7
18[00000004]irp_mj_readlength:0001,data:1
19[00000004]irp_mj_readlength:0001,data:3
20[00000004]irp_mj_readlength:0001,data:f
21[00000004]irp_mj_readlength:0001,data:
22[00000004]irp_mj_readlength:0001,data:e
23[00000004]irp_mj_readlength:0001,data:4
24[00000005]irp_mj_writelength:0011,data:00e02026c
25[00000006]irp_mj_readlength:0001,data:
26[00000006]irp_mj_readlength:0001,data:b
27[00000006]irp_mj_readlength:0001,data:1
28[00000006]irp_mj_readlength:0001,data:5
29[00000006]irp_mj_readlength:0001,data:e
30[00000006]irp_mj_readlength:0001,data:
31[00000006]irp_mj_readlength:0001,data:f
32[00000006]irp_mj_readlength:0001,data:0
33[00000006]irp_mj_writelength:0011,data:00eca028e
34[00000007]irp_mj_readlength:0001,data:
35[00000007]irp_mj_readlength:0001,data:7
36[00000007]irp_mj_readlength:0001,data:1
37[00000007]irp_mj_readlength:0001,data:3
38[00000007]irp_mj_readlength:0001,data:f
39[00000007]irp_mj_readlength:0001,data:
40[00000007]irp_mj_readlength:0001,data:e
41[00000007]irp_mj_readlength:0001,data:4
42[00000015]irp_mj_closeportclosed
電腦發(fā)：00e0202’查詢d8001的值
plc回：b15e‘回復(fù)為5eb1，回復(fù)的數(shù)據(jù)高位在后、低位在前，所以要對調(diào)個位，
5eb1轉(zhuǎn)為10進數(shù)據(jù)值為：24241，24表示plc型號fx2n或3u，241表示版本號，
電腦發(fā)：00eca02碼’查詢d8101的值
plc回：713f‘回復(fù)為3f71轉(zhuǎn)為10進數(shù)據(jù)值為：16241，16表示plc型號為fx3u，241表示版本號
以上這一大段數(shù)據(jù)也就是編程軟件查詢一下plc的型號，以便接下來按相應(yīng)的通迅協(xié)議進行通迅。這些數(shù)據(jù)是花了大量時間測試出來的，
這次就講到這里，望朋友多多指點。