"Super encryption" means that instead of having the software encrypt the Mitsubishi PLC, you write values into an illegitimate register, so that the program cannot be read out.
This is something I tested countless times on a Mitsubishi FX1S PLC, and the encryption does succeed. This post gives a detailed walkthrough of the process and a brief analysis of the protocol. Once you know this encryption process, reverse decryption is not impossible. Everyone, please share your views and opinions; experts, don't laugh, I hope the experts will correct my mistakes. The protocol of the Mitsubishi FX1N and 2N is somewhat different, but as long as you understand the decryption process I am giving you here in such detail, it can be done too; that is something we need to learn and discuss together. The 3U and 3G also need us to analyse and tinker with. Don't be the kind of person who expects everything handed to you; if that's you, reading this post is a waste of time; you have to study and think it through repeatedly. Experts, please don't throw bricks and rotten eggs; we need you to offer flowers of support.
The encryption process is as follows. Enough of the chatter, on to the topic:
First opening of the serial port
[00000000] IOCTL_SERIAL_SET_BAUD_RATE Baud Rate: 9600 (baud rate set here)
[00000000] IOCTL_SERIAL_SET_LINE_CONTROL StopBits: 1, Parity: Even, DataBits: 7 (communication format)
[00000001] IRP_MJ_WRITE Length: 0001, Data: 02 ("STX", communication start character 02H)
[00000001] IRP_MJ_WRITE Length: 0005, Data: 37 32 35 30 46 (CMD here is the set instruction 37H; 32 35 30 46 is the address '250F' of the bit device to set)
[00000001] IRP_MJ_WRITE Length: 0001, Data: 03 (this is the terminator, code '03H', meaning "end here")
[00000001] IRP_MJ_WRITE Length: 0002, Data: 31 37 (checksum: the sum from the CMD byte 37H through this 03H; on overflow, keep the last two digits)
[00000008] IRP_MJ_WRITE Length: 0001, Data: 02 ("STX", communication start character 02H)
[00000008] IRP_MJ_WRITE Length: 0005, Data: 37 32 35 30 46 (CMD here is the set instruction 37H; 32 35 30 46 is the address '250F' of the bit device to set)
[00000008] IRP_MJ_WRITE Length: 0001, Data: 03 (this is the terminator, code '03H', meaning "end here")
[00000008] IRP_MJ_WRITE Length: 0002, Data: 31 37 (checksum: the sum from the CMD byte 37H through this 03H; on overflow, keep the last two digits)
[00000015] IRP_MJ_WRITE Length: 0001, Data: 02 ("STX", communication start character 02H)
[00000015] IRP_MJ_WRITE Length: 0011, Data: 31 38 30 30 30 30 32 30 30 30 30 (CMD function code 31H here means write data; 38 30 30 30 is the start address '8000' to write to; 30 32 is the number of units to write, here 2, which makes one double word; 30 30 30 30 is that double word's data, '0')
[00000015] IRP_MJ_WRITE Length: 0001, Data: 03 (this is the terminator, code '03H', meaning "end here")
[00000016] IRP_MJ_WRITE Length: 0002, Data: 31 45 (checksum: the sum from the CMD byte through this 03H; on overflow, keep the last two digits)
[00000022] IRP_MJ_WRITE Length: 0001, Data: 02 ("STX", communication start character 02H)
[00000022] IRP_MJ_WRITE Length: 0011, Data: 31 38 30 30 30 30 32 30 30 30 30 (CMD function code 31H here means write data; 38 30 30 30 is the start address '8000' to write to; 30 32 is the number of units to write, here 2, which makes one double word; 30 30 30 30 is that double word's data, '0')
[00000023] IRP_MJ_WRITE Length: 0001, Data: 03 (this is the terminator, code '03H', meaning "end here")
[00000023] IRP_MJ_WRITE Length: 0002, Data: 31 45 (checksum: the sum from the CMD byte through this 03H; on overflow, keep the last two digits)
[00000030] IRP_MJ_CLOSE Port Closed (serial port closed)
Second opening of the serial port
[00000000] IOCTL_SERIAL_SET_BAUD_RATE Baud Rate: 9600
[00000000] IOCTL_SERIAL_SET_LINE_CONTROL StopBits: 1, Parity: Even, DataBits: 7
[00000000] IRP_MJ_WRITE Length: 0001, Data: 02 ("STX", communication start character 02H)
[00000000] IRP_MJ_WRITE Length: 0005, Data: 38 32 35 30 46 (CMD here is the reset instruction 38H; 32 35 30 46 is the address '250F' of the bit device to reset; this resets the address 250F that was just set)
[00000001] IRP_MJ_WRITE Length: 0001, Data: 03 (this is the terminator, code '03H', meaning "end here")
[00000001] IRP_MJ_WRITE Length: 0002, Data: 31 38 (checksum: the sum from the CMD byte through this 03H; on overflow, keep the last two digits)
[00000007] IRP_MJ_WRITE Length: 0001, Data: 02 ("STX", communication start character 02H)
[00000007] IRP_MJ_WRITE Length: 0005, Data: 38 32 35 30 46 (CMD here is the reset instruction 38H; 32 35 30 46 is the address '250F' of the bit device to reset; this resets the address 250F that was just set)
[00000008] IRP_MJ_WRITE Length: 0001, Data: 03 (this is the terminator, code '03H', meaning "end here")
[00000008] IRP_MJ_WRITE Length: 0002, Data: 31 38 (checksum: the sum from the CMD byte through this 03H; on overflow, keep the last two digits)
[00000010] IRP_MJ_CLOSE Port Closed
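As an added example (my own code, not the author's), here is a small Python parser that reassembles the IRP_MJ_WRITE data of the capture above into frames, verifies each checksum the way the post describes it (sum from CMD through ETX, low byte as two ASCII hex digits) and decodes command, address, count and data, which is handy for checking a serial-port capture against what the programming software actually sent. The embedded trace text is constructed from the capture lines above, and the command names are the ones the post gives; nothing else is assumed.

```python
import re
STX, ETX = 0x02, 0x03
COMMANDS = {0x37: "force-set bit", 0x38: "force-reset bit", 0x31: "write data"}  # as the post explains them

# Constructed sample: the IRP_MJ_WRITE lines of the post's capture (set frame, write frame, reset frame)
TRACE = """\
[00000001] IRP_MJ_WRITE Length: 0001, Data: 02
[00000001] IRP_MJ_WRITE Length: 0005, Data: 37 32 35 30 46
[00000001] IRP_MJ_WRITE Length: 0001, Data: 03
[00000001] IRP_MJ_WRITE Length: 0002, Data: 31 37
[00000015] IRP_MJ_WRITE Length: 0001, Data: 02
[00000015] IRP_MJ_WRITE Length: 0011, Data: 31 38 30 30 30 30 32 30 30 30 30
[00000015] IRP_MJ_WRITE Length: 0001, Data: 03
[00000016] IRP_MJ_WRITE Length: 0002, Data: 31 45
[00000000] IRP_MJ_WRITE Length: 0001, Data: 02
[00000000] IRP_MJ_WRITE Length: 0005, Data: 38 32 35 30 46
[00000001] IRP_MJ_WRITE Length: 0001, Data: 03
[00000001] IRP_MJ_WRITE Length: 0002, Data: 31 38
"""
def checksum(body: bytes) -> str:
    # Sum of every byte from CMD through ETX; keep the low byte as two ASCII hex digits
    return f"{sum(body) & 0xFF:02X}"

def frames_from_trace(trace: str) -> list[bytes]:
    # Join the Data of every IRP_MJ_WRITE line, then cut the stream at STX ... ETX + 2 checksum chars
    stream = bytes.fromhex(" ".join(re.findall(r"IRP_MJ_WRITE Length: \d+, Data: ([0-9A-Fa-f ]+)", trace)))
    frames, i = [], 0
    while i < len(stream):
        if stream[i] != STX:
            raise ValueError(f"expected STX at offset {i}")
        end = stream.index(ETX, i) + 3
        frames.append(stream[i:end])
        i = end
    return frames

def parse_frame(frame: bytes) -> dict:
    # Verify the checksum, then decode CMD, address and (for writes) count and data
    if len(frame) < 5 or frame[0] != STX or frame[-3] != ETX:
        raise ValueError("malformed frame")
    body = frame[1:-2]                           # CMD .. ETX, exactly the bytes the checksum covers
    got, expected = frame[-2:].decode("ascii"), checksum(body)
    if got != expected:
        raise ValueError(f"checksum mismatch: frame carries {got}, computed {expected}")
    cmd, payload = body[0], body[1:-1].decode("ascii")
    info = {"cmd": COMMANDS.get(cmd, f"unknown 0x{cmd:02X}"), "checksum": got}
    if cmd in (0x37, 0x38):
        info["address"] = payload                # 4 hex digits of the bit device, e.g. 250F
    elif cmd == 0x31:
        info["address"], info["count"], info["data"] = payload[:4], int(payload[4:6], 16), payload[6:]
    return info
```

Running `parse_frame` over `frames_from_trace(TRACE)` reproduces the checksums 17, 1E and 18 seen in the capture; a frame whose checksum was altered in transit raises ValueError instead of being decoded.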