Mitsubishi FX3U PLC Unlocking: Analysing the Data Is What Matters Most

Published: 2011-09-24 09:18 | Source: 万胜PLC解密网 (Wansheng PLC unlocking site)

When the Mitsubishi FX3U PLC is mentioned, everyone knows it is the new PLC released by Mitsubishi: very powerful, usable in all kinds of industries, and with strong password protection. I had heard that very few people could unlock the FX3U, so out of curiosity I bought one. At first sight the exterior looks well made; I will not say more about the rest. The first thing is to study the protocol. I am sure everyone has worked on the FX2N, and the FX3U is in fact an upgraded version of the FX2N.

Figure: Mitsubishi FX3U PLC

First I wrote a debugging tool. I searched the FX3U manual, but the protocol is not published at all. After a long period of debugging, the data monitored on the serial port was:

Figure: Mitsubishi FX3U PLC unlocking software

#  Time        Function                        Data (Hex)

1  [00000000]  IRP_MJ_CREATE                   Port Opened - Gppw.exe
2  [00000000]  IOCTL_SERIAL_SET_BAUD_RATE      Baud Rate: 115200
3  [00000000]  IOCTL_SERIAL_SET_LINE_CONTROL   StopBits: 1, Parity: Even, DataBits: 7
4  [00000001]  IRP_MJ_WRITE                    Length: 0001, Data: 05
5  [00000002]  IRP_MJ_READ                     Length: 0001, Data: 06
6  [00000002]  IRP_MJ_WRITE                    Length: 0011, Data: 02 30 30 45 30 32 30 32 03 36 43
7  [00000003]  IRP_MJ_READ                     Length: 0001, Data: 02
8  [00000003]  IRP_MJ_READ                     Length: 0001, Data: 42
9  [00000003]  IRP_MJ_READ                     Length: 0001, Data: 31
10 [00000003]  IRP_MJ_READ                     Length: 0001, Data: 35
11 [00000003]  IRP_MJ_READ                     Length: 0001, Data: 45
12 [00000003]  IRP_MJ_READ                     Length: 0001, Data: 03
13 [00000003]  IRP_MJ_READ                     Length: 0001, Data: 46
14 [00000003]  IRP_MJ_READ                     Length: 0001, Data: 30
15 [00000004]  IRP_MJ_WRITE                    Length: 0011, Data: 02 30 30 45 43 41 30 32 03 38 45
16 [00000004]  IRP_MJ_READ                     Length: 0001, Data: 02
17 [00000004]  IRP_MJ_READ                     Length: 0001, Data: 37
18 [00000004]  IRP_MJ_READ                     Length: 0001, Data: 31
19 [00000004]  IRP_MJ_READ                     Length: 0001, Data: 33
20 [00000004]  IRP_MJ_READ                     Length: 0001, Data: 46
21 [00000004]  IRP_MJ_READ                     Length: 0001, Data: 03
22 [00000004]  IRP_MJ_READ                     Length: 0001, Data: 45
23 [00000004]  IRP_MJ_READ                     Length: 0001, Data: 34
24 [00000005]  IRP_MJ_WRITE                    Length: 0011, Data: 02 30 30 45 30 32 30 32 03 36 43
25 [00000006]  IRP_MJ_READ                     Length: 0001, Data: 02
26 [00000006]  IRP_MJ_READ                     Length: 0001, Data: 42
27 [00000006]  IRP_MJ_READ                     Length: 0001, Data: 31
28 [00000006]  IRP_MJ_READ                     Length: 0001, Data: 35
29 [00000006]  IRP_MJ_READ                     Length: 0001, Data: 45
30 [00000006]  IRP_MJ_READ                     Length: 0001, Data: 03
31 [00000006]  IRP_MJ_READ                     Length: 0001, Data: 46
32 [00000006]  IRP_MJ_READ                     Length: 0001, Data: 30
33 [00000006]  IRP_MJ_WRITE                    Length: 0011, Data: 02 30 30 45 43 41 30 32 03 38 45
34 [00000007]  IRP_MJ_READ                     Length: 0001, Data: 02
35 [00000007]  IRP_MJ_READ                     Length: 0001, Data: 37
36 [00000007]  IRP_MJ_READ                     Length: 0001, Data: 31
37 [00000007]  IRP_MJ_READ                     Length: 0001, Data: 33
38 [00000007]  IRP_MJ_READ                     Length: 0001, Data: 46
39 [00000007]  IRP_MJ_READ                     Length: 0001, Data: 03
40 [00000007]  IRP_MJ_READ                     Length: 0001, Data: 45
41 [00000007]  IRP_MJ_READ                     Length: 0001, Data: 34
42 [00000015]  IRP_MJ_CLOSE                    Port Closed

This is the most important step in unlocking the FX3U: a great deal of time has to be spent analysing this data. The serial-port data above is hexadecimal; converted to ASCII it reads as follows (the control bytes 02, 03, 05 and 06 have no printable form, so the monitor shows an empty Data field for them):

#  Time        Function                        Data (String)

1  [00000000]  IRP_MJ_CREATE                   Port Opened - Gppw.exe
2  [00000000]  IOCTL_SERIAL_SET_BAUD_RATE      Baud Rate: 115200
3  [00000000]  IOCTL_SERIAL_SET_LINE_CONTROL   StopBits: 1, Parity: Even, DataBits: 7
4  [00000001]  IRP_MJ_WRITE                    Length: 0001, Data:
5  [00000002]  IRP_MJ_READ                     Length: 0001, Data:
6  [00000002]  IRP_MJ_WRITE                    Length: 0011, Data: 00E02026C
7  [00000003]  IRP_MJ_READ                     Length: 0001, Data:
8  [00000003]  IRP_MJ_READ                     Length: 0001, Data: B
9  [00000003]  IRP_MJ_READ                     Length: 0001, Data: 1
10 [00000003]  IRP_MJ_READ                     Length: 0001, Data: 5
11 [00000003]  IRP_MJ_READ                     Length: 0001, Data: E
12 [00000003]  IRP_MJ_READ                     Length: 0001, Data:
13 [00000003]  IRP_MJ_READ                     Length: 0001, Data: F
14 [00000003]  IRP_MJ_READ                     Length: 0001, Data: 0
15 [00000004]  IRP_MJ_WRITE                    Length: 0011, Data: 00ECA028E
16 [00000004]  IRP_MJ_READ                     Length: 0001, Data:
17 [00000004]  IRP_MJ_READ                     Length: 0001, Data: 7
18 [00000004]  IRP_MJ_READ                     Length: 0001, Data: 1
19 [00000004]  IRP_MJ_READ                     Length: 0001, Data: 3
20 [00000004]  IRP_MJ_READ                     Length: 0001, Data: F
21 [00000004]  IRP_MJ_READ                     Length: 0001, Data:
22 [00000004]  IRP_MJ_READ                     Length: 0001, Data: E
23 [00000004]  IRP_MJ_READ                     Length: 0001, Data: 4
24 [00000005]  IRP_MJ_WRITE                    Length: 0011, Data: 00E02026C
25 [00000006]  IRP_MJ_READ                     Length: 0001, Data:
26 [00000006]  IRP_MJ_READ                     Length: 0001, Data: B
27 [00000006]  IRP_MJ_READ                     Length: 0001, Data: 1
28 [00000006]  IRP_MJ_READ                     Length: 0001, Data: 5
29 [00000006]  IRP_MJ_READ                     Length: 0001, Data: E
30 [00000006]  IRP_MJ_READ                     Length: 0001, Data:
31 [00000006]  IRP_MJ_READ                     Length: 0001, Data: F
32 [00000006]  IRP_MJ_READ                     Length: 0001, Data: 0
33 [00000006]  IRP_MJ_WRITE                    Length: 0011, Data: 00ECA028E
34 [00000007]  IRP_MJ_READ                     Length: 0001, Data:
35 [00000007]  IRP_MJ_READ                     Length: 0001, Data: 7
36 [00000007]  IRP_MJ_READ                     Length: 0001, Data: 1
37 [00000007]  IRP_MJ_READ                     Length: 0001, Data: 3
38 [00000007]  IRP_MJ_READ                     Length: 0001, Data: F
39 [00000007]  IRP_MJ_READ                     Length: 0001, Data:
40 [00000007]  IRP_MJ_READ                     Length: 0001, Data: E
41 [00000007]  IRP_MJ_READ                     Length: 0001, Data: 4
42 [00000015]  IRP_MJ_CLOSE                    Port Closed

From the data above you can see that there are really only four round trips of communication, and two of those are exact repeats of the other two.

Analysis:

PC sends:    00E0202   ' query the value of D8001
PLC replies: B15E      ' this stands for 5EB1: the reply carries the high byte last and the low byte first, so the two bytes have to be swapped. 5EB1 in decimal is 24241; 24 indicates the PLC model (FX2N or 3U) and 241 the version number.
PC sends:    00ECA02   ' query the value of D8101
PLC replies: 713F      ' this stands for 3F71, which in decimal is 16241; 16 indicates the model FX3U and 241 the version number.
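As an added example (not the post's own tool and not Mitsubishi code), the decoder below walks the four frames from the capture above, checks each frame's trailing checksum, maps the request address to its D register and swaps the reply bytes exactly as the analysis describes. It assumes, because every frame in the log agrees with it but the page never says so, that the checksum is the low byte of the sum of all bytes after STX up to and including ETX, and that data register D8000+n is addressed at 0x0E00 + 2n.

```python
# Added example (not the post's own tool): decode and validate the FX-series
# serial frames captured above. Assumed, not stated on the page, but matching
# every frame in the log: frame = STX, ASCII payload, ETX, two hex chars that
# equal the low byte of the sum of all bytes after STX through ETX; and data
# register D8000+n is read at word address 0x0E00 + 2*n (D8001 -> 0E02).
STX, ETX = 0x02, 0x03

def parse_frame(raw: bytes) -> dict:
    """Split one STX..ETX+checksum frame; 'error' is None when the frame is sound."""
    if len(raw) < 5 or raw[0] != STX or raw[-3] != ETX:
        return {"body": None, "error": "not an STX/ETX frame"}
    expected = sum(raw[1:-2]) & 0xFF            # bytes after STX through ETX
    actual = int(raw[-2:].decode("ascii"), 16)  # the two trailing hex chars
    body = raw[1:-3].decode("ascii")            # printable payload only
    if expected != actual:
        return {"body": body, "error": f"checksum want {expected:02X}, got {actual:02X}"}
    return {"body": body, "error": None}

def decode_request(body: str) -> dict:
    """'00E0202' -> command '0' (read), address 0x0E02, 2 bytes, i.e. D8001."""
    cmd, addr, count = body[0], int(body[1:5], 16), int(body[5:7], 16)
    reg = f"D{8000 + (addr - 0x0E00) // 2}" if 0x0E00 <= addr < 0x1000 else None
    return {"cmd": cmd, "addr": addr, "count": count, "register": reg}

def decode_word(body: str) -> int:
    """Reply payload is hex ASCII of little-endian bytes: 'B15E' -> 0x5EB1."""
    return int.from_bytes(bytes.fromhex(body), "little")

def split_type_version(value: int) -> tuple:
    """The post's reading of the word: 24241 -> model 24, version 241."""
    return value // 1000, value % 1000

# The four distinct frames from the hex log above, as (PC request, PLC reply).
# Entries 4/5 (bytes 05/06) are the ENQ/ACK handshake and carry no frame.
CAPTURE = [
    (bytes.fromhex("0230304530323032033643"), bytes.fromhex("0242313545034630")),
    (bytes.fromhex("0230304543413032033845"), bytes.fromhex("0237313346034534")),
]

def analyse_capture(capture=CAPTURE) -> list:
    """Return (register, value, (model, version)) per request/reply pair."""
    out = []
    for req, rep in capture:
        req_f, rep_f = parse_frame(req), parse_frame(rep)
        if req_f["error"] or rep_f["error"]:
            raise ValueError(req_f["error"] or rep_f["error"])
        reg = decode_request(req_f["body"])["register"]
        val = decode_word(rep_f["body"])
        out.append((reg, val, split_type_version(val)))
    return out
```

Run over a serial capture taken on the engineering workstation, the same decoder shows which registers the programming tool is reading and flags any frame whose checksum does not match, which is the first check to make before trusting a monitored trace.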

The PLC's password flag bits were all located. So in the industrial-control field, as long as you have hardware to test on plus time, you can definitely work it out. I had been working on the FX3U for less than 3 months when, during one debugging session, I happened to find a flaw in this PLC: after trying password protection many times and sending commands to the PLC, the password came back. The Mitsubishi FX3U PLC was unlocked successfully.
