三菱FX3U PLC解密软件开发叙述

对于三菱plc大家都很熟悉了，而fx2n的密码破解应该大家都会了，在返回的数据中都能找到密码，密码是在软件里比较的，而fx3u就不同了，fx3u有两段密码，看下图：
第1段密就和fx2n的一样，加的是明码，第2段就不一样了，密码加上后都变了，算法也完全变了，但在网上有高手能做到直读密码，我们被fx3u这种plc的强大功能所吸引，对三菱plc大家都用习惯了，觉的用起来顺手，在整个工控行业中用的比例很大，所以对破解这款plc产生的浓厚的性趣，fx3u有的可以2个口编程，一个是我们通常用的圆口，还有个可以扩展个232接口，我先试圆口，通过串口软件监控的数椐，以下是我调试监控的数据。
#timefunctiondata(hex)
1[00000000]irp_mj_createportopened-gppw.exe
2[00000000]ioctl_serial_set_baud_ratebaudrate:115200
3[00000000]ioctl_serial_set_line_controlstopbits:1,parity:even,databits:7
4[00000001]irp_mj_writelength:0001,data:05
5[00000002]irp_mj_readlength:0001,data:06
6[00000002]irp_mj_writelength:0011,data:0230304530323032033643
7[00000003]irp_mj_readlength:0001,data:02
8[00000003]irp_mj_readlength:0001,data:42
9[00000003]irp_mj_readlength:0001,data:31
10[00000003]irp_mj_readlength:0001,data:35
11[00000003]irp_mj_readlength:0001,data:45
12[00000003]irp_mj_readlength:0001,data:03
13[00000003]irp_mj_readlength:0001,data:46
14[00000003]irp_mj_readlength:0001,data:30
15[00000004]irp_mj_writelength:0011,data:0230304543413032033845
16[00000004]irp_mj_readlength:0001,data:02
17[00000004]irp_mj_readlength:0001,data:37
18[00000004]irp_mj_readlength:0001,data:31
19[00000004]irp_mj_readlength:0001,data:33
20[00000004]irp_mj_readlength:0001,data:46
21[00000004]irp_mj_readlength:0001,data:03
22[00000004]irp_mj_readlength:0001,data:45
23[00000004]irp_mj_readlength:0001,data:34
24[00000005]irp_mj_writelength:0011,data:0230304530323032033643
25[00000006]irp_mj_readlength:0001,data:02
26[00000006]irp_mj_readlength:0001,data:42
27[00000006]irp_mj_readlength:0001,data:31
28[00000006]irp_mj_readlength:0001,data:35
29[00000006]irp_mj_readlength:0001,data:45
30[00000006]irp_mj_readlength:0001,data:03
31[00000006]irp_mj_readlength:0001,data:46
32[00000006]irp_mj_readlength:0001,data:30
33[00000006]irp_mj_writelength:0011,data:0230304543413032033845
34[00000007]irp_mj_readlength:0001,data:02
35[00000007]irp_mj_readlength:0001,data:37
36[00000007]irp_mj_readlength:0001,data:31
37[00000007]irp_mj_readlength:0001,data:33
38[00000007]irp_mj_readlength:0001,data:46
39[00000007]irp_mj_readlength:0001,data:03
40[00000007]irp_mj_readlength:0001,data:45
41[00000007]irp_mj_readlength:0001,data:34
42[00000015]irp_mj_closeportclosed
6、上述从串口监控到的数据是十六进制的数据，还真不好看，先转换成asc码，就好看多了。
#timefunctiondata(string)
1[00000000]irp_mj_createportopened-gppw.exe
2[00000000]ioctl_serial_set_baud_ratebaudrate:115200
3[00000000]ioctl_serial_set_line_controlstopbits:1,parity:even,databits:7
4[00000001]irp_mj_writelength:0001,data:
5[00000002]irp_mj_readlength:0001,data:
6[00000002]irp_mj_writelength:0011,data:00e02026c
7[00000003]irp_mj_readlength:0001,data:
8[00000003]irp_mj_readlength:0001,data:b
9[00000003]irp_mj_readlength:0001,data:1
10[00000003]irp_mj_readlength:0001,data:5
11[00000003]irp_mj_readlength:0001,data:e
12[00000003]irp_mj_readlength:0001,data:
13[00000003]irp_mj_readlength:0001,data:f
14[00000003]irp_mj_readlength:0001,data:0
15[00000004]irp_mj_writelength:0011,data:00eca028e
16[00000004]irp_mj_readlength:0001,data:
17[00000004]irp_mj_readlength:0001,data:7
18[00000004]irp_mj_readlength:0001,data:1
19[00000004]irp_mj_readlength:0001,data:3
20[00000004]irp_mj_readlength:0001,data:f
21[00000004]irp_mj_readlength:0001,data:
22[00000004]irp_mj_readlength:0001,data:e
23[00000004]irp_mj_readlength:0001,data:4
24[00000005]irp_mj_writelength:0011,data:00e02026c
25[00000006]irp_mj_readlength:0001,data:
26[00000006]irp_mj_readlength:0001,data:b
27[00000006]irp_mj_readlength:0001,data:1
28[00000006]irp_mj_readlength:0001,data:5
29[00000006]irp_mj_readlength:0001,data:e
30[00000006]irp_mj_readlength:0001,data:
31[00000006]irp_mj_readlength:0001,data:f
32[00000006]irp_mj_readlength:0001,data:0
33[00000006]irp_mj_writelength:0011,data:00eca028e
34[00000007]irp_mj_readlength:0001,data:
35[00000007]irp_mj_readlength:0001,data:7
36[00000007]irp_mj_readlength:0001,data:1
37[00000007]irp_mj_readlength:0001,data:3
38[00000007]irp_mj_readlength:0001,data:f
39[00000007]irp_mj_readlength:0001,data:
40[00000007]irp_mj_readlength:0001,data:e
41[00000007]irp_mj_readlength:0001,data:4
42[00000015]irp_mj_closeportclosed
电脑发：00e0202’查询d8001的值
plc回：b15e‘回复为5eb1，回复的数据高位在后、低位在前，所以要对调个位，
5eb1转为10进数据值为：24241，24表示plc型号fx2n或3u，241表示版本号，
电脑发：00eca02码’查询d8101的值
plc回：713f‘回复为3f71转为10进数据值为：16241，16表示plc型号为fx3u，241表示版本号
以上这一大段数据也就是编程软件查询一下plc的型号，以便接下来按相应的通迅协议进行通迅。这些数据是花了大量时间测试出来的，
这次就讲到这里，望朋友多多指点。