├── .gitignore ├── Instrumentation ├── CMakeLists.txt ├── feedback.c ├── hash.h ├── modules.c ├── modules.h ├── monitor_gx.c ├── readme.md ├── utils.c └── utils.h ├── LICENSE ├── Mitsubishi-Dispatcher ├── gen_template.py ├── json │ ├── mitsubishi_field_115.json │ ├── mitsubishi_field_153.json │ ├── mitsubishi_field_169.json │ ├── mitsubishi_field_171.json │ ├── mitsubishi_field_209.json │ ├── mitsubishi_field_28.json │ ├── mitsubishi_field_365.json │ ├── mitsubishi_field_41.json │ ├── mitsubishi_field_43.json │ ├── mitsubishi_field_45.json │ ├── mitsubishi_field_47.json │ ├── mitsubishi_field_49.json │ ├── mitsubishi_field_493.json │ ├── mitsubishi_field_51.json │ ├── mitsubishi_field_53.json │ ├── mitsubishi_field_55.json │ ├── mitsubishi_field_59.json │ ├── mitsubishi_field_61.json │ ├── mitsubishi_field_669.json │ ├── mitsubishi_field_69.json │ ├── mitsubishi_field_73.json │ ├── mitsubishi_field_75.json │ ├── mitsubishi_field_77.json │ ├── mitsubishi_field_81.json │ ├── mitsubishi_field_83.json │ └── mitsubishi_field_93.json ├── length │ ├── len_115.txt │ ├── len_153.txt │ ├── len_169.txt │ ├── len_171.txt │ ├── len_209.txt │ ├── len_28.txt │ ├── len_365.txt │ ├── len_41.txt │ ├── len_43.txt │ ├── len_45.txt │ ├── len_47.txt │ ├── len_49.txt │ ├── len_493.txt │ ├── len_51.txt │ ├── len_53.txt │ ├── len_55.txt │ ├── len_59.txt │ ├── len_61.txt │ ├── len_669.txt │ ├── len_69.txt │ ├── len_73.txt │ ├── len_75.txt │ ├── len_77.txt │ ├── len_81.txt │ ├── len_83.txt │ └── len_93.txt ├── length_cluster.py ├── length_fields_analysis.py ├── logs │ └── session.json ├── mutate_engine.py ├── pkts │ ├── load_write.txt │ ├── read_from_plc.txt │ ├── test_connect.txt │ └── write_title.txt ├── read_from_plc.py ├── receive_mutated_data.py ├── split_fields.py ├── state_filter.py ├── states │ ├── load_write.json │ ├── read_from_plc.json │ ├── test_connect.json │ └── write_title.json ├── template │ ├── read_from_plc.json │ ├── test_connect.json │ ├── write.json │ └── 
write_title.json ├── test_script.py ├── trace │ ├── 1.log_connect.txt │ ├── 2.log_read_from_plc.txt │ ├── 3.log_write.txt │ └── 4.log_title.txt └── utils.py ├── Mitsubishi-Proxies └── proxy │ ├── gui │ ├── driver.py │ ├── monitor_run_gxwork.py │ ├── utils │ │ ├── execute_drrun_real.exe │ │ ├── kill_gxworks.py │ │ ├── mit_arrange_plc.exe │ │ ├── mit_clear_plc_memory.exe │ │ ├── mit_connect_test.exe │ │ ├── mit_crash_detector.exe │ │ ├── mit_delete.exe │ │ ├── mit_execute_drrun.exe │ │ ├── mit_execute_drrun_real.exe │ │ ├── mit_format_plc_memory.exe │ │ ├── mit_launch.exe │ │ ├── mit_plc_user_data.exe │ │ ├── mit_read_from_plc.exe │ │ ├── mit_remote_operate.exe │ │ ├── mit_set_clock.exe │ │ ├── mit_write_title.exe │ │ ├── shm_monitor.exe │ │ └── sources │ │ │ ├── launch.au3 │ │ │ ├── mit_arrange_plc.au3 │ │ │ ├── mit_clear_plc_memory.au3 │ │ │ ├── mit_close.au3 │ │ │ ├── mit_connect_test.au3 │ │ │ ├── mit_delete.au3 │ │ │ ├── mit_format_plc_memory.au3 │ │ │ ├── mit_plc_user_data.au3 │ │ │ ├── mit_read_from_plc.au3 │ │ │ ├── mit_remote_operate.au3 │ │ │ ├── mit_set_clock.au3 │ │ │ └── mit_write_title.au3 │ └── watchdog.py │ └── network │ └── proxy.py ├── README.md └── img ├── system_architecture.pdf └── system_architecture.png /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | pip-wheel-metadata/ 24 | share/python-wheels/ 25 | *.egg-info/ 26 | .installed.cfg 27 | *.egg 28 | MANIFEST 29 | 30 | # PyInstaller 31 | # Usually these files are written by a python script from a template 32 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 
33 | *.manifest 34 | *.spec 35 | 36 | # Installer logs 37 | pip-log.txt 38 | pip-delete-this-directory.txt 39 | 40 | # Unit test / coverage reports 41 | htmlcov/ 42 | .tox/ 43 | .nox/ 44 | .coverage 45 | .coverage.* 46 | .cache 47 | nosetests.xml 48 | coverage.xml 49 | *.cover 50 | *.py,cover 51 | .hypothesis/ 52 | .pytest_cache/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | target/ 76 | 77 | # Jupyter Notebook 78 | .ipynb_checkpoints 79 | 80 | # IPython 81 | profile_default/ 82 | ipython_config.py 83 | 84 | # pyenv 85 | .python-version 86 | 87 | # pipenv 88 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 89 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 90 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 91 | # install all needed dependencies. 92 | #Pipfile.lock 93 | 94 | # PEP 582; used by e.g. 
github.com/David-OConnor/pyflow 95 | __pypackages__/ 96 | 97 | # Celery stuff 98 | celerybeat-schedule 99 | celerybeat.pid 100 | 101 | # SageMath parsed files 102 | *.sage.py 103 | 104 | # Environments 105 | .env 106 | .venv 107 | env/ 108 | venv/ 109 | ENV/ 110 | env.bak/ 111 | venv.bak/ 112 | 113 | # Spyder project settings 114 | .spyderproject 115 | .spyproject 116 | 117 | # Rope project settings 118 | .ropeproject 119 | 120 | # mkdocs documentation 121 | /site 122 | 123 | # mypy 124 | .mypy_cache/ 125 | .dmypy.json 126 | dmypy.json 127 | 128 | # Pyre type checker 129 | .pyre/ 130 | -------------------------------------------------------------------------------- /Instrumentation/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 2.6) 2 | 3 | if (${USE_COLOR}) 4 | add_definitions(-DUSE_COLOR) 5 | endif() 6 | 7 | if (${USE_DRSYMS}) 8 | add_definitions(-DUSE_DRSYMS) 9 | endif() 10 | 11 | if (${INTELPT}) 12 | add_definitions(-DINTELPT) 13 | endif() 14 | 15 | set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/bin) 16 | 17 | project(shm_monitor) 18 | add_executable(shm_monitor feedback.c hash.h) 19 | 20 | if (NOT "${DynamoRIO_DIR}" STREQUAL "") 21 | 22 | project(monitor) 23 | 24 | set(DynamoRIO_LOG_COMPATIBILITY on) 25 | 26 | find_package(DynamoRIO) 27 | if (NOT DynamoRIO_FOUND) 28 | message(FATAL_ERROR "DynamoRIO package required to build") 29 | endif(NOT DynamoRIO_FOUND) 30 | 31 | if (STATIC_LIBRARY) 32 | set(libtype STATIC) 33 | else() 34 | set(libtype SHARED) 35 | endif () 36 | 37 | add_library(monitor ${libtype} 38 | monitor_gx.c 39 | modules.c 40 | utils.c 41 | hash.h 42 | ) 43 | configure_DynamoRIO_client(monitor) 44 | use_DynamoRIO_extension(monitor drmgr) 45 | use_DynamoRIO_extension(monitor drx) 46 | use_DynamoRIO_extension(monitor drcontainers) 47 | use_DynamoRIO_extension(monitor drreg) 48 | use_DynamoRIO_extension(monitor drwrap) 49 | if (${USE_DRSYMS}) 50 | 
use_DynamoRIO_extension(monitor drsyms) 51 | endif() 52 | 53 | # VS2015 Fix 54 | if (NOT (MSVC_VERSION LESS 1900)) 55 | target_link_libraries(monitor "libucrt.lib") 56 | target_link_libraries(monitor "libvcruntime.lib") 57 | target_link_libraries(monitor "Ws2_32.lib") 58 | endif() 59 | 60 | endif() -------------------------------------------------------------------------------- /Instrumentation/feedback.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include "hash.h" 6 | 7 | // idx:0 => read_flag 8 | // idx:2~ => bb_hit 9 | 10 | 11 | 12 | #define BUF_SIZE 65537 13 | 14 | int bb_count(unsigned char* map){ 15 | int count = 0; 16 | for (int i =1;i<65537;i++){ 17 | if (map[i]) count++; 18 | } 19 | return count; 20 | } 21 | 22 | void dump_bitmap(unsigned char *mem, int index){ 23 | char filename[50]; 24 | memset(filename,0,50); 25 | sprintf(filename, "bitmap_%d", index); 26 | FILE * out = fopen(filename, "wb"); 27 | if (out==NULL) 28 | { 29 | printf("Error in open file"); 30 | exit(1); 31 | } 32 | fwrite(mem,BUF_SIZE,1,out); 33 | fclose(out); 34 | // for (int i=1;i 3 | 4 | #define MAP_SIZE 65536 5 | #define HASH_CONST 0xa5b35705 6 | typedef unsigned int u32; 7 | typedef unsigned char u8; 8 | #define ROL32(_x, _r) ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r)))) 9 | 10 | static inline u32 hash32(const void* key, u32 len, u32 seed) { 11 | 12 | const u32* data = (u32*)key; 13 | u32 h1 = seed ^ len; 14 | 15 | len >>= 2; 16 | 17 | while (len--) { 18 | 19 | u32 k1 = *data++; 20 | 21 | k1 *= 0xcc9e2d51; 22 | k1 = ROL32(k1, 15); 23 | k1 *= 0x1b873593; 24 | 25 | h1 ^= k1; 26 | h1 = ROL32(h1, 13); 27 | h1 = h1 * 5 + 0xe6546b64; 28 | 29 | } 30 | 31 | h1 ^= h1 >> 16; 32 | h1 *= 0x85ebca6b; 33 | h1 ^= h1 >> 13; 34 | h1 *= 0xc2b2ae35; 35 | h1 ^= h1 >> 16; 36 | 37 | return h1; 38 | 39 | } 40 | 41 | #define AREP4(_sym) (_sym), (_sym), (_sym), (_sym) 42 | #define AREP8(_sym) AREP4(_sym), 
AREP4(_sym) 43 | #define AREP16(_sym) AREP8(_sym), AREP8(_sym) 44 | #define AREP32(_sym) AREP16(_sym), AREP16(_sym) 45 | #define AREP64(_sym) AREP32(_sym), AREP32(_sym) 46 | #define AREP128(_sym) AREP64(_sym), AREP64(_sym) 47 | 48 | static const u8 simplify_lookup[256] = { 49 | 50 | /* 4 */ 1, 128, 128, 128, 51 | /* +4 */ AREP4(128), 52 | /* +8 */ AREP8(128), 53 | /* +16 */ AREP16(128), 54 | /* +32 */ AREP32(128), 55 | /* +64 */ AREP64(128), 56 | /* +128 */ AREP128(128) 57 | 58 | }; 59 | 60 | 61 | static void simplify_trace(u32* mem) { 62 | 63 | u32 i = MAP_SIZE >> 2; 64 | 65 | while (i--) { 66 | 67 | /* Optimize for sparse bitmaps. */ 68 | 69 | if (*mem) { 70 | 71 | u8* mem8 = (u8*)mem; 72 | 73 | mem8[0] = simplify_lookup[mem8[0]]; 74 | mem8[1] = simplify_lookup[mem8[1]]; 75 | mem8[2] = simplify_lookup[mem8[2]]; 76 | mem8[3] = simplify_lookup[mem8[3]]; 77 | 78 | } else *mem = 0x01010101; 79 | 80 | mem++; 81 | } 82 | 83 | } -------------------------------------------------------------------------------- /Instrumentation/modules.c: -------------------------------------------------------------------------------- 1 | /* *************************************************************************** 2 | * Copyright (c) 2012-2013 Google, Inc. All rights reserved. 3 | * ***************************************************************************/ 4 | 5 | /* 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * * Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 12 | * * Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * * Neither the name of Google, Inc. 
nor the names of its contributors may be 17 | * used to endorse or promote products derived from this software without 18 | * specific prior written permission. 19 | * 20 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | * ARE DISCLAIMED. IN NO EVENT SHALL GOOGLE, INC. OR CONTRIBUTORS BE LIABLE 24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH 30 | * DAMAGE. 31 | */ 32 | 33 | /* 34 | Utilities for keeping track of (un)loaded modules in DynamoRIO clients. 35 | Copied from the DyanmoRIO project, http://dynamorio.org/ 36 | */ 37 | 38 | #include "modules.h" 39 | #include "utils.h" 40 | 41 | #include 42 | 43 | /* we use direct map cache to avoid locking */ 44 | static inline void 45 | global_module_cache_add(module_entry_t **cache, module_entry_t *entry) 46 | { 47 | cache[entry->id % NUM_GLOBAL_MODULE_CACHE] = entry; 48 | } 49 | 50 | /* Maintains LRU order in thread-private caches. A new/recent entry is moved to 51 | * the front, and all other entries are shifted back to make place. For new 52 | * entries, shifting results in the oldest entry being discarded. 
53 | */ 54 | static inline void 55 | thread_module_cache_adjust(module_entry_t **cache, 56 | module_entry_t *entry, 57 | uint pos, 58 | uint max_pos) 59 | { 60 | uint i; 61 | ASSERT(pos < max_pos, "wrong pos"); 62 | for (i = pos; i > 0; i--) 63 | cache[i] = cache[i-1]; 64 | cache[0] = entry; 65 | } 66 | 67 | static inline void 68 | thread_module_cache_add(module_entry_t **cache, uint cache_size, 69 | module_entry_t *entry) 70 | { 71 | thread_module_cache_adjust(cache, entry, cache_size - 1, cache_size); 72 | } 73 | 74 | static void 75 | module_table_entry_free(void *entry) 76 | { 77 | dr_free_module_data(((module_entry_t *)entry)->data); 78 | dr_global_free(entry, sizeof(module_entry_t)); 79 | } 80 | 81 | void module_table_load(module_table_t *table, const module_data_t *data) 82 | { 83 | module_entry_t *entry = NULL; 84 | module_data_t *mod; 85 | int i; 86 | /* Some apps repeatedly unload and reload the same module, 87 | * so we will try to re-use the old one. 88 | */ 89 | ASSERT(data != NULL, "data must not be NULL"); 90 | drvector_lock(&table->vector); 91 | /* Assuming most recently loaded entries are most likely to be unloaded, 92 | * we iterate the module table in a backward way for better performance. 93 | */ 94 | for (i = table->vector.entries-1; i >= 0; i--) { 95 | entry = drvector_get_entry(&table->vector, i); 96 | mod = entry->data; 97 | if (entry->unload && 98 | /* If the same module is re-loaded at the same address, 99 | * we will try to use the existing entry. 100 | */ 101 | mod->start == data->start && 102 | mod->end == data->end && 103 | mod->entry_point == data->entry_point && 104 | #ifdef WINDOWS 105 | mod->checksum == data->checksum && 106 | mod->timestamp == data->timestamp && 107 | #endif 108 | /* If a module w/ no name (there are some) is loaded, we will 109 | * keep making new entries. 
110 | */ 111 | dr_module_preferred_name(data) != NULL && 112 | dr_module_preferred_name(mod) != NULL && 113 | strcmp(dr_module_preferred_name(data), 114 | dr_module_preferred_name(mod)) == 0) { 115 | entry->unload = false; 116 | break; 117 | } 118 | entry = NULL; 119 | } 120 | if (entry == NULL) { 121 | entry = dr_global_alloc(sizeof(*entry)); 122 | entry->id = table->vector.entries; 123 | entry->unload = false; 124 | entry->data = dr_copy_module_data(data); 125 | drvector_append(&table->vector, entry); 126 | } 127 | drvector_unlock(&table->vector); 128 | global_module_cache_add(table->cache, entry); 129 | } 130 | 131 | static inline bool 132 | pc_is_in_module(module_entry_t *entry, app_pc pc) 133 | { 134 | if (entry != NULL && !entry->unload && entry->data != NULL) { 135 | module_data_t *mod = entry->data; 136 | if (pc >= mod->start && pc < mod->end) 137 | return true; 138 | } 139 | return false; 140 | } 141 | 142 | module_entry_t * module_table_lookup(module_entry_t **cache, int cache_size, 143 | module_table_t *table, app_pc pc) 144 | { 145 | module_entry_t *entry; 146 | int i; 147 | 148 | /* We assume we never change an entry's data field, even on unload, 149 | * and thus it is ok to check its value without a lock. 
150 | */ 151 | /* lookup thread module cache */ 152 | if (cache != NULL) { 153 | for (i = 0; i < cache_size; i++) { 154 | entry = cache[i]; 155 | if (pc_is_in_module(entry, pc)) { 156 | if (i > 0) 157 | thread_module_cache_adjust(cache, entry, i, cache_size); 158 | return entry; 159 | } 160 | } 161 | } 162 | /* lookup global module cache */ 163 | /* we use a direct map cache, so it is ok to access it without lock */ 164 | for (i = 0; i < NUM_GLOBAL_MODULE_CACHE; i++) { 165 | entry = table->cache[i]; 166 | if (pc_is_in_module(entry, pc)) 167 | return entry; 168 | } 169 | /* lookup module table */ 170 | entry = NULL; 171 | drvector_lock(&table->vector); 172 | for (i = table->vector.entries - 1; i >= 0; i--) { 173 | entry = drvector_get_entry(&table->vector, i); 174 | ASSERT(entry != NULL, "fail to get module entry"); 175 | if (pc_is_in_module(entry, pc)) { 176 | global_module_cache_add(table->cache, entry); 177 | if (cache != NULL) 178 | thread_module_cache_add(cache, cache_size, entry); 179 | break; 180 | } 181 | entry = NULL; 182 | } 183 | drvector_unlock(&table->vector); 184 | return entry; 185 | } 186 | 187 | void 188 | module_table_unload(module_table_t *table, const module_data_t *data) 189 | { 190 | module_entry_t *entry = module_table_lookup(NULL, 0, table, data->start); 191 | if (entry != NULL) { 192 | entry->unload = true; 193 | } else { 194 | ASSERT(false, "fail to find the module to be unloaded"); 195 | } 196 | } 197 | 198 | /* assuming caller holds the lock */ 199 | void module_table_entry_print(module_entry_t *entry, file_t log, bool print_all_info) 200 | { 201 | const char *name; 202 | module_data_t *data; 203 | const char *full_path = ""; 204 | data = entry->data; 205 | name = dr_module_preferred_name(data); 206 | if (data->full_path != NULL && data->full_path[0] != '\0') 207 | full_path = data->full_path; 208 | 209 | if (print_all_info) { 210 | dr_fprintf(log, "%3u, "PFX", "PFX", "PFX", %s, %s", 211 | entry->id, data->start, data->end, 
data->entry_point, 212 | (name == NULL || name[0] == '\0') ? "" : name, 213 | full_path); 214 | #ifdef WINDOWS 215 | dr_fprintf(log, ", 0x%08x, 0x%08x", data->checksum, data->timestamp); 216 | #endif /* WINDOWS */ 217 | dr_fprintf(log, "\n"); 218 | } else { 219 | dr_fprintf(log, " %u, %llu, %s\n", entry->id, 220 | (uint64)(data->end - data->start), full_path); 221 | } 222 | } 223 | 224 | void module_table_print(module_table_t *table, file_t log, bool print_all_info) 225 | { 226 | uint i; 227 | module_entry_t *entry; 228 | if (log == INVALID_FILE) { 229 | /* It is possible that failure on log file creation is caused by the 230 | * running process not having enough privilege, so this is not a 231 | * release-build fatal error 232 | */ 233 | ASSERT(false, "invalid log file"); 234 | return; 235 | } 236 | drvector_lock(&table->vector); 237 | dr_fprintf(log, "Module Table: %u\n", table->vector.entries); 238 | 239 | if (print_all_info) { 240 | dr_fprintf(log, "Module Table: id, base, end, entry, unload, name, path"); 241 | #ifdef WINDOWS 242 | dr_fprintf(log, ", checksum, timestamp"); 243 | #endif 244 | dr_fprintf(log, "\n"); 245 | } 246 | 247 | for (i = 0; i < table->vector.entries; i++) { 248 | entry = drvector_get_entry(&table->vector, i); 249 | module_table_entry_print(entry, log, print_all_info); 250 | } 251 | drvector_unlock(&table->vector); 252 | } 253 | 254 | module_table_t * 255 | module_table_create() 256 | { 257 | module_table_t *table = dr_global_alloc(sizeof(*table)); 258 | memset(table->cache, 0, sizeof(table->cache)); 259 | drvector_init(&table->vector, 16, false, module_table_entry_free); 260 | return table; 261 | } 262 | 263 | void 264 | module_table_destroy(module_table_t *table) 265 | { 266 | drvector_delete(&table->vector); 267 | dr_global_free(table, sizeof(*table)); 268 | } 269 | -------------------------------------------------------------------------------- /Instrumentation/modules.h: 
-------------------------------------------------------------------------------- 1 | /* *************************************************************************** 2 | * Copyright (c) 2012-2013 Google, Inc. All rights reserved. 3 | * ***************************************************************************/ 4 | 5 | /* 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * * Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 12 | * * Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * * Neither the name of Google, Inc. nor the names of its contributors may be 17 | * used to endorse or promote products derived from this software without 18 | * specific prior written permission. 19 | * 20 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | * ARE DISCLAIMED. IN NO EVENT SHALL GOOGLE, INC. OR CONTRIBUTORS BE LIABLE 24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH 30 | * DAMAGE. 31 | */ 32 | 33 | /* 34 | Utilities for keeping track of (un)loaded modules in DynamoRIO clients. 
35 | Copied from the DyanmoRIO project, http://dynamorio.org/ 36 | */ 37 | 38 | #ifndef CLIENTS_COMMON_MODULES_H_ 39 | #define CLIENTS_COMMON_MODULES_H_ 40 | 41 | #include "dr_api.h" 42 | #include "drvector.h" 43 | 44 | #define NUM_GLOBAL_MODULE_CACHE 8 45 | 46 | typedef struct _module_entry_t { 47 | int id; 48 | bool unload; /* if the module is unloaded */ 49 | module_data_t *data; 50 | } module_entry_t; 51 | 52 | typedef struct _module_table_t { 53 | drvector_t vector; 54 | /* for quick query without lock, assuming pointer-aligned */ 55 | module_entry_t *cache[NUM_GLOBAL_MODULE_CACHE]; 56 | } module_table_t; 57 | 58 | void 59 | module_table_load(module_table_t *table, const module_data_t *data); 60 | 61 | /* To avoid data race, proper sychronization on module table is required for 62 | * accessing module table entry. 63 | */ 64 | module_entry_t * 65 | module_table_lookup(module_entry_t **cache, int cache_size, 66 | module_table_t *table, app_pc pc); 67 | 68 | /* To avoid data race, proper sychronization on module table is required for 69 | * accessing module table entry. 70 | */ 71 | void 72 | module_table_entry_print(module_entry_t *entry, file_t log, bool print_all_info); 73 | 74 | void 75 | module_table_unload(module_table_t *table, const module_data_t *data); 76 | 77 | void 78 | module_table_print(module_table_t *table, file_t log, bool print_all_info); 79 | 80 | module_table_t * 81 | module_table_create(); 82 | 83 | void 84 | module_table_destroy(module_table_t *table); 85 | 86 | #endif /* CLIENTS_COMMON_MODULES_H_ */ 87 | -------------------------------------------------------------------------------- /Instrumentation/readme.md: -------------------------------------------------------------------------------- 1 | ## Preface 2 | 3 | Our instrumentation is based on DynamoRIO & WinAFL. 4 | Here, we express our sincere thanks to the authors & developers of DynamoRIO and WinAFL. 
5 | 6 | ## Compiling the project 7 | 8 | To run the fuzzing process, this step is `NOT` necessary. 9 | 10 | + Preparing the DynamoRIO framework 11 | Before compiling the project, 12 | we need to download and install the DynamoRIO framework, 13 | which is available from https://github.com/DynamoRIO/dynamorio 14 | 15 | + Preparing the compiler 16 | 17 | I used Visual Studio 2015 for this. 18 | 19 | + Generating the DLL for instrumentation 20 | 21 | Once everything is OK, we can compile the project and generate the DLL file. 22 | 23 | ``` 24 | mkdir build 25 | cd build 26 | cmake -DDynamoRIO_DIR=C:\Users\xxx\Documents\Test\DynamoRIO-Windows-7.1.0-1\cmake .. 27 | cmake --build . --config Release 28 | ``` 29 | Note that the path `C:\Users\xxx\Documents\Test\DynamoRIO-Windows-7.1.0-1\cmake` must be replaced with the `cmake` directory of your own DynamoRIO installation. 30 | 31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /Instrumentation/utils.c: -------------------------------------------------------------------------------- 1 | /* ****************************************************************************** 2 | * Copyright (c) 2013-2018 Google, Inc. All rights reserved. 3 | * Copyright (c) 2011 Massachusetts Institute of Technology All rights reserved. 4 | * Copyright (c) 2008 VMware, Inc. All rights reserved. 5 | * ******************************************************************************/ 6 | 7 | /* 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 11 | * * Redistributions of source code must retain the above copyright notice, 12 | * this list of conditions and the following disclaimer. 13 | * 14 | * * Redistributions in binary form must reproduce the above copyright notice, 15 | * this list of conditions and the following disclaimer in the documentation 16 | * and/or other materials provided with the distribution. 
17 | * 18 | * * Neither the name of Google, Inc. nor the names of its contributors may be 19 | * used to endorse or promote products derived from this software without 20 | * specific prior written permission. 21 | * 22 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 23 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 | * ARE DISCLAIMED. IN NO EVENT SHALL GOOGLE, INC. OR CONTRIBUTORS BE LIABLE 26 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 28 | * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 29 | * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH 32 | * DAMAGE. 33 | */ 34 | 35 | #include "utils.h" 36 | #include "drx.h" 37 | #include 38 | #ifdef WINDOWS 39 | # include 40 | #endif 41 | 42 | 43 | 44 | file_t 45 | log_file_open(client_id_t id, void *drcontext, const char *path, const char *name, 46 | uint flags) 47 | { 48 | file_t log; 49 | char log_dir[MAXIMUM_PATH]; 50 | char buf[MAXIMUM_PATH]; 51 | size_t len; 52 | char *dirsep; 53 | 54 | DR_ASSERT(name != NULL); 55 | len = dr_snprintf(log_dir, BUFFER_SIZE_ELEMENTS(log_dir), "%s", 56 | path == NULL ? 
dr_get_client_path(id) : path); 57 | DR_ASSERT(len > 0); 58 | NULL_TERMINATE_BUFFER(log_dir); 59 | dirsep = log_dir + len - 1; 60 | if (path == NULL /* removing client lib */ || 61 | /* path does not have a trailing / and is too large to add it */ 62 | (*dirsep != '/' IF_WINDOWS(&&*dirsep != '\\') && 63 | len == BUFFER_SIZE_ELEMENTS(log_dir) - 1)) { 64 | for (dirsep = log_dir + len; *dirsep != '/' IF_WINDOWS(&&*dirsep != '\\'); 65 | dirsep--) 66 | DR_ASSERT(dirsep > log_dir); 67 | } 68 | /* remove trailing / if necessary */ 69 | if (*dirsep == '/' IF_WINDOWS(|| *dirsep == '\\')) 70 | *dirsep = 0; 71 | else if (sizeof(log_dir) > (dirsep + 1 - log_dir) / sizeof(log_dir[0])) 72 | *(dirsep + 1) = 0; 73 | NULL_TERMINATE_BUFFER(log_dir); 74 | /* we do not need call drx_init before using drx_open_unique_appid_file */ 75 | log = drx_open_unique_appid_file(log_dir, dr_get_process_id(), name, "log", flags, 76 | buf, BUFFER_SIZE_ELEMENTS(buf)); 77 | if (log != INVALID_FILE) { 78 | char msg[MAXIMUM_PATH]; 79 | len = dr_snprintf(msg, BUFFER_SIZE_ELEMENTS(msg), "Data file %s created", buf); 80 | DR_ASSERT(len > 0); 81 | NULL_TERMINATE_BUFFER(msg); 82 | dr_log(drcontext, DR_LOG_ALL, 1, "%s", msg); 83 | #ifdef SHOW_RESULTS 84 | DISPLAY_STRING(msg); 85 | # ifdef WINDOWS 86 | if (dr_is_notify_on()) { 87 | /* assuming dr_enable_console_printing() is called in the initialization */ 88 | dr_fprintf(STDERR, "%s\n", msg); 89 | } 90 | # endif /* WINDOWS */ 91 | #endif /* SHOW_RESULTS */ 92 | } 93 | return log; 94 | } 95 | 96 | void 97 | log_file_close(file_t log) 98 | { 99 | dr_close_file(log); 100 | } 101 | 102 | FILE * 103 | log_stream_from_file(file_t f) 104 | { 105 | #ifdef WINDOWS 106 | int fd = _open_osfhandle((intptr_t)f, 0); 107 | if (fd == -1) 108 | return NULL; 109 | return _fdopen(fd, "w"); 110 | #else 111 | return fdopen(f, "w"); 112 | #endif 113 | } 114 | 115 | void 116 | log_stream_close(FILE *f) 117 | { 118 | fclose(f); /* closes underlying fd too for all platforms */ 119 | 
} 120 | 121 | 122 | 123 | 124 | -------------------------------------------------------------------------------- /Instrumentation/utils.h: -------------------------------------------------------------------------------- 1 | /* *************************************************************************** 2 | * Copyright (c) 2012-2013 Google, Inc. All rights reserved. 3 | * ***************************************************************************/ 4 | 5 | /* 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * * Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 12 | * * Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * * Neither the name of Google, Inc. nor the names of its contributors may be 17 | * used to endorse or promote products derived from this software without 18 | * specific prior written permission. 19 | * 20 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | * ARE DISCLAIMED. IN NO EVENT SHALL GOOGLE, INC. 
OR CONTRIBUTORS BE LIABLE 24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH 30 | * DAMAGE. 31 | */ 32 | 33 | /* 34 | DynamoRIO utility macros. Copied from the DyanmoRIO project, 35 | http://dynamorio.org/ 36 | */ 37 | 38 | 39 | #ifndef CLIENTS_COMMON_UTILS_H_ 40 | #define CLIENTS_COMMON_UTILS_H_ 41 | 42 | #include "dr_api.h" 43 | #include "stdio.h" 44 | 45 | 46 | #ifdef DEBUG 47 | # define ASSERT(x, msg) DR_ASSERT_MSG(x, msg) 48 | # define IF_DEBUG(x) x 49 | #else 50 | # define ASSERT(x, msg) /* nothing */ 51 | # define IF_DEBUG(x) /* nothing */ 52 | #endif 53 | 54 | /* XXX: should be moved to DR API headers? 
*/ 55 | #define BUFFER_SIZE_BYTES(buf) sizeof(buf) 56 | #define BUFFER_SIZE_ELEMENTS(buf) (BUFFER_SIZE_BYTES(buf) / sizeof((buf)[0])) 57 | #define BUFFER_LAST_ELEMENT(buf) (buf)[BUFFER_SIZE_ELEMENTS(buf) - 1] 58 | #define NULL_TERMINATE_BUFFER(buf) BUFFER_LAST_ELEMENT(buf) = 0 59 | #define ALIGNED(x, alignment) ((((ptr_uint_t)x) & ((alignment)-1)) == 0) 60 | #define TESTANY(mask, var) (((mask) & (var)) != 0) 61 | #define TEST TESTANY 62 | 63 | #ifdef WINDOWS 64 | # define IF_WINDOWS(x) x 65 | # define IF_UNIX_ELSE(x,y) y 66 | #else 67 | # define IF_WINDOWS(x) 68 | # define IF_UNIX_ELSE(x,y) x 69 | #endif 70 | 71 | /* Checks for both debug and release builds: */ 72 | #define USAGE_CHECK(x, msg) DR_ASSERT_MSG(x, msg) 73 | 74 | static inline generic_func_t 75 | cast_to_func(void *p) 76 | { 77 | #ifdef WINDOWS 78 | # pragma warning(push) 79 | # pragma warning(disable : 4055) 80 | #endif 81 | return (generic_func_t) p; 82 | #ifdef WINDOWS 83 | # pragma warning(pop) 84 | #endif 85 | } 86 | 87 | #endif /* CLIENTS_COMMON_UTILS_H_ */ 88 | file_t 89 | log_file_open(client_id_t id, void *drcontext, const char *path, const char *name, 90 | uint flags); 91 | 92 | /* close a log file opened by log_file_open */ 93 | void 94 | log_file_close(file_t log); 95 | 96 | /* Converts a raw file descriptor into a FILE stream. */ 97 | FILE * 98 | log_stream_from_file(file_t f); 99 | 100 | /* log_file_close does *not* need to be called when calling this on a 101 | * stream converted from a file descriptor. 
102 | */ 103 | void 104 | log_stream_close(FILE *f); 105 | 106 | 107 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 boofish 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
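# --------------------------------------------------------------------------------
# /Mitsubishi-Dispatcher/gen_template.py
# --------------------------------------------------------------------------------
"""Build field-annotated packet templates from captured packet dumps.

Every file in ./pkts/ is read as one hex-encoded packet per line.  A packet
is cut into fields using the rule file ./json/mitsubishi_field_<len>.json
(selected by the packet's byte length), printable-ASCII runs are split out
of each field, and every non-empty field is tagged 'number', 'str' or
'binary'.  The result is written to ./template/<tag>.json.

The templates contain the captured bytes verbatim (hex-encoded), so they
should be handled with the same care as the captures they were built from.

All helpers operate on byte strings (``str`` on Python 2, ``bytes`` on
Python 3).
"""
from binascii import *
import os
import json
import random

# Printable ASCII range used to recognise text inside a packet: [0x20, 0x7f).
_PRINTABLE_MIN = 0x20
_PRINTABLE_MAX = 0x7f


def _is_printable(byte):
    """Return True when the integer byte value is printable ASCII."""
    return _PRINTABLE_MIN <= byte < _PRINTABLE_MAX


def is_str(field):
    """Return True when every byte of *field* is printable ASCII.

    An empty field is reported as a string, as before.
    """
    # bytearray() yields integers on both Python 2 and Python 3, so no ord()
    # call is needed (ord() on an int raises TypeError on Python 3).
    return all(_is_printable(byte) for byte in bytearray(field))


def generate_template(m_dict, fields, idx):
    """Annotate *fields* and store the list under ``m_dict[idx]``.

    Empty fields are skipped.  Fields of at most 4 bytes are tagged
    'number'; longer fields are tagged 'str' when fully printable and
    'binary' otherwise.  Each annotation is a ``(tag, hex_text)`` tuple.
    """
    t_arr = []
    for field in fields:
        if len(field) == 0:
            continue
        if len(field) <= 4:
            tag = 'number'
        elif is_str(field):
            tag = 'str'
        else:
            # The original also had a len(field)==1 branch here; it could
            # never run because such fields are already tagged 'number'.
            tag = 'binary'
        # b2a_hex() returns bytes on Python 3, which json.dumps() rejects;
        # decode so the annotation is text on both interpreter versions.
        t_arr.append((tag, b2a_hex(field).decode('ascii')))
    m_dict[idx] = t_arr


def load_data(filename):
    """Return the packets in *filename*, one decoded byte string per line.

    Raises whatever ``a2b_hex`` raises when a line is not valid hex.
    """
    # Context manager so the handle is closed even if decoding fails.
    with open(filename, 'rb') as fp:
        lines = fp.readlines()
    # Lines are bytes (file opened in 'rb'), so strip with a bytes argument.
    return [a2b_hex(item.strip(b'\r\n')) for item in lines]


def load_rule(filename):
    """Return the field layout stored under key '1' of a rule file."""
    with open(filename, 'r') as fp:
        t_dict = json.load(fp)
    return t_dict['1']


def dump_format(filename):
    """Generate ./template/<tag>.json for the packet dump *filename*.

    Packets without a matching rule file are reported on stdout and stored
    as a single un-split field.
    """
    print(filename)
    # NOTE(review): the tag ends at the LAST underscore of the path, so
    # './pkts/read_from_plc.txt' becomes 'read_from'; a name without any
    # underscore loses its final character (rfind returns -1).  Left as is
    # because the output file names depend on it; confirm the intent.
    tag = filename[filename.rfind('/')+1:filename.rfind('_')]
    outfile = './template/{}.json'.format(tag)

    m_dict = {}
    for idx, item in enumerate(load_data(filename)):
        rule_file_name = "./json/mitsubishi_field_{}.json".format(len(item))
        rule = load_rule(rule_file_name) if os.path.exists(rule_file_name) else None

        if rule is None:
            print(len(item),'no rule')
            generate_template(m_dict, [item], idx)
            continue

        fields = []
        start = 0
        for r in rule:
            # Each rule entry is a hex string: two hex digits per byte.
            # Floor division keeps the offset an int on Python 3.
            end = start + len(r) // 2
            fields.append(item[start:end])
            start = end
        generate_template(m_dict, rearrange_fields(fields), idx)

    # Open the output only once the whole template has been built, so a
    # failure while parsing does not leave a truncated file behind.
    with open(outfile, 'w') as fp:
        fp.write(json.dumps(m_dict, indent=1))


def rearrange_fields(fields, min_len=5):
    """Split every field on its printable runs and return the flat list."""
    ret = []
    for item in fields:
        ret += split_strings(item, min_len)
    return ret


def split_strings(s, min_len=5):
    """Split *s* so that printable-ASCII runs become separate pieces.

    A run that is followed by a non-printable byte is split out when it has
    at least *min_len* bytes.  The piece in front of each run is always
    emitted, even when empty; callers drop empty pieces later.
    """
    runs = []  # (start, end) offsets of the runs to split out
    run_len = 0
    for pos, byte in enumerate(bytearray(s)):
        if _is_printable(byte):
            run_len += 1
            continue
        if run_len >= min_len:
            runs.append((pos - run_len, pos))
        run_len = 0
    # NOTE(review): a run that reaches the end of the data needs MORE than
    # min_len bytes (">"), unlike the ">=" used inside the loop.  Kept as in
    # the original because existing templates depend on it; looks like an
    # off-by-one, confirm before changing.
    if run_len > min_len:
        runs.append((len(s) - run_len, len(s)))

    ret = []
    next_idx = 0
    for start, end in runs:
        ret.append(s[next_idx:start])
        ret.append(s[start:end])
        next_idx = end
    remaining = s[next_idx:]
    if len(remaining) > 0:
        ret.append(remaining)
    return ret


def main():
    """Run dump_format() on every file found in ./pkts/."""
    base_dir = './pkts/'
    for name in os.listdir(base_dir):
        # Plain concatenation on purpose: dump_format() locates the file
        # name by searching for '/', so the separator must stay '/'.
        dump_format(base_dir + name)


if __name__ == '__main__':
    main()


# --------------------------------------------------------------------------------
# /Mitsubishi-Dispatcher/json/mitsubishi_field_115.json:
# --------------------------------------------------------------------------------
# 1 | {
# 2 |  "1": [
# 3 |   "d700",
# 4 |   "dd",
# 5 |   "0000111107000000e40300ffff030000",
# 6 |   "5e",
# 7 |   "009c000c0800000000030400000000",
# 8 |   "18280c",
# 9 |   "000000",
# 10 |   "480040",
# 11 |   "00",
# 12 |   "2201616263",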
"20", 14 | "20", 15 | "20", 16 | "20", 17 | "20", 18 | "20", 19 | "20", 20 | "20", 21 | "20", 22 | "20202020202020", 23 | "20", 24 | "202020202020202020", 25 | "20", 26 | "20200407", 27 | "00", 28 | "80ffffffffffffffffffffffffffffffffffffffffffffffff000000ff00000000" 29 | ] 30 | } -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/json/mitsubishi_field_171.json: -------------------------------------------------------------------------------- 1 | { 2 | "1": [ 3 | "d700", 4 | "9c", 5 | "0000111107000000e40300ffff030000", 6 | "96", 7 | "009c000c08000000000304000000000b05", 8 | "23", 9 | "000000", 10 | "0000000000000000000000000000000000000000000000000000000000000000", 11 | "00", 12 | "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" 13 | ], 14 | "2": [ 15 | "d700", 16 | "c2", 17 | "0000111107000000e40300ffff030000", 18 | "96", 19 | "009c000c08000000000304000000000b05", 20 | "23", 21 | "000000", 22 | "0000000000000000000000000000000000000000000000000000000000000000", 23 | "00", 24 | "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" 25 | ], 26 | "3": [ 27 | "d700", 28 | "f5", 29 | "0000111107000000e40300ffff030000", 30 | "96", 31 | "009c000c08000000000304000000000b05", 32 | "24", 33 | "000000", 34 | "0000000000000000000000000000000000000000000000000000000000000000", 35 | "00", 36 | "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" 37 | ], 38 | "4": [ 39 | "d700", 40 | "2b", 41 | "0000111107000000e40300ffff030000", 42 | "96", 43 | "009c000c08000000000304000000000b05", 44 | "1f", 45 | 
"000000", 46 | "0000000000000000000000000000000000000000000000000000000000000000", 47 | "00", 48 | "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" 49 | ], 50 | "5": [ 51 | "d700", 52 | "21", 53 | "0000111107000000e40300ffff030000", 54 | "96", 55 | "009c000c08000000000304000000000b05", 56 | "1f", 57 | "000000", 58 | "0000000000000000000000000000000000000000000000000000000000000000", 59 | "00", 60 | "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" 61 | ], 62 | "6": [ 63 | "d700", 64 | "61", 65 | "0000111107000000e40300ffff030000", 66 | "96", 67 | "009c000c08000000000304000000000b05", 68 | "1f", 69 | "000000", 70 | "0000000000000000000000000000000000000000000000000000000000000000", 71 | "00", 72 | "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" 73 | ], 74 | "7": [ 75 | "d700", 76 | "a2", 77 | "0000111107000000e40300ffff030000", 78 | "96", 79 | "009c000c08000000000304000000000b05", 80 | "1f", 81 | "000000", 82 | "0000000000000000000000000000000000000000000000000000000000000000", 83 | "00", 84 | "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" 85 | ], 86 | "8": [ 87 | "d700", 88 | "b7", 89 | "0000111107000000e40300ffff030000", 90 | "96", 91 | "009c000c08000000000304000000000b05", 92 | "23", 93 | "000000", 94 | "0000000000000000000000000000000000000000000000000000000000000000", 95 | "00", 96 | 
"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" 97 | ] 98 | } -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/json/mitsubishi_field_365.json: -------------------------------------------------------------------------------- 1 | { 2 | "1": [ 3 | "d700", 4 | "35", 5 | "0000111107000000e40300ffff030000", 6 | "5801", 7 | "9c000c0800000000030400000000", 8 | "181828", 9 | "000000", 10 | "05000500514e", 11 | "202020202020", 12 | "51535906000000000000000000", 13 | "00", 14 | "b20286500200001000000000000000", 15 | "00", 16 | "00000000000000000000000000000000000000000000000000", 17 | "00", 18 | "574f524b", 19 | "20202020", 20 | "51535906000000", 21 | "00", 22 | "000000000000b2028650020400100000000000000000000000", 23 | "00", 24 | "000000000000000000000000000000", 25 | "00", 26 | "0000000000005452414345", 27 | "202020", 28 | "5153590600000000000000", 29 | "00", 30 | "0000b2028650020800100000000000", 31 | "00", 32 | "000000000000000000000000000000000000000000000000000000004d4f4e49544f52205130300600000000000000000000b2028650020c0010000000000000000000000000000000000000000000000000000000000000000000004d41494e2020202051504720000000000000000000000fbb86500210680800002020202020202020202020202020202020202020202020202020202020202020" 33 | ], 34 | "2": [ 35 | "d700", 36 | "2b", 37 | "0000111107000000e40300ffff030000", 38 | "5801", 39 | "9c000c0800000000030400000000", 40 | "181828", 41 | "000000", 42 | "05000500514e", 43 | "202020202020", 44 | "51535906000000000000000000", 45 | "00", 46 | "b20286500200001000000000000000", 47 | "00", 48 | "00000000000000000000000000000000000000000000000000", 49 | "00", 50 | "574f524b", 51 | "20202020", 52 | "51535906000000", 53 | "00", 54 | "000000000000b2028650020400100000000000000000000000", 55 | "00", 56 | "000000000000000000000000000000", 57 | "00", 
58 | "0000000000005452414345", 59 | "202020", 60 | "5153590600000000000000", 61 | "00", 62 | "0000b2028650020800100000000000", 63 | "00", 64 | "000000000000000000000000000000000000000000000000000000004d4f4e49544f52205130300600000000000000000000b2028650020c0010000000000000000000000000000000000000000000000000000000000000000000004d41494e2020202051504720000000000000000000000fbb86500210680800002020202020202020202020202020202020202020202020202020202020202020" 65 | ], 66 | "3": [ 67 | "d700", 68 | "6b", 69 | "0000111107000000e40300ffff030000", 70 | "5801", 71 | "9c000c0800000000030400000000", 72 | "181828", 73 | "000000", 74 | "05000500514e", 75 | "202020202020", 76 | "51535906000000000000000000", 77 | "00", 78 | "b20286500200001000000000000000", 79 | "00", 80 | "00000000000000000000000000000000000000000000000000", 81 | "00", 82 | "574f524b", 83 | "20202020", 84 | "51535906000000", 85 | "00", 86 | "000000000000b2028650020400100000000000000000000000", 87 | "00", 88 | "000000000000000000000000000000", 89 | "00", 90 | "0000000000005452414345", 91 | "202020", 92 | "5153590600000000000000", 93 | "00", 94 | "0000b2028650020800100000000000", 95 | "00", 96 | "000000000000000000000000000000000000000000000000000000004d4f4e49544f52205130300600000000000000000000b2028650020c0010000000000000000000000000000000000000000000000000000000000000000000004d41494e2020202051504720000000000000000000000fbb86500210680800002020202020202020202020202020202020202020202020202020202020202020" 97 | ], 98 | "4": [ 99 | "d700", 100 | "cf", 101 | "0000111107000000e40300ffff030000", 102 | "5801", 103 | "9c000c0800000000030400000000", 104 | "18180b", 105 | "000000", 106 | "05000500514e", 107 | "202020202020", 108 | "51535906000000000000000000", 109 | "00", 110 | "b20286500200001000000000000000", 111 | "00", 112 | "00000000000000000000000000000000000000000000000000", 113 | "00", 114 | "574f524b", 115 | "20202020", 116 | "51535906000000", 117 | "00", 118 | "000000000000b2028650020400100000000000000000000000", 119 
| "00", 120 | "000000000000000000000000000000", 121 | "00", 122 | "0000000000005452414345", 123 | "202020", 124 | "5153590600000000000000", 125 | "00", 126 | "0000b2028650020800100000000000", 127 | "00", 128 | "000000000000000000000000000000000000000000000000000000004d4f4e49544f52205130300600000000000000000000b2028650020c0010000000000000000000000000000000000000000000000000000000000000000000004d41494e2020202051504720000000000000000000000fbb86500210680800002020202020202020202020202020202020202020202020202020202020202020" 129 | ], 130 | "5": [ 131 | "d700", 132 | "f3", 133 | "0000111107000000e40300ffff030000", 134 | "5801", 135 | "9c000c0800000000030400000000", 136 | "18180b", 137 | "000000", 138 | "05000500514e", 139 | "202020202020", 140 | "51535906000000000000000000", 141 | "00", 142 | "b20286500200001000000000000000", 143 | "00", 144 | "00000000000000000000000000000000000000000000000000", 145 | "00", 146 | "574f524b", 147 | "20202020", 148 | "51535906000000", 149 | "00", 150 | "000000000000b2028650020400100000000000000000000000", 151 | "00", 152 | "000000000000000000000000000000", 153 | "00", 154 | "0000000000005452414345", 155 | "202020", 156 | "5153590600000000000000", 157 | "00", 158 | "0000b2028650020800100000000000", 159 | "00", 160 | "000000000000000000000000000000000000000000000000000000004d4f4e49544f52205130300600000000000000000000b2028650020c0010000000000000000000000000000000000000000000000000000000000000000000004d41494e2020202051504720000000000000000000000fbb86500210680800002020202020202020202020202020202020202020202020202020202020202020" 161 | ] 162 | } -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/json/mitsubishi_field_41.json: -------------------------------------------------------------------------------- 1 | { 2 | "1": [ 3 | "d700", 4 | "aa", 5 | "0000111107000000e40300ffff03000014009c000c0800000000030400000000", 6 | "0b0309", 7 | "000000" 8 | ], 9 | "2": [ 10 | "d700", 11 | "ab", 12 | 
"0000111107000000e40300ffff03000014009c000c0800000000030400000000", 13 | "08010a", 14 | "000000" 15 | ], 16 | "3": [ 17 | "d700", 18 | "21", 19 | "0000111107000000e40300ffff03000014009c000c0800000000030400000000", 20 | "0b0309", 21 | "000000" 22 | ], 23 | "4": [ 24 | "d700", 25 | "22", 26 | "0000111107000000e40300ffff03000014009c000c0800000000030400000000", 27 | "08010a", 28 | "000000" 29 | ], 30 | "5": [ 31 | "d700", 32 | "eb", 33 | "0000111107000000e40300ffff03000014009c000c0800000000030400000000", 34 | "0b0309", 35 | "000000" 36 | ], 37 | "6": [ 38 | "d700", 39 | "ec", 40 | "0000111107000000e40300ffff03000014009c000c0800000000030400000000", 41 | "08010a", 42 | "000000" 43 | ], 44 | "7": [ 45 | "d700", 46 | "2e", 47 | "0000111107000000e40300ffff03000014009c000c0800000000030400000000", 48 | "100247", 49 | "000000" 50 | ], 51 | "8": [ 52 | "d700", 53 | "81", 54 | "0000111107000000e40300ffff03000014009c000c0800000000030400000000", 55 | "110309", 56 | "000000" 57 | ], 58 | "9": [ 59 | "d700", 60 | "de", 61 | "0000111107000000e40300ffff03000014009c000c0800000000030400000000", 62 | "182a0d", 63 | "000000" 64 | ], 65 | "10": [ 66 | "d700", 67 | "ff", 68 | "0000111107000000e40300ffff03000014009c000c0800000000030400000000", 69 | "18260f", 70 | "000000" 71 | ], 72 | "11": [ 73 | "d700", 74 | "00", 75 | "0000111107000000e40300ffff03000014009c000c0800000000030400000000", 76 | "183710", 77 | "000000" 78 | ], 79 | "12": [ 80 | "d700", 81 | "15", 82 | "0000111107000000e40300ffff03000014009c000c0800000000030400000000", 83 | "183609", 84 | "000000" 85 | ], 86 | "13": [ 87 | "d700", 88 | "39", 89 | "0000111107000000e40300ffff03000014009c000c0800000000030400000000", 90 | "18040a", 91 | "000000" 92 | ], 93 | "14": [ 94 | "d700", 95 | "51", 96 | "0000111107000000e40300ffff03000014009c000c0800000000030400000000", 97 | "180109", 98 | "000000" 99 | ], 100 | "15": [ 101 | "d700", 102 | "87", 103 | "0000111107000000e40300ffff03000014009c000c0800000000030400000000", 104 | "140509", 105 | 
"000000" 106 | ], 107 | "16": [ 108 | "d700", 109 | "eb", 110 | "0000111107000000e40300ffff03000014009c000c0800000000030400000000", 111 | "18200c", 112 | "000000" 113 | ], 114 | "17": [ 115 | "d700", 116 | "ef", 117 | "0000111107000000e40300ffff03000014009c000c0800000000030400000000", 118 | "182610", 119 | "000000" 120 | ], 121 | "18": [ 122 | "d700", 123 | "f0", 124 | "0000111107000000e40300ffff03000014009c000c0800000000030400000000", 125 | "183711", 126 | "000000" 127 | ], 128 | "19": [ 129 | "d700", 130 | "ff", 131 | "0000111107000000e40300ffff03000014009c000c0800000000030400000000", 132 | "18360c", 133 | "000000" 134 | ], 135 | "20": [ 136 | "d700", 137 | "aa", 138 | "0000111107000000e40300ffff03000014009c000c0800000000030400000000", 139 | "0b0309", 140 | "000000" 141 | ], 142 | "21": [ 143 | "d700", 144 | "ab", 145 | "0000111107000000e40300ffff03000014009c000c0800000000030400000000", 146 | "08010a", 147 | "000000" 148 | ] 149 | } -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/json/mitsubishi_field_47.json: -------------------------------------------------------------------------------- 1 | { 2 | "1": [ 3 | "d700", 4 | "00", 5 | "0000111107000000e40300ffff030000", 6 | "1a", 7 | "009c000c0800000000030400000000", 8 | "040109", 9 | "000000", 10 | "e80f6e3b0000" 11 | ], 12 | "2": [ 13 | "d700", 14 | "40", 15 | "0000111107000000e40300ffff030000", 16 | "1a", 17 | "009c000c0800000000030400000000", 18 | "040109", 19 | "000000", 20 | "e80f6e3b0000" 21 | ], 22 | "3": [ 23 | "d700", 24 | "36", 25 | "0000111107000000e40300ffff030000", 26 | "1a", 27 | "009c000c0800000000030400000000", 28 | "040109", 29 | "000000", 30 | "e80f6e3b0000" 31 | ], 32 | "4": [ 33 | "d700", 34 | "16", 35 | "0000111107000000e40300ffff030000", 36 | "1a", 37 | "009c000c0800000000030400000000", 38 | "04030a", 39 | "000000", 40 | "000064000000" 41 | ], 42 | "5": [ 43 | "d700", 44 | "00", 45 | "0000111107000000e40300ffff030000", 46 | "1a", 47 | 
"009c000c0800000000030400000000", 48 | "04030e", 49 | "000000", 50 | "000064000000" 51 | ], 52 | "6": [ 53 | "d700", 54 | "14", 55 | "0000111107000000e40300ffff030000", 56 | "1a", 57 | "009c000c0800000000030400000000", 58 | "040109", 59 | "000000", 60 | "e80f6e3b0000" 61 | ], 62 | "7": [ 63 | "d700", 64 | "1e", 65 | "0000111107000000e40300ffff030000", 66 | "1a", 67 | "009c000c0800000000030400000000", 68 | "040109", 69 | "000000", 70 | "e80f6e3b0000" 71 | ] 72 | } -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/json/mitsubishi_field_49.json: -------------------------------------------------------------------------------- 1 | { 2 | "1": [ 3 | "d700", 4 | "9d", 5 | "0000111107000000e40300ffff0300001c009c000c0800000000030400000000", 6 | "040105", 7 | "000000", 8 | "005905", 9 | "00", 10 | "0e000000" 11 | ], 12 | "2": [ 13 | "d700", 14 | "9e", 15 | "0000111107000000e40300ffff0300001c009c000c0800000000030400000000", 16 | "040106", 17 | "000000", 18 | "000000", 19 | "00", 20 | "00000000" 21 | ], 22 | "3": [ 23 | "d700", 24 | "a6", 25 | "0000111107000000e40300ffff0300001c009c000c0800000000030400000000", 26 | "040105", 27 | "000000", 28 | "005905", 29 | "00", 30 | "0e000000" 31 | ], 32 | "4": [ 33 | "d700", 34 | "a7", 35 | "0000111107000000e40300ffff0300001c009c000c0800000000030400000000", 36 | "040106", 37 | "000000", 38 | "000000", 39 | "00", 40 | "00000000" 41 | ], 42 | "5": [ 43 | "d700", 44 | "14", 45 | "0000111107000000e40300ffff0300001c009c000c0800000000030400000000", 46 | "040105", 47 | "000000", 48 | "005905", 49 | "00", 50 | "0e000000" 51 | ], 52 | "6": [ 53 | "d700", 54 | "15", 55 | "0000111107000000e40300ffff0300001c009c000c0800000000030400000000", 56 | "040106", 57 | "000000", 58 | "000000", 59 | "00", 60 | "00000000" 61 | ], 62 | "7": [ 63 | "d700", 64 | "1d", 65 | "0000111107000000e40300ffff0300001c009c000c0800000000030400000000", 66 | "040105", 67 | "000000", 68 | "005905", 69 | "00", 70 | "0e000000" 71 
| ], 72 | "8": [ 73 | "d700", 74 | "1e", 75 | "0000111107000000e40300ffff0300001c009c000c0800000000030400000000", 76 | "040106", 77 | "000000", 78 | "000000", 79 | "00", 80 | "00000000" 81 | ], 82 | "9": [ 83 | "d700", 84 | "5f", 85 | "0000111107000000e40300ffff0300001c009c000c0800000000030400000000", 86 | "010409", 87 | "000000", 88 | "200428", 89 | "00", 90 | "21250220" 91 | ], 92 | "10": [ 93 | "d700", 94 | "69", 95 | "0000111107000000e40300ffff0300001c009c000c0800000000030400000000", 96 | "010409", 97 | "000000", 98 | "200428", 99 | "00", 100 | "21310220" 101 | ], 102 | "11": [ 103 | "d700", 104 | "80", 105 | "0000111107000000e40300ffff0300001c009c000c0800000000030400000000", 106 | "010409", 107 | "000000", 108 | "200428", 109 | "00", 110 | "22190220" 111 | ], 112 | "12": [ 113 | "d700", 114 | "8a", 115 | "0000111107000000e40300ffff0300001c009c000c0800000000030400000000", 116 | "010409", 117 | "000000", 118 | "200428", 119 | "00", 120 | "22250220" 121 | ], 122 | "13": [ 123 | "d700", 124 | "de", 125 | "0000111107000000e40300ffff0300001c009c000c0800000000030400000000", 126 | "040105", 127 | "000000", 128 | "005905", 129 | "00", 130 | "0e000000" 131 | ], 132 | "14": [ 133 | "d700", 134 | "df", 135 | "0000111107000000e40300ffff0300001c009c000c0800000000030400000000", 136 | "040106", 137 | "000000", 138 | "000000", 139 | "00", 140 | "00000000" 141 | ], 142 | "15": [ 143 | "d700", 144 | "e7", 145 | "0000111107000000e40300ffff0300001c009c000c0800000000030400000000", 146 | "040105", 147 | "000000", 148 | "005905", 149 | "00", 150 | "0e000000" 151 | ], 152 | "16": [ 153 | "d700", 154 | "e8", 155 | "0000111107000000e40300ffff0300001c009c000c0800000000030400000000", 156 | "040106", 157 | "000000", 158 | "000000", 159 | "00", 160 | "00000000" 161 | ], 162 | "17": [ 163 | "d700", 164 | "61", 165 | "0000111107000000e40300ffff0300001c009c000c0800000000030400000000", 166 | "010409", 167 | "000000", 168 | "200407", 169 | "00", 170 | "12220220" 171 | ], 172 | "18": [ 173 | 
"d700", 174 | "6b", 175 | "0000111107000000e40300ffff0300001c009c000c0800000000030400000000", 176 | "010409", 177 | "000000", 178 | "200407", 179 | "00", 180 | "12280220" 181 | ], 182 | "19": [ 183 | "d700", 184 | "8b", 185 | "0000111107000000e40300ffff0300001c009c000c0800000000030400000000", 186 | "010409", 187 | "000000", 188 | "200406", 189 | "00", 190 | "13290120" 191 | ], 192 | "20": [ 193 | "d700", 194 | "9d", 195 | "0000111107000000e40300ffff0300001c009c000c0800000000030400000000", 196 | "040105", 197 | "000000", 198 | "005905", 199 | "00", 200 | "0e000000" 201 | ], 202 | "21": [ 203 | "d700", 204 | "9e", 205 | "0000111107000000e40300ffff0300001c009c000c0800000000030400000000", 206 | "040106", 207 | "000000", 208 | "000000", 209 | "00", 210 | "00000000" 211 | ], 212 | "22": [ 213 | "d700", 214 | "a6", 215 | "0000111107000000e40300ffff0300001c009c000c0800000000030400000000", 216 | "040105", 217 | "000000", 218 | "005905", 219 | "00", 220 | "0e000000" 221 | ], 222 | "23": [ 223 | "d700", 224 | "a7", 225 | "0000111107000000e40300ffff0300001c009c000c0800000000030400000000", 226 | "040106", 227 | "000000", 228 | "000000", 229 | "00", 230 | "00000000" 231 | ] 232 | } -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/json/mitsubishi_field_493.json: -------------------------------------------------------------------------------- 1 | { 2 | "1": [ 3 | "d700", 4 | "ac", 5 | "0000111107000000e40300ffff030000", 6 | "d8", 7 | "019c000c08000000000304000000001818", 8 | "28", 9 | "000000", 10 | "07", 11 | "00", 12 | "07", 13 | "00514e2020202020205153590600000000000000000000", 14 | "a970ec2c", 15 | "0200001000000000000000000000000000000000000000000000000000000000000000000000574f524b202020205153590600000000000000000000", 16 | "a970ec2c", 17 | "020400100000000000000000000000000000000000000000000000000000000000000000000054524143452020205153590600000000000000000000", 18 | "a970ec2c", 19 | 
"02080010000000000000000000000000000000000000000000000000000000000000000000004d4f4e49544f52205130300600000000000000000000", 20 | "a970ec2c", 21 | "020c001000000000000000000000000000000000000000000000000000000000000000000000", 22 | "50", 23 | "41", 24 | "52414d", 25 | "2020205150", 26 | "41", 27 | "2000000000000000000000", 28 | "c7a531", 29 | "500210", 30 | "8c02", 31 | "00002020202020202020202020202020202020202020202020202020202020202020", 32 | "4d41494e202020205150472000000000000000000000c8a53150c410700800002020202020202020202020202020202020202020202020202020202020202020513036202020202044415420000000000000000000006fa63150b210480000006162632020202020202020202020202020202020202020202020202020202020" 33 | ], 34 | "2": [ 35 | "d700", 36 | "cf", 37 | "0000111107000000e40300ffff030000", 38 | "d8", 39 | "019c000c08000000000304000000001818", 40 | "0b", 41 | "000000", 42 | "07", 43 | "00", 44 | "07", 45 | "00514e2020202020205153590600000000000000000000", 46 | "a970ec2c", 47 | "0200001000000000000000000000000000000000000000000000000000000000000000000000574f524b202020205153590600000000000000000000", 48 | "a970ec2c", 49 | "020400100000000000000000000000000000000000000000000000000000000000000000000054524143452020205153590600000000000000000000", 50 | "a970ec2c", 51 | "02080010000000000000000000000000000000000000000000000000000000000000000000004d4f4e49544f52205130300600000000000000000000", 52 | "a970ec2c", 53 | "020c001000000000000000000000000000000000000000000000000000000000000000000000", 54 | "50", 55 | "41", 56 | "52414d", 57 | "2020205150", 58 | "41", 59 | "2000000000000000000000", 60 | "c7a531", 61 | "500210", 62 | "8c02", 63 | "00002020202020202020202020202020202020202020202020202020202020202020", 64 | "4d41494e202020205150472000000000000000000000c8a53150c410700800002020202020202020202020202020202020202020202020202020202020202020513036202020202044415420000000000000000000006fa63150b210480000006162632020202020202020202020202020202020202020202020202020202020" 65 | ], 66 | 
"3": [ 67 | "d700", 68 | "ec", 69 | "0000111107000000e40300ffff030000", 70 | "d8", 71 | "019c000c08000000000304000000001818", 72 | "0b", 73 | "000000", 74 | "07", 75 | "00", 76 | "07", 77 | "00514e2020202020205153590600000000000000000000", 78 | "a970ec2c", 79 | "0200001000000000000000000000000000000000000000000000000000000000000000000000574f524b202020205153590600000000000000000000", 80 | "a970ec2c", 81 | "020400100000000000000000000000000000000000000000000000000000000000000000000054524143452020205153590600000000000000000000", 82 | "a970ec2c", 83 | "02080010000000000000000000000000000000000000000000000000000000000000000000004d4f4e49544f52205130300600000000000000000000", 84 | "a970ec2c", 85 | "020c001000000000000000000000000000000000000000000000000000000000000000000000", 86 | "50", 87 | "41", 88 | "52414d", 89 | "2020205150", 90 | "41", 91 | "2000000000000000000000", 92 | "c7a531", 93 | "500210", 94 | "8c02", 95 | "00002020202020202020202020202020202020202020202020202020202020202020", 96 | "4d41494e202020205150472000000000000000000000c8a53150c410700800002020202020202020202020202020202020202020202020202020202020202020513036202020202044415420000000000000000000006fa63150b210480000006162632020202020202020202020202020202020202020202020202020202020" 97 | ] 98 | } -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/json/mitsubishi_field_53.json: -------------------------------------------------------------------------------- 1 | { 2 | "1": [ 3 | "d700", 4 | "9d", 5 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 6 | "24", 7 | "00000001000101", 8 | "02", 9 | "00000000000000" 10 | ], 11 | "2": [ 12 | "d700", 13 | "c3", 14 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 15 | "24", 16 | "00000001000101", 17 | "02", 18 | "00000000000000" 19 | ], 20 | "3": [ 21 | "d700", 22 | "f6", 23 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 24 | "25", 25 | 
"00000001000101", 26 | "02", 27 | "00000000000000" 28 | ], 29 | "4": [ 30 | "d700", 31 | "2c", 32 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 33 | "20", 34 | "00000001000101", 35 | "02", 36 | "00000000000000" 37 | ], 38 | "5": [ 39 | "d700", 40 | "22", 41 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 42 | "20", 43 | "00000001000101", 44 | "02", 45 | "00000000000000" 46 | ], 47 | "6": [ 48 | "d700", 49 | "62", 50 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 51 | "20", 52 | "00000001000101", 53 | "02", 54 | "00000000000000" 55 | ], 56 | "7": [ 57 | "d700", 58 | "77", 59 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 60 | "09", 61 | "00000001000101", 62 | "02", 63 | "00000000000000" 64 | ], 65 | "8": [ 66 | "d700", 67 | "82", 68 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 69 | "09", 70 | "00000001000101", 71 | "02", 72 | "00000000000000" 73 | ], 74 | "9": [ 75 | "d700", 76 | "97", 77 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 78 | "09", 79 | "00000001000101", 80 | "02", 81 | "00000000000000" 82 | ], 83 | "10": [ 84 | "d700", 85 | "a0", 86 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 87 | "08", 88 | "00000001000101", 89 | "02", 90 | "00000000000000" 91 | ], 92 | "11": [ 93 | "d700", 94 | "ee", 95 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 96 | "09", 97 | "00000001000101", 98 | "02", 99 | "00000000000000" 100 | ], 101 | "12": [ 102 | "d700", 103 | "f9", 104 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 105 | "09", 106 | "00000001000101", 107 | "02", 108 | "00000000000000" 109 | ], 110 | "13": [ 111 | "d700", 112 | "0e", 113 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 114 | "09", 115 | "00000001000101", 116 | "02", 117 | "00000000000000" 118 | ], 119 | "14": [ 120 | "d700", 121 | 
"17", 122 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 123 | "08", 124 | "00000001000101", 125 | "02", 126 | "00000000000000" 127 | ], 128 | "15": [ 129 | "d700", 130 | "54", 131 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 132 | "09", 133 | "00000001000101", 134 | "02", 135 | "00000000000000" 136 | ], 137 | "16": [ 138 | "d700", 139 | "75", 140 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 141 | "09", 142 | "00000001000101", 143 | "02", 144 | "00000000000000" 145 | ], 146 | "17": [ 147 | "d700", 148 | "c2", 149 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 150 | "09", 151 | "00000001000101", 152 | "02", 153 | "00000000000000" 154 | ], 155 | "18": [ 156 | "d700", 157 | "e6", 158 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 159 | "09", 160 | "00000001000101", 161 | "02", 162 | "00000000000000" 163 | ], 164 | "19": [ 165 | "d700", 166 | "0a", 167 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 168 | "09", 169 | "00000001000101", 170 | "02", 171 | "00000000000000" 172 | ], 173 | "20": [ 174 | "d700", 175 | "17", 176 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 177 | "09", 178 | "00000001000101", 179 | "02", 180 | "00000000000000" 181 | ], 182 | "21": [ 183 | "d700", 184 | "24", 185 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 186 | "09", 187 | "00000001000101", 188 | "02", 189 | "00000000000000" 190 | ], 191 | "22": [ 192 | "d700", 193 | "3b", 194 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 195 | "09", 196 | "00000001000101", 197 | "02", 198 | "00000000000000" 199 | ], 200 | "23": [ 201 | "d700", 202 | "24", 203 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 204 | "09", 205 | "00000001000101", 206 | "02", 207 | "00000000000000" 208 | ], 209 | "24": [ 210 | "d700", 211 | "5d", 212 | 
"0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 213 | "09", 214 | "00000001000101", 215 | "02", 216 | "00000000000000" 217 | ], 218 | "25": [ 219 | "d700", 220 | "46", 221 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 222 | "09", 223 | "00000001000101", 224 | "02", 225 | "00000000000000" 226 | ], 227 | "26": [ 228 | "d700", 229 | "68", 230 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 231 | "09", 232 | "00000001000101", 233 | "02", 234 | "00000000000000" 235 | ], 236 | "27": [ 237 | "d700", 238 | "75", 239 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 240 | "09", 241 | "00000001000101", 242 | "02", 243 | "00000000000000" 244 | ], 245 | "28": [ 246 | "d700", 247 | "81", 248 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 249 | "09", 250 | "00000001000101", 251 | "00", 252 | "00000000000000" 253 | ], 254 | "29": [ 255 | "d700", 256 | "a3", 257 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 258 | "20", 259 | "00000001000101", 260 | "00", 261 | "00000000000000" 262 | ], 263 | "30": [ 264 | "d700", 265 | "b8", 266 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 267 | "09", 268 | "00000001000101", 269 | "00", 270 | "00000000000000" 271 | ], 272 | "31": [ 273 | "d700", 274 | "c3", 275 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 276 | "09", 277 | "00000001000101", 278 | "00", 279 | "00000000000000" 280 | ], 281 | "32": [ 282 | "d700", 283 | "d8", 284 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 285 | "09", 286 | "00000001000101", 287 | "00", 288 | "00000000000000" 289 | ], 290 | "33": [ 291 | "d700", 292 | "e1", 293 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 294 | "08", 295 | "00000001000101", 296 | "00", 297 | "00000000000000" 298 | ], 299 | "34": [ 300 | "d700", 301 | "56", 302 | 
"0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 303 | "09", 304 | "00000001000101", 305 | "00", 306 | "00000000000000" 307 | ], 308 | "35": [ 309 | "d700", 310 | "77", 311 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 312 | "09", 313 | "00000001000101", 314 | "00", 315 | "00000000000000" 316 | ], 317 | "36": [ 318 | "d700", 319 | "c2", 320 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 321 | "09", 322 | "00000001000101", 323 | "00", 324 | "00000000000000" 325 | ], 326 | "37": [ 327 | "d700", 328 | "2b", 329 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 330 | "09", 331 | "00000001000101", 332 | "00", 333 | "00000000000000" 334 | ], 335 | "38": [ 336 | "d700", 337 | "44", 338 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 339 | "09", 340 | "00000001000101", 341 | "00", 342 | "00000000000000" 343 | ], 344 | "39": [ 345 | "d700", 346 | "5c", 347 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 348 | "09", 349 | "00000001000101", 350 | "00", 351 | "00000000000000" 352 | ], 353 | "40": [ 354 | "d700", 355 | "92", 356 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 357 | "09", 358 | "00000001000101", 359 | "00", 360 | "00000000000000" 361 | ], 362 | "41": [ 363 | "d700", 364 | "b8", 365 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 366 | "24", 367 | "00000001000101", 368 | "00", 369 | "00000000000000" 370 | ], 371 | "42": [ 372 | "d700", 373 | "77", 374 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 375 | "09", 376 | "00000001000101", 377 | "02", 378 | "00000000000000" 379 | ], 380 | "43": [ 381 | "d700", 382 | "82", 383 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 384 | "09", 385 | "00000001000101", 386 | "02", 387 | "00000000000000" 388 | ], 389 | "44": [ 390 | "d700", 391 | "97", 392 | 
"0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 393 | "09", 394 | "00000001000101", 395 | "02", 396 | "00000000000000" 397 | ], 398 | "45": [ 399 | "d700", 400 | "a0", 401 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 402 | "08", 403 | "00000001000101", 404 | "02", 405 | "00000000000000" 406 | ], 407 | "46": [ 408 | "d700", 409 | "0b", 410 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05", 411 | "09", 412 | "00000001000101", 413 | "00", 414 | "00000000000000" 415 | ] 416 | } -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/json/mitsubishi_field_55.json: -------------------------------------------------------------------------------- 1 | { 2 | "1": [ 3 | "d700", 4 | "2f", 5 | "0000111107000000e40300ffff030000", 6 | "22", 7 | "009c000c0800000000030400000000", 8 | "180b23", 9 | "000000", 10 | "04", 11 | "00", 12 | "7c007b", 13 | "0000", 14 | "f0", 15 | "0000", 16 | "e6ed0000" 17 | ], 18 | "2": [ 19 | "d700", 20 | "25", 21 | "0000111107000000e40300ffff030000", 22 | "22", 23 | "009c000c0800000000030400000000", 24 | "180b23", 25 | "000000", 26 | "04", 27 | "00", 28 | "7c007b", 29 | "0000", 30 | "f0", 31 | "0000", 32 | "e6ed0000" 33 | ], 34 | "3": [ 35 | "d700", 36 | "65", 37 | "0000111107000000e40300ffff030000", 38 | "22", 39 | "009c000c0800000000030400000000", 40 | "180b23", 41 | "000000", 42 | "04", 43 | "00", 44 | "7c007b", 45 | "0000", 46 | "f0", 47 | "0000", 48 | "e6ed0000" 49 | ], 50 | "4": [ 51 | "d700", 52 | "a6", 53 | "0000111107000000e40300ffff030000", 54 | "22", 55 | "009c000c0800000000030400000000", 56 | "180b23", 57 | "000000", 58 | "04", 59 | "00", 60 | "7c0079", 61 | "0000", 62 | "f0", 63 | "0000", 64 | "2fed0000" 65 | ], 66 | "5": [ 67 | "d700", 68 | "0a", 69 | "0000111107000000e40300ffff030000", 70 | "22", 71 | "009c000c0800000000030400000000", 72 | "180b09", 73 | "000000", 74 | "04", 75 | "00", 76 | "7c007b", 77 | "0000", 78 
| "f0", 79 | "0000", 80 | "e6ed0000" 81 | ] 82 | } -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/json/mitsubishi_field_59.json: -------------------------------------------------------------------------------- 1 | { 2 | "1": [ 3 | "d700", 4 | "82", 5 | "0000111107000000e40300ffff030000", 6 | "26", 7 | "009c000c0800000000030400000000", 8 | "04010a", 9 | "000000", 10 | "08", 11 | "00", 12 | "837d1f0b6afe4010f43bff1f7f210100" 13 | ], 14 | "2": [ 15 | "d700", 16 | "a8", 17 | "0000111107000000e40300ffff030000", 18 | "26", 19 | "009c000c0800000000030400000000", 20 | "04010a", 21 | "000000", 22 | "08", 23 | "00", 24 | "837d1f0b6afe4010f43bff1f7f210100" 25 | ], 26 | "3": [ 27 | "d700", 28 | "ce", 29 | "0000111107000000e40300ffff030000", 30 | "26", 31 | "009c000c0800000000030400000000", 32 | "04010a", 33 | "000000", 34 | "08", 35 | "00", 36 | "837d1f0b6afe4010f43bff1f7f210100" 37 | ], 38 | "4": [ 39 | "d700", 40 | "da", 41 | "0000111107000000e40300ffff030000", 42 | "26", 43 | "009c000c0800000000030400000000", 44 | "04010a", 45 | "000000", 46 | "08", 47 | "00", 48 | "837d1f0b6afe4010f43bff1f7f210100" 49 | ], 50 | "5": [ 51 | "d700", 52 | "2e", 53 | "0000111107000000e40300ffff030000", 54 | "26", 55 | "009c000c0800000000030400000000", 56 | "040122", 57 | "000000", 58 | "08", 59 | "00", 60 | "837d1f0b6afe4010f43bff1f7f210100" 61 | ], 62 | "6": [ 63 | "d700", 64 | "24", 65 | "0000111107000000e40300ffff030000", 66 | "26", 67 | "009c000c0800000000030400000000", 68 | "040122", 69 | "000000", 70 | "08", 71 | "00", 72 | "837d1f0b6afe4010f43bff1f7f210100" 73 | ], 74 | "7": [ 75 | "d700", 76 | "64", 77 | "0000111107000000e40300ffff030000", 78 | "26", 79 | "009c000c0800000000030400000000", 80 | "040122", 81 | "000000", 82 | "08", 83 | "00", 84 | "837d1f0b6afe4010f43bff1f7f210100" 85 | ], 86 | "8": [ 87 | "d700", 88 | "a5", 89 | "0000111107000000e40300ffff030000", 90 | "26", 91 | "009c000c0800000000030400000000", 92 | "040122", 93 
| "000000", 94 | "08", 95 | "00", 96 | "837d1f0b6afe4010f43bff1f7f210100" 97 | ], 98 | "9": [ 99 | "d700", 100 | "73", 101 | "0000111107000000e40300ffff030000", 102 | "26", 103 | "009c000c0800000000030400000000", 104 | "040309", 105 | "000000", 106 | "00", 107 | "00", 108 | "00002200000000000000b70000003c02" 109 | ], 110 | "10": [ 111 | "d700", 112 | "7d", 113 | "0000111107000000e40300ffff030000", 114 | "26", 115 | "009c000c0800000000030400000000", 116 | "040309", 117 | "000000", 118 | "00", 119 | "00", 120 | "00002200000000000000b70000003c02" 121 | ], 122 | "11": [ 123 | "d700", 124 | "9d", 125 | "0000111107000000e40300ffff030000", 126 | "26", 127 | "009c000c0800000000030400000000", 128 | "04010a", 129 | "000000", 130 | "08", 131 | "00", 132 | "837d1f0b6afe4010f43bff1f7f210100" 133 | ], 134 | "12": [ 135 | "d700", 136 | "c3", 137 | "0000111107000000e40300ffff030000", 138 | "26", 139 | "009c000c0800000000030400000000", 140 | "04010a", 141 | "000000", 142 | "08", 143 | "00", 144 | "837d1f0b6afe4010f43bff1f7f210100" 145 | ], 146 | "13": [ 147 | "d700", 148 | "d0", 149 | "0000111107000000e40300ffff030000", 150 | "26", 151 | "009c000c0800000000030400000000", 152 | "04010a", 153 | "000000", 154 | "08", 155 | "00", 156 | "837d1f0b6afe4010f43bff1f7f210100" 157 | ], 158 | "14": [ 159 | "d700", 160 | "d2", 161 | "0000111107000000e40300ffff030000", 162 | "26", 163 | "009c000c0800000000030400000000", 164 | "04030c", 165 | "000000", 166 | "00", 167 | "00", 168 | "00002200000000000000b70000003c02" 169 | ], 170 | "15": [ 171 | "d700", 172 | "fa", 173 | "0000111107000000e40300ffff030000", 174 | "26", 175 | "009c000c0800000000030400000000", 176 | "040309", 177 | "000000", 178 | "00", 179 | "00", 180 | "00002200000000000000b70000003c02" 181 | ] 182 | } -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/json/mitsubishi_field_61.json: -------------------------------------------------------------------------------- 1 | { 2 | "1": [ 
3 | "d700", 4 | "a9", 5 | "0000111107000000e40300ffff030000", 6 | "28", 7 | "009c000c0800000000030400000000", 8 | "0b0108", 9 | "000000", 10 | "04", 11 | "00", 12 | "4d4f4e49544f522051303004000000000000" 13 | ], 14 | "2": [ 15 | "d700", 16 | "20", 17 | "0000111107000000e40300ffff030000", 18 | "28", 19 | "009c000c0800000000030400000000", 20 | "0b0108", 21 | "000000", 22 | "04", 23 | "00", 24 | "4d4f4e49544f522051303004000000000000" 25 | ], 26 | "3": [ 27 | "d700", 28 | "ea", 29 | "0000111107000000e40300ffff030000", 30 | "28", 31 | "009c000c0800000000030400000000", 32 | "0b0108", 33 | "000000", 34 | "04", 35 | "00", 36 | "4d4f4e49544f522051303004000000000000" 37 | ], 38 | "4": [ 39 | "d700", 40 | "a9", 41 | "0000111107000000e40300ffff030000", 42 | "28", 43 | "009c000c0800000000030400000000", 44 | "0b0108", 45 | "000000", 46 | "04", 47 | "00", 48 | "4d4f4e49544f522051303004000000000000" 49 | ] 50 | } -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/json/mitsubishi_field_73.json: -------------------------------------------------------------------------------- 1 | { 2 | "1": [ 3 | "d700", 4 | "8a", 5 | "0000111107000000e40300ffff030000", 6 | "34", 7 | "009c000c0800000000030400000000", 8 | "0b0511", 9 | "000000", 10 | "00", 11 | "00", 12 | "0000", 13 | "0000000000000000", 14 | "00", 15 | "000000000000000000", 16 | "00", 17 | "00", 18 | "0000000000000000" 19 | ], 20 | "2": [ 21 | "d700", 22 | "b0", 23 | "0000111107000000e40300ffff030000", 24 | "34", 25 | "009c000c0800000000030400000000", 26 | "0b0511", 27 | "000000", 28 | "00", 29 | "00", 30 | "0000", 31 | "0000000000000000", 32 | "00", 33 | "000000000000000000", 34 | "00", 35 | "00", 36 | "0000000000000000" 37 | ], 38 | "3": [ 39 | "d700", 40 | "e3", 41 | "0000111107000000e40300ffff030000", 42 | "34", 43 | "009c000c0800000000030400000000", 44 | "0b0512", 45 | "000000", 46 | "00", 47 | "00", 48 | "0000", 49 | "0000000000000000", 50 | "00", 51 | "000000000000000000", 
52 | "00", 53 | "00", 54 | "0000000000000000" 55 | ], 56 | "4": [ 57 | "d700", 58 | "19", 59 | "0000111107000000e40300ffff030000", 60 | "34", 61 | "009c000c0800000000030400000000", 62 | "0b050d", 63 | "000000", 64 | "00", 65 | "00", 66 | "0000", 67 | "0000000000000000", 68 | "00", 69 | "000000000000000000", 70 | "00", 71 | "00", 72 | "0000000000000000" 73 | ], 74 | "5": [ 75 | "d700", 76 | "0f", 77 | "0000111107000000e40300ffff030000", 78 | "34", 79 | "009c000c0800000000030400000000", 80 | "0b050d", 81 | "000000", 82 | "00", 83 | "00", 84 | "0000", 85 | "0000000000000000", 86 | "00", 87 | "000000000000000000", 88 | "00", 89 | "00", 90 | "0000000000000000" 91 | ], 92 | "6": [ 93 | "d700", 94 | "4f", 95 | "0000111107000000e40300ffff030000", 96 | "34", 97 | "009c000c0800000000030400000000", 98 | "0b050d", 99 | "000000", 100 | "00", 101 | "00", 102 | "0000", 103 | "0000000000000000", 104 | "00", 105 | "000000000000000000", 106 | "00", 107 | "00", 108 | "0000000000000000" 109 | ], 110 | "7": [ 111 | "d700", 112 | "90", 113 | "0000111107000000e40300ffff030000", 114 | "34", 115 | "009c000c0800000000030400000000", 116 | "0b050d", 117 | "000000", 118 | "00", 119 | "00", 120 | "0000", 121 | "0000000000000000", 122 | "00", 123 | "000000000000000000", 124 | "00", 125 | "00", 126 | "0000000000000000" 127 | ], 128 | "8": [ 129 | "d700", 130 | "a5", 131 | "0000111107000000e40300ffff030000", 132 | "34", 133 | "009c000c0800000000030400000000", 134 | "0b0511", 135 | "000000", 136 | "00", 137 | "00", 138 | "0000", 139 | "0000000000000000", 140 | "00", 141 | "000000000000000000", 142 | "00", 143 | "00", 144 | "0000000000000000" 145 | ] 146 | } -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/json/mitsubishi_field_75.json: -------------------------------------------------------------------------------- 1 | { 2 | "1": [ 3 | "d700", 4 | "dc", 5 | "0000111107000000e40300ffff030000", 6 | "36", 7 | "009c000c0800000000030400000000", 8 | 
"18100b", 9 | "000000", 10 | "01", 11 | "00", 12 | "513036202020202044415420", 13 | "00000000000000000000", 14 | "6fa63150b21048", 15 | "00", 16 | "0000" 17 | ], 18 | "2": [ 19 | "d700", 20 | "fa", 21 | "0000111107000000e40300ffff030000", 22 | "36", 23 | "009c000c0800000000030400000000", 24 | "18100a", 25 | "000000", 26 | "01", 27 | "00", 28 | "513036202020202044415420", 29 | "00000000000000000000", 30 | "6fa63150b21048", 31 | "00", 32 | "0000" 33 | ], 34 | "3": [ 35 | "d700", 36 | "fd", 37 | "0000111107000000e40300ffff030000", 38 | "36", 39 | "009c000c0800000000030400000000", 40 | "18100d", 41 | "000000", 42 | "01", 43 | "00", 44 | "513036202020202044415420", 45 | "00000000000000000000", 46 | "6fa63150b21048", 47 | "00", 48 | "0000" 49 | ] 50 | } -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/json/mitsubishi_field_81.json: -------------------------------------------------------------------------------- 1 | { 2 | "1": [ 3 | "d700", 4 | "8d", 5 | "0000111107000000e40300ffff030000", 6 | "3c", 7 | "009c000c0800000000030400000000", 8 | "04", 9 | "01", 10 | "09", 11 | "000000", 12 | "020000000490310000800100800004000000", 13 | "00", 14 | "000000000000000000010610", 15 | "00", 16 | "0002020800010002" 17 | ], 18 | "2": [ 19 | "d700", 20 | "04", 21 | "0000111107000000e40300ffff030000", 22 | "3c", 23 | "009c000c0800000000030400000000", 24 | "04", 25 | "01", 26 | "09", 27 | "000000", 28 | "020000000490310000800100800004000000", 29 | "00", 30 | "000000000000000000010610", 31 | "00", 32 | "0002020800010002" 33 | ], 34 | "3": [ 35 | "d700", 36 | "ce", 37 | "0000111107000000e40300ffff030000", 38 | "3c", 39 | "009c000c0800000000030400000000", 40 | "04", 41 | "01", 42 | "09", 43 | "000000", 44 | "020000000490310000800100800004000000", 45 | "00", 46 | "000000000000000000010610", 47 | "00", 48 | "0002020800010002" 49 | ], 50 | "4": [ 51 | "d700", 52 | "8d", 53 | "0000111107000000e40300ffff030000", 54 | "3c", 55 | 
"009c000c0800000000030400000000", 56 | "04", 57 | "01", 58 | "09", 59 | "000000", 60 | "020000000490310000800100800004000000", 61 | "00", 62 | "000000000000000000010610", 63 | "00", 64 | "0002020800010002" 65 | ] 66 | } -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/json/mitsubishi_field_83.json: -------------------------------------------------------------------------------- 1 | { 2 | "1": [ 3 | "d700", 4 | "9b", 5 | "0000111107000000e40300ffff030000", 6 | "3e", 7 | "009c000c0800000000030400000000", 8 | "0b0522", 9 | "000000", 10 | "42205032182004105130365544454843505520202020202020", 11 | "00", 12 | "32303130323030303030303030303000" 13 | ], 14 | "2": [ 15 | "d700", 16 | "c1", 17 | "0000111107000000e40300ffff030000", 18 | "3e", 19 | "009c000c0800000000030400000000", 20 | "0b0522", 21 | "000000", 22 | "42205032182004105130365544454843505520202020202020", 23 | "00", 24 | "32303130323030303030303030303000" 25 | ], 26 | "3": [ 27 | "d700", 28 | "f4", 29 | "0000111107000000e40300ffff030000", 30 | "3e", 31 | "009c000c0800000000030400000000", 32 | "0b0523", 33 | "000000", 34 | "42205032182004105130365544454843505520202020202020", 35 | "00", 36 | "32303130323030303030303030303000" 37 | ], 38 | "4": [ 39 | "d700", 40 | "2a", 41 | "0000111107000000e40300ffff030000", 42 | "3e", 43 | "009c000c0800000000030400000000", 44 | "0b051e", 45 | "000000", 46 | "42205032182004105130365544454843505520202020202020", 47 | "00", 48 | "32303130323030303030303030303000" 49 | ], 50 | "5": [ 51 | "d700", 52 | "20", 53 | "0000111107000000e40300ffff030000", 54 | "3e", 55 | "009c000c0800000000030400000000", 56 | "0b051e", 57 | "000000", 58 | "42205032182004105130365544454843505520202020202020", 59 | "00", 60 | "32303130323030303030303030303000" 61 | ], 62 | "6": [ 63 | "d700", 64 | "60", 65 | "0000111107000000e40300ffff030000", 66 | "3e", 67 | "009c000c0800000000030400000000", 68 | "0b051e", 69 | "000000", 70 | 
"42205032182004105130365544454843505520202020202020", 71 | "00", 72 | "32303130323030303030303030303000" 73 | ], 74 | "7": [ 75 | "d700", 76 | "a1", 77 | "0000111107000000e40300ffff030000", 78 | "3e", 79 | "009c000c0800000000030400000000", 80 | "0b051e", 81 | "000000", 82 | "42205032182004105130365544454843505520202020202020", 83 | "00", 84 | "32303130323030303030303030303000" 85 | ], 86 | "8": [ 87 | "d700", 88 | "b6", 89 | "0000111107000000e40300ffff030000", 90 | "3e", 91 | "009c000c0800000000030400000000", 92 | "0b0522", 93 | "000000", 94 | "42205032182004105130365544454843505520202020202020", 95 | "00", 96 | "32303130323030303030303030303000" 97 | ] 98 | } -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/length/len_115.txt: -------------------------------------------------------------------------------- 1 | d700dd0000111107000000e40300ffff0300005e009c000c080000000003040000000018280c000000480040002201616263202020202020202020202020202020202020202020202020202020202004070080ffffffffffffffffffffffffffffffffffffffffffffffff000000ff00000000 2 | -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/length/len_169.txt: -------------------------------------------------------------------------------- 1 | d700860000111107000000e40300ffff03000094009c000c08000000000304000000000b050c0000000480000000000000000000000000000004000000000000000000000000000000000001000200030004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 2 | 
d700870000111107000000e40300ffff03000094009c000c08000000000304000000000b050e0000000000000000000000000000000000000000000000000000000000000000000000001400140014001400140034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034 3 | d700880000111107000000e40300ffff03000094009c000c08000000000304000000000b050f000000003400340034003400340034003400340034003400340034003400340034003400000100020003000400ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 4 | d700890000111107000000e40300ffff03000094009c000c08000000000304000000000b0510000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 5 | d700ac0000111107000000e40300ffff03000094009c000c08000000000304000000000b050c0000000480000000000000000000000000000004000000000000000000000000000000000001000200030004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 6 | d700ad0000111107000000e40300ffff03000094009c000c08000000000304000000000b050e0000000000000000000000000000000000000000000000000000000000000000000000001400140014001400140034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034 7 | 
d700ae0000111107000000e40300ffff03000094009c000c08000000000304000000000b050f000000003400340034003400340034003400340034003400340034003400340034003400000100020003000400ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 8 | d700af0000111107000000e40300ffff03000094009c000c08000000000304000000000b0510000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 9 | d700df0000111107000000e40300ffff03000094009c000c08000000000304000000000b050d0000000480000000000000000000000000000004000000000000000000000000000000000001000200030004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 10 | d700e00000111107000000e40300ffff03000094009c000c08000000000304000000000b050f0000000000000000000000000000000000000000000000000000000000000000000000001400140014001400140034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034 11 | d700e10000111107000000e40300ffff03000094009c000c08000000000304000000000b0510000000003400340034003400340034003400340034003400340034003400340034003400000100020003000400ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 12 | 
d700e20000111107000000e40300ffff03000094009c000c08000000000304000000000b0511000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 13 | d700150000111107000000e40300ffff03000094009c000c08000000000304000000000b05090000000480000000000000000000000000000004000000000000000000000000000000000001000200030004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 14 | d700160000111107000000e40300ffff03000094009c000c08000000000304000000000b050a0000000000000000000000000000000000000000000000000000000000000000000000001400140014001400140034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034 15 | d700170000111107000000e40300ffff03000094009c000c08000000000304000000000b050b000000003400340034003400340034003400340034003400340034003400340034003400000100020003000400ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 16 | d700180000111107000000e40300ffff03000094009c000c08000000000304000000000b050c000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 17 | 
d7000b0000111107000000e40300ffff03000094009c000c08000000000304000000000b05090000000480000000000000000000000000000004000000000000000000000000000000000001000200030004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 18 | d7000c0000111107000000e40300ffff03000094009c000c08000000000304000000000b050a0000000000000000000000000000000000000000000000000000000000000000000000001400140014001400140034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034 19 | d7000d0000111107000000e40300ffff03000094009c000c08000000000304000000000b050b000000003400340034003400340034003400340034003400340034003400340034003400000100020003000400ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 20 | d7000e0000111107000000e40300ffff03000094009c000c08000000000304000000000b050c000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 21 | d7004b0000111107000000e40300ffff03000094009c000c08000000000304000000000b05090000000480000000000000000000000000000004000000000000000000000000000000000001000200030004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 22 | 
d7004c0000111107000000e40300ffff03000094009c000c08000000000304000000000b050a0000000000000000000000000000000000000000000000000000000000000000000000001400140014001400140034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034 23 | d7004d0000111107000000e40300ffff03000094009c000c08000000000304000000000b050b000000003400340034003400340034003400340034003400340034003400340034003400000100020003000400ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 24 | d7004e0000111107000000e40300ffff03000094009c000c08000000000304000000000b050c000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 25 | d7008c0000111107000000e40300ffff03000094009c000c08000000000304000000000b05090000000480000000000000000000000000000004000000000000000000000000000000000001000200030004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 26 | d7008d0000111107000000e40300ffff03000094009c000c08000000000304000000000b050a0000000000000000000000000000000000000000000000000000000000000000000000001400140014001400140034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034 27 | 
d7008e0000111107000000e40300ffff03000094009c000c08000000000304000000000b050b000000003400340034003400340034003400340034003400340034003400340034003400000100020003000400ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 28 | d7008f0000111107000000e40300ffff03000094009c000c08000000000304000000000b050c000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 29 | d700a10000111107000000e40300ffff03000094009c000c08000000000304000000000b050c0000000480000000000000000000000000000004000000000000000000000000000000000001000200030004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 30 | d700a20000111107000000e40300ffff03000094009c000c08000000000304000000000b050e0000000000000000000000000000000000000000000000000000000000000000000000001400140014001400140034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034003400340034 31 | d700a30000111107000000e40300ffff03000094009c000c08000000000304000000000b050f000000003400340034003400340034003400340034003400340034003400340034003400000100020003000400ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 32 | 
d700a40000111107000000e40300ffff03000094009c000c08000000000304000000000b0510000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 33 | -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/length/len_171.txt: -------------------------------------------------------------------------------- 1 | d7009c0000111107000000e40300ffff03000096009c000c08000000000304000000000b052300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 2 | d700c20000111107000000e40300ffff03000096009c000c08000000000304000000000b052300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 3 | d700f50000111107000000e40300ffff03000096009c000c08000000000304000000000b052400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 4 | d7002b0000111107000000e40300ffff03000096009c000c08000000000304000000000b051f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 5 | 
d700210000111107000000e40300ffff03000096009c000c08000000000304000000000b051f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 6 | d700610000111107000000e40300ffff03000096009c000c08000000000304000000000b051f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 7 | d700a20000111107000000e40300ffff03000096009c000c08000000000304000000000b051f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 8 | d700b70000111107000000e40300ffff03000096009c000c08000000000304000000000b052300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 9 | -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/length/len_365.txt: -------------------------------------------------------------------------------- 1 | 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 2 | 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 3 | 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 4 | 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 5 | 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 6 | -------------------------------------------------------------------------------- 
/Mitsubishi-Dispatcher/length/len_41.txt: -------------------------------------------------------------------------------- 1 | d700aa0000111107000000e40300ffff03000014009c000c08000000000304000000000b0309000000 2 | d700ab0000111107000000e40300ffff03000014009c000c080000000003040000000008010a000000 3 | d700210000111107000000e40300ffff03000014009c000c08000000000304000000000b0309000000 4 | d700220000111107000000e40300ffff03000014009c000c080000000003040000000008010a000000 5 | d700eb0000111107000000e40300ffff03000014009c000c08000000000304000000000b0309000000 6 | d700ec0000111107000000e40300ffff03000014009c000c080000000003040000000008010a000000 7 | d7002e0000111107000000e40300ffff03000014009c000c0800000000030400000000100247000000 8 | d700810000111107000000e40300ffff03000014009c000c0800000000030400000000110309000000 9 | d700de0000111107000000e40300ffff03000014009c000c0800000000030400000000182a0d000000 10 | d700ff0000111107000000e40300ffff03000014009c000c080000000003040000000018260f000000 11 | d700000000111107000000e40300ffff03000014009c000c0800000000030400000000183710000000 12 | d700150000111107000000e40300ffff03000014009c000c0800000000030400000000183609000000 13 | d700390000111107000000e40300ffff03000014009c000c080000000003040000000018040a000000 14 | d700510000111107000000e40300ffff03000014009c000c0800000000030400000000180109000000 15 | d700870000111107000000e40300ffff03000014009c000c0800000000030400000000140509000000 16 | d700eb0000111107000000e40300ffff03000014009c000c080000000003040000000018200c000000 17 | d700ef0000111107000000e40300ffff03000014009c000c0800000000030400000000182610000000 18 | d700f00000111107000000e40300ffff03000014009c000c0800000000030400000000183711000000 19 | d700ff0000111107000000e40300ffff03000014009c000c080000000003040000000018360c000000 20 | d700aa0000111107000000e40300ffff03000014009c000c08000000000304000000000b0309000000 21 | d700ab0000111107000000e40300ffff03000014009c000c080000000003040000000008010a000000 22 | 
-------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/length/len_47.txt: -------------------------------------------------------------------------------- 1 | d700000000111107000000e40300ffff0300001a009c000c0800000000030400000000040109000000e80f6e3b0000 2 | d700400000111107000000e40300ffff0300001a009c000c0800000000030400000000040109000000e80f6e3b0000 3 | d700360000111107000000e40300ffff0300001a009c000c0800000000030400000000040109000000e80f6e3b0000 4 | d700160000111107000000e40300ffff0300001a009c000c080000000003040000000004030a000000000064000000 5 | d700000000111107000000e40300ffff0300001a009c000c080000000003040000000004030e000000000064000000 6 | d700140000111107000000e40300ffff0300001a009c000c0800000000030400000000040109000000e80f6e3b0000 7 | d7001e0000111107000000e40300ffff0300001a009c000c0800000000030400000000040109000000e80f6e3b0000 8 | -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/length/len_49.txt: -------------------------------------------------------------------------------- 1 | d7009d0000111107000000e40300ffff0300001c009c000c0800000000030400000000040105000000005905000e000000 2 | d7009e0000111107000000e40300ffff0300001c009c000c08000000000304000000000401060000000000000000000000 3 | d700a60000111107000000e40300ffff0300001c009c000c0800000000030400000000040105000000005905000e000000 4 | d700a70000111107000000e40300ffff0300001c009c000c08000000000304000000000401060000000000000000000000 5 | d700140000111107000000e40300ffff0300001c009c000c0800000000030400000000040105000000005905000e000000 6 | d700150000111107000000e40300ffff0300001c009c000c08000000000304000000000401060000000000000000000000 7 | d7001d0000111107000000e40300ffff0300001c009c000c0800000000030400000000040105000000005905000e000000 8 | d7001e0000111107000000e40300ffff0300001c009c000c08000000000304000000000401060000000000000000000000 9 | 
d7005f0000111107000000e40300ffff0300001c009c000c08000000000304000000000104090000002004280021250220 10 | d700690000111107000000e40300ffff0300001c009c000c08000000000304000000000104090000002004280021310220 11 | d700800000111107000000e40300ffff0300001c009c000c08000000000304000000000104090000002004280022190220 12 | d7008a0000111107000000e40300ffff0300001c009c000c08000000000304000000000104090000002004280022250220 13 | d700de0000111107000000e40300ffff0300001c009c000c0800000000030400000000040105000000005905000e000000 14 | d700df0000111107000000e40300ffff0300001c009c000c08000000000304000000000401060000000000000000000000 15 | d700e70000111107000000e40300ffff0300001c009c000c0800000000030400000000040105000000005905000e000000 16 | d700e80000111107000000e40300ffff0300001c009c000c08000000000304000000000401060000000000000000000000 17 | d700610000111107000000e40300ffff0300001c009c000c08000000000304000000000104090000002004070012220220 18 | d7006b0000111107000000e40300ffff0300001c009c000c08000000000304000000000104090000002004070012280220 19 | d7008b0000111107000000e40300ffff0300001c009c000c08000000000304000000000104090000002004060013290120 20 | d7009d0000111107000000e40300ffff0300001c009c000c0800000000030400000000040105000000005905000e000000 21 | d7009e0000111107000000e40300ffff0300001c009c000c08000000000304000000000401060000000000000000000000 22 | d700a60000111107000000e40300ffff0300001c009c000c0800000000030400000000040105000000005905000e000000 23 | d700a70000111107000000e40300ffff0300001c009c000c08000000000304000000000401060000000000000000000000 24 | -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/length/len_493.txt: -------------------------------------------------------------------------------- 1 | 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 2 | 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 3 | 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 4 | 
-------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/length/len_53.txt: -------------------------------------------------------------------------------- 1 | d7009d0000111107000000e40300ffff03000020009c000c08000000000304000000000b0524000000010001010200000000000000 2 | d700c30000111107000000e40300ffff03000020009c000c08000000000304000000000b0524000000010001010200000000000000 3 | d700f60000111107000000e40300ffff03000020009c000c08000000000304000000000b0525000000010001010200000000000000 4 | d7002c0000111107000000e40300ffff03000020009c000c08000000000304000000000b0520000000010001010200000000000000 5 | d700220000111107000000e40300ffff03000020009c000c08000000000304000000000b0520000000010001010200000000000000 6 | d700620000111107000000e40300ffff03000020009c000c08000000000304000000000b0520000000010001010200000000000000 7 | d700770000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010200000000000000 8 | d700820000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010200000000000000 9 | d700970000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010200000000000000 10 | d700a00000111107000000e40300ffff03000020009c000c08000000000304000000000b0508000000010001010200000000000000 11 | d700ee0000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010200000000000000 12 | d700f90000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010200000000000000 13 | d7000e0000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010200000000000000 14 | d700170000111107000000e40300ffff03000020009c000c08000000000304000000000b0508000000010001010200000000000000 15 | d700540000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010200000000000000 16 | d700750000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010200000000000000 17 | 
d700c20000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010200000000000000 18 | d700e60000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010200000000000000 19 | d7000a0000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010200000000000000 20 | d700170000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010200000000000000 21 | d700240000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010200000000000000 22 | d7003b0000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010200000000000000 23 | d700240000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010200000000000000 24 | d7005d0000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010200000000000000 25 | d700460000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010200000000000000 26 | d700680000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010200000000000000 27 | d700750000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010200000000000000 28 | d700810000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010000000000000000 29 | d700a30000111107000000e40300ffff03000020009c000c08000000000304000000000b0520000000010001010000000000000000 30 | d700b80000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010000000000000000 31 | d700c30000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010000000000000000 32 | d700d80000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010000000000000000 33 | d700e10000111107000000e40300ffff03000020009c000c08000000000304000000000b0508000000010001010000000000000000 34 | 
d700560000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010000000000000000 35 | d700770000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010000000000000000 36 | d700c20000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010000000000000000 37 | d7002b0000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010000000000000000 38 | d700440000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010000000000000000 39 | d7005c0000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010000000000000000 40 | d700920000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010000000000000000 41 | d700b80000111107000000e40300ffff03000020009c000c08000000000304000000000b0524000000010001010000000000000000 42 | d700770000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010200000000000000 43 | d700820000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010200000000000000 44 | d700970000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010200000000000000 45 | d700a00000111107000000e40300ffff03000020009c000c08000000000304000000000b0508000000010001010200000000000000 46 | d7000b0000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010000000000000000 47 | -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/length/len_55.txt: -------------------------------------------------------------------------------- 1 | d7002f0000111107000000e40300ffff03000022009c000c0800000000030400000000180b2300000004007c007b0000f00000e6ed0000 2 | d700250000111107000000e40300ffff03000022009c000c0800000000030400000000180b2300000004007c007b0000f00000e6ed0000 3 | 
d700650000111107000000e40300ffff03000022009c000c0800000000030400000000180b2300000004007c007b0000f00000e6ed0000 4 | d700a60000111107000000e40300ffff03000022009c000c0800000000030400000000180b2300000004007c00790000f000002fed0000 5 | d7000a0000111107000000e40300ffff03000022009c000c0800000000030400000000180b0900000004007c007b0000f00000e6ed0000 6 | -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/length/len_59.txt: -------------------------------------------------------------------------------- 1 | d700820000111107000000e40300ffff03000026009c000c080000000003040000000004010a0000000800837d1f0b6afe4010f43bff1f7f210100 2 | d700a80000111107000000e40300ffff03000026009c000c080000000003040000000004010a0000000800837d1f0b6afe4010f43bff1f7f210100 3 | d700ce0000111107000000e40300ffff03000026009c000c080000000003040000000004010a0000000800837d1f0b6afe4010f43bff1f7f210100 4 | d700da0000111107000000e40300ffff03000026009c000c080000000003040000000004010a0000000800837d1f0b6afe4010f43bff1f7f210100 5 | d7002e0000111107000000e40300ffff03000026009c000c08000000000304000000000401220000000800837d1f0b6afe4010f43bff1f7f210100 6 | d700240000111107000000e40300ffff03000026009c000c08000000000304000000000401220000000800837d1f0b6afe4010f43bff1f7f210100 7 | d700640000111107000000e40300ffff03000026009c000c08000000000304000000000401220000000800837d1f0b6afe4010f43bff1f7f210100 8 | d700a50000111107000000e40300ffff03000026009c000c08000000000304000000000401220000000800837d1f0b6afe4010f43bff1f7f210100 9 | d700730000111107000000e40300ffff03000026009c000c0800000000030400000000040309000000000000002200000000000000b70000003c02 10 | d7007d0000111107000000e40300ffff03000026009c000c0800000000030400000000040309000000000000002200000000000000b70000003c02 11 | d7009d0000111107000000e40300ffff03000026009c000c080000000003040000000004010a0000000800837d1f0b6afe4010f43bff1f7f210100 12 | 
d700c30000111107000000e40300ffff03000026009c000c080000000003040000000004010a0000000800837d1f0b6afe4010f43bff1f7f210100 13 | d700d00000111107000000e40300ffff03000026009c000c080000000003040000000004010a0000000800837d1f0b6afe4010f43bff1f7f210100 14 | d700d20000111107000000e40300ffff03000026009c000c080000000003040000000004030c000000000000002200000000000000b70000003c02 15 | d700fa0000111107000000e40300ffff03000026009c000c0800000000030400000000040309000000000000002200000000000000b70000003c02 16 | -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/length/len_61.txt: -------------------------------------------------------------------------------- 1 | d700a90000111107000000e40300ffff03000028009c000c08000000000304000000000b010800000004004d4f4e49544f522051303004000000000000 2 | d700200000111107000000e40300ffff03000028009c000c08000000000304000000000b010800000004004d4f4e49544f522051303004000000000000 3 | d700ea0000111107000000e40300ffff03000028009c000c08000000000304000000000b010800000004004d4f4e49544f522051303004000000000000 4 | d700a90000111107000000e40300ffff03000028009c000c08000000000304000000000b010800000004004d4f4e49544f522051303004000000000000 5 | -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/length/len_73.txt: -------------------------------------------------------------------------------- 1 | d7008a0000111107000000e40300ffff03000034009c000c08000000000304000000000b05110000000000000000000000000000000000000000000000000000000000000000000000 2 | d700b00000111107000000e40300ffff03000034009c000c08000000000304000000000b05110000000000000000000000000000000000000000000000000000000000000000000000 3 | d700e30000111107000000e40300ffff03000034009c000c08000000000304000000000b05120000000000000000000000000000000000000000000000000000000000000000000000 4 | 
d700190000111107000000e40300ffff03000034009c000c08000000000304000000000b050d0000000000000000000000000000000000000000000000000000000000000000000000 5 | d7000f0000111107000000e40300ffff03000034009c000c08000000000304000000000b050d0000000000000000000000000000000000000000000000000000000000000000000000 6 | d7004f0000111107000000e40300ffff03000034009c000c08000000000304000000000b050d0000000000000000000000000000000000000000000000000000000000000000000000 7 | d700900000111107000000e40300ffff03000034009c000c08000000000304000000000b050d0000000000000000000000000000000000000000000000000000000000000000000000 8 | d700a50000111107000000e40300ffff03000034009c000c08000000000304000000000b05110000000000000000000000000000000000000000000000000000000000000000000000 9 | -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/length/len_75.txt: -------------------------------------------------------------------------------- 1 | d700dc0000111107000000e40300ffff03000036009c000c080000000003040000000018100b0000000100513036202020202044415420000000000000000000006fa63150b21048000000 2 | d700fa0000111107000000e40300ffff03000036009c000c080000000003040000000018100a0000000100513036202020202044415420000000000000000000006fa63150b21048000000 3 | d700fd0000111107000000e40300ffff03000036009c000c080000000003040000000018100d0000000100513036202020202044415420000000000000000000006fa63150b21048000000 4 | -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/length/len_81.txt: -------------------------------------------------------------------------------- 1 | d7008d0000111107000000e40300ffff0300003c009c000c080000000003040000000004010900000002000000049031000080010080000400000000000000000000000000010610000002020800010002 2 | d700040000111107000000e40300ffff0300003c009c000c080000000003040000000004010900000002000000049031000080010080000400000000000000000000000000010610000002020800010002 3 | 
d700ce0000111107000000e40300ffff0300003c009c000c080000000003040000000004010900000002000000049031000080010080000400000000000000000000000000010610000002020800010002 4 | d7008d0000111107000000e40300ffff0300003c009c000c080000000003040000000004010900000002000000049031000080010080000400000000000000000000000000010610000002020800010002 5 | -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/length/len_83.txt: -------------------------------------------------------------------------------- 1 | d7009b0000111107000000e40300ffff0300003e009c000c08000000000304000000000b0522000000422050321820041051303655444548435055202020202020200032303130323030303030303030303000 2 | d700c10000111107000000e40300ffff0300003e009c000c08000000000304000000000b0522000000422050321820041051303655444548435055202020202020200032303130323030303030303030303000 3 | d700f40000111107000000e40300ffff0300003e009c000c08000000000304000000000b0523000000422050321820041051303655444548435055202020202020200032303130323030303030303030303000 4 | d7002a0000111107000000e40300ffff0300003e009c000c08000000000304000000000b051e000000422050321820041051303655444548435055202020202020200032303130323030303030303030303000 5 | d700200000111107000000e40300ffff0300003e009c000c08000000000304000000000b051e000000422050321820041051303655444548435055202020202020200032303130323030303030303030303000 6 | d700600000111107000000e40300ffff0300003e009c000c08000000000304000000000b051e000000422050321820041051303655444548435055202020202020200032303130323030303030303030303000 7 | d700a10000111107000000e40300ffff0300003e009c000c08000000000304000000000b051e000000422050321820041051303655444548435055202020202020200032303130323030303030303030303000 8 | d700b60000111107000000e40300ffff0300003e009c000c08000000000304000000000b0522000000422050321820041051303655444548435055202020202020200032303130323030303030303030303000 9 | -------------------------------------------------------------------------------- 
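# /Mitsubishi-Dispatcher/length_cluster.py
import os
from state_filter import load_data
from binascii import b2a_hex


def main():
    """Group every captured packet under ./pkts by length and dump each group.

    Each file in ./pkts is read with state_filter.load_data (defined in
    another module; presumably it yields decoded packets as byte strings --
    TODO confirm). Packets of length N are written hex-encoded, one per line,
    to ./length/len_N.txt. The ./length directory must already exist.
    """
    length_dict = {}

    for filename in os.listdir('./pkts'):
        for line in load_data('./pkts/' + filename):
            length_dict.setdefault(len(line), []).append(line)

    for length in sorted(length_dict):
        # `with` closes the output file even if a write fails part-way.
        with open('./length/len_{}.txt'.format(length), 'w') as fp:
            for pkt in length_dict[length]:
                # b2a_hex returns a byte string; decode it so the write also
                # works where str and bytes are distinct types.
                fp.write(b2a_hex(pkt).decode('ascii') + '\n')


if __name__ == '__main__':
    main()

# -------- /Mitsubishi-Dispatcher/length_fields_analysis.py: --------
from binascii import *
from struct import *
import random


def maxk(arraylist, k):
    """Return ``[values, indices]`` of the k largest elements of arraylist.

    The first k elements seed the result; every later element that is
    strictly greater than the current minimum replaces it, so on ties the
    earlier index is kept. The result is not sorted. Raises IndexError when
    k exceeds len(arraylist).
    """
    maxlist = [arraylist[i] for i in range(k)]
    # Must be a real list: entries are deleted and appended below, which a
    # lazy range object does not support.
    maxlist_id = list(range(k))

    for i in range(k, len(arraylist)):
        smallest = min(maxlist)
        if arraylist[i] > smallest:
            mm = maxlist.index(smallest)
            del maxlist[mm]
            del maxlist_id[mm]
            maxlist.append(arraylist[i])
            maxlist_id.append(i)
    return [maxlist, maxlist_id]


def load_data(filename):
    """Read hex-encoded packets (one per line) into a dict keyed by length.

    Only the last packet seen for each length is kept, because later lines
    overwrite earlier ones under the same key.
    """
    with open(filename, 'r') as fp:
        data_t = fp.readlines()

    the_dict = {}
    for item in data_t:
        data_item = a2b_hex(item.strip('\r\n'))
        the_dict[len(data_item)] = data_item
    return the_dict


def main():
    """Locate the byte offset that most likely holds a length field.

    For one sample packet per length, every byte is replaced by
    ``byte - packet_length``. An offset where that difference agrees across
    packets of different lengths is a candidate "value = length + constant"
    field; the offset with the most agreements is printed together with the
    constant observed for each length.
    """
    filename = './pkts/read_from_plc.txt'
    # filename = 'omoron.txt'
    the_dict = load_data(filename)
    the_key = sorted(the_dict.keys())
    print('key count:',len(the_key))
    key_count = len(the_key)

    handle_dict = {}
    for key in the_key:
        # bytearray yields integers whether the packet is a Python 2 str or
        # a bytes object, so no per-byte unpack() is needed.
        handle_dict[key] = [value - key for value in bytearray(the_dict[key])]

    max_length = the_key[-1]
    offset = [0] * max_length

    for key in the_key:
        baseline = handle_dict[key]  # every length packet can be a base
        for content in handle_dict.values():
            for i in range(max_length):
                try:
                    if content[i] == baseline[i]:
                        offset[i] += 1
                except IndexError:
                    # One of the two packets is shorter than max_length;
                    # nothing further to compare for this pair.
                    break

    # NOTE(review): `/` floors on Python 2 and is true division on Python 3,
    # which can change which offset wins a near-tie -- confirm the intended
    # interpreter.
    ave_offset = [item/key_count for item in offset]

    maxlist,max_index = maxk(ave_offset,1)
    print('index=>',maxlist)
    print('max_index=>',max_index[0])
    print('relation:')
    for key in the_key:
        fixed_rel = handle_dict[key][max_index[0]]
        print('value=len+fixed;len:{},fixed:{}'.format(key,fixed_rel))


if __name__ == '__main__':
    main()

# -------- /Mitsubishi-Dispatcher/logs/session.json: --------
# {
#   "34": 0,
#   "35": 0,
#   "4": 0,
#   "38": 0,
#   "6": 0,
#   "7": 0,
#   "8": 0,
#   "9": 0,
#   "10": 0,
#   "39": 0,
#   "13": 0,
#   "47": 0,
#   "17": 0,
#   "18": 0,
#   "-1": 7.505000114440918,
#   "36": 0,
#   "-2": 0
# }
# -------- /Mitsubishi-Dispatcher/mutate_engine.py: --------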
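from boofuzz import *
import sys
import json
from binascii import *
import logging
import time
from struct import *

# Not referenced anywhere else in this module.
ITEM_MUTATE_COUNT = 5

# NOTE(review): frames are assembled with ''.join(...) over values produced by
# a2b_hex, which only works where str is a byte string (Python 2) -- confirm
# the target interpreter before reusing this module.


def _mutate_bytes(v):
    """Build a boofuzz request holding one numeric primitive seeded from v.

    The primitive is chosen by len(v): 1 -> s_byte, 2 -> s_word,
    3 -> s_random (up to len(v) + 2 bytes), 4 -> s_dword. Any other length is
    only logged at debug level and the request is returned without a
    primitive. The global request table is reset before returning.
    """
    tag = 'mutate_bytes'
    s_initialize(tag)
    size = len(v)
    if size == 1:
        s_byte(value=ord(v))
    elif size == 2:
        # NOTE(review): the seed is parsed most-significant byte first, while
        # s_word/s_dword render little-endian by default, so the unmutated
        # value may come out byte-swapped -- confirm.
        s_word(value=int(b2a_hex(v), 16))
    elif size == 3:
        s_random(value=v, min_length=0, max_length=size + 2)
    elif size == 4:
        s_dword(value=int(b2a_hex(v), 16))
    else:
        logging.debug('Error in _mutate_bytes:{}'.format(size))

    data = s_get(tag)
    # Drop the registration so the same tag can be initialised again.
    blocks.REQUESTS = {}
    return data


def _mutate_str(v, max_length=0x1060):
    """Build a boofuzz request holding one s_string primitive seeded from v.

    max_length is passed to s_string as max_len. The global request table is
    reset before returning.
    """
    tag = 'mutate_str'
    s_initialize(tag)
    s_string(value=v, max_len=max_length)

    data = s_get(tag)
    blocks.REQUESTS = {}
    return data


def _mutate_binary(v):
    """Build a boofuzz request holding one s_random primitive seeded from v.

    Generated values are between 0 and len(v) bytes long. The global request
    table is reset before returning.
    """
    tag = 'mutate_binary'
    s_initialize(tag)
    s_random(value=v, min_length=0, max_length=len(v))

    data = s_get(tag)
    blocks.REQUESTS = {}
    return data


def mutate(field):
    """Return the mutation seed for one field.

    field is a ``(type, value)`` pair such as ``('number', '\\x03')``.
    'number' and 'str' get dedicated builders; every other type is treated as
    opaque binary.
    """
    kind, value = field[0], field[1]
    if kind == 'number':
        return _mutate_bytes(value)
    if kind == 'str':
        return _mutate_str(value)
    return _mutate_binary(value)


def gendata(idx, dataModel):
    """Return frames in which only field idx differs from dataModel.

    NOTE(review): this iterates directly over the object returned by
    mutate(); whether that yields rendered byte strings depends on the
    boofuzz version in use -- confirm. get_data_list() is the variant that
    goes through seed.mutate()/seed.render().
    """
    mutate_field_array = mutate(dataModel[idx])
    result = []
    for mutateItem in mutate_field_array:
        # FIXME: add length constraint for string mutation
        # dataModel[i] is a field organised as (type, data).
        composed = [
            mutateItem if i == idx else dataModel[i][1]
            for i in range(len(dataModel))
        ]
        result.append(''.join(composed))
    return result


# only for protocol of gxworks_2
# different protocol will have different encode method

def encode(data):
    """Rewrite the length field of a GX Works2 frame to match its size.

    Captured frames carry ``len(frame) - 21`` as a little-endian 16-bit value
    at offsets 19..20 (a 41-byte frame carries 14 00), so bytes 19..20 of
    data are replaced with that value. Frames shorter than 21 bytes get a
    zero length field instead.

    Raises struct.error when ``len(data) - 21`` does not fit in 16 bits.
    """
    length = len(data)
    if length >= 21:
        # '<H' pins the byte order seen on the wire; a bare 'H' follows the
        # host's native order and would be wrong on a big-endian machine.
        bin_data = pack('<H', length - 21)
    else:
        # Bytes literal so the concatenation below is valid for bytes input.
        bin_data = b'\x00\x00'
    return data[:19] + bin_data + data[21:]


def mutateDataItem(dataModel):
    """Return length-corrected mutated frames for every field of dataModel.

    dataModel is a list of ``(type, hex_string)`` pairs; values are decoded
    with a2b_hex before mutation and each generated frame goes through
    encode().
    """
    new_dataModel = [(model[0], a2b_hex(model[1])) for model in dataModel]

    mutate_array = []
    for i in range(len(new_dataModel)):
        for d in gendata(i, new_dataModel):
            mutate_array.append(encode(d))
    return mutate_array


def _build_mutateModel(idx, dataModel, inner_business_dict):
    """Create one mutation seed per field and store the list under idx.

    Does nothing when idx is already present, so seeds that have been
    advanced by earlier calls are not replaced. Always returns None.
    """
    if idx in inner_business_dict:
        return None

    inner_business_dict[idx] = [mutate(model) for model in dataModel]
    return None


def _get_mutate_data(seed):
    """Advance seed by one mutation and return it rendered, as a list.

    Returns an empty list once seed.mutate() reports that no mutation is
    left.
    """
    if seed.mutate():
        return [seed.render()]
    return []


def _gen_data_from_field(idx, dataModel, seed):
    """Return frames built from dataModel with field idx replaced by a mutation.

    idx: index of the field to mutate
    dataModel: list of (type, data) fields generated from one packet
    seed: mutation seed that corresponds to that field
    """
    dataModel[idx]  # keeps the original IndexError for an out-of-range idx
    result = []
    for mutateItem in _get_mutate_data(seed):
        composed = [
            mutateItem if i == idx else dataModel[i][1]
            for i in range(len(dataModel))
        ]
        result.append(''.join(composed))
    return result


def get_data_list(idx, inner_business_dict, dataModel):
    """Return the next mutated frame for each field of packet number idx.

    idx: position of the packet in the data stream (int or numeric string)
    inner_business_dict: seeds per packet, as filled by _build_mutateModel
    dataModel: list of packets, each a list of (type, value) fields

    The seeds must have been built first; otherwise the process exits.
    """
    idx = int(idx)
    if idx not in inner_business_dict:
        print('index : {}'.format(idx))
        print('keys:{}'.format(inner_business_dict.keys()))
        logging.debug('have not built the dataModel')
        # NOTE(review): this is an error path but exits with status 0, so a
        # supervising process cannot tell it from a clean finish.
        sys.exit(0)

    # NOTE(review): dataModel is indexed by position while the seeds are
    # looked up by key; the two agree only if the packet keys are 0..n-1.
    model = dataModel[idx]
    result = []
    for i, seed in enumerate(inner_business_dict[idx]):
        result += _gen_data_from_field(i, model, seed)
    return result


def global_test():
    """Build a one-entry dict keyed by a template path and discard it."""
    global_business_dict = {}
    filename = './template/test_connect.json'

    global_business_dict[filename] = {}


# build according to need

def build_business_model(filename):
    """Load a JSON template and return ``(seeds_by_packet, packets)``.

    The template maps numeric string keys to lists of ``[type, hex_value]``
    fields. Packets are processed in numeric key order; seeds are stored
    under the integer key and the decoded packets are appended to a list.
    """
    with open(filename, 'r') as fp:
        m_dict = json.loads(fp.read())  # dataModel

    inner_seed_dict = {}
    inner_model = []
    for k in sorted(int(key) for key in m_dict):
        dataModel = [(item[0], a2b_hex(item[1])) for item in m_dict[str(k)]]
        _build_mutateModel(k, dataModel, inner_seed_dict)
        inner_model.append(dataModel)

    return (inner_seed_dict, inner_model)


def test_model_bak():
    """Time repeated mutation of packet "0" of the test_connect template.

    NOTE(review): the loop nesting was reconstructed from a listing that had
    lost its indentation; the final bound check is placed on the outer loop,
    where the iteration counter can take effect -- confirm against the
    repository.
    """
    filename = './template/test_connect.json'
    model = build_business_model(filename)
    start = time.time()
    # state = [str(item) for item in range(0,len(model[1]))]
    state = ["0"]
    data_count = 0
    print(state)
    iteration_cnt = 0
    while True:
        iteration_cnt += 1
        for s in state:
            dataList = get_data_list(s, model[0], model[1])

            if len(dataList) == 0:
                # Every seed of this packet is exhausted.
                print('dataList is 0')
                logging.debug(data_count)
                sys.exit(0)
            for d in dataList:
                data_count += 1
                logging.debug("length:{}".format(len(d)))

        if data_count == 50000 or iteration_cnt >= 50000:
            break

    end = time.time()
    print('consume:{}'.format(end-start))


def test_model():
    """Time mutation of packet "1" of the test_connect template.

    NOTE(review): the nesting under ``if s == "1"`` was reconstructed from a
    listing that had lost its indentation; the whole per-packet body is
    placed inside it so dataList is always bound before use -- confirm
    against the repository.
    """
    filename = './template/test_connect.json'
    model = build_business_model(filename)
    start = time.time()
    state = [str(item) for item in range(0, len(model[1]))]
    data_count = 0
    print(state)
    while True:
        for s in state:
            if s == "1":
                dataList = get_data_list(s, model[0], model[1])
                for item in dataList:
                    logging.debug(len(item))

                if len(dataList) == 0:
                    print('dataList is 0')
                    logging.debug(data_count)
                    sys.exit(0)
                for d in dataList:
                    data_count += 1
                    if data_count == 255:
                        sys.exit(0)
        if data_count == 50000:
            break

    end = time.time()
    print('consume:{}'.format(end-start))


def build_business(filename, inner_business_dict):
    """Build seeds for the first packets of a template and print mutations.

    NOTE(review): seeds are stored under the JSON string key, but
    get_data_list() looks them up under int(key) and indexes its third
    argument by packet number, while a single packet is passed here. As
    written the lookup fails and the process exits on the first packet --
    compare build_business_model(), which uses integer keys and a list of
    packets.
    """
    # filename = './template/business_connect_close.json'
    with open(filename, 'r') as fp:
        m_dict = json.loads(fp.read())  # a total inner business

    count = 0
    for k in sorted(m_dict):  # key corresponding to state
        new_dataModel = [(model[0], a2b_hex(model[1])) for model in m_dict[k]]
        _build_mutateModel(k, new_dataModel, inner_business_dict)
        # this function is the center
        data_list = get_data_list(k, inner_business_dict, new_dataModel)
        for data in data_list:
            print(b2a_hex(data))
        count += 1
        if count == 5:
            break


def main():
    """Print length-corrected mutations for the first three packets.

    Reads ./template/read_from_plc.json and reports the number of generated
    frames and the elapsed time.
    """
    # filename = './template/test_connect.json'
    filename = './template/read_from_plc.json'
    with open(filename, 'r') as fp:
        m_dict = json.loads(fp.read())

    t_start = time.time()
    mutate_array = []
    count = 0
    # NOTE(review): keys are JSON strings, so this order is lexicographic
    # ("10" sorts before "2"), unlike build_business_model().
    for k in sorted(m_dict):
        count += 1
        dataModel = m_dict[k]
        new_dataModel = [(model[0], a2b_hex(model[1])) for model in dataModel]
        for i in range(len(dataModel)):
            for d in gendata(i, new_dataModel):
                mutate_array.append(d)
                print(b2a_hex(encode(d)))

        if count == 3:
            break
    print(len(mutate_array))
    t_end = time.time()
    print(t_end-t_start)


if __name__ == '__main__':
    logging.basicConfig(level=logging.DEBUG)
    # main()
    # test_model()
    test_model_bak()

# -------- /Mitsubishi-Dispatcher/pkts/test_connect.txt: --------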
da0000ff6a020c000100ea0200100202bc5f7d2e04eda099a8571003 2 | d700010000111107000000e40300ffff03000038009c000c0800000000030400000000010101000000513036554445484350552020202020206a020008baba200327104117052002000101ea02 3 | da0000ff6a020c000100ea0200100202a9cfb866fedaab6a733b1003 4 | d700020000111107000000e40300ffff03000038009c000c0800000000030400000000010101000000513036554445484350552020202020206a020008baba200327104117052002000101ea02 5 | d700030000111107000000e40300ffff0300001e009c000c080640000003040000000004010200000001002003272138080520 6 | da0000ff6a020c000100ea02001002024c832112b97697c1c22f1003 7 | d700040000111107000000e40300ffff03000016009c000c08000000000304000000000114030000007100 8 | d700050000111107000000e40300ffff03000048009c000c080000000003040000000004010200000000200000002000000020002000200020002000080008000800200008000000040030002000081400000000000030000000200000 9 | d700060000111107000000e40300ffff03000018009c000c08000000000304000000000401040000004e000000 10 | 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 11 | d700080000111107000000e40300ffff03000030009c000c08000000000304000000000401060000000100ff07000000000000000002000000000000000000010040805480 12 | d700090000111107000000e40300ffff03000016009c000c08000000000304000000000401070000000800 13 | d7000a0000111107000000e40300ffff0300001e009c000c08000000000304000000000401080000006afe4010f43bff1f7f21 14 | d7000b0000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010000000000000000 15 | -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/pkts/write_title.txt: -------------------------------------------------------------------------------- 1 | da0000ff6a020c000100ea0200100202bc06f667f5f00cb134551003 2 | d700b80000111107000000e40300ffff03000038009c000c0800000000030400000000010101000000513036554445484350552020202020206a020008baba200330120215012002000101ea02 3 | da0000ff6a020c000100ea0200100202a4e011262225cc41c6591003 4 | 
d700b90000111107000000e40300ffff03000038009c000c0800000000030400000000010101000000513036554445484350552020202020206a020008baba200330120215012002000101ea02 5 | d700ba0000111107000000e40300ffff0300001e009c000c080640000003040000000004010200000001002004280024520220 6 | da0000ff6a020c000100ea02001002025ca567664c4af46458191003 7 | d700bb0000111107000000e40300ffff03000016009c000c08000000000304000000000114030000006d00 8 | d700bc0000111107000000e40300ffff03000048009c000c080000000003040000000004010200000000200000002000000020002000200020002000080008000800200008000000040030002000081400000000000030000000200000 9 | d700bd0000111107000000e40300ffff03000018009c000c08000000000304000000000401040000004e000000 10 | 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 11 | d700bf0000111107000000e40300ffff03000030009c000c08000000000304000000000401060000000100ff07000000000000000002000000000000000000010040805480 12 | d700c00000111107000000e40300ffff03000016009c000c08000000000304000000000401070000000800 13 | d700c10000111107000000e40300ffff0300001e009c000c08000000000304000000000401080000006afe4010f43bff1f7f21 14 | d700c20000111107000000e40300ffff03000020009c000c08000000000304000000000b0509000000010001010200000000000000 15 | da0000ff6a020c000100ea02001002024dd4532899e444bb6d961003 16 | d700c30000111107000000e40300ffff03000038009c000c0800000000030400000000010101000000513036554445484350552020202020206a020008baba200330120215012002000101ea02 17 | da0000ff6a020c000100ea02001002026cf2d224d55bd9243ec11003 18 | d700c40000111107000000e40300ffff03000038009c000c0800000000030400000000010101000000513036554445484350552020202020206a020008baba200330120215012002000101ea02 19 | d700c50000111107000000e40300ffff0300001e009c000c080640000003040000000004010200000001002004280024590220 20 | da0000ff6a020c000100ea0200100202e9b707644bd4b0736b121003 21 | d700c60000111107000000e40300ffff03000016009c000c0800000000030400000000011403000000c500 22 | 
d700c70000111107000000e40300ffff03000048009c000c080000000003040000000004010200000000200000002000000020002000200020002000080008000800200008000000040030002000081400000000000030000000200000 23 | d700c80000111107000000e40300ffff03000018009c000c08000000000304000000000401040000004e000000 24 | d700c90000111107000000e40300ffff03000088029c000c08000000000304000000000401050000004e0000000000000000000000000000000000000000020500010000000000000000000000000000000000000000000000000000000006050016000000500605002300000000080500d50d00000018050005010000101905001c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001a050014000000001c0500990a00000027050008000000002905000c000000002b05001b000000002d05000d080000000000000000000000000000000000000000000000000000006305008e000000003d05006d010000000000000000000000000000000000000000000000000000003f05002100000000000000000000000041050015000000004305000100000000450500400000000000000000000000004905000c000000000000000000000000530500230000000000000000000000005905000e000000005d050009000000000000000000000000610500010000000000000000000000000000000000000000000000000000000064050023000000000000000000000000000000000000000000000000000000000000000000000000000000000000000068070000980000001008000304000000800800e801000000820800720100000084080016000000008508004a0100000000000000000000008808001d00000000000000000000000000000000000000008e080028000100008f09006c03000000970900010100000000000000000000000000000000000000000000000000000000000000000000000000000000000000990900050000000000000000000000000000000000000000f00900b9030000 25 | d700ca0000111107000000e40300ffff03000030009c000c08000000000304000000000401060000000100ff07000000000000000002000000000000000000010040805480 26 | d700cb0000111107000000e40300ffff03000016009c000c08000000000304000000000401070000000800 27 | d700cc0000111107000000e40300ffff0300001e009c000c08000000000304000000000401080000006afe4010f43bff1f7f21 28 | 
d700cd0000111107000000e40300ffff03000018009c000c080000000003040000000018180900000005000000 29 | d700ce0000111107000000e40300ffff03000018009c000c080000000003040000000018180a00000005000000 30 | 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 31 | da0000ff6a020c000100ea0200100202898cf22a38bfaa4452891003 32 | d700d00000111107000000e40300ffff03000038009c000c0800000000030400000000010101000000513036554445484350552020202020206a020008baba200330120215012002000101ea02 33 | da0000ff6a020c000100ea020010020289b5d62adff826105a101003 34 | d700d10000111107000000e40300ffff03000038009c000c0800000000030400000000010101000000513036554445484350552020202020206a020008baba200330120215012002000101ea02 35 | d700d20000111107000000e40300ffff0300001e009c000c080640000003040000000004010200000001002004280025070220 36 | da0000ff6a020c000100ea02001002020d6e2c6a6b1bc962f9a81003 37 | d700d30000111107000000e40300ffff03000016009c000c0800000000030400000000011403000000a600 38 | d700d40000111107000000e40300ffff03000048009c000c080000000003040000000004010200000000200000002000000020002000200020002000080008000800200008000000040030002000081400000000000030000000200000 39 | d700d50000111107000000e40300ffff03000018009c000c08000000000304000000000401040000004e000000 40 | 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 41 | d700d70000111107000000e40300ffff03000030009c000c08000000000304000000000401060000000100ff07000000000000000002000000000000000000010040805480 42 | d700d80000111107000000e40300ffff03000016009c000c08000000000304000000000401070000000800 43 | d700d90000111107000000e40300ffff0300001e009c000c08000000000304000000000401080000006afe4010f43bff1f7f21 44 | d700da0000111107000000e40300ffff0300001e009c000c08c541000003040000000018270900000001002004280025120220 45 | da0000ff6a020c000100ea02001002026c98db52e58842a07de61003 46 | d700db0000111107000000e40300ffff03000038009c000c0800000000030400000000010101000000513036554445484350552020202020206a020008baba200330120215012002000101ea02 47 | 
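--------------------------------------------------------------------------------
/Mitsubishi-Dispatcher/receive_mutated_data.py:
--------------------------------------------------------------------------------
import socket
import time
import json
import logging
from binascii import b2a_hex,a2b_hex
import subprocess
from struct import pack
import sys
import os
import threading
import random
import bisect
import collections
from utils import *

# Endpoints of the mutation agent and of the coverage-bitmap proxy.
# NOTE(review): both channels are plain TCP and no authentication is visible
# in this file; keep the harness on an isolated test network.
agent_ip = "10.10.2.151"
bitmap_proxy_ip = "10.10.2.151"
bitmap_proxy_port = 20012

agent_port = 10000
MUTATED_HEAD_LEN = 9         # leading bytes of the agent reply that are dropped
MUTATED_CONTENT_LEN = 13999  # payload bytes that follow the header
BITMAP_REPLY_LEN = 65537     # bytes read per bitmap reply; the_loop() forwards all but the first

# NOTE(review): send() is given str literals throughout, which suggests the
# module targets Python 2 -- confirm before running it under Python 3.


def _connect(ip, port):
    """Open a TCP connection to (ip, port) and return the socket."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((ip, port))
    return sock


def _recv_exact(sock, size):
    """Read exactly *size* bytes from *sock*.

    Never asks for more than is still missing, so a reply cannot run into
    the next one. Raises socket.error when the peer closes the connection
    early; recv() returns an empty string in that case, which would otherwise
    keep a length-based loop spinning forever.
    """
    chunks = []
    remaining = size
    while remaining > 0:
        chunk = sock.recv(remaining)
        if not chunk:
            raise socket.error(
                "connection closed with {} bytes still expected".format(remaining))
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


def _read_mutated_reply(sock):
    """Read one fixed-size agent reply and return it without its header."""
    reply = _recv_exact(sock, MUTATED_CONTENT_LEN + MUTATED_HEAD_LEN)
    return reply[MUTATED_HEAD_LEN:]


def get_mutated_data():
    """Request one mutated buffer from the agent and return its payload.

    Any failure on the existing socket triggers a single reconnect and retry.
    This is also how the first connection is made, because agent_sock starts
    out as None. A failure during the retry propagates to the caller.
    """
    global agent_sock
    logging.debug("in get_mutated_data")
    try:
        logging.debug("send @mutated completed!")
        agent_sock.sendall("@mutated:")
        print("send ")
        return _read_mutated_reply(agent_sock)
    except Exception as e:
        logging.debug('error in get_mutated_data:{}'.format(e))
        if agent_sock is not None:
            agent_sock.close()
        agent_sock = _connect(agent_ip, agent_port)
        logging.debug("reconnect to driver server!")
        agent_sock.sendall("@mutated:")
        return _read_mutated_reply(agent_sock)


def set_agent_bitmap(bitmap):
    """Send *bitmap* to the agent, prefixed with "@bitmap:".

    Returns True once the message has been handed to the socket. On failure
    the agent connection is re-established and the send is retried once.
    """
    global agent_sock
    the_bitmap = "@bitmap:{}".format(bitmap)

    try:
        # sendall(): the message is tens of kilobytes, and a plain send() may
        # transmit only part of it.
        agent_sock.sendall(the_bitmap)
        return True
    except Exception as e:
        logging.debug('error in set_agent_bitmap:{}'.format(e))
        if agent_sock is not None:
            agent_sock.close()
        agent_sock = _connect(agent_ip, agent_port)
        # Socket objects expose settimeout(); setdefaulttimeout() exists only
        # as a function of the socket module, so calling it on the object
        # raised AttributeError in the middle of the recovery path.
        agent_sock.settimeout(10)
        logging.debug("reconnect to driver server!")
        agent_sock.sendall(the_bitmap)
        return True


def get_bitmap():
    """Ask the bitmap proxy for the current bitmap and return the raw reply.

    The reply is read as exactly BITMAP_REPLY_LEN bytes. On failure the proxy
    connection is re-established and the request is retried once.
    """
    global bitmap_proxy_sock
    logging.debug("get_bitmap")
    cmd = "bitmap"
    try:
        bitmap_proxy_sock.sendall(cmd)
        return _recv_exact(bitmap_proxy_sock, BITMAP_REPLY_LEN)
    except Exception as e:
        logging.debug("error in get_bitmap:{}".format(e))
        if bitmap_proxy_sock is not None:
            bitmap_proxy_sock.close()
        # Process-wide default: it applies to every socket created afterwards,
        # including a later agent reconnect.
        socket.setdefaulttimeout(2)
        bitmap_proxy_sock = _connect(bitmap_proxy_ip, bitmap_proxy_port)
        bitmap_proxy_sock.sendall(cmd)
        return _recv_exact(bitmap_proxy_sock, BITMAP_REPLY_LEN)


def the_loop():
    """Run one round: fetch a mutated buffer, locate its state, relay the bitmap."""
    target_filename = "./pkts/business_1_reopen_1588086528.txt"
    tar_data_stream = load_data(target_filename)

    mutated = get_mutated_data()
    logging.debug(len(mutated))
    logging.debug("received:{}".format(b2a_hex(mutated[:9])))

    state, mutated = get_states(tar_data_stream, mutated)
    if len(mutated) == 0:
        mutated = '\x00'*5
    logging.debug("state:{}, mutated:{}, length:{}".format(state,b2a_hex(mutated[:10]), len(mutated)))

    time.sleep(1)
    bitmap = get_bitmap()
    set_agent_bitmap(bitmap[1:])
    print("len(bitmap)",len(bitmap))


def get_states(data_stream, mutated):
    '''
    Locate the mutated packet inside a "[*****]"-separated buffer.

    data_stream is the original packet sequence and mutated is the buffer
    received from the agent. NUL padding is stripped and, when a separator is
    present, the piece after the last separator is dropped.

    return: res_state, res_mutated
        res_state   - number of pieces equal to the original at the same index
        res_mutated - the last piece that differs, or the last piece when
                      nothing differs
    '''
    res_state = 0
    res_mutated = None
    mutated = mutated.strip("\x00")
    logging.debug("striped len:{}".format(len(mutated)))
    splited = mutated.split("[*****]")
    logging.debug("splited len:{}".format(len(splited)))

    if len(splited) != 1:
        splited = splited[:-1]

    if len(splited) == 1:
        return 0, splited[0]

    print(len(splited),len(data_stream))
    known = len(data_stream)
    for i, piece in enumerate(splited):
        # The buffer comes from the network and may hold more pieces than the
        # reference stream; a piece with no counterpart counts as mutated
        # instead of raising IndexError.
        if i < known and piece == data_stream[i]:
            res_state += 1
        else:
            res_mutated = piece
    if res_mutated is None:  # there is no mutation
        res_mutated = splited[-1]

    return res_state, res_mutated


def init_agent():
    """Reset both sockets to None and enable debug logging."""
    global agent_sock, bitmap_proxy_sock
    agent_sock = None
    bitmap_proxy_sock = None
    logging.basicConfig(level=logging.DEBUG)


def main():
    """Initialise module state; performs the same steps as init_agent()."""
    init_agent()


if __name__ == '__main__':

    main()
    while True:
        the_loop()

--------------------------------------------------------------------------------
/Mitsubishi-Dispatcher/split_fields.py:
--------------------------------------------------------------------------------
from binascii import *
from netzob.all import *
import json
import os
import re
# from cluster import *


def load_data(filename):
    """Return the hex-encoded lines of *filename* decoded to raw bytes."""
    with open(filename, 'rb') as fp:
        data_lines = fp.readlines()
    return [a2b_hex(item.strip('\r\n')) for item in data_lines]


def generate_json(base_dir, length, dataItem):
    """Split the packets of one length class into fields and dump them as JSON.

    dataItem is [packets, count]: at most the first 300 packets are handed to
    netzob's static splitter, and the fields of the first *count* messages are
    written to <base_dir>Mitsubishi_field_<length>.json as hex strings.
    """
    datalist = dataItem[0][:300]
    datacnt = dataItem[1]

    outName = base_dir + 'Mitsubishi_field_{}.json'.format(length)

    messages = [RawMessage(data=sample) for sample in datalist]
    symbol = Symbol(messages=messages)
    Format.splitStatic(symbol)

    result_dict = {}
    for idx_count, item in enumerate(symbol.getCells(), 1):
        # Empty fields are dropped from the output.
        result_dict[idx_count] = [b2a_hex(field) for field in item if len(field) > 0]
        if idx_count >= datacnt:
            break

    # The file is opened only once the split succeeded, so a netzob failure
    # no longer leaves an empty, unclosed output file behind.
    with open(outName, 'w') as fp:
        fp.write(json.dumps(result_dict,indent=1))


def get_length(filenames):
    """Return the first integer found in each file name.

    Names that contain no digits are skipped rather than raising IndexError.
    """
    length_list = []
    for name in filenames:
        numbers = re.findall(r'\d+', name)
        if numbers:
            length_list.append(int(numbers[0]))
    return length_list


def main():
    """Load every ./packets/len_<N>.txt file and write one field JSON per length."""
    base_dir = './packets/'
    filenames = os.listdir(base_dir)
    len_list = sorted(get_length(filenames))
    data_dict = {}
    for i, length in enumerate(len_list):
        filename = base_dir + 'len_{}.txt'.format(length)
        data = load_data(filename)
        data_dict[length] = [data, len(data)]  # second item is count of the data

        if len(data) < 20:
            # Too few samples: borrow the packets of the neighbouring length
            # classes. Only neighbours that exist are used. The original
            # wrapped around to the last class for i == 0, raised IndexError
            # for the last class, and discarded the second neighbour because
            # it used "+" instead of "+=".
            for j in (i - 1, i + 1):
                if 0 <= j < len(len_list):
                    data += load_data(base_dir + 'len_{}.txt'.format(len_list[j]))

    for k, v in data_dict.items():
        try:
            generate_json('./out/', k, v)
            print('Success of length {}'.format(k))
        except Exception as e:
            print('Attention: length of {} error!'.format(k))


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
/Mitsubishi-Dispatcher/state_filter.py:
--------------------------------------------------------------------------------
from binascii import *
import random
import bisect
import collections
import json

"""
State management and state selection.
An input state has three attributes,
and we choose states according to (depth, #bb, data richness (length)).
"""


def similar_pkt_pair(pkt1, pkt2):
    """Return the fraction of positions of pkt1 at which pkt2 holds the same value.

    gen_states() only compares packets of equal length. The result is 1.0 for
    two empty packets and 0.0 when only pkt1 is empty, instead of a
    ZeroDivisionError.
    """
    length = len(pkt1)
    if length == 0:
        return 1.0 if len(pkt2) == 0 else 0.0
    same_cnt = sum(1 for a, b in zip(pkt1, pkt2) if a == b)
    return (same_cnt + 0.0)/length


def similar_bb_cnt_pair(bb_cnt1, bb_cnt2):
    """Return how close two basic-block counts are: 1.0 when equal, lower otherwise."""
    bb_cnt = max(bb_cnt1,bb_cnt2)
    if bb_cnt == 0:
        # Two zero counts are identical; avoids dividing by zero.
        return 1.0
    diff = abs(bb_cnt1 - bb_cnt2)
    return (bb_cnt - diff + 0.0)/ bb_cnt


def load_data(filename):
    """Return the hex lines of *filename* as raw bytes, skipping lines that contain '='."""
    with open(filename,'r') as fp:
        data_t = fp.readlines()
    return [a2b_hex(item.strip('\r\n')) for item in data_t if item.find('=') < 0]


def load_bbcount(filename):
    """Return the hexadecimal bb_count value of every trace line as an int.

    Lines are expected to look like "idx:0,bb_count:8b,bb_hash:2a7322e9".
    Lines without a bb_count field (for example a trailing blank line) are
    skipped rather than being parsed from a garbage offset.
    """
    marker = 'bb_count:'
    bb_count = []
    with open(filename,'r') as fp:
        for item in fp:
            start = item.find(marker)
            if start < 0:
                continue
            start += len(marker)
            end = item.find(',', start)
            if end < 0:
                end = len(item)
            bb_count.append(int(item[start:end],16))
    return bb_count


def cdf(weights):
    """Return the cumulative distribution of *weights*, normalised by their sum."""
    total = float(sum(weights))  # float: integer weights must not floor-divide
    result = []
    cumsum = 0
    for w in weights:
        cumsum += w
        result.append(cumsum/total)
    return result


def choice(population, weights):
    """Pick one element of *population* at random, proportionally to *weights*."""
    assert len(population) == len(weights)
    cdf_vals = cdf(weights)
    x = random.random()
    # Clamp: rounding can leave the last cumulative value slightly below 1.0.
    idx = min(bisect.bisect(cdf_vals,x), len(population) - 1)
    return population[idx]


def gen_states(tracefile,pkt_file,out_file):
    """Select the distinct states of one trace and write them with their weights.

    Reads ./trace/<tracefile> and ./pkts/<pkt_file>, updates the module-level
    history (history_dict, history_tuples, global_state_cnt, totoal_cnt) and
    writes ./states/<out_file>. Those globals and `ratio` must be set by the
    caller beforehand.

    Returns the number of selected states.
    """
    global ratio
    global history_dict, history_tuples, global_state_cnt, totoal_cnt

    bb_count = load_bbcount('./trace/'+ tracefile)
    pkts = load_data('./pkts/'+pkt_file)

    # Pass 1: global statistics. A (packet, bb_count) tuple is new unless a
    # tuple of the same packet length with combined similarity above `ratio`
    # is already recorded.
    for i in range(0,len(bb_count)):
        cur_tuple = (pkts[i], bb_count[i])
        totoal_cnt += 1
        pkt_len = len(cur_tuple[0])
        # Explicit lookup instead of a broad try/except, which also swallowed
        # unrelated errors and then overwrote the recorded history.
        his_tuples_list = history_tuples.get(pkt_len)
        if his_tuples_list is None:
            history_tuples[pkt_len] = [cur_tuple]
            global_state_cnt += 1
            continue
        is_known = False
        for i_pkt, i_bbcnt in his_tuples_list:
            pkt_sim = similar_pkt_pair(cur_tuple[0],i_pkt)
            bb_sim = similar_bb_cnt_pair(cur_tuple[1],i_bbcnt)
            if bb_sim*pkt_sim > ratio:
                is_known = True
                break
        if not is_known:
            his_tuples_list.append(cur_tuple)
            global_state_cnt += 1

    # Pass 2: select the states of this trace. An index is kept when its
    # (packet length, bb_count) pair has not been seen before.
    state = []
    for i in range(0,len(bb_count)):
        seen_counts = history_dict.setdefault(len(pkts[i]), [])
        bb_c = bb_count[i]
        if bb_c in seen_counts:
            continue
        seen_counts.append(bb_c)
        state.append(i)

    # Pass 3: weight each selected state by the mean of its shares of total
    # bb_count, total packet length and total selection rank.
    states = []
    baseline = [0,0,0]
    for cnt, s in enumerate(state, 1):
        attr = (bb_count[s],len(pkts[s]),cnt)
        states.append(attr)
        baseline[0]+=attr[0]
        baseline[1]+=attr[1]
        baseline[2]+=attr[2]

    weights = []
    for st in states:
        w = (st[0]+0.0)/baseline[0] + (st[1]+0.0)/baseline[1] + (st[2]+0.0)/baseline[2]
        weights.append(w/3)

    the_dict = {}
    the_dict['name'] = out_file[:-5]
    the_dict['state'] = state
    the_dict['weights'] = weights
    with open('./states/'+out_file,'w') as fp:
        fp.write(json.dumps(the_dict,indent=1))
    return len(state)


def test_state_choice():
    """Sample choice() 100000 times on read_from_plc.json and print the frequencies."""
    with open('./states/read_from_plc.json','r') as fp:
        the_dict = json.loads(fp.read())
    population = the_dict['state']
    weights = the_dict['weights']

    counts = {}
    for i in range(100000):
        # Draw once per iteration. The original drew a second sample inside a
        # bare except and reset that key to 1, which skewed the counts.
        picked = choice(population,weights)
        counts[picked] = counts.get(picked, 0) + 1

    print([(item+0.0)/sum(counts.values()) for item in counts.values()])


if __name__ == '__main__':
    test_state_choice()
    history_dict = {}
    history_tuples = {}
    global_state_cnt = 0
    totoal_cnt = 0

    file_list = [('1.log_connect.txt','test_connect.txt','test_connect.json')]
    item = ('2.log_read_from_plc.txt', 'read_from_plc.txt','read_from_plc.json')
    file_list.append(item)
    item = ('3.log_write.txt','load_write.txt','load_write.json')
    file_list.append(item)
    item = ('4.log_title.txt','write_title.txt','write_title.json')
    file_list.append(item)

    state_cnt = 0
    ratio = 0.8
    for item in file_list:
        state_cnt += gen_states(item[0],item[1],item[2])


--------------------------------------------------------------------------------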
/Mitsubishi-Dispatcher/states/load_write.json: -------------------------------------------------------------------------------- 1 | { 2 | "state": [], 3 | "weights": [], 4 | "name": "load_write" 5 | } -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/states/read_from_plc.json: -------------------------------------------------------------------------------- 1 | { 2 | "state": [ 3 | 4, 4 | 6, 5 | 7, 6 | 8, 7 | 9, 8 | 10, 9 | 13, 10 | 17, 11 | 18, 12 | 34, 13 | 35, 14 | 36, 15 | 38, 16 | 39, 17 | 47 18 | ], 19 | "weights": [ 20 | 0.032702763932940644, 21 | 0.03427226501535518, 22 | 0.0446017721391532, 23 | 0.04012988974475155, 24 | 0.1371532497608619, 25 | 0.04931027538639682, 26 | 0.06719151185621508, 27 | 0.05546996928963399, 28 | 0.07878845088858683, 29 | 0.0625358707143936, 30 | 0.078604692141167, 31 | 0.063560388662337, 32 | 0.06724437396163722, 33 | 0.06941801339173337, 34 | 0.11901651311483663 35 | ], 36 | "name": "read_from_plc" 37 | } -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/states/test_connect.json: -------------------------------------------------------------------------------- 1 | { 2 | "state": [ 3 | 0, 4 | 1, 5 | 2, 6 | 3, 7 | 4, 8 | 5, 9 | 6, 10 | 7, 11 | 8, 12 | 9, 13 | 10, 14 | 11, 15 | 12, 16 | 13 17 | ], 18 | "weights": [ 19 | 0.015380396528301662, 20 | 0.03060912024411025, 21 | 0.04495160831000352, 22 | 0.058573537580730035, 23 | 0.05259757203169579, 24 | 0.05279210936753659, 25 | 0.05747609983846883, 26 | 0.08794757416840127, 27 | 0.0665744747329587, 28 | 0.22363718306888433, 29 | 0.07989893641947683, 30 | 0.07579756438970499, 31 | 0.08373294901809998, 32 | 0.0700308743016272 33 | ], 34 | "name": "test_connect" 35 | } -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/states/write_title.json: -------------------------------------------------------------------------------- 1 | { 2 
| "state": [ 3 | 0, 4 | 1, 5 | 2, 6 | 3, 7 | 5, 8 | 6, 9 | 7, 10 | 8, 11 | 9, 12 | 10, 13 | 11, 14 | 12, 15 | 13, 16 | 26, 17 | 27, 18 | 28, 19 | 29, 20 | 42, 21 | 43, 22 | 44 23 | ], 24 | "weights": [ 25 | 0.024477069942252183, 26 | 0.02644860583075175, 27 | 0.027436449643148494, 28 | 0.03684515223418531, 29 | 0.029343625694811235, 30 | 0.03224081974680126, 31 | 0.05229555269741412, 32 | 0.037624335638547786, 33 | 0.14690640645722544, 34 | 0.04542483825867316, 35 | 0.042449131016881664, 36 | 0.04706104968267128, 37 | 0.03801559672260658, 38 | 0.052794420822456084, 39 | 0.05086376776742679, 40 | 0.051231469670389475, 41 | 0.0998622343192536, 42 | 0.05507829489053275, 43 | 0.05700038854804501, 44 | 0.04660079041592602 45 | ], 46 | "name": "write_title" 47 | } -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/template/test_connect.json: -------------------------------------------------------------------------------- 1 | { 2 | "0": [ 3 | [ 4 | "binary", 5 | "da0000ff6a020c000100ea0200100202" 6 | ], 7 | [ 8 | "binary", 9 | "bc5f7d2e04eda099a857" 10 | ], 11 | [ 12 | "number", 13 | "1003" 14 | ] 15 | ], 16 | "1": [ 17 | [ 18 | "number", 19 | "d700" 20 | ], 21 | [ 22 | "number", 23 | "01" 24 | ], 25 | [ 26 | "binary", 27 | "0000111107000000e40300ffff03000038009c000c08000000000304000000000101" 28 | ], 29 | [ 30 | "number", 31 | "01" 32 | ], 33 | [ 34 | "number", 35 | "000000" 36 | ], 37 | [ 38 | "str", 39 | "513036554445484350552020202020206a" 40 | ], 41 | [ 42 | "binary", 43 | "020008baba2003" 44 | ], 45 | [ 46 | "binary", 47 | "2710411705" 48 | ], 49 | [ 50 | "binary", 51 | "2002000101ea02" 52 | ] 53 | ], 54 | "2": [ 55 | [ 56 | "binary", 57 | "da0000ff6a020c000100ea0200100202" 58 | ], 59 | [ 60 | "binary", 61 | "a9cfb866fedaab6a733b" 62 | ], 63 | [ 64 | "number", 65 | "1003" 66 | ] 67 | ], 68 | "3": [ 69 | [ 70 | "number", 71 | "d700" 72 | ], 73 | [ 74 | "number", 75 | "02" 76 | ], 77 | [ 78 | "binary", 79 | 
"0000111107000000e40300ffff03000038009c000c08000000000304000000000101" 80 | ], 81 | [ 82 | "number", 83 | "01" 84 | ], 85 | [ 86 | "number", 87 | "000000" 88 | ], 89 | [ 90 | "str", 91 | "513036554445484350552020202020206a" 92 | ], 93 | [ 94 | "binary", 95 | "020008baba2003" 96 | ], 97 | [ 98 | "binary", 99 | "2710411705" 100 | ], 101 | [ 102 | "binary", 103 | "2002000101ea02" 104 | ] 105 | ], 106 | "4": [ 107 | [ 108 | "number", 109 | "d700" 110 | ], 111 | [ 112 | "number", 113 | "03" 114 | ], 115 | [ 116 | "binary", 117 | "0000111107000000e40300ffff0300001e009c000c08" 118 | ], 119 | [ 120 | "number", 121 | "0640" 122 | ], 123 | [ 124 | "binary", 125 | "0000030400000000" 126 | ], 127 | [ 128 | "number", 129 | "040102" 130 | ], 131 | [ 132 | "number", 133 | "000000" 134 | ], 135 | [ 136 | "binary", 137 | "01002003272138080520" 138 | ] 139 | ], 140 | "5": [ 141 | [ 142 | "binary", 143 | "da0000ff6a020c000100ea0200100202" 144 | ], 145 | [ 146 | "binary", 147 | "4c832112b97697c1c22f" 148 | ], 149 | [ 150 | "number", 151 | "1003" 152 | ] 153 | ], 154 | "6": [ 155 | [ 156 | "number", 157 | "d700" 158 | ], 159 | [ 160 | "number", 161 | "04" 162 | ], 163 | [ 164 | "binary", 165 | "0000111107000000e40300ffff03000016009c000c0800000000030400000000" 166 | ], 167 | [ 168 | "number", 169 | "011403" 170 | ], 171 | [ 172 | "number", 173 | "000000" 174 | ], 175 | [ 176 | "number", 177 | "7100" 178 | ] 179 | ], 180 | "7": [ 181 | [ 182 | "number", 183 | "d700" 184 | ], 185 | [ 186 | "number", 187 | "05" 188 | ], 189 | [ 190 | "binary", 191 | "0000111107000000e40300ffff03000048009c000c08000000000304000000000401" 192 | ], 193 | [ 194 | "number", 195 | "02" 196 | ], 197 | [ 198 | "binary", 199 | "00000000200000002000000020002000200020002000080008000800200008000000040030002000081400000000000030000000200000" 200 | ] 201 | ], 202 | "8": [ 203 | [ 204 | "number", 205 | "d700" 206 | ], 207 | [ 208 | "number", 209 | "06" 210 | ], 211 | [ 212 | "binary", 213 | 
"0000111107000000e40300ffff03000018009c000c0800000000030400000000" 214 | ], 215 | [ 216 | "number", 217 | "040104" 218 | ], 219 | [ 220 | "number", 221 | "000000" 222 | ], 223 | [ 224 | "number", 225 | "4e" 226 | ], 227 | [ 228 | "number", 229 | "000000" 230 | ] 231 | ], 232 | "9": [ 233 | [ 234 | "number", 235 | "d700" 236 | ], 237 | [ 238 | "number", 239 | "07" 240 | ], 241 | [ 242 | "binary", 243 | "0000111107000000e40300ffff03000088029c000c08000000000304000000000401" 244 | ], 245 | [ 246 | "number", 247 | "05" 248 | ], 249 | [ 250 | "binary", 251 | "0000004e0000000000000000000000000000000000000000020500010000000000000000000000000000000000000000000000000000000006050016000000500605002300000000080500d50d00000018050005010000101905001c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001a050014000000001c0500990a00000027050008000000002905000c000000002b05001b000000002d05000d080000000000000000000000000000000000000000000000000000006305008e000000003d05006d010000000000000000000000000000000000000000000000000000003f05002100000000000000000000000041050015000000004305000100000000450500400000000000000000000000004905000c000000000000000000000000530500230000000000000000000000005905000e000000005d050009000000000000000000000000610500010000000000000000000000000000000000000000000000000000000064050023000000000000000000000000000000000000000000000000000000000000000000000000000000000000000068070000980000001008000304000000800800e801000000820800720100000084080016000000008508004a0100000000000000000000008808001d00000000000000000000000000000000000000008e080028000100008f09006c03000000970900010100000000000000000000000000000000000000000000000000000000000000000000000000000000000000990900050000000000000000000000000000000000000000f00900b9030000" 252 | ] 253 | ], 254 | "10": [ 255 | [ 256 | "number", 257 | "d700" 258 | ], 259 | [ 260 | "number", 261 | "08" 262 | ], 263 | [ 264 | "binary", 265 | 
"0000111107000000e40300ffff03000030009c000c08000000000304000000000401" 266 | ], 267 | [ 268 | "number", 269 | "06" 270 | ], 271 | [ 272 | "binary", 273 | "0000000100ff07000000000000000002000000000000000000010040805480" 274 | ] 275 | ], 276 | "11": [ 277 | [ 278 | "number", 279 | "d700" 280 | ], 281 | [ 282 | "number", 283 | "09" 284 | ], 285 | [ 286 | "binary", 287 | "0000111107000000e40300ffff03000016009c000c0800000000030400000000" 288 | ], 289 | [ 290 | "number", 291 | "040107" 292 | ], 293 | [ 294 | "number", 295 | "000000" 296 | ], 297 | [ 298 | "number", 299 | "0800" 300 | ] 301 | ], 302 | "12": [ 303 | [ 304 | "number", 305 | "d700" 306 | ], 307 | [ 308 | "number", 309 | "0a" 310 | ], 311 | [ 312 | "binary", 313 | "0000111107000000e40300ffff0300001e009c000c08" 314 | ], 315 | [ 316 | "number", 317 | "0000" 318 | ], 319 | [ 320 | "binary", 321 | "0000030400000000" 322 | ], 323 | [ 324 | "number", 325 | "040108" 326 | ], 327 | [ 328 | "number", 329 | "000000" 330 | ], 331 | [ 332 | "binary", 333 | "6afe4010f43bff1f7f21" 334 | ] 335 | ], 336 | "13": [ 337 | [ 338 | "number", 339 | "d700" 340 | ], 341 | [ 342 | "number", 343 | "0b" 344 | ], 345 | [ 346 | "binary", 347 | "0000111107000000e40300ffff03000020009c000c08000000000304000000000b05" 348 | ], 349 | [ 350 | "number", 351 | "09" 352 | ], 353 | [ 354 | "binary", 355 | "00000001000101" 356 | ], 357 | [ 358 | "number", 359 | "00" 360 | ], 361 | [ 362 | "binary", 363 | "00000000000000" 364 | ] 365 | ] 366 | } -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/test_script.py: -------------------------------------------------------------------------------- 1 | import os 2 | import logging 3 | from utils import load_data 4 | from binascii import * 5 | from struct import * 6 | 7 | def re_arrange_pkts(): 8 | base_dir = './pkts/' 9 | files = os.listdir(base_dir) 10 | for file in files: 11 | filename = base_dir + file 12 | data = open(filename,'rb').readlines() 13 | 
dataout = [] 14 | for item in data: 15 | if item.find('=')<0: 16 | dataout.append(item.strip('\r\n')) 17 | fp = open(filename,'w') 18 | for item in dataout: 19 | fp.write(item+'\n') 20 | fp.close() 21 | 22 | def encode(data): # complete constraint in datastream and between communication 23 | length = len(data) 24 | if length>=21: 25 | bin_data = pack('H',(length-21)) 26 | else: 27 | bin_data = '\x00\x00' 28 | return data[:19]+bin_data+data[21:] 29 | 30 | def main(): 31 | logging.basicConfig(level=logging.DEBUG) 32 | filename = './pkts/read_from_plc.txt' 33 | lines = load_data(filename) 34 | for item in lines: 35 | logging.debug('origin:{}'.format(b2a_hex(item))) 36 | logging.debug('update:{}'.format(b2a_hex(encode(item)))) 37 | 38 | 39 | if __name__ == '__main__': 40 | main() -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/trace/1.log_connect.txt: -------------------------------------------------------------------------------- 1 | idx:0,bb_count:8b,bb_hash:2a7322e9 2 | idx:1,bb_count:8b,bb_hash:2a7322e9 3 | idx:2,bb_count:2ea,bb_hash:163290ff 4 | idx:3,bb_count:2c0,bb_hash:f5805f50 5 | idx:4,bb_count:278,bb_hash:5a73d768 6 | idx:5,bb_count:2be,bb_hash:8c960193 7 | idx:6,bb_count:285,bb_hash:c5a32826 8 | idx:7,bb_count:40d,bb_hash:6507f719 9 | idx:8,bb_count:2c0,bb_hash:77a9d761 10 | idx:9,bb_count:2ca,bb_hash:969fa212 11 | idx:10,bb_count:2dc,bb_hash:3358691d 12 | idx:11,bb_count:2c5,bb_hash:6483b716 13 | idx:12,bb_count:30e,bb_hash:74ef578c 14 | idx:13,bb_count:148,bb_hash:543bf346 15 | -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/trace/2.log_read_from_plc.txt: -------------------------------------------------------------------------------- 1 | idx:0,bb_count:8b,bb_hash:2a7322e9 2 | idx:1,bb_count:8b,bb_hash:2a7322e9 3 | idx:2,bb_count:8b,bb_hash:2a7322e9 4 | idx:3,bb_count:8b,bb_hash:2a7322e9 5 | idx:4,bb_count:8b,bb_hash:2a7322e9 6 | 
idx:5,bb_count:8b,bb_hash:2a7322e9 7 | idx:6,bb_count:8b,bb_hash:2a7322e9 8 | idx:7,bb_count:8b,bb_hash:2a7322e9 9 | idx:8,bb_count:8b,bb_hash:2a7322e9 10 | idx:9,bb_count:8b,bb_hash:2a7322e9 11 | idx:10,bb_count:8b,bb_hash:2a7322e9 12 | idx:11,bb_count:8b,bb_hash:2a7322e9 13 | idx:12,bb_count:8b,bb_hash:2a7322e9 14 | idx:13,bb_count:8b,bb_hash:2a7322e9 15 | idx:14,bb_count:8b,bb_hash:2a7322e9 16 | idx:15,bb_count:8b,bb_hash:2a7322e9 17 | idx:16,bb_count:8b,bb_hash:2a7322e9 18 | idx:17,bb_count:8b,bb_hash:2a7322e9 19 | idx:18,bb_count:8b,bb_hash:2a7322e9 20 | idx:19,bb_count:8b,bb_hash:2a7322e9 21 | idx:20,bb_count:8b,bb_hash:2a7322e9 22 | idx:21,bb_count:8b,bb_hash:2a7322e9 23 | idx:22,bb_count:8b,bb_hash:2a7322e9 24 | idx:23,bb_count:8b,bb_hash:2a7322e9 25 | idx:24,bb_count:8b,bb_hash:2a7322e9 26 | idx:25,bb_count:8b,bb_hash:2a7322e9 27 | idx:26,bb_count:8b,bb_hash:2a7322e9 28 | idx:27,bb_count:8b,bb_hash:2a7322e9 29 | idx:28,bb_count:8b,bb_hash:2a7322e9 30 | idx:29,bb_count:8b,bb_hash:2a7322e9 31 | idx:30,bb_count:8b,bb_hash:2a7322e9 32 | idx:31,bb_count:8b,bb_hash:2a7322e9 33 | idx:32,bb_count:8b,bb_hash:2a7322e9 34 | idx:33,bb_count:8b,bb_hash:2a7322e9 35 | idx:34,bb_count:8b,bb_hash:2a7322e9 36 | idx:35,bb_count:8b,bb_hash:2a7322e9 37 | idx:36,bb_count:8b,bb_hash:2a7322e9 38 | idx:37,bb_count:8b,bb_hash:2a7322e9 39 | idx:38,bb_count:8b,bb_hash:2a7322e9 40 | idx:39,bb_count:8b,bb_hash:2a7322e9 41 | idx:40,bb_count:8b,bb_hash:2a7322e9 42 | idx:41,bb_count:8b,bb_hash:2a7322e9 43 | idx:42,bb_count:8b,bb_hash:2a7322e9 44 | idx:43,bb_count:8b,bb_hash:2a7322e9 45 | idx:44,bb_count:8b,bb_hash:2a7322e9 46 | idx:45,bb_count:8b,bb_hash:2a7322e9 47 | idx:46,bb_count:8b,bb_hash:2a7322e9 48 | idx:47,bb_count:8b,bb_hash:2a7322e9 49 | idx:48,bb_count:8b,bb_hash:2a7322e9 50 | idx:49,bb_count:8b,bb_hash:2a7322e9 51 | -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/trace/3.log_write.txt: 
-------------------------------------------------------------------------------- 1 | idx:0,bb_count:8b,bb_hash:2a7322e9 2 | idx:1,bb_count:8b,bb_hash:2a7322e9 3 | idx:2,bb_count:8b,bb_hash:2a7322e9 4 | idx:3,bb_count:8b,bb_hash:2a7322e9 5 | idx:4,bb_count:8b,bb_hash:2a7322e9 6 | idx:5,bb_count:8b,bb_hash:2a7322e9 7 | idx:6,bb_count:8b,bb_hash:2a7322e9 8 | idx:7,bb_count:8b,bb_hash:2a7322e9 9 | idx:8,bb_count:8b,bb_hash:2a7322e9 10 | idx:9,bb_count:8b,bb_hash:2a7322e9 11 | idx:10,bb_count:8b,bb_hash:2a7322e9 12 | idx:11,bb_count:8b,bb_hash:2a7322e9 13 | idx:12,bb_count:8b,bb_hash:2a7322e9 14 | idx:13,bb_count:8b,bb_hash:2a7322e9 15 | idx:14,bb_count:8b,bb_hash:2a7322e9 16 | idx:15,bb_count:8b,bb_hash:2a7322e9 17 | idx:16,bb_count:8b,bb_hash:2a7322e9 18 | idx:17,bb_count:8b,bb_hash:2a7322e9 19 | idx:18,bb_count:8b,bb_hash:2a7322e9 20 | idx:19,bb_count:8b,bb_hash:2a7322e9 21 | idx:20,bb_count:8b,bb_hash:2a7322e9 22 | idx:21,bb_count:8b,bb_hash:2a7322e9 23 | idx:22,bb_count:8b,bb_hash:2a7322e9 24 | idx:23,bb_count:8b,bb_hash:2a7322e9 25 | idx:24,bb_count:8b,bb_hash:2a7322e9 26 | idx:25,bb_count:8b,bb_hash:2a7322e9 27 | idx:26,bb_count:8b,bb_hash:2a7322e9 28 | idx:27,bb_count:8b,bb_hash:2a7322e9 29 | idx:28,bb_count:8b,bb_hash:2a7322e9 30 | idx:29,bb_count:8b,bb_hash:2a7322e9 31 | idx:30,bb_count:8b,bb_hash:2a7322e9 32 | idx:31,bb_count:8b,bb_hash:2a7322e9 33 | idx:32,bb_count:8b,bb_hash:2a7322e9 34 | idx:33,bb_count:8b,bb_hash:2a7322e9 35 | idx:34,bb_count:8b,bb_hash:2a7322e9 36 | idx:35,bb_count:8b,bb_hash:2a7322e9 37 | idx:36,bb_count:8b,bb_hash:2a7322e9 38 | idx:37,bb_count:8b,bb_hash:2a7322e9 39 | idx:38,bb_count:8b,bb_hash:2a7322e9 40 | idx:39,bb_count:8b,bb_hash:2a7322e9 41 | idx:40,bb_count:8b,bb_hash:2a7322e9 42 | idx:41,bb_count:8b,bb_hash:2a7322e9 43 | -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/trace/4.log_title.txt: -------------------------------------------------------------------------------- 1 
| idx:0,bb_count:2f4,bb_hash:5a55cf4b 2 | idx:1,bb_count:1a4,bb_hash:d4cf2cd0 3 | idx:2,bb_count:2eb,bb_hash:3bd62b63 4 | idx:3,bb_count:2d2,bb_hash:b35e6b1c 5 | idx:4,bb_count:278,bb_hash:5a73d768 6 | idx:5,bb_count:2b6,bb_hash:1f14f146 7 | idx:6,bb_count:281,bb_hash:815320e2 8 | idx:7,bb_count:41e,bb_hash:3ccc8403 9 | idx:8,bb_count:2cf,bb_hash:cbf972c9 10 | idx:9,bb_count:2e3,bb_hash:102eefcd 11 | idx:10,bb_count:2e4,bb_hash:d074d77b 12 | idx:11,bb_count:2e0,bb_hash:a3a436d6 13 | idx:12,bb_count:325,bb_hash:d7bad9fa 14 | idx:13,bb_count:15a,bb_hash:a58ae306 15 | idx:14,bb_count:2f4,bb_hash:5a55cf4b 16 | idx:15,bb_count:1a4,bb_hash:4ad09866 17 | idx:16,bb_count:2eb,bb_hash:3bd62b63 18 | idx:17,bb_count:2d2,bb_hash:b35e6b1c 19 | idx:18,bb_count:278,bb_hash:5a73d768 20 | idx:19,bb_count:2b6,bb_hash:1f14f146 21 | idx:20,bb_count:281,bb_hash:815320e2 22 | idx:21,bb_count:41e,bb_hash:3ccc8403 23 | idx:22,bb_count:2cf,bb_hash:cbf972c9 24 | idx:23,bb_count:2e3,bb_hash:102eefcd 25 | idx:24,bb_count:2e4,bb_hash:d074d77b 26 | idx:25,bb_count:2e0,bb_hash:a3a436d6 27 | idx:26,bb_count:390,bb_hash:8ea3ecb8 28 | idx:27,bb_count:328,bb_hash:2e770a7a 29 | idx:28,bb_count:2f5,bb_hash:d5dbeb17 30 | idx:29,bb_count:1a9,bb_hash:8c8fb365 31 | idx:30,bb_count:2f4,bb_hash:5a55cf4b 32 | idx:31,bb_count:1a4,bb_hash:4ad09866 33 | idx:32,bb_count:2eb,bb_hash:3bd62b63 34 | idx:33,bb_count:2d2,bb_hash:b35e6b1c 35 | idx:34,bb_count:278,bb_hash:5a73d768 36 | idx:35,bb_count:2b6,bb_hash:1f14f146 37 | idx:36,bb_count:281,bb_hash:815320e2 38 | idx:37,bb_count:41e,bb_hash:3ccc8403 39 | idx:38,bb_count:2cf,bb_hash:cbf972c9 40 | idx:39,bb_count:2e3,bb_hash:102eefcd 41 | idx:40,bb_count:2e4,bb_hash:d074d77b 42 | idx:41,bb_count:2e0,bb_hash:a3a436d6 43 | idx:42,bb_count:2e6,bb_hash:1b6efe43 44 | idx:43,bb_count:2f4,bb_hash:5a55cf4b 45 | idx:44,bb_count:1a4,bb_hash:4ad09866 46 | -------------------------------------------------------------------------------- /Mitsubishi-Dispatcher/utils.py: 
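--------------------------------------------------------------------------------
import socket
import time
import json
import logging
from binascii import b2a_hex,a2b_hex
import subprocess
from struct import pack
import sys
import os
import threading
import random
import bisect
import collections


def check_stats(sock):
    """Ask the proxy for its status and return the decoded JSON reply.

    Sends ``@stat:--``, waits 10 ms, then reads at most 1024 bytes.
    NOTE(review): assumes the whole reply arrives in that single ``recv``;
    a fragmented or longer reply makes ``json.loads`` raise ``ValueError``.
    """
    sock.send("@stat:--")
    time.sleep(0.01)
    recv = sock.recv(1024)
    logging.debug("stat:{}".format(recv))
    return json.loads(recv)


def forward_data(sock):
    """Send the ``@fwrd:--`` command and give the proxy 10 ms to act on it."""
    sock.send("@fwrd:--")
    logging.debug("sending fwrd cmd over...")
    time.sleep(0.01)


def extract_recv_data(sock):
    """Send ``@recv:`` and return up to 1024 raw bytes of the proxy's reply."""
    sock.send("@recv:")
    time.sleep(0.01)
    recv = sock.recv(1024)
    return recv


def modify_data(sock,data):
    """Send ``@mdfy:`` followed by ``data`` (the replacement payload)."""
    sock.send("@mdfy:{}".format(data))
    time.sleep(0.01)


def fuzzing_start(sock):
    """Send the ``@fuzz:--`` command."""
    sock.send("@fuzz:--")
    time.sleep(0.01)


def close_sock(sock):
    """Send the ``@clos:--`` command; the socket object itself is not closed here."""
    sock.send("@clos:--")
    time.sleep(0.01)


def cdf(weights):
    """Return the cumulative distribution of ``weights`` as a list of floats.

    Raises ``ZeroDivisionError`` when the weights sum to zero.
    """
    # float() keeps the ratios fractional when the weights are ints and the
    # interpreter uses floor division for int/int (Python 2, which the
    # str-based socket calls in this file imply).
    total = float(sum(weights))
    result = []
    cumsum = 0
    for w in weights:
        cumsum += w
        result.append(cumsum/total)
    return result


def choice(population, weights):
    """Pick one element of ``population`` at random, proportionally to ``weights``."""
    assert len(population) == len(weights)
    cdf_vals = cdf(weights)
    x = random.random()
    # Rounding can leave the last cumulative value slightly below 1.0, in which
    # case bisect would return len(population); clamp to the last valid index.
    idx = min(bisect.bisect(cdf_vals,x), len(population) - 1)
    return population[idx]


def select_one_state(state_dict):
    """Choose one entry of ``state_dict['state']`` weighted by ``state_dict['weights']``."""
    w = state_dict['weights']
    s = state_dict['state']
    return choice(s,w)


def load_data(filename):
    """Load hex-encoded packets from ``filename`` and return them as raw bytes.

    Lines containing ``=`` are skipped; every other line is stripped of CR/LF
    and hex-decoded, so a malformed line raises from ``a2b_hex``.
    """
    resp_data = []
    # The context manager closes the file even when a line fails to decode.
    with open(filename,'r') as fp:
        for item in fp.readlines():
            if item.find('=') >= 0:
                continue
            resp_data.append(a2b_hex(item.strip('\r\n')))
    return resp_data

--------------------------------------------------------------------------------
/Mitsubishi-Proxies/proxy/gui/driver.py:
--------------------------------------------------------------------------------
# coding=utf-8
import socket
import select
from multiprocessing import Process
import thread
import sys
import Queue
import logging # reconstruct the code after
import json
from binascii import b2a_hex
import time
from binascii import *
import os
import re
import subprocess
import win32evtlog


# data start with @, means command.

# Helper programs are addressed by bare file name only: letters, digits and
# underscores followed by ".exe". Every helper listed under utils/ fits this.
_HELPER_NAME = re.compile(r'^[A-Za-z0-9_]+\.exe$')


def detect_crash(record_number):
    """Report whether the Application event log holds a newer crash or hang.

    Reads one batch of records, newest first, and stops at the first record
    whose number is not greater than ``record_number``. Returns
    ``"yes:<newest>"`` when an "Application Error" or "Application Hang"
    source is seen before that point, otherwise ``"no:<newest>"``.
    Raises ``ValueError`` when ``record_number`` is not an integer string.

    NOTE(review): only the records returned by a single ReadEventLog call are
    inspected, so a burst of events larger than one batch is not fully scanned.
    """
    logging.debug("in detect_crash:{}".format(record_number))
    record_number = int(record_number)
    h = win32evtlog.OpenEventLog(None, "Application")
    try:
        flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
        records = win32evtlog.ReadEventLog(h,flags,0)
    finally:
        # The handle was previously leaked on every call.
        win32evtlog.CloseEventLog(h)

    if not records:
        # Empty log: nothing newer than the caller's marker.
        return "{}:{}".format("no", str(record_number))

    newest_number = records[0].RecordNumber
    ret = "no"
    for item in records:
        if item.RecordNumber <= record_number:
            break
        if item.SourceName in ("Application Error", "Application Hang"):
            ret = "yes"
            break

    return "{}:{}".format(ret, str(newest_number))


class proxy(object):
    """Select-based TCP command server that drives the GUI helper programs.

    Commands arrive as plain text from any connected peer, without
    authentication: ``launch``, ``kill``, ``detect:<record>`` and
    ``operation:<helper.exe>``. Run it only where every peer that can reach
    the port is trusted.
    """

    def __init__(self, sock):
        self.BUFSIZE = 10000
        self.server = sock
        self.inputs = [self.server]
        self.sock_dict = {} # record for controller, software, and device

    @staticmethod
    def socket_send(sock,data,tag):
        """Send ``data`` on ``sock``, logging failures under ``tag``.

        Declared static because the signature has no ``self``; as a plain
        method it could not be called on an instance.
        """
        logging.debug("in process:{}".format(tag))
        try:
            sock.send(data)
            time.sleep(0.1) # in case send two stream as one stream
        except Exception as exp:
            err = "{}:{}".format(tag,exp)
            logging.warning(err)

    def run(self):
        """Serve commands until the process is stopped."""
        self.noblocking()

    def _drop(self, sock):
        """Stop watching ``sock`` and close it unless it is the listener."""
        if sock in self.inputs:
            self.inputs.remove(sock)
        if sock is not self.server:
            try:
                sock.close()
            except Exception as exp:
                logging.warning("close failed:{}".format(exp))

    @staticmethod
    def _run_helper(name):
        """Run one helper from ``.\\utils`` and return its exit status.

        Returns None when ``name`` is not a bare ``*.exe`` file name or the
        file does not exist. The name comes straight off the network, so it is
        validated and executed without a shell instead of being concatenated
        into a command line.
        NOTE(review): requests that carried arguments after the helper name
        are now rejected; confirm no controller relies on that.
        """
        name = name.strip()
        if not _HELPER_NAME.match(name):
            return None
        path = os.path.join(".", "utils", name)
        if not os.path.isfile(path):
            return None
        return subprocess.call([path])

    def _dispatch(self, data):
        """Execute one command string and return the reply to send back."""
        if data == "launch":
            return os.system(".\\utils\\mit_execute_drrun.exe")
        if data == "kill":
            return os.system("python ./utils/kill_gxworks.py")
        if data.find("detect")>=0:
            # Everything after the 7-character "detect:" prefix is the record number.
            return detect_crash(data[7:])
        if data.find("operation") >=0:
            status = self._run_helper(data[data.find(':')+1:])
            if status is None:
                logging.warning("rejected operation request:{!r}".format(data))
                return "error"
            r = 'operation->' + str(status)
            logging.debug('execute cmd result:{}'.format(r))
            return r
        logging.debug("error in cmd")
        return "error"

    def noblocking(self, timeout=10):
        """Accept peers and answer their commands in a select loop.

        ``timeout`` is the select timeout in seconds. A failure while handling
        one socket drops that socket only; a failure of ``select`` itself is
        re-raised because the watched set is then unusable.
        """
        while True:
            current = None  # socket being handled when an exception occurs
            try:
                readable,_,exceps = select.select(self.inputs,[],self.inputs,timeout)
                for soc in readable:
                    current = soc
                    if soc is self.server:
                        # proactive connect to to proxy, [controller,software], device should notify
                        client_con, _ = soc.accept()
                        self.inputs.append(client_con)
                        logging.debug("connect success:{}".format(client_con.getpeername()))
                        continue

                    data = soc.recv(self.BUFSIZE)
                    if data == "":
                        # socket closed by peer
                        self._drop(soc)
                        logging.debug("socket is closed by peer")
                        continue

                    logging.debug("cmd:{}".format(data))
                    start = time.time()
                    r = self._dispatch(data)
                    end = time.time()
                    logging.debug("time consumed:{}!".format(end-start))
                    soc.send(str(r))

                for exp in exceps:
                    # maybe server?
                    current = exp
                    logging.warning('Exception:{}'.format(exp.getpeername()))
                    self._drop(exp)

            except Exception as error:
                logging.warning("Error info:{}".format(error))
                if current is None:
                    raise
                # Previously this removed whatever `soc` last referred to, which
                # could be unbound or already removed and crashed the handler.
                self._drop(current)


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG) # can show debug info

    # Listens on every interface and the command channel has no authentication;
    # keep this host on an isolated test network or restrict the port with a
    # host firewall to the controller's address.
    ADDR = ("0.0.0.0",65534)

    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(ADDR)
    server.listen(10)
    p = proxy(server)
    p.run()

--------------------------------------------------------------------------------
/Mitsubishi-Proxies/proxy/gui/monitor_run_gxwork.py:
--------------------------------------------------------------------------------
import os

def main():
    """Start GX Works2 on the test project under DynamoRIO with the monitor client.

    NOTE(review): the paths are wrapped in single quotes, which cmd.exe does
    not treat as quoting, and the user directory differs between arguments
    (``xxx`` vs ``xx``); both look like placeholders to adapt per machine.
    """
    cmd = "'C:\\Users\\xxx\\DynamoRIO-Windows-7.1.0-1\\bin32\\drrun.exe' -c 'C:\\Users\\xxx\\Mitsubishi\\monitor\\monitor.dll' -- 'C:\\Program Files (x86)\\MELSOFT\\GPPW2\\GD2.exe' 'C:\\Users\\xx\\Mitsubishi\\test.gxw'"
    os.system(cmd)

if __name__ == '__main__':
    main()

--------------------------------------------------------------------------------
/Mitsubishi-Proxies/proxy/gui/utils/execute_drrun_real.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/boofish/ICS3Fuzzer/77b103909f6a30b59e14c10a84fff6b542949941/Mitsubishi-Proxies/proxy/gui/utils/execute_drrun_real.exe

--------------------------------------------------------------------------------
/Mitsubishi-Proxies/proxy/gui/utils/kill_gxworks.py:
--------------------------------------------------------------------------------
import os
import subprocess

def get_pid(s):
    """Return the PID column of the first ``tasklist`` line in ``s``, or None.

    The PID is the second whitespace-separated field. None is returned for
    empty output and whenever that field is not purely numeric, so nothing
    but digits is ever formatted into the ``taskkill`` command line.
    """
    if len(s) == 0:
        return None
    if not isinstance(s, str):
        # Pipe output is bytes on Python 3; on Python 2 it is already str.
        s = s.decode('ascii', 'ignore')
    fields = s.split()
    if len(fields) < 2 or not fields[1].isdigit():
        return None
    return fields[1]


def _kill_first_match(pattern, label):
    """Force-kill the first process whose tasklist line matches ``pattern``."""
    cmd = "tasklist|findstr {}".format(pattern)
    proc = subprocess.Popen(cmd,shell=True,stdin=subprocess.PIPE,stdout=subprocess.PIPE)
    output = proc.communicate()[0]
    target_pid = get_pid(output)
    print("{} pid:{}".format(label, target_pid))
    if target_pid is not None:
        cmd = "taskkill /PID {} /F".format(target_pid)
        os.system(cmd)
        print('killed the target_pid')


def kill_drrun():
    """Kill the DynamoRIO launcher helper if it is running."""
    _kill_first_match("execute_drrun.exe*", "execute_drrun.exe")


def main():
    """Kill the launcher, the Windows crash reporters, GX Works2 and ECMonitor.

    Only the first matching process per pattern is killed.
    """
    kill_drrun()
    _kill_first_match("dw20.exe*", "dw20.exe")
    _kill_first_match("WerFault.exe*", "WerFault.exe")
    _kill_first_match("GD2*", "GD2.exe")
    _kill_first_match("ECMonitor*", "ECMonitor*")

if __name__ == '__main__':
    main()

--------------------------------------------------------------------------------
/Mitsubishi-Proxies/proxy/gui/utils/mit_arrange_plc.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/boofish/ICS3Fuzzer/77b103909f6a30b59e14c10a84fff6b542949941/Mitsubishi-Proxies/proxy/gui/utils/mit_arrange_plc.exe

--------------------------------------------------------------------------------
/Mitsubishi-Proxies/proxy/gui/utils/mit_clear_plc_memory.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/boofish/ICS3Fuzzer/77b103909f6a30b59e14c10a84fff6b542949941/Mitsubishi-Proxies/proxy/gui/utils/mit_clear_plc_memory.exe

--------------------------------------------------------------------------------
/Mitsubishi-Proxies/proxy/gui/utils/mit_connect_test.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/boofish/ICS3Fuzzer/77b103909f6a30b59e14c10a84fff6b542949941/Mitsubishi-Proxies/proxy/gui/utils/mit_connect_test.exe

--------------------------------------------------------------------------------
/Mitsubishi-Proxies/proxy/gui/utils/mit_crash_detector.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/boofish/ICS3Fuzzer/77b103909f6a30b59e14c10a84fff6b542949941/Mitsubishi-Proxies/proxy/gui/utils/mit_crash_detector.exe

--------------------------------------------------------------------------------
/Mitsubishi-Proxies/proxy/gui/utils/mit_delete.exe:
--------------------------------------------------------------------------------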
https://raw.githubusercontent.com/boofish/ICS3Fuzzer/77b103909f6a30b59e14c10a84fff6b542949941/Mitsubishi-Proxies/proxy/gui/utils/mit_delete.exe -------------------------------------------------------------------------------- /Mitsubishi-Proxies/proxy/gui/utils/mit_execute_drrun.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/boofish/ICS3Fuzzer/77b103909f6a30b59e14c10a84fff6b542949941/Mitsubishi-Proxies/proxy/gui/utils/mit_execute_drrun.exe -------------------------------------------------------------------------------- /Mitsubishi-Proxies/proxy/gui/utils/mit_execute_drrun_real.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/boofish/ICS3Fuzzer/77b103909f6a30b59e14c10a84fff6b542949941/Mitsubishi-Proxies/proxy/gui/utils/mit_execute_drrun_real.exe -------------------------------------------------------------------------------- /Mitsubishi-Proxies/proxy/gui/utils/mit_format_plc_memory.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/boofish/ICS3Fuzzer/77b103909f6a30b59e14c10a84fff6b542949941/Mitsubishi-Proxies/proxy/gui/utils/mit_format_plc_memory.exe -------------------------------------------------------------------------------- /Mitsubishi-Proxies/proxy/gui/utils/mit_launch.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/boofish/ICS3Fuzzer/77b103909f6a30b59e14c10a84fff6b542949941/Mitsubishi-Proxies/proxy/gui/utils/mit_launch.exe -------------------------------------------------------------------------------- /Mitsubishi-Proxies/proxy/gui/utils/mit_plc_user_data.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/boofish/ICS3Fuzzer/77b103909f6a30b59e14c10a84fff6b542949941/Mitsubishi-Proxies/proxy/gui/utils/mit_plc_user_data.exe -------------------------------------------------------------------------------- /Mitsubishi-Proxies/proxy/gui/utils/mit_read_from_plc.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/boofish/ICS3Fuzzer/77b103909f6a30b59e14c10a84fff6b542949941/Mitsubishi-Proxies/proxy/gui/utils/mit_read_from_plc.exe -------------------------------------------------------------------------------- /Mitsubishi-Proxies/proxy/gui/utils/mit_remote_operate.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/boofish/ICS3Fuzzer/77b103909f6a30b59e14c10a84fff6b542949941/Mitsubishi-Proxies/proxy/gui/utils/mit_remote_operate.exe -------------------------------------------------------------------------------- /Mitsubishi-Proxies/proxy/gui/utils/mit_set_clock.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/boofish/ICS3Fuzzer/77b103909f6a30b59e14c10a84fff6b542949941/Mitsubishi-Proxies/proxy/gui/utils/mit_set_clock.exe -------------------------------------------------------------------------------- /Mitsubishi-Proxies/proxy/gui/utils/mit_write_title.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/boofish/ICS3Fuzzer/77b103909f6a30b59e14c10a84fff6b542949941/Mitsubishi-Proxies/proxy/gui/utils/mit_write_title.exe -------------------------------------------------------------------------------- /Mitsubishi-Proxies/proxy/gui/utils/shm_monitor.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/boofish/ICS3Fuzzer/77b103909f6a30b59e14c10a84fff6b542949941/Mitsubishi-Proxies/proxy/gui/utils/shm_monitor.exe 
--------------------------------------------------------------------------------
/Mitsubishi-Proxies/proxy/gui/utils/sources/launch.au3:
--------------------------------------------------------------------------------
#cs ----------------------------------------------------------------------------

 AutoIt Version: 3.3.14.5
 Author: fdl

 Script Function:
	Template AutoIt script.

#ce ----------------------------------------------------------------------------

; NOTE(review): the include target is missing on this page (probably lost in
; extraction); restore it from the repository before compiling.
#include

; Start GX Works2 on the test project and wait up to 1 s for its main window.
Func launch()
	Local $iPID = Run("C:\Program Files (x86)\MELSOFT\GPPW2\GD2.EXE C:\Users\xxx\Desktop\Mitsubishi\test.gxw")
	;Sleep(1500)
	WinWaitActive("MELSOFT Series GX Works2 C:\Users\xxx\Desktop\Mitsubishi\test.gxw - [[PRG]Write MAIN 1 Step]","",1)
EndFunc

launch()

--------------------------------------------------------------------------------
/Mitsubishi-Proxies/proxy/gui/utils/sources/mit_arrange_plc.au3:
--------------------------------------------------------------------------------
; NOTE(review): despite the file name, the calls at the bottom run
; read_from_plc() and clear_plc_memory(); arrange_plc() is commented out.
; Clearing PLC memory is destructive for the device under test - confirm intent.

; Activate the GX Works2 main window, click at a fixed offset from its
; top-left corner and confirm with ENTER, DOWN, ENTER.
; The window-found guard is commented out, so a missing window is not handled.
Func read_from_plc()
	WinActivate("MELSOFT Series GX Works2 C:\Users\xxx\Desktop\Mitsubishi\test.gxw - [[PRG]Write MAIN 1 Step]")
	Local $windw = WinWaitActive("MELSOFT Series GX Works2 C:\Users\xxx\Desktop\Mitsubishi\test.gxw - [[PRG]Write MAIN 1 Step]","",4)
	Local $aPos = WinGetPos($windw)
	;If $aPos Then
		Local $x = $aPos[0] + 330
		Local $y = $aPos[1] + 14 + 28
		MouseClick("left",$x,$y,1,3)
		send("{ENTER}")
		Send("{DOWN}")
		send("{ENTER}")
	;EndIf

EndFunc



; Each function below waits up to 3 s for the "Online Data Operation" dialog
; and double-clicks at a fixed offset from its top-left corner. Which control
; sits at each offset is presumed from the function name - verify on the
; target GX Works2 version and screen layout.
Func arrange_plc()
	WinActivate("Online Data Operation")
	Local $subwd = WinWaitActive("Online Data Operation","",3)
	If $subwd Then
		Local $aPos = WinGetPos($subwd)
		Local $x = $aPos[0] + 7 + 616
		Local $y = $aPos[1] + 523 + 30
		MouseClick("left",$x,$y,2,2)
	EndIf

EndFunc

Func write_title()
	WinActivate("Online Data Operation")
	Local $subwd = WinWaitActive("Online Data Operation","",3)
	If $subwd Then
		Local $aPos = WinGetPos($subwd)
		Local $x = $aPos[0] + 7 + 335
		Local $y = $aPos[1] + 523 + 45
		MouseClick("left",$x,$y,2,2)
	EndIf

EndFunc

Func set_clock()
	WinActivate("Online Data Operation")
	Local $subwd = WinWaitActive("Online Data Operation","",3)
	If $subwd Then
		Local $aPos = WinGetPos($subwd)
		Local $x = $aPos[0] + 7 + 148
		Local $y = $aPos[1] + 523 + 45
		MouseClick("left",$x,$y,2,2)
	EndIf

EndFunc

Func delete()
	WinActivate("Online Data Operation")
	Local $subwd = WinWaitActive("Online Data Operation","",3)
	If $subwd Then
		Local $aPos = WinGetPos($subwd)
		Local $x = $aPos[0] + 17 + 444
		Local $y = $aPos[1] + 57 + 33
		MouseClick("left",$x,$y,2,2)
	EndIf

EndFunc

Func format_plc_memory()
	WinActivate("Online Data Operation")
	Local $subwd = WinWaitActive("Online Data Operation","",3)
	If $subwd Then
		Local $aPos = WinGetPos($subwd)
		Local $x = $aPos[0] + 7 + 429
		Local $y = $aPos[1] + 523 + 45
		MouseClick("left",$x,$y,2,2)
	EndIf

EndFunc

Func clear_plc_memory()
	WinActivate("Online Data Operation")
	Local $subwd = WinWaitActive("Online Data Operation","",3)
	If $subwd Then
		Local $aPos = WinGetPos($subwd)
		Local $x = $aPos[0] + 7 + 535
		Local $y = $aPos[1] + 523 + 45
		MouseClick("left",$x,$y,2,2)
	EndIf

EndFunc




read_from_plc()
clear_plc_memory()


;arrange_plc()

--------------------------------------------------------------------------------
/Mitsubishi-Proxies/proxy/gui/utils/sources/mit_clear_plc_memory.au3:
--------------------------------------------------------------------------------
; Wait up to 3 s for the "Online Data Operation" dialog and double-click at a
; fixed offset inside it (presumably the clear-PLC-memory control - verify).
Func clear_plc_memory()
	WinActivate("Online Data Operation")
	Local $subwd = WinWaitActive("Online Data Operation","",3)
	If $subwd Then
		Local $aPos = WinGetPos($subwd)
		Local $x = $aPos[0] + 7 + 535
		Local $y = $aPos[1] + 523 + 45
		MouseClick("left",$x,$y,2,2)
	EndIf

EndFunc

clear_plc_memory()

--------------------------------------------------------------------------------
/Mitsubishi-Proxies/proxy/gui/utils/sources/mit_close.au3:
--------------------------------------------------------------------------------
; NOTE(review): the function is named format_plc_memory but it only clicks the
; dialog's "Close" control (Button21); the name looks copied from another script.
Func format_plc_memory()
	WinActivate("Online Data Operation")
	Local $subwd = WinWaitActive("Online Data Operation","",3)
	If $subwd Then
		ControlClick($subwd, "Close", "Button21")
	EndIf

EndFunc

format_plc_memory()

--------------------------------------------------------------------------------
/Mitsubishi-Proxies/proxy/gui/utils/sources/mit_connect_test.au3:
--------------------------------------------------------------------------------
#cs ----------------------------------------------------------------------------

 AutoIt Version: 3.3.14.5
 Author: myName

 Script Function:
	Template AutoIt script.

#ce ----------------------------------------------------------------------------

; NOTE(review): the include target is missing on this page (probably lost in
; extraction); restore it from the repository before compiling.
#include

; Activate the GX Works2 frame window, double-click two fixed offsets inside
; it, wait up to 2 s for "Transfer Setup Connection1" and send Alt+T.
Func connect_test()

	WinActivate("MELSOFT Series GX Works2 C:\Users\xxx\Desktop\Mitsubishi\test.gxw - [[PRG]Write MAIN 1 Step]")
	Local $windw = WinWaitActive("[CLASS:GXW2FrameWnd;INSTANCE:1]","",2)
	If $windw Then
		Local $aPos = WinGetPos($windw)
		;MsgBox(($MB_SYSTEMMODAL,"box" , "posi:x=" & $aPos[0] & ",y=" & $aPos[1]))
		Local $x = $aPos[0] + 55
		Local $y = $aPos[1] + 430 + 156

		; WinWaitActive("[CLASS:XTPShortcutBar;INSTANCE:1]","",1)
		;MsgBox($MB_SYSTEMMODAL,"box" , "posi:x=" & $aPos[0] & ",y=" & $aPos[1])

		MouseClick("left",$x,$y,2,0)

		$x = $aPos[0] + 1 + 77
		$y = $aPos[1] + 253 + 35
		; WinWaitActive("[CLASS:SysTreeView32;INSTANCE:5]","",1)
		MouseClick("left",$x,$y,2,0)


		WinWaitActive("Transfer Setup Connection1","",2)
		send("!T")
		;Sleep(500)


		;WinWaitActive("MELSOFT Application")
		;send("{ENTER}")
		;Sleep(500)

		;WinWaitActive("Transfer Setup Connection1")
		;send("{ENTER}")
	EndIf

EndFunc

connect_test()

--------------------------------------------------------------------------------
/Mitsubishi-Proxies/proxy/gui/utils/sources/mit_delete.au3:
--------------------------------------------------------------------------------
; Wait up to 3 s for the "Online Data Operation" dialog and double-click at a
; fixed offset inside it (presumably the delete control - verify).
Func delete()
	WinActivate("Online Data Operation")
	Local $subwd = WinWaitActive("Online Data Operation","",3)
	If $subwd Then
		Local $aPos = WinGetPos($subwd)
		Local $x = $aPos[0] + 17 + 444
		Local $y = $aPos[1] + 57 + 33
		MouseClick("left",$x,$y,2,2)
	EndIf

EndFunc

delete()

--------------------------------------------------------------------------------
/Mitsubishi-Proxies/proxy/gui/utils/sources/mit_format_plc_memory.au3:
--------------------------------------------------------------------------------
; Wait up to 3 s for the "Online Data Operation" dialog and double-click at a
; fixed offset inside it (presumably the format-PLC-memory control - verify).
Func format_plc_memory()
	WinActivate("Online Data Operation")
	Local $subwd = WinWaitActive("Online Data Operation","",3)
	If $subwd Then
		Local $aPos = WinGetPos($subwd)
		Local $x = $aPos[0] + 7 + 429
		Local $y = $aPos[1] + 523 + 45
		MouseClick("left",$x,$y,2,2)
	EndIf

EndFunc

format_plc_memory()

--------------------------------------------------------------------------------
/Mitsubishi-Proxies/proxy/gui/utils/sources/mit_plc_user_data.au3:
--------------------------------------------------------------------------------
; Wait up to 3 s for the "Online Data Operation" dialog and double-click at a
; fixed offset inside it (presumably the PLC-user-data control - verify).
Func plc_user_data()
	WinActivate("Online Data Operation")
	Local $subwd = WinWaitActive("Online Data Operation","",3)
	If $subwd Then
		Local $aPos = WinGetPos($subwd)
		Local $x = $aPos[0] + 7 + 241
		Local $y = $aPos[1] + 523 + 31
		MouseClick("left",$x,$y,2,2)
	EndIf

EndFunc

plc_user_data()

--------------------------------------------------------------------------------
/Mitsubishi-Proxies/proxy/gui/utils/sources/mit_read_from_plc.au3:
--------------------------------------------------------------------------------
; Activate the GX Works2 main window, click at a fixed offset from its
; top-left corner and confirm with ENTER, DOWN, ENTER.
; The window-found guard is commented out, so a missing window is not handled.
Func read_from_plc()
	WinActivate("MELSOFT Series GX Works2 C:\Users\xxx\Desktop\Mitsubishi\test.gxw - [[PRG]Write MAIN 1 Step]")
	Local $windw = WinWaitActive("MELSOFT Series GX Works2 C:\Users\xxx\Desktop\Mitsubishi\test.gxw - [[PRG]Write MAIN 1 Step]","",4)
	Local $aPos = WinGetPos($windw)
	;If $aPos Then
		Local $x = $aPos[0] + 330
		Local $y = $aPos[1] + 14 + 28
		MouseClick("left",$x,$y,1,3)
		send("{ENTER}")
		Send("{DOWN}")
		send("{ENTER}")
	;EndIf

EndFunc

read_from_plc()

--------------------------------------------------------------------------------
/Mitsubishi-Proxies/proxy/gui/utils/sources/mit_remote_operate.au3:
--------------------------------------------------------------------------------
; Wait up to 3 s for the "Online Data Operation" dialog and double-click at a
; fixed offset inside it (presumably the remote-operation control - verify).
Func remote_operate()
	WinActivate("Online Data Operation")
	Local $subwd = WinWaitActive("Online Data Operation","",3)
	If $subwd Then
		Local $aPos = WinGetPos($subwd)
		Local $x = $aPos[0] + 7 + 52
		Local $y = $aPos[1] + 523 + 36
		MouseClick("left",$x,$y,2,2)
	EndIf

EndFunc

remote_operate()

--------------------------------------------------------------------------------
/Mitsubishi-Proxies/proxy/gui/utils/sources/mit_set_clock.au3:
--------------------------------------------------------------------------------
; Wait up to 3 s for the "Online Data Operation" dialog and double-click at a
; fixed offset inside it (presumably the set-clock control - verify).
Func set_clock()
	WinActivate("Online Data Operation")
	Local $subwd = WinWaitActive("Online Data Operation","",3)
	If $subwd Then
		Local $aPos = WinGetPos($subwd)
		Local $x = $aPos[0] + 7 + 148
		Local $y = $aPos[1] + 523 + 45
		MouseClick("left",$x,$y,2,2)
	EndIf

EndFunc

set_clock()

--------------------------------------------------------------------------------
/Mitsubishi-Proxies/proxy/gui/utils/sources/mit_write_title.au3:
--------------------------------------------------------------------------------
; Wait up to 3 s for the "Online Data Operation" dialog and double-click at a
; fixed offset inside it (presumably the write-title control - verify).
Func write_title()
	WinActivate("Online Data Operation")
	Local $subwd = WinWaitActive("Online Data Operation","",3)
	If $subwd Then
		Local $aPos = WinGetPos($subwd)
		Local $x = $aPos[0] + 7 + 335
		Local $y = $aPos[1] + 523 + 45
		MouseClick("left",$x,$y,2,2)
	EndIf

EndFunc

write_title()

--------------------------------------------------------------------------------
/Mitsubishi-Proxies/proxy/gui/watchdog.py:
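def get_pid(s):
    """Return the PID column of the first row of ``tasklist`` output.

    ``s`` is the text printed by ``tasklist | findstr <pattern>``.  The PID is
    taken as the second whitespace-separated token.  Returns ``None`` when
    ``s`` is empty, has no second token, or that token is not a decimal
    number, so callers never pass anything but digits on to ``taskkill``.
    """
    fields = s.split()
    if len(fields) < 2 or not fields[1].isdigit():
        return None
    return fields[1]


def _force_kill(pid):
    """Run ``taskkill /PID <pid> /F`` without a shell; ignore non-numeric PIDs."""
    pid = str(pid)
    if not pid.isdigit():
        logging.warning("refusing to taskkill non-numeric pid:{!r}".format(pid))
        return
    # Argument list instead of a shell string: the PID was parsed from tool
    # output and must never be interpreted by cmd.exe.
    subprocess.call(["taskkill", "/PID", pid, "/F"])


def _tasklist_rows(pattern):
    """Return the raw output of ``tasklist | findstr <pattern>``.

    ``pattern`` is always one of the literals used in this file; it is
    interpolated into a shell pipeline, so do not pass external input here.
    """
    cmd = "tasklist|findstr {}".format(pattern)
    proc = subprocess.Popen(cmd, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    return proc.communicate()[0]


def start_proxy():
    """Run the traffic proxy script and block until it exits."""
    cmd = "python C:\\Users\\fdl\\Desktop\\Mitsubishi\\proxy\\network\\proxy.py"
    os.system(cmd)


def start_driver():
    """Run the GUI driver script and block until it exits."""
    cmd = "python C:\\Users\\fdl\\Desktop\\Mitsubishi\\proxy\\gui\\driver.py"
    os.system(cmd)


def get_service_pid(s, port=None):
    """Return the PID that owns a LISTENING socket in ``netstat -ano`` output.

    Only rows whose state is ``LISTENING`` are considered, so the PID of a
    client that merely has a connection to the port is never returned.  When
    ``port`` is given, the local-address column must also end in ``:<port>``;
    this keeps ``findstr :5007`` hits such as ``:50070`` from being selected.
    Returns ``None`` when no row qualifies.
    """
    suffix = None if port is None else ":{}".format(port)
    for row in s.splitlines():
        fields = row.split()
        if len(fields) < 2 or "LISTENING" not in fields:
            continue
        if suffix is not None and not fields[1].endswith(suffix):
            continue
        if fields[-1].isdigit():
            return fields[-1]
    return None


def kill_service(port):
    """Force-kill the process listening on TCP ``port``, if there is one."""
    # int() guarantees that only digits are interpolated into the shell pipeline.
    cmd = "netstat -ano|findstr :{}".format(int(port))
    proc = subprocess.Popen(cmd, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    output = proc.communicate()[0]
    target_pid = get_service_pid(output, port)
    if target_pid is not None:
        _force_kill(target_pid)
        print('killed the proxy_pid')


def restart_service():
    """Kill the listeners on ports 5007 and 65534, then relaunch proxy and driver.

    NOTE(review): the ports are presumably those of proxy.py and driver.py;
    confirm against those scripts.
    """
    kill_service(5007)
    kill_service(65534)

    proxy_process = Process(target=start_proxy, args=())
    driver_process = Process(target=start_driver, args=())
    proxy_process.start()
    driver_process.start()


def kill_target_process():
    """Force-kill the first tasklist match for dw20.exe, GD2 and ECMonitor."""
    targets = (
        ("dw20.exe*", "dw20.exe"),
        ("GD2*", "GD2.exe"),
        ("ECMonitor*", "ECMonitor*"),
    )
    for pattern, label in targets:
        target_pid = get_pid(_tasklist_rows(pattern))
        print("{} pid:{}".format(label, target_pid))
        if target_pid is not None:
            _force_kill(target_pid)
            print('killed the target_pid')


def kill_utility():
    """Force-kill every process matching ``mit_*``, then the target processes."""
    for item in _tasklist_rows("mit_*").splitlines():
        m_pid = get_pid(item)
        if m_pid is not None:
            _force_kill(m_pid)
            print("killed pid:{}".format(m_pid))
    kill_target_process()


def restart_utility():
    """Stop the GUI utilities and the target processes."""
    kill_utility()


def reset_environment():
    """Restart the proxy/driver services and stop the GUI utilities."""
    logging.debug("reset environment start......")
    restart_service()
    restart_utility()
    logging.debug("reset environment complete......")


class proxy(object):
    """Control listener that resets the test bed when a client sends ``reset``."""

    def __init__(self, sock):
        """Wrap an already bound and listening server socket."""
        self.BUFSIZE = 10000
        self.server = sock
        self.inputs = [self.server]
        self.sock_dict = {}  # record for controller, software, and device

    @staticmethod
    def socket_send(sock, data, tag):
        """Send ``data`` on ``sock``; failures are logged with ``tag``, not raised.

        Declared static because the signature has no ``self``; as a plain
        method it could not be called with a socket as first argument.
        """
        logging.debug("in process:{}".format(tag))
        try:
            sock.send(data)
            time.sleep(0.1)  # in case send two stream as one stream
        except Exception as exp:
            err = "{}:{}".format(tag, exp)
            logging.warning(err)

    def run(self):
        """Serve forever."""
        self.noblocking()

    def _drop(self, sock):
        """Forget a client socket and close it; the listening socket is kept."""
        if sock is self.server:
            return
        if sock in self.inputs:
            self.inputs.remove(sock)
        try:
            sock.close()
        except Exception as error:
            logging.debug("close failed:{}".format(error))

    def noblocking(self, timeout=10):
        """Multiplex the listener and its clients with ``select``.

        A chunk that is exactly ``reset`` triggers ``reset_environment()``.
        Errors on one client only drop that client.

        SECURITY: the command channel has no authentication, so any host that
        can reach the listening port can force the process kills and restarts
        done by ``reset_environment()``.  Restrict the port to the dispatcher
        (host firewall or an isolated lab network).
        """
        while True:
            try:
                readable, _, exceps = select.select(self.inputs, [], self.inputs, timeout)
            except Exception as error:
                logging.warning("Error info:{}".format(error))
                time.sleep(0.1)  # do not spin if select keeps failing
                continue

            for soc in readable:
                try:
                    if soc is self.server:
                        # proactive connect to proxy, [controller,software], device should notify
                        client_con, _ = soc.accept()
                        self.inputs.append(client_con)
                        logging.debug("connect success:{}".format(client_con.getpeername()))
                        continue
                    data = soc.recv(self.BUFSIZE)
                except Exception as error:
                    logging.warning("Error info:{}".format(error))
                    self._drop(soc)
                    continue

                if data:
                    logging.debug("cmd:{}".format(data))
                    if data == b"reset":
                        try:
                            reset_environment()
                        except Exception:
                            # A failed reset must not take the listener down.
                            logging.exception("reset_environment failed")
                else:
                    # An empty read means the peer closed the connection.
                    self._drop(soc)
                    logging.debug("socket is closed by peer")

            for exp in exceps:
                if exp is self.server:
                    # Nothing can be served without the listener.
                    logging.error("listening socket reported an error, stopping")
                    return
                try:
                    peer = exp.getpeername()
                except Exception:
                    peer = None
                logging.warning('Exception:{}'.format(peer))
                self._drop(exp)


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)  # can show debug info

    # Listens on every interface so that the dispatcher on another machine can
    # connect.  The "reset" command is unauthenticated: keep this host on an
    # isolated test network or firewall the port to the dispatcher's address.
    ADDR = ("0.0.0.0", 65533)

    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(ADDR)
    server.listen(10)
    p = proxy(server)
    p.run()

# End of watchdog.py. The next file header of this listing is kept verbatim below.
# --------------------------------------------------------------------------------
# /README.md:
# --------------------------------------------------------------------------------
# ## ICS3Fuzzer: A Framework for discovering protocol implementation bugs in supervisory software by fuzzing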
4 | 5 |

To help understand the ideas in the paper,
and considering the status of the bug fixes,
we show a detailed example of fuzzing GX Works2.
The process of fuzzing other objects is exactly the same.

## Code structure

+ Dispatcher (The main fuzzer)
    + `mutate_engine.py`: for mutation
    + `utils.py`: send commands to the proxy
    + `read_from_plc.py`: the main fuzzer, covering one of the functionalities
    + `length_cluster.py`: protocol analysis
    + `length_fields_analysis.py`: protocol analysis
    + `split_fields.py`: protocol analysis
    + `gen_template.py`: protocol analysis
    + `state_filter.py`: pre-processing for selecting states


+ Proxies
    + `./gui/watchdog.py`: launch the environment related to the proxies
    + `./gui/utils/kill_gxworks.py`: kill the process after feeding the inputs
    + `./gui/utils/*.exe`: guiautolits
    + `./gui/utils/sources/*.au3`: source code of guiautolits
    + `./gui/driver.py`: GUI proxy
    + `./network/proxy.py`: Traffic proxy

Note that all `*.au3` files need to be adjusted for the size of your screen display. For example, in `read_from_plc.au3`, you may need to adjust the constant `330` in the statement `Local $x = $aPos[0] + 330` to a value that matches your display configuration. The paths of the executables need to be adjusted as well.


## Setup
Currently, ICS3Fuzzer only supports python 2.7.13.
Also, you may need to install some python libraries.
+ boofuzz
+ win32evtlog
+ netzob (for fuzzing process, it is not a must)

Besides, you need to install AutoIt to write `guiautolits`, see https://www.autoitscript.com/site.

We recommend running the main fuzzer and the proxies on different machines.
The proxies and the target software can be on the same host, and the main fuzzer (dispatcher) should be on another.


### 1. Install `boofuzz`

```
git clone https://github.com/jtpereyda/boofuzz.git
```
Our mutation is based on the mutate() function, which is deprecated in the latest version. Therefore, we need to roll back to an earlier version.

```
cd boofuzz
git checkout 0c03ee04817fae2
python -m pip install .
```
If the installation reports an error, you may need to install `typing` with
```
python -m pip install typing
```


### 2. Run the fuzzer
+ Install GX Works2, which can be downloaded from the Internet.
+ Configure the IP address of GX Works2 as `0.0.0.0`
+ Run `python watchdog.py` on the same machine as GX Works2. It is assumed that the python lib `win32evtlog` has been installed. Note that `watchdog.py` listens on `0.0.0.0:65533` and acts on a plain-text `reset` command from any client without authentication, so keep this machine on an isolated test network or restrict the port to the dispatcher's address.
+ Run `python read_from_plc.py` from another machine. If things go smoothly, the fuzzing process will start!

### 3. Findings

CVE-2019-16353,
CVE-2021-29297,
CVE-2021-29298,
CVE-2021-20587,
CVE-2021-20588


## Cite the paper

    @inproceedings{ics3fuzzer,
      title={ICS3Fuzzer: A Framework for Discovering Protocol Implementation Bugs in ICS Supervisory Software by Fuzzing},
      author={Fang, Dongliang and Song, Zhanwei and Guan, Le and Liu, Puzhuo and Peng, Anni and Cheng, Kai and Zheng, Yaowen and Liu, Peng and Zhu, Hongsong and Sun, Limin},
      booktitle={Annual Computer Security Applications Conference},
      pages={849--860},
      year={2021}
    }

--------------------------------------------------------------------------------
/img/system_architecture.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/boofish/ICS3Fuzzer/77b103909f6a30b59e14c10a84fff6b542949941/img/system_architecture.pdf
--------------------------------------------------------------------------------
/img/system_architecture.png:
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/boofish/ICS3Fuzzer/77b103909f6a30b59e14c10a84fff6b542949941/img/system_architecture.png --------------------------------------------------------------------------------