[?]: How to crack password keyword stored in the SLC500 pro

RSLinx, RSLogix, RSView, LogixPro ...
Anderson1987
Posts: 1
Joined: Tue Jul 20, 2021 6:46 pm

Re: [?]: How to crack password keyword stored in the SLC500 pro

Post by Anderson1987 »

hello, and when the programmer sets the Encrypt Password option. What can I do to crack the password?
psgama
Posts: 89
Joined: Thu Aug 08, 2013 6:00 pm

Re: [?]: How to crack password keyword stored in the SLC500 pro

Post by psgama »

what version rslogix 500 are you using?
Hexados
Posts: 6
Joined: Sat Jan 26, 2019 1:02 am

Re: [?]: How to crack password keyword stored in the SLC500 pro

Post by Hexados »

psgama wrote: Thu Jul 22, 2021 2:06 am what version rslogix 500 are you using?
Hello there!

First and foremost, thank you for EVERYTHING you and others are doing! It really has helped me, and still is helping me, immeasurably!
Second, concerning RSLogix 500, I have version 11 (I think CPR 9, or Build 9... I forgot which exactly :mrgreen: ).

The PLC from which I want to upload is a MicroLogix 1400 Series C, by the way, and even though the option isn't technically there in RSLogix 500, it is still able to communicate and identify it as a Series B (for some reason).

In any case, I also tried to crack this version on my own, to find a way around the password upload protection. When using PE Explorer, I was able to read the assembly lines in that set things like ladder diagram view password, master password, etc., and they all went back to two dll files: gkc1.dll and gkc2.dll.

Of course, I opened those too to check what I can and saw the functions and subfunctions written accordingly. However, assembly isn't exactly my strong suit (I'm more on the higher end coding of things, like MATLAB, Arduino, and of course PLC programs with ladder diagrams, FBDs, etc.) and I didn't know what to change! Would you please guide me to the section where I have to nullify the "74 14" hex part (or basically, the "jmp" instruction replaced by "nop")? I would really appreciate it!! I'm just really new to stuff like this.

Oh, and concerning the part that needs to be "nop"-ed, can you please send me what comes before and after those hex numbers? For example: 00313C64 and 00313C65 are to target in v8.10.00. I'd like to know the hex values in a big chunk basically, like from 00313C40 to 00313C80 but, I would have to target the 74 and 14 values in 00313C64 and 00313C65 addresses), so that I know what I'm looking for exactly in hex values, just in case there is a mismatch in the RSLogix 500 v11.

Thank you again!!
psgama
Posts: 89
Joined: Thu Aug 08, 2013 6:00 pm

Re: [?]: How to crack password keyword stored in the SLC500 pro

Post by psgama »

Sorry for delayed reply. I no longer visit regularly. Are you attempting to upload from PLC and Deny Future Access is enabled? Or do you have protected routine that you cannot read in PLC logic.

I don't have version 11 available, in version 10 use ollydbg or windbg or whatever. Load rs500 and search for command push 0F40. The JE command in v10 that needs to be changed to a JMP
patch 0F84F80100008D8D to E9F9010000908D8D.

Several other patches to allow for display code and select rungs, but this will let you save file. And is a starting point to determine other Deny Future Access checks.
Hexados
Posts: 6
Joined: Sat Jan 26, 2019 1:02 am

Re: [?]: How to crack password keyword stored in the SLC500 pro

Post by Hexados »

psgama wrote: Wed Dec 01, 2021 5:17 am Sorry for delayed reply. I no longer visit regularly. Are you attempting to upload from PLC and Deny Future Access is enabled? Or do you have protected routine that you cannot read in PLC logic.

I don't have version 11 available, in version 10 use ollydbg or windbg or whatever. Load rs500 and search for command push 0F40. The JE command in v10 that needs to be changed to a JMP
patch 0F84F80100008D8D to E9F9010000908D8D.

Several other patches to allow for display code and select rungs, but this will let you save file. And is a starting point to determine other Deny Future Access checks.
Hello and thank you for your reply!!

I am attempting to upload from the PLC. I have read the forum and this is all that I have compiled thus far (which I'm sure you already know):


Version 8.10.00 (CPR 9) Build 18 [CRC32="67AF5288"]

Offset | Old Byte | New Byte
----------------------------------------
00313C64 | 74 | 90
00313C65 | 14 | 90
-----------------------------------------


Version 9.05.00 (CPR 9)

Offset | Old Byte | New Byte
----------------------------------------
003566D3 | 74 | 90
003566D4 | 14 | 90
-----------------------------------------


Version V10.00.00

Offset | Old Byte | New Byte
----------------------------------------
003513AC | 74 | 90
003513AD | 14 | 90
-----------------------------------------



I unfortunately don't have v10 with me. I only have v11 and v12 (currently, I have v11 installed), and I was hoping if you could help me out with that as well. Maybe if I can upload the files and you explain the methodology? I don't mind doing it with Ollydbg, but I just want to understand where exactly to look for that jump instruction.
psgama
Posts: 89
Joined: Thu Aug 08, 2013 6:00 pm

Re: [?]: How to crack password keyword stored in the SLC500 pro

Post by psgama »

You must find the where the routine is that checks for the deny future access bit in the processor.

By finding where the text "This program has been PROTECTED from user access" is pushed to the program you can work your way backwards and then force rslogix to ignore this bit by modifying the jump instructions.
amcraw16
Posts: 1
Joined: Wed Oct 25, 2023 3:10 pm

Re: [?]: How to crack password keyword stored in the SLC500 pro

Post by amcraw16 »

I found the offset that needs changed on version 12.00.01. Made an account just to share with anyone looking for this like me.
To skip the Authenticate Password prompt for protected .rss files, use a hex editor and change 74 14 to 90 90 at offset 353a61 to 353a62
Kh_444
Posts: 6
Joined: Fri Feb 02, 2024 5:15 am

Re: [?]: How to crack password keyword stored in the SLC500 pro

Post by Kh_444 »

Can you gentlemen send me v10 or 11or 12 in order to apply what you explain cause I am facing the same problem you mentioned above.
If you read this comment, Please send the file

Thanks