看深思４官方的手册，然后安装Keil C51的环境，手册上都有一步一步写明的呀，就可以开工了，都是C语句了。头上包含一下ses_v3.h，，写好了编译成hex文件，用S4开发工具初始化好狗后导入狗内。

感谢TEE大侠指点，我的意思是 我门截取到的哪些数据信息，是不是都要自己用C语言来仿写，那些数据是不能直接用的

C51，截到数据只是拿来分析用，不是狗数据，需要重新写回算法

S4的通讯是没加密的，加密锁用DES 算法较多，而且由于硬件的关系，一般都用的8位的蜜月，我就搞不懂这个蜜月的处理和解密机制，那位朋友提供一个SDK的光盘才好

官方网上可以下载SDK的

官网是个文档，范例都是，没法用，光盘的直接些

主要是截取执行算法运算函数的通讯数据，例如进去是AAA，出来BBB，那总要知道从AAA变成BBB的换算关系吧，就是所说的狗内自定义算法函数，如果关系简单的，那就只看输入输出肉眼就看出来，比如只xor了一下，如果看着一堆的输入输出看不出个所以然来的，那就要对程序进行动态调试分析了，一般是在执行狗内算法运算函数前下断，跟它进去的数据是怎么来的，运算后出来的数据是干什么用的，大部份时候是根据输入输出来猜狗内算法了，，，有些时候开发软件的为了省事，你送进去什么数据它返回都是固定的，那你也就写个函数直接返回这数据就成了，只是这样的情况现在越来越少。

深思4通讯是明文，ET199通讯过程有DES对数据进行加密，论坛里有人发了获取ET199的通讯DES密钥的工具，可以用得到密钥对输入输出数据进行解码来得到明文。

再次感谢TEE大侠的热情指点，现在能找到S4的资料太少，很多人被问及S4时候都是不愿意多说的，特别是说到思路问题，许多人都不会说的，至少我问过的人如此；      他的开发套件也不好找，算法的问题都是靠自己去猜的，我不知道他的算法是如何处理入锁数据的  Function: S4ExecuteEx    FileID=0xAA21  dwflag=S4_VM_EXE
      InbufferSize=71    pInBuffer:[02 45 02 DC 14 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00]
      BytesReturned=66   pOutBuffer:[00 40 56 32 30 30 37 2E 31 30 2E 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00]  Result:Success
      Function: S4ExecuteEx    FileID=0xAA21  dwflag=S4_VM_EXE
      InbufferSize=8    pInBuffer:[02 06 02 DC 12 00 01 00]
      BytesReturned=3   pOutBuffer:[00 01 31]  Result:Success

Function: S4ExecuteEx    FileID=0xAA21  dwflag=S4_VM_EXE
      InbufferSize=15    pInBuffer:[02 0D 02 DC 00 00 08 00 00 00 00 00 00 00 00]
      BytesReturned=16   pOutBuffer:[00 08 32 30 31 30 30 38 32 39 00 00 00 00 00 00]  Result:Success
他的入锁数据到底是按啥规则来处理, 入锁数据都是一样的位数,出锁数据的位数完全不通, 解读这个全靠经验

20100829…………

没看懂尹兄的意思

BytesReturned=16   pOutBuffer:[00 08 32 30 31 30 30 38 32 39 00 00 00 00 00 00]  Result:Success
输出十六进制，转换就是：20100829。。。。这个数据可能是限制时间或者比较时间的数据了

最后这个的确是日期  wflag=S4_VM_EXE
      InbufferSize=15    pInBuffer:[02 0D 02 DC 00 00 08 00 00 00 00 00 00 00 00]
      BytesReturned=10   pOutBuffer:[00 08 32 30 32 30 30 37 32 31]  Result:Success
这个是2020721

以下是各模块的出入锁数据InbufferSize=71    pInBuffer:[02 45 01 DC 14 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00]
      BytesReturned=66   pOutBuffer:[00 40 54 44 20 31 30 2E 31 2E 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00]  Result:Success

InbufferSize=71    pInBuffer:[02 45 0C DC 14 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00]
      BytesReturned=66   pOutBuffer:[00 40 54 44 20 31 30 2E 31 2E 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00]  Result:Success

InbufferSize=71    pInBuffer:[02 45 05 DC 14 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00]
      BytesReturned=66   pOutBuffer:[00 40 54 44 20 31 30 2E 31 2E 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

InbufferSize=71    pInBuffer:[02 45 07 DC 14 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00]
      BytesReturned=66   pOutBuffer:[00 40 54 44 20 31 30 2E 31 2E 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00]  Result:Success

InbufferSize=71    pInBuffer:[02 45 07 DC 14 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00]
      BytesReturned=66   pOutBuffer:[00 40 54 44 20 31 30 2E 31 2E 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00]  Result:Success

InbufferSize=71    pInBuffer:[02 45 02 DC 14 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00]
      BytesReturned=66   pOutBuffer:[00 40 56 32 30 30 37 2E 31 30 2E 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00]  Result:Success
我发现入锁数据的第3位对应 不同的模块，但出锁数据 除最后一个都是相同的，那位大牛能解析下S4的这个数据的结构吗

经分析，输入的数据第三位对应不同的模块  02 05 01 07 0C     除02 输出:[00 40 56 32 30 30 37 2E 31 30 2E 31             其他的输出都是一样的05 01 07 0C    00 40 54 44 20 31 30 2E 31 2E 30   每个模块运行的时候首先输入  InbufferSize=8    pInBuffer:[02 06 02 DC 12 00 01 00]    如果锁里有这个模块 程序继续运行 ，如果没有就输出，没有发现单机锁进入学习版     有锁的话  根据不同模块判断输出，最后根据 InbufferSize=15    pInBuffer:[02 0D 02 DC 00 00 08 00 00 00 00 00 00 00 00]
这个输入来判定是不是在有效期之内 如果在继续执行，不在就退出，以上输入输出很固定 ，那位朋友能给个如何写模拟文件的思路

这个好像比较简单，返回固定值？

是的，先判断 后返回固定值,如果要在锁内建一个表，先用SES初始化内存，然后在直接操作内存，存入表后，再通过输入的数据，用SWTICH 来确定输出的值  不晓得这个思路对不对，那位大牛给个建议

啥软件呀，这么复杂，哈哈

这个这么象鲁班呢