
Notes on IDM's exit mechanism

Patching here has an effect, but it still exits:

P6N3Q-2839G-P203I-P2ED8

00412407      90            nop
0041241C      90            nop
004509AC      90            nop
004509D7      90            nop
00450A2D      90            nop

004509A5   .  A1 48116B00   mov eax,dword ptr ds:[0x6B1148]
004509A5      B8 01000000   mov eax,0x1
004483EE   .  A1 48116B00   mov eax,dword ptr ds:[0x6B1148]

===============================

00460632     /EB 1D         jmp short IDMan_ex.00460651   Patching here has an effect, but it still exits

So I patched the other 3 places as well.

Set a breakpoint: bp MessageBoxA

After it broke, I saw:

Stack ss:[00BC92C0]=02932D20, (ASCII "Internet Download Manager has been registered with a counterfeit Serial Number or the Serial Number has been blocked. IDM is exiting...")
ecx=02932D20, (ASCII "Internet Download Manager has been registered with a counterfeit Serial Number or the Serial Number has been blocked. IDM is exiting...")

The jumps come from 00444BC2, 00444BC8, 00444DB0, 00444DB9

For example, look at 00444BC2

Tracing backwards reaches the function start at 00444BA0  /$  64:A1 0000000>mov eax,dword ptr fs:[0]

Local calls come from 0040142E, 004467C0, 0045965D, 0046063D

Patched the jXX before each of these 4 calls so it jumps past the call; after that no dialog seemed to show up for a whole morning!

==================================== Below: who is the registration at startup handed to?

Search for all instructions matching:

mov     ecx, dword ptr ds:[0x6DC980]

Set breakpoints on all of them.

After Ctrl+F2 (restart), it breaks at 004E1005   .  8B0D 80C96D00 mov ecx,dword ptr ds:[0x6DC980]

004509E2   > \8B15 24D16D00 mov edx,dword ptr ds:[0x6DD124]   the serial is visible here

00450A14   .  51            push ecx                                 ; /pBufSize = 000000F8
00450A15   .  8B0D 80C96D00 mov ecx,dword ptr ds:[0x6DC980]          ; |
00450A1B   .  52            push edx                                 ; |Buffer = 00BCDDF4
00450A1C   .  6A 00         push 0x0                                 ; |pValueType = NULL
00450A1E   .  6A 00         push 0x0                                 ; |Reserved = NULL
00450A20   .  50            push eax                                 ; |ValueName = "Serial"
00450A21   .  51            push ecx                                 ; |hKey = 0xF8

Patches

Address      Size   Status     Old                               New                               Comment
0040174A     2      Deleted    je short IDMan_ex.0040177A        jmp short IDMan_ex.0040177A
00401781     6      Deleted    jnz IDMan_ex.004018C6             nop
004017B0     2      Active     je short IDMan_ex.004017BB        nop
0040180C     2      Active     jnz short IDMan_ex.0040182A       nop
00401848     2      Active     je short IDMan_ex.0040186C        nop
0040186A     2      Active     jnz short IDMan_ex.00401878       nop
0040189B     2      Deleted    je short IDMan_ex.004018BA        nop
00412407     2      Deleted    jnz short IDMan_ex.0041240F       nop
0041241C     2      Deleted    jnz short IDMan_ex.00412475       nop
004509A5     5      Deleted    mov eax,dword ptr ds:[0x6B1148]   mov eax,0x1
004509AC     6      Active     jnz IDMan_ex.00450ADF             nop
004509D7     2      Deleted    je short IDMan_ex.004509E2        nop
00450A04     2      Active     je short IDMan_ex.00450A33        nop
00450A2D     6      Active     jnz IDMan_ex.00450AC4             nop
00450C6E     2      Active     je short IDMan_ex.00450C79        nop
00450CD4     6      Active     je IDMan_ex.00450D71              nop
0580174A     2      ???        je short 0580177A                 jmp short 0580177A
05801781     6      ???        jnz 058018C6                      nop
058017B0     2      ???        je short 058017BB                 nop
0580180C     2      ???        jnz short 0580182A                nop
0580186A     2      ???        jnz short 05801878                nop
0580189B     2      ???        je short 058018BA                 nop
05812407     2      ???        jnz short winine_1.0581240F       nop
0581241C     2      ???        jnz short winine_1.05812475       nop
058509A5     5      ???        mov eax,dword ptr ds:[0x6B1148]   mov eax,0x1
058509AC     6      ???        jnz winine_1.05850ADF             nop
058509D7     2      ???        je short winine_1.058509E2        nop
05850A2D     6      ???        jnz winine_1.05850AC4             nop