Research on IDM's exit mechanism

Source: Internet   Editor: 程序博客网   Time: 2024/04/18 14:20

Patching here has an effect, but it still exits.


P6N3Q-2839G-P203I-P2ED8

00412407      90            nop
0041241C      90            nop
004509AC      90            nop
004509D7      90            nop
00450A2D      90            nop

004509A5   .  A1 48116B00   mov eax,dword ptr ds:[0x6B1148]   ; original
004509A5      B8 01000000   mov eax,0x1                       ; patched: eax is now always 1 instead of the value at 0x6B1148

004483EE   .  A1 48116B00   mov eax,dword ptr ds:[0x6B1148]   ; another read of the same global

 

===============================

00460632     /EB 1D         jmp short IDMan_ex.00460651   ; patching here has an effect, but it still exits
So patch another 3 places as well.

Set a breakpoint: bp MessageBoxA
Once it breaks, we see:

Stack ss:[00BC92C0]=02932D20, (ASCII "Internet Download Manager has been registered with a counterfeit Serial Number or the Serial Number has been blocked. IDM is exiting...")
ecx=02932D20, (ASCII "Internet Download Manager has been registered with a counterfeit Serial Number or the Serial Number has been blocked. IDM is exiting...")
The jumps come from 00444BC2, 00444BC8, 00444DB0, 00444DB9
Take 00444BC2 for example.
Scrolling up reaches the procedure start (the SEH frame setup that opens the function): 00444BA0  /$  64:A1 00000000   mov eax,dword ptr fs:[0]
Local calls come from 0040142E, 004467C0, 0045965D, 0046063D
Flip the jXX in front of each of these 4 calls so that it jumps over the call; apparently the dialog did not appear for a whole morning!

==================================== Below: where does the registration read at startup go?

Search for all commands matching:
mov     ecx, dword ptr ds:[0x6DC980]
and set breakpoints on every hit.
After Ctrl+F2 (restart) it breaks at: 004E1005   .  8B0D 80C96D00 mov ecx,dword ptr ds:[0x6DC980]

004509E2   > \8B15 24D16D00 mov edx,dword ptr ds:[0x6DD124]   ; the serial is visible here

The pushes below set up the arguments for the registry read of the "Serial" value (the debugger's annotations are the RegQueryValueEx parameters, pushed right to left: pBufSize, Buffer, pValueType, Reserved, ValueName, hKey):

00450A14   .  51            push ecx                                 ; /pBufSize = 000000F8
00450A15   .  8B0D 80C96D00 mov ecx,dword ptr ds:[0x6DC980]          ; |
00450A1B   .  52            push edx                                 ; |Buffer = 00BCDDF4
00450A1C   .  6A 00         push 0x0                                 ; |pValueType = NULL
00450A1E   .  6A 00         push 0x0                                 ; |Reserved = NULL
00450A20   .  50            push eax                                 ; |ValueName = "Serial"
00450A21   .  51            push ecx                                 ; |hKey = 0xF8

Patches (the debugger's patch window; "removed" = reverted to the original bytes, "active" = currently applied, "???" = no state shown)

Address    Size  State    Old                               New
0040174A   2     removed  je short IDMan_ex.0040177A        jmp short IDMan_ex.0040177A
00401781   6     removed  jnz IDMan_ex.004018C6             nop
004017B0   2     active   je short IDMan_ex.004017BB        nop
0040180C   2     active   jnz short IDMan_ex.0040182A       nop
00401848   2     active   je short IDMan_ex.0040186C        nop
0040186A   2     active   jnz short IDMan_ex.00401878       nop
0040189B   2     removed  je short IDMan_ex.004018BA        nop
00412407   2     removed  jnz short IDMan_ex.0041240F       nop
0041241C   2     removed  jnz short IDMan_ex.00412475       nop
004509A5   5     removed  mov eax,dword ptr ds:[0x6B1148]   mov eax,0x1
004509AC   6     active   jnz IDMan_ex.00450ADF             nop
004509D7   2     removed  je short IDMan_ex.004509E2        nop
00450A04   2     active   je short IDMan_ex.00450A33        nop
00450A2D   6     active   jnz IDMan_ex.00450AC4             nop
00450C6E   2     active   je short IDMan_ex.00450C79        nop
00450CD4   6     active   je IDMan_ex.00450D71              nop
0580174A   2     ???      je short 0580177A                 jmp short 0580177A
05801781   6     ???      jnz 058018C6                      nop
058017B0   2     ???      je short 058017BB                 nop
0580180C   2     ???      jnz short 0580182A                nop
0580186A   2     ???      jnz short 05801878                nop
0580189B   2     ???      je short 058018BA                 nop
05812407   2     ???      jnz short winine_1.0581240F       nop
0581241C   2     ???      jnz short winine_1.05812475       nop
058509A5   5     ???      mov eax,dword ptr ds:[0x6B1148]   mov eax,0x1
058509AC   6     ???      jnz winine_1.05850ADF             nop
058509D7   2     ???      je short winine_1.058509E2        nop
05850A2D   6     ???      jnz winine_1.05850AC4             nop

Notes on the table: "Size" is the byte length of the instruction being replaced, and every replacement keeps that length (two NOPs for a 2-byte short jcc, six NOPs for a 6-byte near jcc, a 2-byte jmp short for a 2-byte je short, and the 5-byte mov eax,0x1 (B8 01 00 00 00) for the 5-byte mov eax,dword ptr ds:[0x6B1148] (A1 48 11 6B 00)), so no later instruction shifts. The 0580xxxx rows are not new sites: they are twelve of the same patches seen in the module shown as winine_1, which is the same image loaded at base 0x05800000 instead of 0x00400000 (each address is exactly 0x05400000 higher than its IDMan_ex counterpart).
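The patch window above is only a list of addresses and same-length byte replacements, so the same edits can be applied to the file on disk without a debugger. The script below is an added example (not code from the page, and not IDM's own code) that does this: it maps each debugger virtual address to a file offset through the section table, refuses any site whose bytes do not look like the listed original (a different build, or a file that was already patched), and encodes each replacement at exactly the original instruction length. The section table, both image bases and the sample image are constructed for the example; the winine_1 rows are handled by subtracting their own base, because they are the same image loaded at 0x05800000.

```python
"""Apply the page's OllyDbg patch list to a raw PE image.

Added example, not code from the page or from IDM.  The section table, the
sample image and both image bases are constructed/assumed for illustration.
"""
from dataclasses import dataclass

# Assumed bases: IDMan_ex at 0x00400000; the winine_1 rows are the same image
# loaded at 0x05800000 (each 0580xxxx address is its 0040xxxx twin + 0x05400000).
IDMAN_BASE = 0x00400000
WININE_BASE = 0x05800000


@dataclass(frozen=True)
class Section:
    rva: int        # VirtualAddress from the section header
    raw_off: int    # PointerToRawData
    raw_size: int   # SizeOfRawData


# Constructed section table; a real tool reads it from the PE section headers.
SECTIONS = [Section(0x1000, 0x400, 0xF0000)]

# kind -> (instruction length, "does the original look right?"); a mismatch means
# a different build or an already patched file, and is refused rather than corrupted.
SHAPE = {
    "nop_short_jcc": (2, lambda b: 0x70 <= b[0] <= 0x7F),                   # 7x rel8
    "jmp_short":     (2, lambda b: 0x70 <= b[0] <= 0x7F),                   # 7x rel8
    "nop_near_jcc":  (6, lambda b: b[0] == 0x0F and 0x80 <= b[1] <= 0x8F),  # 0F 8x rel32
    "mov_eax_imm":   (5, lambda b: b[0] == 0xA1),                           # A1 moffs32
}

# (VA, kind, argument) transcribed from the IDMan_ex rows of the patch window.
PATCHES = [
    (0x0040174A, "jmp_short", 0x0040177A), (0x00401781, "nop_near_jcc", 0),
    (0x004017B0, "nop_short_jcc", 0),      (0x0040180C, "nop_short_jcc", 0),
    (0x00401848, "nop_short_jcc", 0),      (0x0040186A, "nop_short_jcc", 0),
    (0x0040189B, "nop_short_jcc", 0),      (0x00412407, "nop_short_jcc", 0),
    (0x0041241C, "nop_short_jcc", 0),      (0x004509A5, "mov_eax_imm", 1),
    (0x004509AC, "nop_near_jcc", 0),       (0x004509D7, "nop_short_jcc", 0),
    (0x00450A04, "nop_short_jcc", 0),      (0x00450A2D, "nop_near_jcc", 0),
    (0x00450C6E, "nop_short_jcc", 0),      (0x00450CD4, "nop_near_jcc", 0),
]


def va_to_offset(va: int, base: int, sections=SECTIONS) -> int:
    """Translate a debugger virtual address into a file offset."""
    rva = va - base
    for s in sections:
        if s.rva <= rva < s.rva + s.raw_size:
            return s.raw_off + (rva - s.rva)
    raise ValueError(f"VA {va:#010x} is not inside any section")


def encode(kind: str, va: int, arg: int) -> bytes:
    """Replacement bytes; every patch keeps the original instruction length."""
    size = SHAPE[kind][0]
    if kind in ("nop_short_jcc", "nop_near_jcc"):
        return b"\x90" * size
    if kind == "jmp_short":                     # EB rel8, relative to the next instruction
        rel = arg - (va + 2)
        if not -128 <= rel <= 127:
            raise ValueError("target out of short-jump range")
        return bytes([0xEB, rel & 0xFF])
    return b"\xB8" + arg.to_bytes(4, "little")  # mov eax,imm32


def apply_patches(image: bytes, base: int, patches=PATCHES) -> bytes:
    """Return a patched copy; ValueError if any site does not look pristine."""
    buf = bytearray(image)
    for va, kind, arg in patches:
        size, looks_original = SHAPE[kind]
        off = va_to_offset(va, base)
        old = bytes(buf[off:off + size])
        if not looks_original(old):
            raise ValueError(f"{va:08X}: unexpected bytes {old.hex()} for {kind}")
        new = encode(kind, va, arg)
        assert len(new) == size, "a patch must never change the instruction length"
        buf[off:off + size] = new
    return bytes(buf)


def would_refuse(image: bytes, base: int, patches=PATCHES) -> bool:
    """True when apply_patches rejects the image (e.g. it is already patched)."""
    try:
        apply_patches(image, base, patches)
        return False
    except ValueError:
        return True


def sample_image() -> bytes:
    """Constructed 0xCC-filled image with plausible originals at every patch site."""
    fill = {2: b"\x74\x00", 6: b"\x0F\x85\x00\x00\x00\x00", 5: b"\xA1\x48\x11\x6B\x00"}
    buf = bytearray(b"\xCC" * 0x60000)
    for va, kind, _ in PATCHES:
        off, size = va_to_offset(va, IDMAN_BASE), SHAPE[kind][0]
        buf[off:off + size] = fill[size]
    off = va_to_offset(0x0040174A, IDMAN_BASE)   # the page's je short 0040177A: 74 2E
    buf[off:off + 2] = b"\x74\x2E"
    return bytes(buf)
```

Running apply_patches a second time on its own output raises, because the first site now starts with EB rather than a 7x opcode; that refusal is the check worth keeping when a patch list is replayed against a file whose version is not certain.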
