2020.01.12
Possibly solved this hidden IDM fake popup.
Found a bat file online that cleans up the fake flag; tested it, and it seems to actually work. After some observation, my analysis is that IDM probably still sets some odd parameters. In OD I once came across a file that mentioned the keyword Mdata, and this batch file also clears that same keyword.
If upgrading later, some of the classes names may need to be changed (for 6.38.16 these currently work; when actually run, some names are already reported as not found, so I guess this registry cleanup still targets earlier versions).
1) Step 1: hosts restriction, firewall restriction
2) When IDM detects that hosts is restricted it calls the idmfas.dll file to perform an operation (though it seems to have no effect); this dll can be blocked from running via Group Policy.
3) Batch-file cleanup
4) Generate a serial number myself and register; done for now! 2020.01.12
Backing up the batch file
——————— reg file for clearing the fake serial popup:
@ECHO OFF & CD /D %~DP0 & TITLE 易破解网站IDM假冒序列号去除 @Echo OFF set /a _Debug=0 ::========================================== @Echo OFF :: AveYo: define USER before asking for elevation since it gets replaced for limited accounts @if not defined USER for /f "tokens=2" %%s in ('whoami /user /fo list') do set "USER=%%s">nul :: AveYo: ask for elevation passing arguments @set "_=set USER=%USER%&&call "%~f0" %*"® query HKU\S-1-5-19>nul 2>nul||( @powershell -nop -c "start -verb RunAs cmd -args '/d/x/q/r',$env:_"&exit) ::========================================== CLS Echo OFF Color 07 Title IDM FS Cleaner v20.10.13 Echo::================================================== Echo:: Echo::============ IDM FS Cleaner v20.10.13 ============ Echo:: Echo::== Contributors: @WindowsAddict, @BTJB, @Saheen == Echo:: Echo::========= Developer and Author: @yaschir ========= Echo:: Echo::===== * Special thanks to the Contributors * ===== Echo:: Echo::================================================== Echo: ::CALLScript CALL :ScriptA CALL :ScriptB CALL :ScriptEND goto :eof :: :ScriptA ::------------------------------------------------------------------------------------------------------------------------------------ ::Reg-entries cleaning ::------------------------------------------------------------------------------------------------------------------------------------ set "nul=1>nul 2>nul" setlocal EnableDelayedExpansion for %%# in ( "HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" "HKLM\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" "HKLM\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" "HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" "HKLM\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" "HKLM\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" "HKLM\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" "HKLM\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" 
"HKLM\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" "HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" "HKLM\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" "HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" "HKLM\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" "HKLM\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" "HKLM\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" "HKLM\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" "HKLM\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" "HKLM\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" "HKCU\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" "HKCU\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" "HKCU\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" "HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" "HKCU\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" "HKCU\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" "HKCU\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" "HKCU\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" "HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" "HKCU\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" "HKCU\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" "HKCU\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" "HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" "HKCU\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" "HKCU\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" 
"HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" "HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" "HKU\.DEFAULT\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" "HKU\.DEFAULT\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" "HKU\.DEFAULT\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" "HKU\.DEFAULT\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" "HKU\.DEFAULT\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" "HKU\.DEFAULT\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" "HKU\.DEFAULT\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" "HKU\.DEFAULT\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" "HKU\.DEFAULT\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" "HKLM\Software\Internet Download Manager" "HKLM\Software\Wow6432Node\Internet Download Manager" "HKLM\Software\Download Manager" "HKLM\Software\Wow6432Node\Download Manager" "HKLM\Software\DownloadManager" "HKLM\Software\Wow6432Node\DownloadManager" "HKCU\Software\Download Manager" "HKCU\Software\Wow6432Node\Download Manager" 
"HKCU\Software\Wow6432Node\DownloadManager" "HKU\.DEFAULT\Software\Download Manager" "HKU\.DEFAULT\Software\Wow6432Node\Download Manager" "HKU\.DEFAULT\Software\DownloadManager" "HKU\.DEFAULT\Software\Wow6432Node\DownloadManager" ) do for /f "tokens=* delims=" %%A in ("%%#") do ( set "reg=%%#" &CALL :DELETE ) Echo: Exit /b :DELETE REG DELETE %reg% /f %nul% if [%errorlevel%]==[0] ( set "status=powershell write-host 'Deleted ' -fore '"Green"' -NoNewline; write-host '""%reg%""' -fore '"White"'" ) else ( set "status=echo Not found %reg%" ) reg query %reg% %nul% if [%errorlevel%]==[0] ( set "status=powershell write-host 'Deleted by taking ownership ' -fore '"Yellow"' -NoNewline; write-host '""%reg%""' -fore '"White"'" %nul% CALL :reg_takeownership "%reg%" "ReadPermissions, ReadKey" Allow %USER% %nul% CALL :reg_takeownership "%reg%" "SetValue, Delete" Deny S-1-5-32-544 S-1-5-18 for /f "tokens=2 delims=:" %%s in ('sc showsid TrustedInstaller ^|findstr "S-1"') do set TI=%%s& call set TI=%%TI: =%% %nul% CALL :reg_takeownership "%reg%" FullControl Allow S-1-5-32-544 %TI% REG DELETE %reg% /f %nul% ) reg query %reg% %nul% if [%errorlevel%]==[0] ( powershell write-host 'Failed to delete ' -fore '"Red"' -NoNewline; write-host '""%reg%""' -fore '"White"' ) else ( %status% ) Exit /b :reg_takeownership key:"HKCU\Console" perm:"FullControl" access:"Allow" user:"S-1-5-32-544" owner(optional):"S-1-5-18" powershell -nop -c "$A='%~1','%~2','%~3','%~4','%~5';iex(([io.file]::ReadAllText('%~f0')-split':regown\:.*')[1])"&exit/b:regown: $D1=[IO.IODescriptionAttribute].Module.GetType('System.Diagnostics.Process').GetMethods(42)|where{$_.Name-eq'SetPrivilege'} 'SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege' |% {$D1.Invoke($null, @("$_",2))} $rk=$A[0]-split'\\',2; switch -regex($rk[0]){'[mM]'{$HK='LocalMachine'};'[uU]'{$HK='CurrentUser'};default{$HK='ClassesRoot'};} $key=$rk[1];$perm='FullControl',$A[1],$A[1];$access='Allow',$A[2],$A[2];$user=0,0,0; 
if($A[4]-eq''){$A[4]=$A[3]} ;$sec=0,0,0 $rule=0,0,0; $sid=$A[4],$A[3],'S-1-5-32-544'; 0,1,2 |% {$user[$_]=[System.Security.Principal.SecurityIdentifier]$sid[$_] $rule[$_]=new-object System.Security.AccessControl.RegistryAccessRule($user[$_],$perm[$_],3,1,$access[$_]) $sec[$_]=new-object System.Security.AccessControl.RegistrySecurity}; $sec[0].SetOwner($user[0]); $sec[2].SetOwner($user[2]) function Reg_Own{param($hive,$key); $reg=[Microsoft.Win32.Registry]::$hive.OpenSubKey($key,'ReadWriteSubTree','TakeOwnership') $reg.SetAccessControl($sec[2]); $rep=$reg.OpenSubKey('','ReadWriteSubTree','ChangePermissions'); $acl=$rep.GetAccessControl() $acl.ResetAccessRule($rule[1]); $rep.SetAccessControl($acl); $acl=$sec[0]; $reg.SetAccessControl($acl)} ;Reg_Own $HK $key $rec=[Microsoft.Win32.Registry]::$HK.OpenSubKey($key);foreach($sub in $rec.GetSubKeyNames()){Reg_Own $HK "$($key+'\\'+$sub)"} Get-Acl $($rk[0]+':\\'+$rk[1])|fl #:regown: A lean and mean snippet by AveYo pastebin.com/XTPt0JSC #-_-# :: :ScriptB ::------------------------------------------------------------------------------------------------------------------------------------ ::Reg-entries cleaning for current user info ::------------------------------------------------------------------------------------------------------------------------------------ REG DELETE "HKLM" /ve /f REG DELETE "HKLM" /v "MData" /f REG DELETE "HKLM" /v "Model" /f REG DELETE "HKLM" /v "Therad" /f REG DELETE "HKCU" /ve /f REG DELETE "HKCU" /v "MData" /f REG DELETE "HKCU" /v "Model" /f REG DELETE "HKCU" /v "Therad" /f REG DELETE "HKCU\Software\DownloadManager" /v "FName" /f REG DELETE "HKCU\Software\DownloadManager" /v "LName" /f REG DELETE "HKCU\Software\DownloadManager" /v "Email" /f REG DELETE "HKCU\Software\DownloadManager" /v "Serial" /f REG DELETE "HKCU\Software\DownloadManager" /v "CheckUpdtVM" /f REG DELETE "HKCU\Software\DownloadManager" /v "tvfrdt" /f REG DELETE "HKCU\Software\DownloadManager" /v "LstCheck" /f REG DELETE 
"HKCU\Software\DownloadManager" /v "scansk" /f Exit /b :: :ScriptEND Echo: Echo::=================================================== Echo:: Echo::======================= End ======================= Echo:: Echo::=================================================== Echo: Echo: powershell write-host '.::' -fore '"Red"' -NoNewline; write-host ' Please don''t forget to' -fore '"White"' -NoNewline; write-host ' re-register IDM' -fore '"Green"' -NoNewline; write-host ' !' -fore '"White"' -NoNewline; write-host ' ::.' -fore '"Red"' Echo: Echo: Echo:Press any key to exit... & Pause >nul & Exit
———— Earlier content (failed attempts) ————–
Prerequisites:
1) Block IDM's related domains in hosts, and protect the hosts file from being modified;
2) Firewall rule blocking IDM outbound traffic, preventing it from reaching the update-check IP addresses; deny IDM outbound access
Methods tried:
1) OD method: this method is not very complete. With the limited assembly skills I currently have, I can suppress IDM's fake serial popup, but cannot eliminate the registration window popping up. [Note: this can be combined with reshacker to remove the registration window, but then IDM exits automatically once a download task finishes (and even with two or more tasks running at the same time, it exits automatically as soon as any one task finishes downloading), so it is not very complete.] Also, this method only handles the case where IDM reports the serial as fake; it is not suitable for the case where IDM directly judges the number to be fake and exits automatically.
2) Registry method: (testing has now shown it bounces back, meaning the cleanup is not thorough; this is an invalid version)
When IDM judges a serial as fake it leaves a special mark in the registry, possibly not even a simple 0 or 1. But the trial can be restored by resetting the registry, and, provided hosts and the firewall are blocking, re-registering IDM may then solve the fake problem (even in the case where IDM exits directly on detecting a fake and refuses to run).
Different versions of IDM may use different classes names in the registry, so I used Total Uninstall to monitor IDM's installation behaviour and record the class entries directly related to IDM that are touched during installation or at runtime (64-bit has more locations than 32-bit). Then apply the earlier trial method, clear IDM's registration information to get a fresh trial, and register again (registering by importing a registry file).
For example, the trial entries tried for version 6.38.16 are as follows:
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{0F947660-8606-420A-BAC6-51B84DD22A47}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\AppID\{0F947660-8606-420A-BAC6-51B84DD22A47}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}]
[HKEY_CURRENT_USER\Software\DownloadManager]
"FName"=-
"LName"=-
"Email"=-
"Serial"=-
[HKEY_LOCAL_MACHINE\Software\Internet Download Manager]
"FName"=-
"LName"=-
"Email"=-
"Serial"=-
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Internet Download Manager]
"FName"=-
"LName"=-
"Email"=-
"Serial"=-
This method was tested once when IDM exited directly on detecting a fake, and it seemed to work.
3) About serial numbers
The principle of IDM's serial number calculation has already been published online; following that method I wrote a serial calculator in Excel which can in theory generate millions of numbers, but none of these numbers is guaranteed to withstand IDM's online check.