2020.01.12
可能解决了这个隐藏的idm的fake弹窗。
网上找到一个清理fake的bat文件,测试了一下,好像真的可以。观察了一下,分析可能还是IDM设置了一些古怪的参数。在OD上曾经翻到一篇文件提到了Mdata这个关键词,这个批处理中同样也在清除这个关键词。
后期如果升级的话,可能部分classes的名称要修改(目前6.38.16这些是可以的,实际运行中一些名称已经提示找不到,估计这个注册表清理还是针对早期的版本)
1)操作1:hosts限制,防火墙限制
2)IDM在检测到hosts被限制的时候会调用 idmfas.dll文件进行一次操作(不过好像也没有效果),可以用组策略的方式禁止这个dll文件运行。
3)批处理清理
4)自己生成一个序列号注册,目前搞定!2020.01.12
备份一下批处理文件
———————fake serial弹窗清除的reg文件:
@ECHO OFF & CD /D %~DP0 & TITLE 易破解网站IDM假冒序列号去除
@Echo OFF
set /a _Debug=0
::==========================================
@Echo OFF
:: AveYo: define USER before asking for elevation since it gets replaced for limited accounts
@if not defined USER for /f "tokens=2" %%s in ('whoami /user /fo list') do set "USER=%%s">nul
:: AveYo: ask for elevation passing arguments
@set "_=set USER=%USER%&&call "%~f0" %*"® query HKU\S-1-5-19>nul 2>nul||(
@powershell -nop -c "start -verb RunAs cmd -args '/d/x/q/r',$env:_"&exit)
::==========================================
CLS
Echo OFF
Color 07
Title IDM FS Cleaner v20.10.13
Echo::==================================================
Echo::
Echo::============ IDM FS Cleaner v20.10.13 ============
Echo::
Echo::== Contributors: @WindowsAddict, @BTJB, @Saheen ==
Echo::
Echo::========= Developer and Author: @yaschir =========
Echo::
Echo::===== * Special thanks to the Contributors * =====
Echo::
Echo::==================================================
Echo:
::CALLScript
CALL :ScriptA
CALL :ScriptB
CALL :ScriptEND
goto :eof
::
:ScriptA
::------------------------------------------------------------------------------------------------------------------------------------
::Reg-entries cleaning
::------------------------------------------------------------------------------------------------------------------------------------
set "nul=1>nul 2>nul"
setlocal EnableDelayedExpansion
for %%# in (
"HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
"HKLM\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
"HKLM\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
"HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
"HKLM\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
"HKLM\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
"HKLM\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
"HKLM\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
"HKLM\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
"HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
"HKLM\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
"HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
"HKLM\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
"HKLM\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
"HKLM\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
"HKLM\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
"HKLM\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
"HKLM\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
"HKCU\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
"HKCU\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
"HKCU\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
"HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
"HKCU\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
"HKCU\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
"HKCU\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
"HKCU\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
"HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
"HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
"HKCU\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
"HKCU\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
"HKCU\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
"HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
"HKCU\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
"HKCU\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
"HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
"HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
"HKU\.DEFAULT\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
"HKU\.DEFAULT\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
"HKU\.DEFAULT\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
"HKU\.DEFAULT\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
"HKU\.DEFAULT\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
"HKU\.DEFAULT\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
"HKU\.DEFAULT\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
"HKU\.DEFAULT\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
"HKU\.DEFAULT\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
"HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
"HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
"HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
"HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
"HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
"HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
"HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
"HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
"HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
"HKLM\Software\Internet Download Manager"
"HKLM\Software\Wow6432Node\Internet Download Manager"
"HKLM\Software\Download Manager"
"HKLM\Software\Wow6432Node\Download Manager"
"HKLM\Software\DownloadManager"
"HKLM\Software\Wow6432Node\DownloadManager"
"HKCU\Software\Download Manager"
"HKCU\Software\Wow6432Node\Download Manager"
"HKCU\Software\Wow6432Node\DownloadManager"
"HKU\.DEFAULT\Software\Download Manager"
"HKU\.DEFAULT\Software\Wow6432Node\Download Manager"
"HKU\.DEFAULT\Software\DownloadManager"
"HKU\.DEFAULT\Software\Wow6432Node\DownloadManager"
) do for /f "tokens=* delims=" %%A in ("%%#") do (
set "reg=%%#" &CALL :DELETE
)
Echo:
Exit /b
:DELETE
REG DELETE %reg% /f %nul%
if [%errorlevel%]==[0] (
set "status=powershell write-host 'Deleted ' -fore '"Green"' -NoNewline; write-host '""%reg%""' -fore '"White"'"
) else (
set "status=echo Not found %reg%"
)
reg query %reg% %nul%
if [%errorlevel%]==[0] (
set "status=powershell write-host 'Deleted by taking ownership ' -fore '"Yellow"' -NoNewline; write-host '""%reg%""' -fore '"White"'"
%nul% CALL :reg_takeownership "%reg%" "ReadPermissions, ReadKey" Allow %USER%
%nul% CALL :reg_takeownership "%reg%" "SetValue, Delete" Deny S-1-5-32-544 S-1-5-18
for /f "tokens=2 delims=:" %%s in ('sc showsid TrustedInstaller ^|findstr "S-1"') do set TI=%%s& call set TI=%%TI: =%%
%nul% CALL :reg_takeownership "%reg%" FullControl Allow S-1-5-32-544 %TI%
REG DELETE %reg% /f %nul%
)
reg query %reg% %nul%
if [%errorlevel%]==[0] (
powershell write-host 'Failed to delete ' -fore '"Red"' -NoNewline; write-host '""%reg%""' -fore '"White"'
) else (
%status%
)
Exit /b
:reg_takeownership key:"HKCU\Console" perm:"FullControl" access:"Allow" user:"S-1-5-32-544" owner(optional):"S-1-5-18"
powershell -nop -c "$A='%~1','%~2','%~3','%~4','%~5';iex(([io.file]::ReadAllText('%~f0')-split':regown\:.*')[1])"&exit/b:regown:
$D1=[IO.IODescriptionAttribute].Module.GetType('System.Diagnostics.Process').GetMethods(42)|where{$_.Name-eq'SetPrivilege'}
'SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege' |% {$D1.Invoke($null, @("$_",2))}
$rk=$A[0]-split'\\',2; switch -regex($rk[0]){'[mM]'{$HK='LocalMachine'};'[uU]'{$HK='CurrentUser'};default{$HK='ClassesRoot'};}
$key=$rk[1];$perm='FullControl',$A[1],$A[1];$access='Allow',$A[2],$A[2];$user=0,0,0; if($A[4]-eq''){$A[4]=$A[3]} ;$sec=0,0,0
$rule=0,0,0; $sid=$A[4],$A[3],'S-1-5-32-544'; 0,1,2 |% {$user[$_]=[System.Security.Principal.SecurityIdentifier]$sid[$_]
$rule[$_]=new-object System.Security.AccessControl.RegistryAccessRule($user[$_],$perm[$_],3,1,$access[$_])
$sec[$_]=new-object System.Security.AccessControl.RegistrySecurity}; $sec[0].SetOwner($user[0]); $sec[2].SetOwner($user[2])
function Reg_Own{param($hive,$key); $reg=[Microsoft.Win32.Registry]::$hive.OpenSubKey($key,'ReadWriteSubTree','TakeOwnership')
$reg.SetAccessControl($sec[2]); $rep=$reg.OpenSubKey('','ReadWriteSubTree','ChangePermissions'); $acl=$rep.GetAccessControl()
$acl.ResetAccessRule($rule[1]); $rep.SetAccessControl($acl); $acl=$sec[0]; $reg.SetAccessControl($acl)} ;Reg_Own $HK $key
$rec=[Microsoft.Win32.Registry]::$HK.OpenSubKey($key);foreach($sub in $rec.GetSubKeyNames()){Reg_Own $HK "$($key+'\\'+$sub)"}
Get-Acl $($rk[0]+':\\'+$rk[1])|fl #:regown: A lean and mean snippet by AveYo pastebin.com/XTPt0JSC
#-_-#
::
:ScriptB
::------------------------------------------------------------------------------------------------------------------------------------
::Reg-entries cleaning for current user info
::------------------------------------------------------------------------------------------------------------------------------------
REG DELETE "HKLM" /ve /f
REG DELETE "HKLM" /v "MData" /f
REG DELETE "HKLM" /v "Model" /f
REG DELETE "HKLM" /v "Therad" /f
REG DELETE "HKCU" /ve /f
REG DELETE "HKCU" /v "MData" /f
REG DELETE "HKCU" /v "Model" /f
REG DELETE "HKCU" /v "Therad" /f
REG DELETE "HKCU\Software\DownloadManager" /v "FName" /f
REG DELETE "HKCU\Software\DownloadManager" /v "LName" /f
REG DELETE "HKCU\Software\DownloadManager" /v "Email" /f
REG DELETE "HKCU\Software\DownloadManager" /v "Serial" /f
REG DELETE "HKCU\Software\DownloadManager" /v "CheckUpdtVM" /f
REG DELETE "HKCU\Software\DownloadManager" /v "tvfrdt" /f
REG DELETE "HKCU\Software\DownloadManager" /v "LstCheck" /f
REG DELETE "HKCU\Software\DownloadManager" /v "scansk" /f
Exit /b
::
:ScriptEND
Echo:
Echo::===================================================
Echo::
Echo::======================= End =======================
Echo::
Echo::===================================================
Echo:
Echo:
powershell write-host '.::' -fore '"Red"' -NoNewline; write-host ' Please don''t forget to' -fore '"White"' -NoNewline; write-host ' re-register IDM' -fore '"Green"' -NoNewline; write-host ' !' -fore '"White"' -NoNewline; write-host ' ::.' -fore '"Red"'
Echo:
Echo:
Echo:Press any key to exit... & Pause >nul & Exit————早期内容(无效尝试)————–
需要具备的前提:
1)hosts屏蔽IDM的相关域名,并且保护hosts文件不被修改;
2)防火墙屏蔽IDM出站规则,阻止其访问检测更新的IP地址,禁止IDM出站
方法尝试:
1)OD方法,这个方法不很完善,目前所掌握的有限汇编技能可以屏蔽IDM的fake serial的弹窗,但是无法消除注册窗口的弹出。【备注:可以结合reshacker来删除注册窗口,但是IDM在下载任务结束后会自动退出(而且哪怕是在两个以上的任务同时进行,只要有一个任务完成了下载就自动退出),所以不是很完善】。另外这个方法只能处理IDM提示fake的serial,而不适合IDM直接判定改号为fake号,自动退出的情况。
2)注册表方法:(目前已经测试存在回弹,说明清理不干净,属于无效版本)
IDM在判断fake的时候在注册表里面留了特殊标记,甚至可能还不是一个简单的0或者1。但是可以通过重置注册表来实现试用,并且在确保hosts与防火墙阻断的前提下,重新注册idm,这时候可能就能解决了fake的问题(哪怕是检测到fake就直接退出idm不让使用的情况)
不同版本的idm可能在注册表的classes的名称不一样,所以采用Total Uninstall来监测IDM的安装行为,记录下安装中或者运行中涉及到class的内容直接与IDM有关的(64位比32位要多些位置)。然后套用以前的trial方法,清空IDM的注册信息,达到重新试用的目的,然后再次进行注册(采用注册表导入的注册方法)
例如尝试6.38.16版本的trail的子目如下:
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{0F947660-8606-420A-BAC6-51B84DD22A47}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\AppID\{0F947660-8606-420A-BAC6-51B84DD22A47}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}]
[HKEY_CURRENT_USER\Software\DownloadManager]
"FName"=-
"LName"=-
"Email"=-
"Serial"=-
[HKEY_LOCAL_MACHINE\Software\Internet Download Manager]
"FName"=-
"LName"=-
"Email"=-
"Serial"=-
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Internet Download Manager]
"FName"=-
"LName"=-
"Email"=-
"Serial"=-这个方法在遇到IDM检测fake直接退出的时候测试了一次,好像有效。
3)关于序列号
IDM的算号原理在网上已经有公布,根据此方法,用excel编写了一个算号器,理论上可以算出上百万个号码,但是这些号码都是不确定经得起idm联网检测的。