Jump to content

[Release] Internet Download Manager [How to Reverse Engineering]


babelpatcher

Recommended Posts

babelpatcher

Internet Download Manager

Reverse Engineering Release

 

 

 

Quote

A Short of Story

 

For years i have used my own patch for IDM, it was only need to patch serial check at IDM startup & prevent fake serial message.
Then IDM dev had made some changes, but it was just needed to update patch pattern for serial check at IDM startup. not hard task to do.
But lately, IDM dev improved the license protection by using another exe (IDMGrHlp.exe) that will call home (server check) to check serial validity.

This thread created to share my little knowledge, not for show off :)
IDM is most popular download manager for windows user :)

so i hope this thread will help you :)
I hope this thread will stay up to date.

Quote
Quote

I have created 3 Patcher of IDM


IDM-6.2.X-Patch Method 1.exe
----------------------------
This Patch has 3 search patterns: 
1a - this pattern will patch serial check at IDM start, at the end of the procedure. 
1b - this pattern prevent "fake serial" messages, at the end of the procedure. 
** - this pattern prevent server check.

IDM-6.2.X-Patch Method 2.exe
----------------------------
This Patch has 3 search patterns: 
2a - this pattern will patch serial check at IDM start, at the middle of the procedure. 
2b - this pattern prevent "fake serial" messages, at the middle of the procedure. 
** - this pattern prevent server check.

IDM-6.2.X-Patch Method 3.exe
----------------------------
This Patch has 2 search patterns: 
3a - this pattern not only patch serial check at IDM start but also prevent "fake serial" messages 
** - this pattern prevent server check.

:) All of these patterns i used below are from myself, from debugging IDM, not from ripping :)

 

 

 

Quote

Tools:Debugger: OllyDbg v1.10
Patch Generator: DUP2002 v2.26
(i will not supply these tools, find it yourself)

Target: IDMan.exe
Version: Internet Download Manager v6.2.XX

Method: Search & Replace byte patching
*) Registry Patching is not used, so you have to register IDM after patching IDMan.exe
*) but if you want to use it, see it at the end of this topic.

### METHOD 1 #####
1a) patch serial status at the end of check scheme
8B ?? 83 C4 04 89 5D ?? 8B 45 ?? 85 C0
33 DB 83 C4 04 89 5D ?? 8B 45 ?? 85 C0

1b) patch fake serial message jump
0044999F  |. /EB 04         JMP SHORT IDMan.004499A5
004499A1  |> |85C0          TEST EAX,EAX
004499A3  |. |74 6D         JE SHORT IDMan.00449A12                  ;  V - JUMP
004499A5     \6A 00         PUSH 0                                   ;  X - Dont get here

EB 04 85 C0 74 ?? 6A 00
EB 04 85 C0 EB ?? EB FC

##### METHOD 2 #####
2a) patch serial check at IDM startup
004445ED   |> \F7D8                 NEG EAX                                 ;  *** Serial check at startup
004445EF   |.  1BC0                 SBB EAX,EAX                             ;  xor eax,eax
004445F1   |.  40                   INC EAX                                 ;  NOP
004445F2   |.  85C0                 TEST EAX,EAX                            ;  

1B C0 40 85 C0
33 C0 90 85 C0

2b)
00444992   |. /74 7F                       JE SHORT IDMan.00444A13 ;  2b X check encrypted serial 1
00444994      |8DB5 80FEFFFF               LEA ESI,[EBP-0x180]
0044499A      |8D45 80                     LEA EAX,[EBP-0x80]
0044499D   |> |8A10                        /MOV DL,[EAX]
0044499F   |. |8A1E                        |MOV BL,[ESI]
004449A1   |. |8ACA                        |MOV CL,DL
004449A3   |. |3AD3                        |CMP DL,BL
004449A5   |. |75 1E                       |JNZ SHORT IDMan.004449C
5004449A7  |. |84C9                        |TEST CL,CL
004449A9   |. |74 16                       |JE SHORT IDMan.004449C1
004449AB   |. |8A50 01                     |MOV DL,[EAX+0x1]
004449AE   |. |8A5E 01                     |MOV BL,[ESI+0x1]
004449B1   |. |8ACA                        |MOV CL,DL
004449B3   |. |3AD3                        |CMP DL,BL
004449B5   |. |75 0E                       |JNZ SHORT IDMan.004449C5
004449B7   |. |83C0 02                     |ADD EAX,0x2
004449BA   |. |83C6 02                     |ADD ESI,0x2
004449BD   |. |84C9                        |TEST CL,CL
004449BF   |.^|75 DC                       \JNZ SHORT IDMan.0044499D
004449C1   |> |33C0                        XOR EAX,EAX
004449C3   |. |EB 05                       JMP SHORT IDMan.004449CA
004449C5   |> |1BC0                        SBB EAX,EAX
004449C7   |. |83D8 FF                     SBB EAX,-0x1
004449CA   |> |85C0                        TEST EAX,EAX                            ;  eax = 0
004449CC   |. |75 09                       JNZ SHORT IDMan.004449D7                ;  X

8D ?? ?? ?? ?? ?? 8D 45 ?? 8A 10
8D 75 80 90 90 90 8D ?? 80 8A 10

##### METHOD 3 #####
3a)
00444E6F    .  E8 8C000000          CALL IDMan.00444F00
00444E74    .  8B7D 08              MOV EDI,[EBP+0x8]                   
00444E77    >  3B75 0C              CMP ESI,[EBP+0xC]                   
00444E7A       7D 2A                JGE SHORT IDMan.00444EA6              ; V - JUMP
00444E7C    .  8D95 70FFFFFF        LEA EDX,[EBP-0x90]
00444E82    .  8BCB                 MOV ECX,EBX
00444E84    .  52                   PUSH EDX                            
00444E85    .  57                   PUSH EDI                            
00444E86       E8 F5010000          CALL IDMan.00445080
00444E8B    .  83C6 08              ADD ESI,0x8
00444E8E    .  83C7 08              ADD EDI,0x8
00444E91    .^ EB E4                JMP SHORT IDMan.00444E77

8B ?? ?? 3B ?? ?? 7D ?? 8D
8B ?? ?? 3B ?? ?? EB ?? 8D

### SERVER CHECK #####
option 1)
prevent run another file for call home
00451CBA    .  FF15 04B06000        CALL [<&ADVAPI32.RegQueryValueExA>]
00451CC0    .  85C0                 TEST EAX,EAX
00451CC2    .^ 0F85 4FDDFFFF        JNZ IDMan.0044FA17                  ;  V - JUMP
00451CC8       8DBD E8FDFFFF        LEA EDI,[EBP-0x218]
00451CCE    .  83C9 FF              OR ECX,0xFFFFFFFF
00451CD1    .  F2:AE                REPNE SCAS BYTE PTR ES:[EDI]
00451CD3    .  F7D1                 NOT ECX
00451CD5    .  49                   DEC ECX
00451CD6    .  83F9 02              CMP ECX,0x2
00451CD9    .^ 0F85 38DDFFFF        JNZ IDMan.0044FA17                  
00451CDF    .  33C9                 XOR ECX,ECX

FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8D BD ?? ?? ?? ??
FF 15 ?? ?? ?? ?? 85 C0 90 E9 ?? ?? ?? ?? 8D BD ?? ?? ?? ??
  
option 2) 
prevent run another file for call home
004523DD    .^\EB ED                       JMP SHORT IDMan.004523CC
004523DF       8D45 80                     LEA EAX,[EBP-0x80]
004523E2       8D8D E8FDFFFF               LEA ECX,[EBP-0x218]
004523E8    .  50                          PUSH EAX                            ; /pBufSize = KERNEL32.BaseThreadInitThunk
004523E9    .  A1 E8986C00                 MOV EAX,[0x6C98E8]                  ; |
004523EE    .  51                          PUSH ECX                            ; |Buffer = NULL
004523EF    .  56                          PUSH ESI                            ; |pValueType = NULL
004523F0    .  8D55 AC                     LEA EDX,[EBP-0x54]                  ; |
004523F3    .  56                          PUSH ESI                            ; |Reserved = NULL
004523F4    .  52                          PUSH EDX                            ; |ValueName = "Uìjÿh¸2f"
004523F5    .  50                          PUSH EAX                            ; |hKey = 0x75859191
004523F6    .  C645 AC 43                  MOV BYTE PTR [EBP-0x54],0x43        ; |
004523FA    .  C645 B1 55                  MOV BYTE PTR [EBP-0x4F],0x55        ; |
004523FE    .  C645 B6 4D                  MOV BYTE PTR [EBP-0x4A],0x4D        ; |
00452402    .  C645 B5 56                  MOV BYTE PTR [EBP-0x4B],0x56        ; |
00452406    .  C645 B7 00                  MOV BYTE PTR [EBP-0x49],0x0         ; |
0045240A    .  C745 80 10000000            MOV DWORD PTR [EBP-0x80],0x10       ; |
00452411    .  FF15 04B06000               CALL [<&ADVAPI32.RegQueryValueExA>] ; \RegQueryValueExA
00452417    .  85C0                        TEST EAX,EAX                        ;  KERNEL32.BaseThreadInitThunk
00452419    .^ 0F85 48DDFFFF               JNZ IDMan.00450167                  ;  V
0045241F    .  8DBD E8FDFFFF               LEA EDI,[EBP-0x218]
00452425    .  83C9 FF                     OR ECX,0xFFFFFFFF
00452428    .  F2:AE                       REPNE SCAS BYTE PTR ES:[EDI]
0045242A    .  F7D1                        NOT ECX
0045242C    .  49                          DEC ECX
0045242D    .  83F9 02                     CMP ECX,0x2
00452430    .^ 0F85 31DDFFFF               JNZ IDMan.00450167                  ;  V
  
EB ?? 8D 45 ?? 8D ?? ?? ?? ?? ?? 50
EB ?? 8D 45 80 8D 75 80 90 90 90 50

##### OPTIONAL - PATCH REG SCHEME TO ACCEPT ANY SERIAL #####
004FB2CC   |.  99                   CDQ
004FB2CD       F7FE                 IDIV ESI                    ; NOP
004FB2CF   |.  85D2                 TEST EDX,EDX
004FB2D1   |.  75 04                JNZ SHORT IDMan.004FB2D7
004FB2D3   |.  85C9                 TEST ECX,ECX
004FB2D5   |.  75 04                JNZ SHORT IDMan.004FB2DB
004FB2D7   |>  C645 EF 01           MOV BYTE PTR [EBP-0x11],0x1

99 F7 ?? 85 ?? 75 ?? 85
99 90 90 85 ?? 75 ?? 85

This pattern will patch the reg scheme so you can input any serial
as long as the format is XXXXX-XXXXX-XXXXX-XXXXX

 

 

Quote

Silent Registry Patching (so you dont need to register IDM manually)


REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Internet Download Manager]
"Email"="[email protected]"
"FName"="BabelPatcher"
"LName"="-  NsaneForums"
"Serial"="12345-67890-09876-54321"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Internet Download Manager]
"Email"="[email protected]"
"FName"="BabelPatcher"
"LName"="- NsaneForums"
"Serial"="12345-67890-09876-54321"
Registry Patching with input message (you'll be asked to input your fistname & your lastname)

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Internet Download Manager]
"Email"="[email protected]"
"FName"="$Your Fist Name$"
"LName"="$Your Last Name$"
"Serial"="12345-67890-09876-54321"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Internet Download Manager]
"Email"="[email protected]"
"FName"="$Your Fist Name$"
"LName"="$Your Last Name$"
"Serial"="12345-67890-09876-54321"

 

 

Quote

Download: 3 IDM Patchers & 3 DUP2002 Project Files


Site: rghost.net
Code: 57793248
Quote

Thanks :wub: NsaneForums

Link to comment
Share on other sites


  • Replies 48
  • Views 20.2k
  • Created
  • Last Reply

Great work, Indonesian Patcher (Reverse Engineering Release) :cheers:

Link to comment
Share on other sites


:thumbsup: :notworthy:

Why you release this? Do you want to retire?

Link to comment
Share on other sites


Excellent and well explained tutorial, I know exactly how to crack IDM.....Actually I don't....I guess this was useful to other crackers or those who have a good knowledge of coding already.

Link to comment
Share on other sites


  • 1 month later...
  • 3 weeks later...

On a completely unrelated note, babelpatcher doesn't need to show off. This is some serious skill right here. Patching the server check routine to jump to the success condition.. just.. GENIUS!

Link to comment
Share on other sites


File is deleted. Mirrors anyone?

File is deleted. Mirrors anyone?

+1 :wub:

ooops maybe the hosting deleted the file :D

1st post updated :D

Link to comment
Share on other sites


Hi babelpatcher can u tell me how u wer saying forever trial by just modifying hosts?

Can u pls elaborate

Link to comment
Share on other sites


Hi babelpatcher can u tell me how u wer saying forever trial by just modifying hosts?

Can u pls elaborate

no.. i did not mod my hosts file :D

i just patched IDM :D

IDM reset its trial status itself everytime it start :D

make it trial forever :D

believe me, there is no different between trial and registered version of IDM :D

Link to comment
Share on other sites


Hi babelpatcher can u tell me how u wer saying forever trial by just modifying hosts?

Can u pls elaborate

no.. i did not mod my hosts file :D

i just patched IDM :D

IDM reset its trial status itself everytime it start :D

make it trial forever :D

believe me, there is no different between trial and registered version of IDM :D

don't you have to re patch on updates ? for me just by adding some ips in windows fw as long as I don't delete the serial from the registry I don't have to do nothing but reinstall or install over-top ..stay working . I don't even know why people waste there time talking about host files for this program that was leaking for years and don't work at all anymore

Link to comment
Share on other sites


yes..

the minus point of my Trial Forever Patch is i have re-patch IDM after update to new version or in case it expired :D

i play alot with network tool and proxy (ssh & openvpn tunnel)

for that reason i sometimes disabled my firewall while IDM still running :D

that's why

1. firewall method is not suitable for me

2. further, firewall method will fail if IDM configured to use proxy

Link to comment
Share on other sites


Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...