1. 前言
IDM version: 6.38 Build 23
2.算法逆向
IDM 的序列号验证函数位于下图所示的位置:
![IDM 序列号验证函数的定位截图](https://i-blog.csdnimg.cn/blog_migrate/8eae187c193a30ea9e78811c277cc55a.png)
下面是该函数在 IDA 中的反汇编代码及分析:
.text:00510010 push ebp
.text:00510011 lea ebp, [esp-1FCh]
.text:00510018 sub esp, 1FCh
.text:0051001E push 0FFFFFFFFh
.text:00510020 push offset SEH_510010
.text:00510025 mov eax, large fs:0
.text:0051002B push eax
.text:0051002C sub esp, 160h
.text:00510032 mov eax, ___security_cookie
.text:00510037 xor eax, ebp
.text:00510039 mov [ebp+1FCh+var_4], eax
.text:0051003F push ebx
.text:00510040 push esi
.text:00510041 push edi
.text:00510042 push eax
.text:00510043 lea eax, [ebp+1FCh+var_208]
.text:00510046 mov large fs:0, eax
.text:0051004C mov [ebp+1FCh+var_20C], esp
.text:0051004F mov edi, ecx
.text:00510051 mov [ebp+1FCh+var_234], edi
.text:00510054 mov encode36, 32h ; '2' ; char basecode36[] = {0x32, 0x59, 0x4F, 0x50, 0x42, 0x33, 0x41, 0x51, 0x43, 0x56, 0x55, 0x58, 0x4D, 0x4E, 0x52, 0x53,0x39, 0x37, 0x57, 0x45, 0x30, 0x49, 0x5A, 0x44, 0x34, 0x4B, 0x4C, 0x46, 0x47, 0x48, 0x4A, 0x38,0x31, 0x36, 0x35, 0x54};
.text:0051005B mov encode36+1, 59h ; 'Y'
.text:00510062 mov encode36+2, 4Fh ; 'O'
.text:00510069 mov encode36+3, 50h ; 'P'
.text:00510070 mov encode36+4, 42h ; 'B'
.text:00510077 mov encode36+5, 33h ; '3'
.text:0051007E mov encode36+6, 41h ; 'A'
.text:00510085 mov encode36+7, 51h ; 'Q'
.text:0051008C mov encode36+8, 43h ; 'C'
.text:00510093 mov encode36+9, 56h ; 'V'
.text:0051009A mov encode36+0Ah, 55h ; 'U'
.text:005100A1 mov encode36+0Bh, 58h ; 'X'
.text:005100A8 mov encode36+0Ch, 4Dh ; 'M'
.text:005100AF mov encode36+0Dh, 4Eh ; 'N'
.text:005100B6 mov encode36+0Eh, 52h ; 'R'
.text:005100BD mov encode36+0Fh, 53h ; 'S'
.text:005100C4 mov encode36+10h, 39h ; '9'
.text:005100CB mov encode36+11h, 37h ; '7'
.text:005100D2 mov encode36+12h, 57h ; 'W'
.text:005100D9 mov encode36+13h, 45h ; 'E'
.text:005100E0 mov encode36+14h, 30h ; '0'
.text:005100E7 mov encode36+15h, 49h ; 'I'
.text:005100EE mov encode36+16h, 5Ah ; 'Z'
.text:005100F5 mov encode36+17h, 44h ; 'D'
.text:005100FC mov encode36+18h, 34h ; '4'
.text:00510103 mov encode36+19h, 4Bh ; 'K'
.text:0051010A mov encode36+1Ah, 4Ch ; 'L'
.text:00510111 mov encode36+1Bh, 46h ; 'F'
.text:00510118 mov encode36+1Ch, 47h ; 'G'
.text:0051011F mov encode36+1Dh, 48h ; 'H'
.text:00510126 mov encode36+1Eh, 4Ah ; 'J'
.text:0051012D mov encode36+1Fh, 38h ; '8'
.text:00510134 mov encode36+20h, 31h ; '1'
.text:0051013B mov encode36+21h, 36h ; '6'
.text:00510142 mov encode36+22h, 35h ; '5'
.text:00510149 mov encode36+23h, 54h ; 'T'
.text:00510150 mov [ebp+1FCh+var_200], 0
.text:00510157 push 32h ; '2' ; int
.text:00510159 lea eax, [ebp+1FCh+Data]
.text:0051015F push eax ; lpString
.text:00510160 push 4B0h ; nIDDlgItem
.text:00510165 call ?GetDlgItemTextA@CWnd@@QBEHHPADH@Z ; CWnd::GetDlgItemTextA(int,char *,int)
.text:0051016A test eax, eax
.text:0051016C jnz short loc_5101AC ; 获取注册名字并判断是否成功
.text:0051016E push eax ; uType
.text:0051016F push offset Caption ; "Internet Download Manager"
.text:00510174 mov ecx, dword_716978
.text:0051017A
.text:0051017A loc_51017A: ; CODE XREF: SerialCheck+1C1↓j
.text:0051017A ; SerialCheck+1E8↓j ...
.text:0051017A push ecx ; lpMultiByteStr
.text:0051017B mov edx, [edi+20h]
.text:0051017E push edx ; hWnd
.text:0051017F
.text:0051017F loc_51017F: ; CODE XREF: SerialCheck+271↓j
.text:0051017F ; SerialCheck+3F7↓j
.text:0051017F call MyMessageBox ; 弹出假冒序列号窗口函数
.text:00510184 add esp, 10h
.text:00510187
.text:00510187 loc_510187: ; CODE XREF: SerialCheck+5CF↓j
.text:00510187 ; SerialCheck+63B↓j ...
.text:00510187 mov ecx, [ebp+1FCh+var_208]
.text:0051018A mov large fs:0, ecx
.text:00510191 pop ecx
.text:00510192 pop edi
.text:00510193 pop esi
.text:00510194 pop ebx
.text:00510195 mov ecx, [ebp+1FCh+var_4]
.text:0051019B xor ecx, ebp ; StackCookie
.text:0051019D call @__security_check_cookie@4 ; __security_check_cookie(x)
.text:005101A2 add ebp, 1F