On a shared server there are not many options...

Have you tried putting a CAPTCHA on the download page?

Tracking visitors with cookies, EverCookies or a Session code passed in the URL?

Where are the abusers coming from? can you block them by IP range ?

Is it one person using a scraper script or many humans?  take a look at the referer values & UserAgent strings  in the raw access logs this will tell you the kind of PC visiting your website.

Do you automatically change the download link locations using a random element every hour?

this stops people sharing  links and forces them to visit the website

Are you sure it is not a search engine from Google, Bing or Yahoo ? they operate from well known IP ranges and can be controlled by either your robots.txt file or by setting up your webmaster account with them to get a custom crawl rate.