Norton AntiVirus v5.0

Written by McCodEMaN


Greetings and welcome to the noble art of reverse engineering!

Norton Antivirus is made by Symantec and i think that this is one of the best virusprotections you canhave on your computer.
The crackprotection stinks!...with this kind of protection they could distribute it as freeware!
Norton.Antivir. can be bought online and uses RsAgent.

Please don`t make coffee...and dont make your self comfortable...
this pleasure will be over before you can say....


Tools required

Numega SoftIce v3.22

Target's URL



Ok! the first thing we are going to do, is to fool the program that we have been connected to symantec and recived the unlockingcode!
The reason we do that, is to get the "Unlocking-window".

Step1. Execute Norton antivirus and choose [Buy Now].

Step2. Then exit Norton and go to : "c:\windows " and open 'rsagent'.
xxxxxx look for a string called mailstat, it looks like this:

xxxxxx mailstat=0
xxxxxx change the value to a: zero(1).

Step3. Execute Norton again and choose [Buy Now].

Step4. Start softice by holding down 'Ctrl' and 'D'.

Step5. Type: bpx getdlgitemtexta and press enter!

Step6. Type: bl (If you like to list the breakpoints that has been set).

Step7. Press F5 to return to norton, type in 'first name', 'last name' and
xxxxxx these numbers: 1234567890, click
xxxxxx [OK] and softice breaks at the start of getdlgitemtexta.

Step8. Press F11 once.
Step9. Go to the: CMP line that looks like this:
xxxxxxxxx :10005681x 83F90Axxxxx CMPxx ECX,0A

Step10. Type: ? ecx
xxxxxxx and you will see this:

xxxxxxxxx 0000000Ax 0000 000010 xxxxx "0"xxxxx=>Length for our code!

Step11.Now look for the following code:
xxxxxxx:10005708x 51 xxxxxxxxxxxxxxxx PUSHxx ECX
xxxxxxx:10005709x 52 xxxxxxxxxxxxxxxx PUSHxx EDX
xxxxxxx:1000570Ax 50 xxxxxxxxxxxxxxxx PUSHxx EAX
xxxxxxx:1000570Bx E870630000 xxxxxxx CALLxx 100BA80
xxxxxxx:10005710x 83C40C xxxxxxxxxxx ADDxxx ESP,0C
xxxxxxx:10005713x 8D8C24D8000000xx LEAxxxx ECX,[ESP+000000D8]

xxxxxxx If you dump (d ecx) this: LEA....ECX, you will find the unlockingcode.

Step12. Go to the line:

xxxxxxx:1000571AxxxxPUSHxx 10030F40

xxxxxxxType: d 100030F40 => 1234567890, this is our fake serial!

Step13. Ok, we have found the serial...BUT WE WHANT TO FIND THE PUSH....RIGHT!!
xxxxxxxLook for:


xxxxxxxType: d ecx => This is the valid Unlockingcode!

Step17. Now type: bc * (to delete all breakpoints).

Step18. Press 'Ctrl' and 'D' to leave softice and try your
xxxxxxx unlocking code. Wow!!!!!!.......You have just cracked Norton AntiVirus

Final Notes

When ever there is a door,
there is an entrance.
And behind an entrance can no secret hide,
when a cracker takes his knowledge for a ride


The information in this essay is for educational purpose only!
You are only allow tocrack, reverse engineer, modify code and debugg programs that you legaly bought andthen for personal use only!!
To ignore this warning is a criminell act and can result in lawful actions!

So please note!
I take noresponebility for how you use the information in this essay, i take NO responebilityfor what might happen to you or your computer! You use this information on your own risk!!

What i mean is: Please buy the software!


Essay written by McCodEMaN ŠTRES2000. All Rights Reserved.