Norton AntiVirus v5.0
Greetings and welcome to the noble art of reverse engineering!
Numega SoftIce v3.22
OK! The first thing we are going to do is fool the program into thinking that we have connected to Symantec and received the unlocking code!
The reason we do that is to get the "Unlocking-window".
Step1. Execute Norton antivirus and choose [Buy Now].
Step2. Then exit Norton, go to "c:\windows" and open 'rsagent'.
       Look for a string called mailstat, it looks like this:
       Change the value to a: zero(1).
Step3. Execute Norton again and choose [Buy Now].
Step4. Start softice by holding down 'Ctrl' and 'D'.
Step5. Type: bpx getdlgitemtexta and press enter!
Step6. Type: bl (if you would like to list the breakpoints that have been set).
Step7. Press F5 to return to Norton, type in 'first name', 'last name' and
       these numbers: 1234567890, click
       [OK] and softice breaks at the start of getdlgitemtexta.
Step8. Press F11 once.
Step9. Go to the CMP line that looks like this:
        :10005681  83F90A  CMP  ECX,0A
Step10. Type: ? ecx
        and you will see this:
        0000000A  0000 000010  "0"  => Length for our code!
Step11. Now look for the following code:
        :10005708  51              PUSH  ECX
        :10005709  52              PUSH  EDX
        :1000570A  50              PUSH  EAX
        :1000570B  E870630000      CALL  100BA80
        :10005710  83C40C          ADD   ESP,0C
        :10005713  8D8C24D8000000  LEA   ECX,[ESP+000000D8]
        If you dump this LEA ECX (d ecx), you will find the unlocking code.
Step12. Go to the line:
        Type: d 100030F40 => 1234567890, this is our fake serial!
Step13. OK, we have found the serial...BUT WE WANT TO FIND THE PUSH....RIGHT!!
        Type: d ecx => This is the valid unlocking code!
Step17. Now type: bc * (to delete all breakpoints).
Step18. Press 'Ctrl' and 'D' to leave softice and try your
        unlocking code. Wow!!!!!!.......You have just cracked Norton AntiVirus
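
Why the valid code is visible in Step 11, shown as an added defensive example (not part of the original tutorial and not Symantec's code): a check that derives the expected unlocking code on the client leaves it in process memory, whereas a signature check ships only a public key. The key (two Mersenne primes, far too small for real use), the embedded secret, the function names and the code format are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key built from two Mersenne primes. Trivially factorable and
# unpadded: a real product would use a vetted library (RSA-3072 or Ed25519).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                  # public half: the only part shipped to clients
D = pow(E, -1, (P - 1) * (Q - 1))    # private half: stays on the vendor's server

# Constructed stand-in for whatever secret/algorithm the client binary embeds.
CLIENT_SECRET = b"constructed-secret-embedded-in-binary"


def weak_expected_code(name: str) -> str:
    """Weak pattern: the client itself derives the valid 10-character code."""
    return hmac.new(CLIENT_SECRET, name.encode(), hashlib.sha256).hexdigest()[:10]


def weak_check(name: str, entered: str) -> bool:
    # The valid code now sits in a local buffer, next to the user's input.
    expected = weak_expected_code(name)
    return hmac.compare_digest(expected.encode(), entered.encode())


def _digest(name: str) -> int:
    """Hash the licensee name to an integer below N."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % N


def vendor_issue(name: str) -> str:
    """Vendor side only: sign the name digest with the private exponent."""
    return format(pow(_digest(name), D, N), "x")


def client_verify(name: str, code: str) -> bool:
    """Hardened pattern: the client verifies, but cannot derive, a valid code."""
    try:
        sig = int(code, 16)
    except ValueError:
        return False
    if not 0 < sig < N:
        return False
    return pow(sig, E, N) == _digest(name)


if __name__ == "__main__":
    issued = vendor_issue("Jane Doe")
    print(client_verify("Jane Doe", issued), client_verify("Jane Doe", "1234567890"))
```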