This tutorials on cracking programs which are based on RSagent (eg most norton products like Norton antivirus).  You can tell if its an Rs prog cause there's rsagnt32.dll in its directory.  This text is for complete newbies and since I am not very competant at ASM, I had some help at cracking this prog.  I'm not really much of a cracker, but am learning.  IF you want to learn ASM, I highly recommend reading the ART of Assembly book (24megs and a legal download) ;).  

First of all. to be a good cracker, you should have these progz:

Softice
A registry monitor
w32dasm
a file monitor
A hex editor

However, U only need w32dasm to do this tutorial. it is much easier if you know a prefessional language like C++, pretty easy if you know Basic, but could be a pain in the ass if you don't know $hit.  It also helps to know alot about the Windoze 98 OS.  

Cracking windows progz are EASY cause Windoze is a weak O$ which is not secure. cracking DOS is slightly harder. For this tutorial, the commands U need to know are:

Jne which means jump somewhere.  This is a more general txt so U gotta keep that in mind. This was actually written based on Norton Antivirus 5 so if you have a demo copy of it, or can get a copy of it, it could help. Cracking RS progz are probably one of the easiest crackz you'll ever experiance.

First.  Lets open the programs directory. Is Rsagnt32.dll or RSagent.dll there??  If its not, you could be hiding it. Go to the folder options and under view, make sure all files are shown (because it is considered as a system file).  Check again. If its not but there is a dll that is like it, it could be. You might need to use slightly different precedures though. Under NAV5, the Dll is Rsagnt32.dll.  Next...  Lets look around the files in the directory and run them.  Hmm.  This one says "please wait, you're software being prepared" and then moves on to say "You cannot run this app at this time. Please leave it where it is because the system will need it later".  How many exe files do you know that contradict itself??? this is one. This is the file that needs to be cracked. It is obvious why it is the one.  But to U village idiots, its the one because it says you're software is being prepared.  But it can't run it AT THIS TIME. The keywords which are important are==> AT THIS TIME & BEING PREPARED. 
The files U need to crack usually have RS on their icon but not always.  Check if there are any more files like this.  All the files like this need to be cracked. In NAV5, there are 3. the reason that in some programs their is then one is because there is more then one main file. If you don't crack all of the RS files, one or 2 components will come up with the Trial/buy now screen.

The main command U need to know for this crack is:
jne (to jump somewhere)


If you're program U want to crack is open, close it. Open W32dasm. Go to open file to disassemble and open the File which says "plz wait your software......" In NAV5, the best file to start with is Qconspop.exe, the RS component of the Quarantine prog. If after the file is processed, the screen is full of psycho characters, goto font, select font and select any font and press OK. Should be easy to read now. Go to refs, string data referances.  Go down the list and see what our choices are.  Double click on "You cannot run this application" And press close. After scrolling up a bit.. You'll see this==>


* Reference To: USER32.MessageBoxA, Ord:0195h
                                  |
:00404CA7 8B3DA8C44300            mov edi, dword ptr [0043C4A8]
:00404CAD 85F6                    test esi, esi        <==Compare ESI to 0 
:00404CAF 752F                    jne 00404CE0         <==Jump to fullversion if ESI allows it 

* Possible StringData Ref from Data Obj ->"You cannot run this application "
                                        ->"at this time."
                                  |
:00404CB1 68F8614200              push 004261F8
:00404CB6 68E0EF4200              push 0042EFE0
:00404CBB E850380100              call 00418510
:00404CC0 8B8C2458050000          mov ecx, dword ptr [esp+00000558]
:00404CC7 83C408                  add esp, 00000008
:00404CCA 6830000100              push 00010030

Lets find out what Esi equals at the moment.  We will just have to stick a breakpoint on it while its running. We can do that by going to debug, load process. You don't need any commands so click OK on the next window.  Then another 2 windows will pop up on you're monitor.  Move them aside and maximise your old window.  Go back to string refs, double click "you cannot run this application" and press close. select the line that test esi, esi and press F2. A yellow spot will show up. reduce that windows size and get the other 2 windows where you can see them. One of them will have a button with run. Click it. It will stop at the breakpoint. Goto the window that says EIP something or rather in kernal32. Go down the stack of buttons and click ESI. Goto modify data button and there will be a list of values. Presently ESI=0.....  To make the jump to fullversion and skip the "You cannot run..." message, its got to equal 1 or more.  Under enter value-->, add a 1 somewhere, preferably the last digit and click the esi button. Press the modify button and close. Lets run this baby now by pressing the run button again. The program will make the jump to fullversion now and modify the program automatically to make it fullversion. The program should pop up in full version form..  You can show off to your friends now all you want. Unfortunately in NAV5, Liveupdate won't work.  But who cares.  Update your virus defs using NU3 LIveupdate.  Remember, you must crack all the programs protected by RS. So if a program pops up with that buy/trial method, maybe you need to still crack one or more filez.  Also, I am unsure whether this method works of the new version of RSagent.  If you want to show off with this crack, use older versions of RS protected progs. 