cyT0m!c's CrackMe #1 can be downloaded from http://www.crackmes.cjb.net

Cracking cyT0m!c's CrackMe #1 with ManKind
=============================================
Start the crackme and enter the following into the text fields:

Name:ManKind
Serial #:23199981

Go into SoftICE and set a breakpoint on hmemcpy:

bpx hmemcpy

Leave SoftICE and press the Try It button. SoftICE will pop up; press F11 once and F12 11 times and you will land here:

:00425078 8B45F4                  mov eax, dword ptr [ebp-0C] <-- move serial to eax
:0042507B 8D55F8                  lea edx, dword ptr [ebp-08]
:0042507E E871D7FDFF              call 004027F4
:00425083 8BF0                    mov esi, eax <-- esi contains serial now
:00425085 8B45FC                  mov eax, dword ptr [ebp-04] <-- move name to eax
:00425088 E813010000              call 004251A0  <-- calculation routine
:0042508D 8BF8                    mov edi, eax <-- move eax to edi
:0042508F 3BFE                    cmp edi, esi <-- compare edi and esi, edi contains the real serial while esi contains the false one (do '? register' to view the value)
:00425091 7418                    je 004250AB <-- good_boy_jump

We don't only want the correct serial, right? We want to make a keygen too, so let's step into the call at address 00425088 (by pressing F8 in SoftICE) and you will come to this:

* Referenced by a CALL at Address:
|:00425088   
|
:004251A0 53                      push ebx <-- push ebx's value onto stack
:004251A1 89C3                    mov ebx, eax <-- move eax (pointer to name) to ebx
:004251A3 83FB00                  cmp ebx, 00000000 <-- check whether the name pointer in ebx is null (no name at all)
:004251A6 7413                    je 004251BB <-- jump to the end if it is
:004251A8 B801000000              mov eax, 00000001 <-- move 1 to eax
:004251AD 31C9                    xor ecx, ecx <-- set ecx to zero

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004251B9(U)
|
:004251AF 8A0B                    mov cl, byte ptr [ebx] <-- get the current byte's ascii into cl
:004251B1 80F900                  cmp cl, 00 <-- check whether cl is the terminating zero (no character left)
:004251B4 7405                    je 004251BB <-- jump if none
:004251B6 F7E1                    mul ecx <-- multiply eax by ecx, the low 32 bits of the result stay in eax
:004251B8 43                      inc ebx <-- inc ebx so that the loop takes the next character for the calculation of the correct serial
:004251B9 EBF4                    jmp 004251AF <-- loop it

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004251A6(C), :004251B4(C)
|
:004251BB 25FFFFFF0F              and eax, 0FFFFFFF <-- do a logical AND on eax, keeping only its low 28 bits
:004251C0 5B                      pop ebx <-- get the original value of ebx
:004251C1 C3                      ret <-- return
 
Huh, finally finished. Not a long algo really: eax starts at 1, gets multiplied by the ASCII value of each character of the name, and is then ANDed with 0FFFFFFF. I don't think I need to explain any more than my comments above (unless my explanation is really lame, and in that case, mail me). Below is a source which I coded in my Turbo Pascal 7.0 compiler, but it should compile on any other Pascal compiler (whew, took me about 20 minutes because I rarely code in Pascal):

{$Q-,R-} {overflow and range checks off: the product must wrap like the 32-bit mul does}
Program keygen ; {name the program}
uses crt ; {crt is a unit, this is similar to the include directive in c/c++}
var {variable declarations}
  namelen, name1, i, eax : longint ;
  username : string ;

begin
  clrscr ; {clear the screen, similar to CLS in QBasic}
  writeln('cyT0m!cs CrackMe #1') ;
  writeln('====================') ;
  writeln ;

  write('Name: ') ; {input user}
  readln(username) ; {gets user's input, similar to gets in c/c++}
  namelen:=length(username) ; {get the length of user's name into variable namelen}
  eax:=1 ;

  if namelen >= 1 then {the calculation will only take place if name is entered}
   begin
    for i:=1 to namelen do
     begin
      name1 := Ord(username[i]) * eax ;
      eax:= name1 ;
     end ;
    eax:=eax and 268435455 ;
    write('Serial #:') ; {output the correct serial}
    writeln(eax) ;
   end ;

  if namelen < 1 then
   begin
    writeln('Invalid name!') ; {display this message if no name is entered}
   end ;

readln ;
end.

As you might have known, I am not a good coder. So, if you could improve and optimize this code, by all means, do it! That's all for now. Cya next time.
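
As an added example (not part of the original tutorial and not the crackme's own code), here is the routine at 004251A0 modelled in C. It shows two weaknesses of this kind of check that anyone designing a serial scheme should note: the serial does not depend on the order of the characters, and it collapses to 0 once the name's bytes contribute 28 factors of two. The function names crackme_serial and twos_in_name and all sample names except ManKind are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the routine at 004251A0: EAX starts at 1 and is multiplied by
   each name byte; MUL leaves the low 32 bits in EAX, then AND 0FFFFFFFh. */
uint32_t crackme_serial(const char *name)
{
    if (name == NULL)            /* cmp ebx, 0 / je 004251BB: EAX is still 0 */
        return 0;
    uint32_t eax = 1;            /* mov eax, 1 */
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        eax *= *p;               /* mul ecx, wraps modulo 2^32 */
    return eax & 0x0FFFFFFFu;    /* and eax, 0FFFFFFF */
}

/* Number of factors of two contributed by the name's bytes. Once this
   reaches 28, the masked product is 0 whatever the other characters are. */
unsigned twos_in_name(const char *name)
{
    unsigned n = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        for (unsigned c = *p; c && (c & 1) == 0; c >>= 1)
            n++;
    return n;
}

int main(void)
{
    /* Constructed sample names; "ManKind" is the name used in the tutorial. */
    const char *names[] = { "ManKind", "dniKnaM", "ppppppp", "ppppppp-x" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-10s twos=%2u serial=%lu\n", names[i],
               twos_in_name(names[i]), (unsigned long)crackme_serial(names[i]));
    return 0;
}
```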

Ending: 
Thanks and greetz to: 
+ORC, +HCU, Sandman, HarvestR, tKC, ytc_, Punisher, Kwai_Lo, TORN@DO, CrackZ, cLUSTER, LaZaRuS, mISTER fANATIC, yes123, WhizKiD, Volatility, ACiD BuRN, Eternal Bliss, R!SC, Kwazy Webbit, +Mammon, MisterE, Shadow, ^tCM^, WaJ, Borna Janes, Kathras, AB4DS(Death), douby, Steinowitz, Lord Soth, Latigo, Lucifer48, NeuRaL_NoiSE, Fravia+, Latigo, Duelist, Alpine, flag eRRatum, Nitrus, +Frog's Print, Muad`Dib, Iczelion, Razzia, Warezpup, Bomber Monkey, llama and other crackers, individuals and organisations who have helped me, either directly or indirectly. 

Service for Mankind 
ManKind 
mankind001@bigfoot.com
