---------------------------------
How to make a keygen for Cacheman
---------------------------------

Cracker:    stealthFIGHTER
Target:     Cacheman v5.0
Tools:      SoftICE
            Delphi
Where:      http://www.outertech.com/
Protection: Serial number

--------------------------------------------------
Sorry for my English, it's not my mother language.
--------------------------------------------------

----------------
---[ Step 1 ]---
----------------

=======================================================================
You're in Cacheman >> Help >> Enter customer ID. Type something >> go
to SoftICE and set breakpoint 'HMemCpy' >> F5 >> hit OK >> SoftICE
should pop up >> press the F12 key till you're in Cacheman code >>
stop here:
=======================================================================
:004B75E1 MOV EAX,[EBP-04]   ;Move fake serial into EAX (d eax)
:004B75E4 CALL 004A9704      ;Main keygen and check routine
:004B75E9 TEST AL,AL
:004B75EB JZ 004B7669        ;If AL = 0 then jump (jump if zero)
=======================================================================
Enter the main keygen routine and trace a bit ... stop here:
=======================================================================
:004A972C MOV EAX,004A97C4   ;Move '_' char into EAX (d eax)
:004A9731 CALL 00404238      ;Get position of '_' char from fake sn.
:004A9736 CMP EAX,04         ;If position = 4 then good cracker
:004A9739 JNZ 004A9793       ;Else jump to bad cracker
=======================================================================
Now we know that the 4th character of the serial number has to be
equal to '_'. Enter some serial again with '_' as the 4th char. Now you
should successfully pass JNZ 004A9793 ... trace a bit ...
stop here:
=======================================================================
:004A973E CALL 00403F4C      ;Get length of our serial
:004A9743 CMP EAX,0C         ;If length = 12 then continue
:004A9746 JNZ 004A9793       ;If length <> 12 then jump to error
=======================================================================
Enter some serial again with '_' as the 4th char; the length must be
12. Trace a bit ... stop here:
=======================================================================
:004A9753 CALL 004B844C      ;Get 1st 3 chars from our serial
:004A9758 MOV EAX,[EBP-0C]   ;Move them to EAX - remember this!
:004A975B XOR EDX,EDX        ;'Clear' EDX
:004A975D CALL 00408B0C      ;Convert EAX from STRING to INTEGER
:004A9762 MOV EBX,EAX        ;Move EAX into EBX
:004A9764 LEA ECX,[EBP-08]
:004A9767 MOV EDX,00000008
:004A976C MOV EAX,[EBP-04]
:004A976F CALL 004B84A4
:004A9774 MOV EAX,[EBP-08]
:004A9777 CALL 00403F4C
:004A977C MOV EDX,[EBP-08]
:004A977F MOVZX EAX,BYTE PTR [EAX+EDX-01] ;Move last char into EAX
:004A9784 ADD EAX,EAX        ;EAX = EAX + EAX
:004A9786 LEA EAX,[EAX*2+EAX] ;EAX = EAX * 2 + EAX
:004A9789 XOR EAX,14         ;EAX = EAX xor 14
:004A978C CMP EAX,EBX        ;Compare EAX and EBX
:004A978E SETZ AL            ;If EAX = EBX then AL = 1, else AL = 0
=======================================================================
I think it's clear here. (If you don't understand, see the example
below.)
=======================================================================
Example:

(As a serial I've entered: 111_23456789) - the 4th character is equal
to '_' and the length is equal to 12.

Keygen routine:

Get the 1st 3 chars from our serial and save them to EAX (:004A9758).
In my case they're '111'.

Then convert this string to integer (:004A975D) and save it to EAX.
In my case EAX = $6F
Once you're at :004A9762 type '? EAX' and you should see your 1st
chars in Hex and Dec value. ($6F = 111)

Take the last char from our serial and save it to EAX (:004A977F).
In my case the number is '9'. Hex value is '$39'.
Once you're at :004A9784 type '?
EAX' and you see Hex and Dec value.

Double this number (:004A9784).
In my case: EAX = $39 + $39 (so EAX = $72)

Now do: EAX = EAX * $2 + EAX. (:004A9786)
In my case: EAX = $72 * $2 + $72. (so EAX = $156)

Now do: EAX = EAX xor $14 (:004A9789) (btw. $14 = 20)
In my case: EAX = $156 xor $14 (so EAX = $142)

Convert EAX to string: type '? EAX'
In my case: ? EAX = 322
=======================================================================

----------------
---[ Step 2 ]---
----------------

=======================================================================
Here comes my keygen:

1) Generate 8 numbers (and save them to some temporary variable)
2) Get the last one and save it to 'serial' as integer (ordinal value)
3) Double this number and save it to 'serial'
4) Do: 'serial * 2 + serial' and save it to 'serial'
5) Do: 'serial xor 20'
6) Convert 'serial' from integer to string
7) Add '_' char behind the string
8) Add the 8 generated numbers to the string (from the temp. variable)
9) Display final serial
=======================================================================
procedure GenSer;
var
  i      : Byte;
  temp   : String;
  serial : Integer;
begin
  temp := '';
  for i := 1 to 8 do
  begin
    temp := temp + IntToStr(Random(9));
    serial := Ord(temp[length(temp)]);  // ordinal value of the last digit
  end;
  serial := serial + serial;
  serial := serial * 2 + serial;
  serial := serial xor $14;
  Label1.Caption := IntToStr(serial) + '_' + temp;
end;
=======================================================================
Any comments or mistakes are welcome at: stealthfighter@another.com
or you can visit me: http://nitrous.hop.to
or http://stealthfighter.cjb.net
=======================================================================
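
From the vendor's side, the routine traced in Step 1 can be modelled and tested to see how little of the serial it actually constrains. This is an added example, not code from the original tutorial or from the product; the function names are hypothetical, the sample serial is constructed from the worked example, and rejecting a non-numeric prefix is an assumption.

```python
import string


def check_serial(serial: str) -> bool:
    """Model of the check traced in Step 1 (hypothetical name)."""
    # :004A9736 / :004A9743 - first '_' is the 4th char, length is 12
    if len(serial) != 12 or serial.find("_") != 3:
        return False
    prefix = serial[:3]
    # Assumption: a prefix that is not three ASCII digits never matches.
    if not (prefix.isascii() and prefix.isdigit()):
        return False
    last = ord(serial[-1])                  # :004A977F
    expected = ((last + last) * 3) ^ 0x14   # :004A9784 to :004A9789
    return int(prefix) == expected          # :004A978C


def unchecked_positions(valid: str) -> list[int]:
    """Differential test: indexes that accept every uppercase letter
    without the serial being rejected, i.e. positions never examined."""
    free = []
    for i in range(len(valid)):
        mutants = (valid[:i] + c + valid[i + 1:]
                   for c in string.ascii_uppercase)
        if all(check_serial(m) for m in mutants):
            free.append(i)
    return free


# Constructed sample: the serial from the worked example, with the prefix
# replaced by the value the walkthrough computes for it (322).
SAMPLE = "322_23456789"

if __name__ == "__main__":
    print("accepted:", check_serial(SAMPLE))
    print("unchecked indexes:", unchecked_positions(SAMPLE))
```

Seven of the twelve characters are never examined, and the remaining five are tied together by fixed arithmetic on a single byte, so the check contains no secret and is not bound to any customer identity.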