There is a crack, a crack in everything. That's how the light gets in.
To access the 'Registration Screen', select the 'Help' menu option, then choose the 'Registration' sub-menu option.
You will be asked to enter:
User Name:
Organization:
Serial Code:
On successful registration the program creates the following entries in your system registry:
HKEY_CURRENT_USER\Software\Software By Design\Audtion For Windows 95/NT\Registration
Code = b017732b (2954326827)
Organization = #
Splash = 0x00000000 (0)
User = "The Sandman"
If you wish to legally register this program for a single license then it will cost ya $20, and if you wish to buy a corporate license then this will cost ya a cool $1000!!! Way too much for a 'basic' program that is even simpler than windoz own Wav Player!
Back to the task in hand...
Run Audition for Windows and once you've had a play with it and seen all there is to see about this program (should take you about 5 seconds!) go directly into the 'Registration Screen' and fill in YOUR user details, don't be lame by using my registration codes..
1. When you've done this fire up Softice by pressing CTRL-D.
2. Type: bpx getdlgitemtexta then x to leave Softice.
3. Click on the 'OK' button.
4. Softice now breaks at the beginning of the System Function GetDlgItemTextA.
5. Press 'F11' once and you will arrive here, in Audition's code.
:00407DCA FFD5            call ebp                     ;Call GetDlgItemTextA
:00407DCC 6A32            push 00000032                ;We land here
:00407DCE 53              push ebx                     ;ebx = Your Organization Name
:00407DCF 6A66            push 00000066                ;Save value 66
:00407DD1 57              push edi                     ;Save register edi
:00407DD2 FFD5            call ebp                     ;Call GetDlgItemTextA
:00407DD4 8D442410        lea eax, dword ptr [esp+10]
:00407DD8 6800010000      push 00000100
:00407DDD 50              push eax
:00407DDE 6A67            push 00000067
:00407DE0 57              push edi
:00407DE1 FFD5            call ebp
:00407DE3 8D442410        lea eax, dword ptr [esp+10]  ;eax = Your serial #
:00407DE7 50              push eax
:00407DE8 E8436C0000      call 0040EA30
:00407DED 83C404          add esp, 00000004
:00407DF0 8BE8            mov ebp, eax
:00407DF2 6824884100      push 00418824                ;="Gregory Braun"
:00407DF7 56              push esi                     ;esi = Your User Name
:00407DF8 FF15EC154200    Call KERNEL32.lstrcmpA
:00407DFE 85C0            test eax, eax
:00407E00 7524            jne 00407E26                 ;Beggar off cracker
:00407E02 6810884100      push 00418810                ;="Software by Design"
:00407E07 53              push ebx
:00407E08 FF15EC154200    Call KERNEL32.lstrcmpA
:00407E0E 85C0            test eax, eax
:00407E10 7514            jne 00407E26                 ;Beggar off cracker
:00407E12 81FD8D030000    cmp ebp, 0000038D
:00407E18 750C            jne 00407E26                 ;Beggar off cracker

;This section of code HAS to be executed if we are to get this program
;properly *registered*, if we skip over this section then the patch won't
;work.
:00407E1A 53              push ebx
:00407E1B 56              push esi
:00407E1C E80F510000      call 0040CF30
:00407E21 83C408          add esp, 00000008
:00407E24 8BE8            mov ebp, eax

;If we allow the program to jump directly here, missing the above 5 lines
;of code then our patch won't work.
:00407E26 53              push ebx
:00407E27 56              push esi
:00407E28 E803510000      call 0040CF30
:00407E2D 83C408          add esp, 00000008
:00407E30 3BC5            cmp eax, ebp
:00407E32 741E            je 00407E52                  ;Jump IF serial is valid
:00407E34 68CFEA0000      push 0000EACF
:00407E39 6888130000      push 00001388
:00407E3E 57              push edi
:00407E3F E86C0F0000      call 00408DB0
:00407E44 83C40C          add esp, 0000000C
:00407E47 5D              pop ebp
:00407E48 5F              pop edi
:00407E49 5E              pop esi
:00407E4A 5B              pop ebx
:00407E4B 81C400010000    add esp, 00000100
:00407E51 C3              ret

;If serial is valid then come here...
:00407E52 896E64          mov dword ptr [esi+64], ebp
:00407E55 EB07            jmp 00407E5E
:00407E57 8BBC2414010000  mov edi, dword ptr [esp+00000114]
:00407E5E 6A68            push 00000068
:00407E60 57              push edi
:00407E61 FF1584164200    Call dword ptr [00421684]    ;Do FINAL check.
                                                       ;If our serial No is invalid then
                                                       ;this call returns:
                                                       ;eax =00000001 meaning invalid.
                                                       ;eax =FFFFFFFF meaning valid.
:00407E67 5D              pop ebp
:00407E68 83F801          cmp eax, 00000001
:00407E6B 1BC0            sbb eax, eax                 ;sub eax with itself
:00407E6D 5F              pop edi
:00407E6E 40              inc eax                      ;If our serial was invalid then this
                                                       ;instruction now makes eax=1 (Invalid)
                                                       ;else if serial ok then eax=0 (valid)
:00407E6F 894668          mov dword ptr [esi+68], eax  ;Save results in the
                                                       ;Shareware/Reg Flag
Looking at the above code snippet we can clearly see that two patches are required to this program so that it will always be registered, regardless of what serial number we type in.
The first patch will be at:
:00407E00 7524 jne 00407E26 ;Beggar off cracker
This is where the program does its first check of our User Details, so we want to change this instruction into a jmp 00407E5 instead. That's where a particular section of code must be called if we are to successfully patch this program.
The second patch we need to do is on the second serial number check, the one that *could* catch out many newbies, where it increases the value of the eax register by one then saves this result into the memory location treated by the program as the Shareware/Register Flag.
:00407E6E 40 inc eax ;We need to NOP out this instruction.
Now some of you might be saying, well what about when we run the program, won't it disregard our fake serial number? The answer is NO.. For reasons unknown, the programmers have programmed this software so that it ALWAYS saves the *REAL* serial number instead of the one typed in by the User, so even if you register this program with twenty '0's the program will save the *real* serial to the System registry file and NOT your twenty '0's!
Job Done.
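Seen from the vendor's side, the behaviour described above (the registry always receiving the *real* serial) is what makes one changed in-memory comparison permanent. The following C program is an added example, not code from Audition or from the original essay: expected_serial is a hypothetical FNV-1a stand-in for the program's serial routine, struct reg_store stands in for the Registration registry key, and all names and sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the Registration registry key (constructed for this example). */
struct reg_store { char user[64]; char org[64]; uint32_t code; };

/* Hypothetical serial routine: FNV-1a over both fields, NOT the program's algorithm. */
static uint32_t expected_serial(const char *user, const char *org) {
    uint32_t h = 2166136261u;
    for (const char *p = user; *p; p++) h = (h ^ (uint8_t)*p) * 16777619u;
    for (const char *p = org; *p; p++) h = (h ^ (uint8_t)*p) * 16777619u;
    return h;
}

static void save(struct reg_store *s, const char *user, const char *org, uint32_t code) {
    snprintf(s->user, sizeof s->user, "%s", user);
    snprintf(s->org, sizeof s->org, "%s", org);
    s->code = code;
}

/* Weak: the accept path persists the value the program computed itself, so
   whatever reaches this path leaves a valid record behind. */
static void persist_weak(struct reg_store *s, const char *u, const char *o, uint32_t entered) {
    (void)entered;                       /* the typed serial is never stored */
    save(s, u, o, expected_serial(u, o));
}
/* Hardened: persist only what the user actually typed. */
static void persist_hardened(struct reg_store *s, const char *u, const char *o, uint32_t entered) {
    save(s, u, o, entered);
}

/* Start-up check: re-derive the serial from the stored fields and compare. */
static int startup_is_registered(const struct reg_store *s) {
    return s->code == expected_serial(s->user, s->org);
}
/* 'accepted' models the in-memory comparison result, which cannot be trusted
   once the executable has been modified. Returns the next start-up verdict. */
int next_start(int hardened, int serial_ok, int accepted) {
    const char *u = "Alice Example", *o = "Example Org";   /* constructed */
    uint32_t entered = expected_serial(u, o) ^ (serial_ok ? 0u : 1u);
    struct reg_store s = {0};
    if (accepted) (hardened ? persist_hardened : persist_weak)(&s, u, o, entered);
    return startup_is_registered(&s);
}

int main(void) {
    printf("weak=%d hardened=%d genuine=%d\n", next_start(0, 0, 1), next_start(1, 0, 1), next_start(1, 1, 1));
    return 0;
}
```

Re-validating stored input at start-up only narrows the problem: any check that runs entirely on the client can still be altered, which is why vendors move validation to signed license files or a server.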
Ripping off software through serials and cracks is for lamers..
If you're looking for cracks or serial numbers from these pages then you're wasting your time, try searching elsewhere on the Web under Warze, Cracks etc.