1999
'Patching again'
Win Code Reversing

Program Name:     cdrdiag.exe
Program Type:     cd-rom utility
Program Location: Here
Program Size:     508kb

Tools Used:
Softice V3.25 - Win'95 Debugger
W32Dasm V8.93 - Win'95 Disassembler
The author of CD-R Diagnostic v1.4.5 says:

The CD-R Diagnostic program is designed to assist in determining the contents of a CD-ROM or CD-R. It has several useful displays that provide substantially more information than Windows 95 or many CD mastering programs. More importantly, it gives you the ability to examine all of the sessions on a multi-session disc without requiring additional software. For CD-RW discs this program provides some data recovery capability. If you have a CD-RW disc with inaccessible files, CD-R Diagnostic may be able to access them where other programs cannot.
This protection routine checks only the last part of the registration key, which made me think that the first part is something permanent. But who cares, we are going to patch the program to accept any code :)

The program keeps its settings in the registry:
HKCU\Software\CDROM_Productions\CDRDAG\Registration "code/name"

In our case the *fake* details will be stored there, and we will make the program think they are the *real* ones :)
Create a dead listing with W32Dasm; in it you can find the "Thank you" message:

* Possible Reference to String Resource ID=00137: "Registration: %s Thank you for registering."

:00401285 6889000000              push 00000089
:0040128A FF3540CE4200            push dword ptr [0042CE40]

This message does not concern us, it only shows on the 'about' screen. When registering, no message shows up at all.
What we will do now is run the program, go into the Help/Enter Registration screen and type 'abcdef' as the name and '22334455' as the code. Before you hit 'OK', set up Softice to break with 'bpx getdlgitemtexta', then 'x' to leave it. Hit the 'OK' button and Softice pops up; type 'x' once and it pops up a second time. Press 'F11' once, and we are here:
* Reference To: USER32.GetDlgItemTextA, Ord:00F5h

:0040D7E2 FF15A0F74200            Call dword ptr [0042F7A0]
:0040D7E8 53                      push ebx                      ; we land here
:0040D7E9 E890D9FFFF              call 0040B17E
:0040D7EE 59                      pop ecx
:0040D7EF 53                      push ebx
:0040D7F0 E8B1FEFFFF              call 0040D6A6                 ; interesting call
:0040D7F5 59                      pop ecx
:0040D7F6 894510                  mov dword ptr [ebp+10], eax
:0040D7F9 6843CC4200              push 0042CC43
:0040D7FE E8ED810000              call 004159F0
:0040D803 59                      pop ecx
:0040D804 99                      cdq
:0040D805 B9A0860100              mov ecx, 000186A0
:0040D80A F7F9                    idiv ecx
:0040D80C 395510                  cmp dword ptr [ebp+10], edx   ; check this !!
:0040D80F 7536                    jne 0040D847
Keep pressing 'F10' until you land on location 0040D80C. Type 'd edx': it contains the hex value 8697; type '? 8697' and its decimal value is 34455, the last characters of our fake code. Now check what it is compared with: type 'd ebp+10'. This address contains the hex value 2040, shown byte-reversed (little-endian) in the dump; type '? 2040' and its decimal value is 8256. So the program checks only the last digits of the code (ecx holds 186A0h = 100000, so edx is the code modulo 100000). Type 'x' to leave, replace the '34455' with '8256' and hit 'OK'. After the break, keep pressing 'F10' until you are over the

cmp dword ptr [ebp+10], edx

again; now it will not jump.

At this point I was sure that the check for the first part of the code would come next, but no: the program stores our name and fake code in the registry.
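Added example, not from the original tutorial: a small Python model of the comparison that the listing above performs, written so that the two debugger observations can be reproduced offline. It assumes that call 004159F0 behaves like C atol() on the code buffer (the tutorial does not name that routine), and it takes the name-derived value returned by call 0040D6A6 as an opaque integer read from the 'd ebp+10' dump rather than recomputing it. The helper reproduces x86 idiv's signed-remainder rule, which Python's % operator does not follow, and decodes the byte-reversed dump.

```python
# Added example (not part of the original tutorial): a model of the code
# check at 0040D7F9..0040D80F as the tutorial describes it.
# Assumptions: call 004159F0 is treated as C atol() on the code string, and
# the value call 0040D6A6 returns for the name is an opaque integer taken
# from the debugger dump.

DIVISOR = 0x186A0  # mov ecx, 000186A0  -> 100000 decimal


def c_atol(text: str) -> int:
    """Minimal atol(): skip leading blanks, optional sign, then digits, and
    stop at the first non-digit. This is the assumed behaviour of 004159F0."""
    i, sign, value = 0, 1, 0
    while i < len(text) and text[i] in " \t":
        i += 1
    if i < len(text) and text[i] in "+-":
        sign = -1 if text[i] == "-" else 1
        i += 1
    while i < len(text) and text[i].isdigit():
        value = value * 10 + int(text[i])
        i += 1
    return sign * value


def x86_idiv_remainder(dividend: int, divisor: int) -> int:
    """Remainder left in edx by `cdq; idiv ecx` for a signed 32-bit dividend.

    idiv truncates the quotient toward zero, so the remainder keeps the sign
    of the dividend. Python's % rounds toward minus infinity instead, so a
    negative dividend would be modelled wrongly without this helper."""
    quotient = abs(dividend) // abs(divisor)
    if (dividend < 0) != (divisor < 0):
        quotient = -quotient
    return dividend - quotient * divisor


def le_dump_to_int(dump: str) -> int:
    """Read a Softice 'd' byte dump such as "40 20 00 00" as one little-endian
    dword: this is the tutorial's "2040 but in reverse order"."""
    data = bytes.fromhex(dump.replace(" ", ""))
    return int.from_bytes(data, "little", signed=True)


def code_passes_check(code: str, name_value: int) -> bool:
    """cmp dword ptr [ebp+10], edx ; jne 0040D847 -- only the remainder of the
    numeric code modulo 100000 is ever compared with the name-derived value."""
    return x86_idiv_remainder(c_atol(code), DIVISOR) == name_value


if __name__ == "__main__":
    name_value = le_dump_to_int("40 20 00 00")  # constructed dump, decodes to 8256
    print(hex(x86_idiv_remainder(c_atol("22334455"), DIVISOR)))  # 0x8697 (34455)
    print(code_passes_check("22334455", name_value))  # False: 34455 != 8256
    print(code_passes_check("8256", name_value))      # True, as in the tutorial
    print(code_passes_check("22308256", name_value))  # True: same last five digits
```

The point the model makes explicit is that everything before the last five decimal digits is discarded by the idiv, so the comparison can distinguish at most 100000 different codes regardless of how long the key is.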
:0040D811 6800784200              push 00427800
:0040D816 56                      push esi
:0040D817 FF1538F64200            Call dword ptr [0042F638]
:0040D81D 53                      push ebx
:0040D81E 56                      push esi
:0040D81F FF1538F64200            Call dword ptr [0042F638]
:0040D825 56                      push esi
:0040D826 68F0774200              push 004277F0
:0040D82B E8CF0F0000              call 0040E7FF                 ; prepare registry settings
:0040D830 59                      pop ecx
:0040D831 50                      push eax
:0040D832 E871690000              call 004141A8                 ; saves in registry
:0040D837 59                      pop ecx
OK, so the program now thinks that the code is right, and has stored it in the registry. Did you notice the comment above:

:0040D7F0 E8B1FEFFFF              call 0040D6A6                 ; interesting call

This call is called from two places: once when we entered the code, and the second is probably when running the program, to check if it is registered:
* Referenced by a CALL at Addresses:
|:0040D689, :0040D7F0
|
:0040D6A6 56                      push esi
:0040D6A7 8B742408                mov esi, dword ptr [esp+08]
:0040D6AB 33C0                    xor eax, eax
We will take a look at the second one:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D681(C)
|
:0040D684 8B4508                  mov eax, dword ptr [ebp+08]
:0040D687 40                      inc eax
:0040D688 50                      push eax
:0040D689 E818000000              call 0040D6A6                 ; interesting call again
:0040D68E 3BF0                    cmp esi, eax
:0040D690 59                      pop ecx
:0040D691 7505                    jne 0040D698
:0040D693 6A01                    push 00000001                 ; mark as registered
:0040D695 58                      pop eax
:0040D696 EB09                    jmp 0040D6A1
To check it, re-run the program. Hey, did you notice that the 'about' screen popped up for one second showing our fake registration info? I think it's a bug...

Enter the name and code again, and when Softice breaks, disable our previous breakpoints with 'bd *' and set up a new one: 'bpx 0040d689'. Type 'x', exit the program, and re-run. Now we break on the call. Press 'F10' and we can see that after the

cmp esi, eax

the program will jump at jne 0040D698. Type 'r eip=40d693' and 'x': the program continues on the next line without jumping. Do you see the "push 00000001"? This tells the program that it is registered. Take a look at the 'about' screen...

Those are the two places where we need to patch the program: one to make it think that the code entered is the correct one, and the other for the code being read from the registry. That's it, job done.
|
Load up Crdiag.exe into your Hex-Editor
( I use hexWorkshop-32).
Our name is already in the registry, so
this is the only change needed :
SEARCH FOR THE FOLLOWING BYTES
: F7F93955107536
REPLACE WITH HIGHLIGHTED
BYTES : F7F93955109090
SEARCH FOR THE FOLLOWING BYTES
: 75056A0158EB09
REPLACE WITH HIGHLIGHTED
BYTES : 75056A01589090
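Added example, not part of the original tutorial: a Python integrity check, written from the defender's side, that searches a binary image for the two byte sequences listed above and reports for each site whether it still carries the original bytes or the NOP'd variant. The sample images at the bottom are constructed (the sequences embedded in filler), not extracts of cdrdiag.exe; scan_file() applies the same check to a real file.

```python
# Added example (not part of the original tutorial): tamper detection for the
# two check sites, using only the byte sequences the tutorial lists.
from __future__ import annotations

from dataclasses import dataclass

# (label, original bytes, patched bytes) exactly as listed in the hex-editor
# step. In both patched variants the last two bytes of a jump instruction
# have been replaced by 90 90 (NOP NOP).
SITES = [
    ("code entry check  @ 0040D80A (idiv/cmp/jne)",
     bytes.fromhex("F7F93955107536"), bytes.fromhex("F7F93955109090")),
    ("registry re-check @ 0040D691 (jne/push 1/pop eax/jmp)",
     bytes.fromhex("75056A0158EB09"), bytes.fromhex("75056A01589090")),
]


@dataclass
class SiteStatus:
    name: str
    status: str  # "original", "patched", "missing" or "ambiguous"
    offset: int  # file offset of the first match, -1 if none


def classify_site(image: bytes, name: str, original: bytes, patched: bytes) -> SiteStatus:
    """Decide which variant of one check site a binary image carries."""
    n_orig, n_pat = image.count(original), image.count(patched)
    if n_orig == 1 and n_pat == 0:
        return SiteStatus(name, "original", image.find(original))
    if n_pat == 1 and n_orig == 0:
        return SiteStatus(name, "patched", image.find(patched))
    if n_orig == 0 and n_pat == 0:
        return SiteStatus(name, "missing", -1)
    # Several hits, or both variants present: a 7-byte pattern is short enough
    # to recur in a large image, so report it rather than guess.
    first = [i for i in (image.find(original), image.find(patched)) if i >= 0]
    return SiteStatus(name, "ambiguous", min(first))


def scan_image(image: bytes) -> list[SiteStatus]:
    return [classify_site(image, *site) for site in SITES]


def is_tampered(image: bytes) -> bool:
    """True unless every known site is present exactly once in original form."""
    return any(s.status != "original" for s in scan_image(image))


def scan_file(path: str) -> list[SiteStatus]:
    with open(path, "rb") as f:
        return scan_image(f.read())


# Constructed sample images (not real binaries): the sequences embedded in
# filler bytes so the scanner has something to run on offline.
_FILLER = b"\xCC" * 16
CLEAN_IMAGE = _FILLER + SITES[0][1] + _FILLER + SITES[1][1] + _FILLER
PATCHED_IMAGE = _FILLER + SITES[0][2] + _FILLER + SITES[1][2] + _FILLER
HALF_PATCHED_IMAGE = _FILLER + SITES[0][1] + _FILLER + SITES[1][2] + _FILLER

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("patched", PATCHED_IMAGE)):
        print(label, "tampered:", is_tampered(img))
        for s in scan_image(img):
            print(f"  {s.status:9} at 0x{s.offset:04X}  {s.name}")
```

The "ambiguous" status matters on a real file: seven bytes is not a unique signature, so a match count other than one is reported instead of being treated as proof either way. A vendor would normally pair such a check with a hash of the whole code section rather than rely on known patch patterns alone.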
REMEMBER, I'm doing my cracks as a hobby and a challenge, so please, if you like this utility and want to keep using it, support the author and pay for it.
My thanks and gratitude go to:
The Sandman, for all he is doing for us newbies.
Rhayader, for helping me with Reverse Code Engineering and useful tips.
All the reversers from the newbies forum, without whom we couldn't be here.