Jun 1999
"TotalRecorder v2.0"
( 'Think it is registered' )
Win '95 PROGRAM
Win Code Reversing

by The Snake

Code Reversing For Beginners

Program Details
Program Name: totrec20.zip
Program Type: Multimedia utility 
Program Location: Here
Program Size: 506kb

 
 
   
Tools Used:
Softice V3.25 - Win'95 Debugger
W32Dasm V8.93 - Win'95 Disassembler
 
Rating
Easy (X)  Medium (  )  Hard (    )  Pro (    )

Introduction

The author of TotalRecorder v2.0 says:

Total Recorder represents a new generation of sound recording programs. It
can record sound being played by other sound players, either from a file or
from the Internet. It can also record conventional audio from CD's,
microphone and other lines on a sound card.
The evaluation version is fully functional except that your recordings
are limited to 40 seconds each.
 
About this protection system

This protection routine checks the registration key, but I didn't find where it creates the
real one.
Since I couldn't find the real one, I decided to crack it by fooling the program into "thinking"
it's registered.
Usually, when the key entered is the correct one, the program needs to signal to itself
that it is registered. This is usually done by moving 0 or 1 into one of the registers;
that register is checked later on, and the decision follows from it.
We will see how this is done, and how it is checked later, when the program is re-run.

The program keeps its settings in the registry:

HKCU\Software\HighCriteria\TotalRecorder\RegKey
HKCU\Software\HighCriteria\TotalRecorder\RegName

In our case, the *fake* details will be there, and we will make the program think
that they are the *real* ones :)
 
The Essay

Create a dead listing with W32Dasm; in it you can find the "wrong key" message:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040623A(C), :0040624A(C)
|
:004062A9 6A00                    push 00000000
:004062AB 6A45                    push 00000045
:004062AD 6A01                    push 00000001

* Possible Reference to String Resource ID=61216: "Invalid name or registration key"
                                  |
:004062AF 6820EF0000              push 0000EF20
:004062B4 E8F7AF0000              call 004112B0

We can see that we get here from 2 locations: 0040623A and 0040624A.
Run TotalRecorder and go to the Help/Registration menu.
Type in your name and registration key, but before you hit 'OK', set up Softice
to break with 'bpx getwindowtexta', and 'x'.
Hit the 'OK' button and SI pops up; type x once, and SI pops up a 2nd time.
Press 'F11' once, and we are here:

:00439031 FF1570344400      Call dword ptr [00443470]  ; getwindowtexta
:00439037 8B4D10            mov ecx, dword ptr [ebp+10]
:0043903A 6AFF              push FFFFFFFF
:0043903C E89491FFFF        call 004321D5
:00439041 EB0B              jmp 0043904E

Since we know that we entered the wrong key, we want to set up new breakpoints
at the locations we saw above, to see why we jump there.
Disable the previous bpx (bd *) and set up 2 new ones: 'bpx 0040623A' & 'bpx 0040624A',
and type x to leave SI. SI breaks on the first one:

:00406230 8B4E5C            mov ecx, dword ptr [esi+5C]
:00406233 8D5E5C            lea ebx, dword ptr [esi+5C]
:00406236 8379F827          cmp dword ptr [ecx-08], 00000027
:0040623A 756D              jne 004062A9                 ; we land here
:0040623C 6A00              push 00000000

The protection routine is checking whether the length of our key is equal to 27h, which is
a length of 39 characters in decimal. We know that it isn't, so type 'r fl z' to flip the
zero flag so we will not jump from here. Type x and we break on the 2nd bpx:

:0040623F 50                push eax
:00406240 E83BA60000        call 00410880
:00406245 83C40C            add esp, 0000000C
:00406248 85C0              test eax, eax
:0040624A 755D              jne 004062A9                 ; we land here
:0040624C E883730300        call 0043D5D4
:00406251 8B4004            mov eax, dword ptr [eax+04]
:00406254 57                push edi

Take a look at register EAX: it contains 00000001. The program checks whether EAX = 0
(test eax, eax); if not, it jumps to 004062A9 (the "wrong key" message).
The call 00410880 performs the checks on the registration key; if it's the *real* one, EAX
gets the value 0, else 1. Type 'r fl z' to flip the zero flag so we will not jump
from here. Type x and we don't get any message. At this point, our name and "fake" key
are in the registry. Go to Help/About and see that it is registered to your name.
But we are not done yet. If you re-run the program, you will see that it's not
registered. The program checks the information from the registry and decides
that it's a *fake* key. The checks are done in here: call 00410880
In our deadlist it looks like this :

* Referenced by a CALL at Addresses:
|:00406240   , :00411B68
|
:00410880 83EC40         sub esp, 00000040
:00410883 53             push ebx
:00410884 55             push ebp
:00410885 56             push esi

It gets called from 2 places: 00406240 is where the entered key gets checked,
and the other place is 00411B68, which is when we start TotalRecorder.

To check it, set a new bpx 00411b68 and re-run TotalRecorder.
When SI breaks, type a to change to assembly mode, type mov eax,00
and press enter twice, then x to leave. Now you can see that it is registered.
Instead of going into that call and returning with 1 in EAX, we put
0 in EAX, which means that the key is OK and the program is registered.
 
The Patches

Load TotalRecorder.exe into your hex editor (I use Hex Workshop 32).
Our name is already in the registry, so this is the only change needed:

SEARCH FOR THE FOLLOWING BYTES : 51E813EDFFFF8B
REPLACE WITH HIGHLIGHTED BYTES : 51B8000000008B
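The search and replace strings above are only 7 bytes each, and they are tied to the deadlist by the x86 encoding of a near call: E8 followed by a signed 32-bit displacement from the address of the next instruction. The script below is an added example, not part of the original essay and not code from the program's author. It rebuilds a constructed stand-in for the code section (NOP padding with the two call encodings quoted from the deadlist placed at their listed addresses), decodes the E8 displacement to confirm that the call in the search bytes really lands on 00410880, checks that the replacement is a same-length mov eax, 0, and then shows what a defender can see afterwards: the check routine loses one of its two callers, and a SHA-256 of the image no longer matches the known-good value. The image layout, padding and hash are constructed for the example; only the addresses and byte strings come from the essay.

```python
import hashlib
import struct

# Addresses and byte strings below are the ones quoted in the essay's deadlist
# and patch section. Everything else (the padding, the layout of the image) is
# constructed for this example and is not a copy of TotalRecorder.exe.
CHECK_ROUTINE = 0x00410880                   # call 00410880, the key-check routine
EXPECTED_CALLERS = [0x00406240, 0x00411B68]  # the two call sites W32Dasm lists
SEARCH_BYTES = bytes.fromhex("51E813EDFFFF8B")
REPLACE_BYTES = bytes.fromhex("51B8000000008B")

IMAGE_BASE = 0x00406230
IMAGE_SIZE = 0x00411B70 - IMAGE_BASE         # just enough to hold both call sites


def build_image() -> bytearray:
    """Constructed stand-in for the code section: NOP padding with the two
    call encodings from the deadlist placed at their listed addresses."""
    image = bytearray(b"\x90" * IMAGE_SIZE)
    # :00406240 E83BA60000  call 00410880
    image[0x00406240 - IMAGE_BASE:0x00406245 - IMAGE_BASE] = bytes.fromhex("E83BA60000")
    # :00411B68 call 00410880, with the neighbouring push/mov bytes from the search string
    image[0x00411B67 - IMAGE_BASE:0x00411B6E - IMAGE_BASE] = SEARCH_BYTES
    return image


def call_target(image: bytes, base: int, offset: int):
    """Decode an E8 rel32 near call at image[offset]; return its absolute target
    or None. The target is the address of the next instruction plus the signed
    displacement, which is why the backwards call 00411B68 -> 00410880 shows up
    as the FFFFED13 in the search bytes."""
    if offset + 5 > len(image) or image[offset] != 0xE8:
        return None
    rel = struct.unpack_from("<i", image, offset + 1)[0]
    return base + offset + 5 + rel


def callers_of(image: bytes, base: int, target: int) -> list:
    """Linear byte scan for calls that land on `target`. This is not a
    disassembler: on a real binary an E8 inside data or an immediate can give
    a false hit, so treat the result as candidates to confirm in the listing."""
    return [base + off for off in range(len(image))
            if call_target(image, base, off) == target]


def decode_mov_eax_imm32(chunk: bytes):
    """Return the immediate of a B8 imm32 (mov eax, imm32) encoding, or None."""
    if len(chunk) != 5 or chunk[0] != 0xB8:
        return None
    return struct.unpack("<I", chunk[1:])[0]


def check_patch_consistency(image, base, search, replace, routine) -> dict:
    """Cross-check a published search/replace pair against the deadlist:
    the search bytes occur once, both strings are the same length (so no
    following instruction is shifted), the E8 inside the search string really
    calls the check routine, and the replacement decodes as mov eax, 0."""
    n = len(search)
    hits = [i for i in range(len(image) - n + 1) if image[i:i + n] == search]
    result = {"unique_match": len(hits) == 1, "same_length": n == len(replace)}
    if result["unique_match"]:
        e8 = search.index(0xE8)            # the call is the E8 inside the search bytes
        off = hits[0] + e8
        result["call_site"] = base + off
        result["call_hits_check_routine"] = call_target(image, base, off) == routine
        result["replacement_is_mov_eax_0"] = decode_mov_eax_imm32(replace[e8:e8 + 5]) == 0
    return result


def apply_hex_patch(image: bytes, search: bytes, replace: bytes) -> bytes:
    """Same-length search/replace, which is all a hex editor does."""
    if len(search) != len(replace):
        raise ValueError("search and replace must be the same length")
    return bytes(image).replace(search, replace, 1)


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(bytes(image)).hexdigest()


def integrity_ok(image: bytes, known_good_sha256: str) -> bool:
    """The check a program (or an analyst) can make against a known-good
    digest: any byte patch, this one included, changes it."""
    return sha256_hex(image) == known_good_sha256


if __name__ == "__main__":
    original = build_image()
    good = sha256_hex(original)
    print("callers before:", [hex(a) for a in callers_of(original, IMAGE_BASE, CHECK_ROUTINE)])
    print("patch check:", check_patch_consistency(original, IMAGE_BASE, SEARCH_BYTES,
                                                  REPLACE_BYTES, CHECK_ROUTINE))
    patched = apply_hex_patch(original, SEARCH_BYTES, REPLACE_BYTES)
    print("callers after:", [hex(a) for a in callers_of(patched, IMAGE_BASE, CHECK_ROUTINE)])
    print("integrity ok after patch:", integrity_ok(patched, good))
```

The displacement arithmetic is the part worth keeping in mind: 00411B68 + 5 + FFFFED13 (signed, -12EDh) = 00410880, and 00406240 + 5 + 0000A63B = 00410880, so both call sites in the deadlist decode to the same routine from nothing but their bytes. The same-length check matters because a replacement of a different size would shift the mov at 00411B6D and everything after it.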

REMEMBER, I'm doing my cracks as a hobby and a challenge, so please, if you like
this utility and want to keep using it, support the author and pay for it.
 
Final Notes

There is no need to find the *real* serial/key; there are a few ways to fool the
protection routine into thinking that the key is the right one :)

My thanks and gratitude go to:

The Sandman, for all that he is doing for us newbies.

Rhayader, for helping me with Reverse Code Engineering and useful tips.




Essay by: The Snake
Page Created: 28th Jun 1999