0061C335 . 6A 00 PUSH 0
0061C337 . 68 3F000F00 PUSH 0F003F
0061C33C . 6A 00 PUSH 0
0061C33E . 68 3325BB00 PUSH WCEval.00BB2533
0061C343 . 6A 00 PUSH 0
0061C345 . 837D F8 00 CMP DWORD PTR SS:[EBP-8],0
0061C349 . 75 07 JNZ SHORT WCEval.0061C352
0061C34B . BA 3425BB00 MOV EDX,WCEval.00BB2534
0061C350 . EB 28 JMP SHORT WCEval.0061C37A
0061C352 > 837D F8 00 CMP DWORD PTR SS:[EBP-8],0
0061C356 . 74 1F JE SHORT WCEval.0061C377
0061C358 . 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
0061C35B . 0FB741 F6 MOVZX EAX,WORD PTR DS:[ECX-A]
0061C35F . 83F8 02 CMP EAX,2
0061C362 . 75 13 JNZ SHORT WCEval.0061C377
0061C364 . 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
0061C367 . E8 84881200 CALL WCEval.00744BF0
0061C36C . 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
0061C36F . 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
0061C372 . E8 F9A30E00 CALL WCEval.00706770
0061C377 > 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
0061C37A > 52 PUSH EDX ; |Subkey
0061C37B . 68 02000080 PUSH 80000002 ; |hKey = HKEY_LOCAL_MACHINE
0061C380 . E8 CDCF5000 CALL <JMP.&ADVAPI32.RegCreateKeyExA> ; \RegCreateKeyExA
0061C385 . 85C0 TEST EAX,EAX
0061C387 . 0F85 D9000000 JNZ WCEval.0061C466
; Look up the value "DFTE" under the registry key whose handle is held at [EBP-50]:
;   RegQueryValueExA(hKey, "DFTE", NULL, &type @EBP-58, data @EBP-15C, &size @EBP-54)
; NOTE(review): on entry the DWORD at [EBP-54] has to hold the capacity of the
; EBP-15C buffer; its initialisation is not visible in this excerpt - confirm.
0061C38D . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0061C390 . 51 PUSH ECX ; /pBufSize
0061C391 . 8D85 A4FEFFFF LEA EAX,DWORD PTR SS:[EBP-15C] ; |
0061C397 . 50 PUSH EAX ; |Buffer
0061C398 . 8D55 A8 LEA EDX,DWORD PTR SS:[EBP-58] ; |
0061C39B . 52 PUSH EDX ; |pValueType
0061C39C . 6A 00 PUSH 0 ; |Reserved = NULL
0061C39E . 68 3525BB00 PUSH WCEval.00BB2535 ; |ValueName = "DFTE"
0061C3A3 . 8B4D B0 MOV ECX,DWORD PTR SS:[EBP-50] ; |
0061C3A6 . 51 PUSH ECX ; |hKey
0061C3A7 . E8 C4CF5000 CALL <JMP.&ADVAPI32.RegQueryValueExA> ; \RegQueryValueExA
; EAX == 0 (ERROR_SUCCESS): the value already exists, so skip the write and go to 0061C405.
; NOTE(review): every non-zero status, not only "value not found", falls through to
; the write below; an ERROR_MORE_DATA or transient failure would overwrite an existing DFTE.
0061C3AC . 85C0 TEST EAX,EAX
0061C3AE . 74 55 JE SHORT WCEval.0061C405
; Query did not succeed: fetch the current system time (GetSystemTime reports UTC).
; SYSTEMTIME @EBP-16C: wYear at EBP-16C, wMonth at EBP-16A, wDay at EBP-166.
0061C3B0 . 8D85 94FEFFFF LEA EAX,DWORD PTR SS:[EBP-16C]
0061C3B6 . 50 PUSH EAX ; /pSystemTime
0061C3B7 . E8 C4D15000 CALL <JMP.&KERNEL32.GetSystemTime> ; \GetSystemTime
; Caller-cleaned call (ADD ESP,14) to 00A30564 with
;   (buf @EBP-D0, "%ld:%ld:%ld", wYear, wMonth, wDay), each WORD zero-extended to 32 bits.
; NOTE(review): looks like a sprintf-style formatter that returns the character
; count - confirm at 00A30564; no destination size is passed to it.
0061C3BC . 0FB795 9AFEFFF>MOVZX EDX,WORD PTR SS:[EBP-166]
0061C3C3 . 52 PUSH EDX ; /Arg5
0061C3C4 . 8D95 30FFFFFF LEA EDX,DWORD PTR SS:[EBP-D0] ; |
0061C3CA . 0FB78D 96FEFFF>MOVZX ECX,WORD PTR SS:[EBP-16A] ; |
0061C3D1 . 51 PUSH ECX ; |Arg4
0061C3D2 . 0FB785 94FEFFF>MOVZX EAX,WORD PTR SS:[EBP-16C] ; |
0061C3D9 . 50 PUSH EAX ; |Arg3
0061C3DA . 68 3A25BB00 PUSH WCEval.00BB253A ; |Arg2 = 00BB253A ASCII "%ld:%ld:%ld"
0061C3DF . 52 PUSH EDX ; |Arg1
0061C3E0 . E8 7F414100 CALL WCEval.00A30564 ; \WCEval.00A30564
0061C3E5 . 83C4 14 ADD ESP,14
; BufSize = returned value + 1, so the terminating NUL is stored with the text.
; The string is written with type 3 (REG_BINARY) rather than a string type.
; The status returned by RegSetValueExA is never tested: a failed write goes unnoticed.
0061C3E8 . 40 INC EAX
0061C3E9 . 50 PUSH EAX ; /BufSize
0061C3EA . 8D95 30FFFFFF LEA EDX,DWORD PTR SS:[EBP-D0] ; |
0061C3F0 . 52 PUSH EDX ; |Buffer
0061C3F1 . 6A 03 PUSH 3 ; |ValueType = REG_BINARY
0061C3F3 . 6A 00 PUSH 0 ; |Reserved = 0
0061C3F5 . 68 4625BB00 PUSH WCEval.00BB2546 ; |ValueName = "DFTE"
0061C3FA . 8B4D B0 MOV ECX,DWORD PTR SS:[EBP-50] ; |
0061C3FD . 51 PUSH ECX ; |hKey
0061C3FE . E8 79CF5000 CALL <JMP.&ADVAPI32.RegSetValueExA> ; \RegSetValueExA
0061C403 . EB 05 JMP SHORT WCEval.0061C40A
; Reached only when the DFTE query succeeded: EBX = 1 records that the value was
; already present (EBX is tested later, at 0061C4E9). Its value on the other path
; is set outside this excerpt.
0061C405 > BB 01000000 MOV EBX,1
; Both paths from the DFTE check arrive here (JMP at 0061C403, fall-through from
; 0061C405), so the "DLTE" value is rewritten on every pass through this code.
; The time is fetched again into the SYSTEMTIME at EBP-16C (GetSystemTime reports UTC).
0061C40A > 8D85 94FEFFFF LEA EAX,DWORD PTR SS:[EBP-16C]
0061C410 . 50 PUSH EAX ; /pSystemTime
0061C411 . E8 6AD15000 CALL <JMP.&KERNEL32.GetSystemTime> ; \GetSystemTime
; Same formatting sequence as at 0061C3BC: 00A30564(buf @EBP-D0, "%ld:%ld:%ld",
; wYear @EBP-16C, wMonth @EBP-16A, wDay @EBP-166), caller pops 0x14 bytes.
; NOTE(review): presumably sprintf-style, returning the character count - confirm at 00A30564.
0061C416 . 0FB795 9AFEFFF>MOVZX EDX,WORD PTR SS:[EBP-166]
0061C41D . 52 PUSH EDX ; /Arg5
0061C41E . 8D95 30FFFFFF LEA EDX,DWORD PTR SS:[EBP-D0] ; |
0061C424 . 0FB78D 96FEFFF>MOVZX ECX,WORD PTR SS:[EBP-16A] ; |
0061C42B . 51 PUSH ECX ; |Arg4
0061C42C . 0FB785 94FEFFF>MOVZX EAX,WORD PTR SS:[EBP-16C] ; |
0061C433 . 50 PUSH EAX ; |Arg3
0061C434 . 68 4B25BB00 PUSH WCEval.00BB254B ; |Arg2 = 00BB254B ASCII "%ld:%ld:%ld"
0061C439 . 52 PUSH EDX ; |Arg1
0061C43A . E8 25414100 CALL WCEval.00A30564 ; \WCEval.00A30564
0061C43F . 83C4 14 ADD ESP,14
; Store the formatted text (returned value + 1 bytes, NUL included) as REG_BINARY
; under "DLTE". The status returned by RegSetValueExA is not tested.
0061C442 . 40 INC EAX
0061C443 . 50 PUSH EAX ; /BufSize
0061C444 . 8D95 30FFFFFF LEA EDX,DWORD PTR SS:[EBP-D0] ; |
0061C44A . 52 PUSH EDX ; |Buffer
0061C44B . 6A 03 PUSH 3 ; |ValueType = REG_BINARY
0061C44D . 6A 00 PUSH 0 ; |Reserved = 0
0061C44F . 68 5725BB00 PUSH WCEval.00BB2557 ; |ValueName = "DLTE"
0061C454 . 8B4D B0 MOV ECX,DWORD PTR SS:[EBP-50] ; |
0061C457 . 51 PUSH ECX ; |hKey
0061C458 . E8 1FCF5000 CALL <JMP.&ADVAPI32.RegSetValueExA> ; \RegSetValueExA
; Release the key handle held at [EBP-50]; this is the last use of it in the excerpt.
0061C45D . 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50]
0061C460 . 50 PUSH EAX ; /hKey
0061C461 . E8 E6CE5000 CALL <JMP.&ADVAPI32.RegCloseKey> ; \RegCloseKey
; Build the path "<Windows directory>\~SYS.BIN" in the buffer at EBP-1B4 and pass it
; to the helper at 00A2D430. Also the jump target when RegCreateKeyExA fails (0061C387).
; GetWindowsDirectoryA(buf @EBP-1B4, 0x46): the buffer is declared as 70 bytes.
0061C466 > 6A 46 PUSH 46 ; /BufSize = 46 (70.)
0061C468 . 8D95 4CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1B4] ; |
0061C46E . 52 PUSH EDX ; |Buffer
0061C46F . E8 5AD15000 CALL <JMP.&KERNEL32.GetWindowsDirectoryA>; \GetWindowsDirectoryA
; The API's return value is stored in the WORD at [EBP-7E] and then overwritten by
; the lstrlenA result at 0061C484, so it is effectively discarded.
; NOTE(review): a return of 0 (failure) or a value above 0x46 (buffer too small)
; is therefore not detected; in those cases lstrlenA runs over whatever the buffer
; holds. The excerpt does not show the buffer being initialised.
0061C474 . 66:8945 82 MOV WORD PTR SS:[EBP-7E],AX
0061C478 . 8D8D 4CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1B4]
0061C47E . 51 PUSH ECX ; /String
0061C47F . E8 36D35000 CALL <JMP.&KERNEL32.lstrlenA> ; \lstrlenA
; Length truncated to 16 bits and compared as signed: skip the trim when len <= 0.
0061C484 . 66:8945 82 MOV WORD PTR SS:[EBP-7E],AX
0061C488 . 66:837D 82 00 CMP WORD PTR SS:[EBP-7E],0
0061C48D . 7E 1D JLE SHORT WCEval.0061C4AC
; [EBP+len-1B5] is buf[len-1]; if the last character is '\' (0x5C) replace it
; with NUL so that the suffix below does not produce a doubled backslash.
0061C48F . 0FBF45 82 MOVSX EAX,WORD PTR SS:[EBP-7E]
0061C493 . 0FBE9405 4BFEF>MOVSX EDX,BYTE PTR SS:[EBP+EAX-1B5]
0061C49B . 83FA 5C CMP EDX,5C
0061C49E . 75 0C JNZ SHORT WCEval.0061C4AC
0061C4A0 . 0FBF4D 82 MOVSX ECX,WORD PTR SS:[EBP-7E]
0061C4A4 . C6840D 4BFEFFF>MOV BYTE PTR SS:[EBP+ECX-1B5],0
; Copy the literal "\~SYS.BIN" into the scratch buffer at EBP-D0 ...
0061C4AC > 68 5C25BB00 PUSH WCEval.00BB255C ; /String2 = "\~SYS.BIN"
0061C4B1 . 8D85 30FFFFFF LEA EAX,DWORD PTR SS:[EBP-D0] ; |
0061C4B7 . 50 PUSH EAX ; |String1
0061C4B8 . E8 E5D25000 CALL <JMP.&KERNEL32.lstrcpyA> ; \lstrcpyA
; ... and append it to the directory string at EBP-1B4.
; NOTE(review): lstrcatA takes no length limit. The suffix adds 9 characters plus
; NUL, so a directory path longer than 60 characters makes the result exceed the
; 70 bytes declared above. The next local referenced in this listing starts at
; EBP-16C, 0x48 bytes above the buffer. Checking the GetWindowsDirectoryA result
; against the buffer size and using a bounded concatenation would prevent the
; stack overwrite.
0061C4BD . 8D95 30FFFFFF LEA EDX,DWORD PTR SS:[EBP-D0]
0061C4C3 . 52 PUSH EDX ; /StringToAdd
0061C4C4 . 8D8D 4CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1B4] ; |
0061C4CA . 51 PUSH ECX ; |ConcatString
0061C4CB . E8 BAD25000 CALL <JMP.&KERNEL32.lstrcatA> ; \lstrcatA
; Caller-cleaned call (ADD ESP,8) to 00A2D430 with (path @EBP-1B4, 0).
; NOTE(review): the helper is not identified in this listing; the argument shape
; resembles a C runtime access(path, 0) existence check - confirm at 00A2D430.
0061C4D0 . 6A 00 PUSH 0
0061C4D2 . 8D85 4CFEFFFF LEA EAX,DWORD PTR SS:[EBP-1B4]
0061C4D8 . 50 PUSH EAX
0061C4D9 . E8 520F4100 CALL WCEval.00A2D430
0061C4DE . 83C4 08 ADD ESP,8
; A zero result branches to 0061C79B (outside this excerpt); non-zero falls through.
0061C4E1 . 85C0 TEST EAX,EAX
0061C4E3 . 0F84 B2020000 JE WCEval.0061C79B
0061C4E9 . 85DB TEST EBX,EBX
0061C4EB . 74 6E JE SHORT WCEval.0061C55B
0061C4ED . 8BC7 MOV EAX,EDI
0061C4EF . 33D2 XOR EDX,EDX
0061C4F1 . 8B80 80030000 MOV EAX,DWORD PTR DS:[EAX+380]
0061C4F7 . E8 E08A1800 CALL WCEval.007A4FDC
0061C4FC . 6A 00 PUSH 0 ; /BeepType = MB_OK
0061C4FE . E8 11DB5000 CALL <JMP.&USER32.MessageBeep> ; \MessageBeep
0061C503 . 6A 10 PUSH 10
0061C505 . 6A 00 PUSH 0
0061C507 . 68 6625BB00 PUSH WCEval.00BB2566 ; ASCII "Evaluation copy corrupted"
0061C50C . 8BC7 MOV EAX,EDI
0061C50E . E8 71481A00 CALL WCEval.007C0D84
0061C513 . 50 PUSH EAX ; |hOwner
0061C514 . E8 01DB5000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
0061C519 . E8 3EFAFFFF CALL WCEval.0061BF5C
0061C51E . A1 A44EBF00 MOV EAX,DWORD PTR DS:[BF4EA4]