Full Process Analysis of UPX3.03 shell section processing

The analysis is not very good. Some things have not been clearly expressed. Everyone analyzed them by themselves. This program is a process management program I wrote myself, but it has not been written yet ....
UPX3.03 shelling, encryption processing is selected when shelling, advanced import protection is used to simulate system standard functions, but the shell section does not seem to see these functions.
First, a CALL formula will be used later. For details, see the attachment and analyze it by yourself.

Code:
CALL address calculation formula: Start of the next CALL command + absolute offset after E8 = target address

For example, 00401B2C is the current address, 5 is the length of the CALL machine code, and E8 CF 00 00 00 is the machine code.

Calculation: 00401B2C + 5 + CF = 00401C00 E8 CF 00 00 00 indicates CALL 00401C00.

Example 2: 00401B3B |. E8 C0270000 CALL decode.00404300
00401B3B + 5 + 27C0 = 00404300; Address: CALL 00404300

Example 3: 00401B5F |. E8 3C1B0000 CALL decode.004036A0
00401B5F + 5 + 1B3C = 004036A0. The address is CALL 004036A0.
00401B5F + 5 = start address of the next command. Moving 1B3C backward is the start address of the target command.
00417550> $60 PUSHAD
00417551. BE 15604100 mov esi, process management. 00416015
00417556. 8DBE ebaffeff lea edi, dword ptr ds: [ESI + FFFEAFEB]; put the starting address of the code segment in EDI
0036655c. 57 PUSH EDI
00000055d. EB 0B jmp short process management. 00000056a
0036655f 90 NOP
00417560> 8A06 mov al, byte ptr ds: [ESI]; now the analysis shows that the address 00416015 is the starting address of the code segment of our program and is mapped here, retrieve one byte of the mapped code
00417562. 46 inc esi; points to the next byte of our code
00417563. 8807 mov byte ptr ds: [EDI], AL; EDI is now starting from 00401000. Put the ing code into the address of the original code. Now we know that the Code is being restored.
00417565. 47 inc edi; point to the next address of our code to store the next byte
00417566> 01DB add ebx, EBX; EBX + EBX. When EBX is not equal to 0, it will jump. If the carry addition is 0, extract the next address to EBX.
00417568. 75 07 jnz short process management. 00417571
0036656a> 8B1E mov ebx, dword ptr ds: [ESI]; 00416015 put this address in EBX,
0036656c. 83EE fc sub esi,-4; 00416015 + 4
0036656f. 11DB adc ebx, EBX; carry Calculator
00417571> ^ 72 ed jb short process management. 00417560; jump up. EBX serves as a flag for Skip, processing code cyclically, a large loop
00417573. B8 01000000 mov eax, 1; EAX = 1
00417578> 01DB add ebx, EBX; EBX plus EBX. EBX serves as a jump sign in this Code.
00000057a. 75 07 jnz short process management. 00417583
0034757c. 8B1E mov ebx, dword ptr ds: [ESI]; The address pointed by ESI to EBX
00000057e. 83EE fc sub esi,-4; ESI plus 4
00417581. 11DB adc ebx, EBX; carry Addition
00417583> 11C0 adc eax, EAX; carry Addition
00417585. 01DB add ebx, EBX; EBX + EBX
00417587. ^ 73 ef jnb short process management. 00417578
00417589. 75 09 jnz short process management. 00417594; jump to the following
0034758b. 8B1E mov ebx, dword ptr ds: [ESI]
00000058d. 83EE fc sub esi,-4
00417590. 11DB adc ebx, EBX
00417592. ^ 73 E4 jnb short process management. 00417578
00417594> 31C9 xor ecx and ECX are cleared
00417596. 83E8 03 sub eax, 3 & n