EXECryptor v1.53 is currently the most sophisticated protector that uses SEH for anti-tracing. Inside its SEH handlers it clears the debug registers DR0-DR7 and modifies the EIP saved in the CONTEXT record so that execution is redirected when the exception returns. Without a thorough understanding of SEH, it is hard to trace through this.
I. SEH Review
1. Establishing an SEH frame
    assume fs:nothing          ; otherwise MASM reports an error on the fs: override
    push offset SEH_Handler    ; address of our handler
    push fs:[0]                ; previous head of the handler chain
    mov fs:[0], esp            ; install the new frame
2. Parameters passed to the exception handling routine
The final handler receives only one parameter: a pointer to an EXCEPTION_POINTERS structure, which is defined as follows:
    EXCEPTION_POINTERS STRUCT
        pExceptionRecord DWORD ?
        ContextRecord    DWORD ?
    EXCEPTION_POINTERS ENDS
At the moment the handler is invoked, the stack looks like this:
    esp -> pEXCEPTION_POINTERS
followed by call _Final_Handler.
Note that the parameter on the stack is a pointer to EXCEPTION_POINTERS, not pExceptionRecord itself.
The structure that pExceptionRecord points to is EXCEPTION_RECORD, laid out as follows:
    EXCEPTION_RECORD STRUCT
        ExceptionCode        DWORD ?   ; exception code
        ExceptionFlags       DWORD ?   ; exception flags
        pExceptionRecord     DWORD ?   ; pointer to a nested EXCEPTION_RECORD
        ExceptionAddress     DWORD ?   ; address at which the exception occurred
        NumberParameters     DWORD ?   ; number of DWORDs used in ExceptionInformation below
        ExceptionInformation DWORD EXCEPTION_MAXIMUM_PARAMETERS dup (?)
    EXCEPTION_RECORD ENDS
    ; EXCEPTION_MAXIMUM_PARAMETERS = 15
The fields in detail:
ExceptionCode: the exception type. The SDK defines many, but these are the ones most likely to be met in practice:
    C0000005h ---- access violation (read or write to memory the process may not touch)
    C0000094h ---- integer division by zero
    C00000FDh ---- stack overflow or stack out of bounds
    80000001h ---- guard page violation (a page set up as a guard page via VirtualAlloc)
    C0000025h ---- non-continuable exception; the program cannot resume, and the handler should not try to handle it
    C0000026h ---- used internally by the system during exception dispatch. It appears when a routine returns something the system does not understand; for example, when RtlUnwind is called without an ExceptionRecord parameter, the record the system fills in carries this code.
    80000003h ---- int3 breakpoint hit while debugging
    80000004h ---- single-step trap (TF set)
Note: the ExceptionCode can also be read as a bit field:
    Bits 31-30  severity:        0 = success, 1 = informational, 2 = warning, 3 = error
    Bit  29     customer code:   0 = Microsoft-defined, 1 = customer-defined
    Bit  28     reserved, must be 0
    Bits 27-16  facility code
    Bits 15-0   exception code
ExceptionFlags: the exception flags
    0 ---- continuable exception
    1 ---- non-continuable exception
    2 ---- unwinding in progress. Do not try to fix anything; release any resources that need releasing.
pExceptionRecord: if the exception was raised while handling another exception, this points to that nested exception record.
ExceptionAddress: the EIP at which the exception occurred.
ExceptionInformation: additional data. It can be supplied explicitly when RaiseException is called, and it has a defined meaning for a memory access violation (ExceptionCode = C0000005h); in other cases it is generally meaningless. For an access violation:
    first DWORD  ---- 0 = read conflict, 1 = write conflict
    second DWORD ---- the address that was read from or written to
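As an added example that is not part of the original text, the following C program decodes an EXCEPTION_RECORD the way the field descriptions above lay it out: it splits ExceptionCode into its severity, customer, facility and code bit fields, names the codes listed above, interprets ExceptionFlags, and for an access violation extracts the read/write flag and faulting address from ExceptionInformation. The struct is a portable re-declaration of the 32-bit layout so it compiles anywhere; the sample record (a write to DEADBEEFh at EIP 00401000h) is constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable re-declaration of the 32-bit EXCEPTION_RECORD layout described
   above (every field is a DWORD); pointers are kept as 32-bit values. */
#define EXCEPTION_MAXIMUM_PARAMETERS 15

typedef struct {
    uint32_t ExceptionCode;
    uint32_t ExceptionFlags;
    uint32_t pExceptionRecord;     /* nested record, if any */
    uint32_t ExceptionAddress;     /* EIP at the time of the exception */
    uint32_t NumberParameters;     /* DWORDs used in ExceptionInformation */
    uint32_t ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
} EXCEPTION_RECORD32;

/* Bit fields of ExceptionCode: 31-30 severity, 29 customer, 28 reserved,
   27-16 facility, 15-0 code. */
typedef struct {
    unsigned severity;   /* 0 success, 1 informational, 2 warning, 3 error */
    unsigned customer;   /* 0 Microsoft-defined, 1 customer-defined */
    unsigned reserved;   /* must be 0 */
    unsigned facility;
    unsigned code;
} CodeFields;

CodeFields decode_code(uint32_t c) {
    CodeFields f;
    f.severity = (c >> 30) & 0x3;
    f.customer = (c >> 29) & 0x1;
    f.reserved = (c >> 28) & 0x1;
    f.facility = (c >> 16) & 0xFFF;
    f.code     = c & 0xFFFF;
    return f;
}

/* Names for the codes listed in the text. */
const char *code_name(uint32_t c) {
    switch (c) {
    case 0xC0000005u: return "access violation";
    case 0xC0000094u: return "integer divide by zero";
    case 0xC00000FDu: return "stack overflow";
    case 0x80000001u: return "guard page violation";
    case 0xC0000025u: return "non-continuable exception";
    case 0xC0000026u: return "invalid disposition";
    case 0x80000003u: return "breakpoint (int3)";
    case 0x80000004u: return "single step";
    default:          return "other";
    }
}

const char *flags_name(uint32_t fl) {
    if (fl & 2) return "unwinding";
    if (fl & 1) return "non-continuable";
    return "continuable";
}

/* For an access violation, pull the read/write flag and the fault address out
   of ExceptionInformation. Returns 0 if the record does not carry them. */
int access_violation_info(const EXCEPTION_RECORD32 *r, int *is_write, uint32_t *addr) {
    if (r->ExceptionCode != 0xC0000005u || r->NumberParameters < 2) return 0;
    *is_write = (r->ExceptionInformation[0] == 1);
    *addr = r->ExceptionInformation[1];
    return 1;
}

/* Constructed sample: a write to DEADBEEFh raised at EIP 00401000h. */
EXCEPTION_RECORD32 sample_access_violation(void) {
    EXCEPTION_RECORD32 r;
    memset(&r, 0, sizeof r);
    r.ExceptionCode = 0xC0000005u;
    r.ExceptionFlags = 0;
    r.ExceptionAddress = 0x00401000u;
    r.NumberParameters = 2;
    r.ExceptionInformation[0] = 1;           /* 1 = write conflict */
    r.ExceptionInformation[1] = 0xDEADBEEFu; /* conflicting address */
    return r;
}

void describe(const EXCEPTION_RECORD32 *r) {
    CodeFields f = decode_code(r->ExceptionCode);
    int w; uint32_t a;
    printf("code %08X (%s): severity=%u customer=%u facility=%03X code=%04X, %s, at EIP %08X\n",
           r->ExceptionCode, code_name(r->ExceptionCode), f.severity, f.customer,
           f.facility, f.code, flags_name(r->ExceptionFlags), r->ExceptionAddress);
    if (access_violation_info(r, &w, &a))
        printf("  %s conflict at address %08X\n", w ? "write" : "read", a);
}

int main(void) {
    EXCEPTION_RECORD32 r = sample_access_violation();
    describe(&r);
    return 0;
}
```

Decoding C0000005h this way gives severity 3 (error), customer 0, facility 0, code 5; the two debugger-related codes 80000003h and 80000004h decode to severity 2 (warning), which is why a handler that only looks at the top two bits cannot tell a breakpoint from a guard page hit.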
The CONTEXT structure is laid out as follows:
    CONTEXT STRUCT
        ContextFlags DWORD ?   ; +00
        iDr0         DWORD ?   ; +04
        iDr1         DWORD ?   ; +08