This is not a complete write-up. I just keep a simple record of some of the points I consider important, and I don't know why there are so many details;
I am fooling myself for the moment, and I am too lazy to track the details of every piece of code.
This version, 1.25, is basically the same as the last one, 1.20, and by now I have forgotten how that one was unpacked.
This time I spent a lot of time on it, so I decided to keep some simple notes.
If you have traced it yourself, I think you should be able to follow my reasoning.
Startup:
Set SEH: memory access violation
Set SEH: div 0
Ignore the others
First div 0:
008D9A28 F7F0            DIV EAX                         ; first div 0
008D9A2A 8381 B8000000 02 ADD DWORD PTR DS:[ECX+B8],2
008D9A31 5B              POP EBX
008D9A32 5D              POP EBP
008D9A33 C3              RETN
008D99DB 64:8F00         POP DWORD PTR FS:[EAX]          ; the handler resumes here
008D99DE 83C4 04         ADD ESP,4
008D99E1 5B              POP EBX
008D99E2 C3              RETN
BP VirtualAlloc
0044DE1C FF93 80000000   CALL DWORD PTR DS:[EBX+80]      ; VirtualAlloc
0044DE22 85C0            TEST EAX,EAX                    ; returns here, EAX = 9F0000
0044DE24 0F84 3A010000   JE Obsidium.0044DF64            ; new imagebase
The decoding process starts below.
After decoding, the relocations are processed here. To get the dump based at 400000h after unpacking, you need to do some work at this point.
0044DF27 8B43 10         MOV EAX,DWORD PTR DS:[EBX+10]   ; new imagebase
0044DF2A 2B43 10         SUB EAX,DWORD PTR DS:[EBX+3C]   ; old imagebase
0044DF2D FF77 08         PUSH DWORD PTR DS:[EDI+8]
0044DF30 FF77 04         PUSH DWORD PTR DS:[EDI+4]
0044DF33 FF73 78         PUSH DWORD PTR DS:[EBX+78]
0044DF36 50              PUSH EAX
0044DF37 FF73 10         PUSH DWORD PTR DS:[EBX+10]
0044DF3A FF53 70         CALL DWORD PTR DS:[EBX+70]
0044DF3D 83C7 14         ADD EDI,14
0044DF40 FF4D FC         DEC DWORD PTR SS:[EBP-4]
0044DF43 ^ 0F85 F4FEFFFF JNZ Obsidium.0044DE3D
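The loop above computes delta = new imagebase - old imagebase and hands it, together with each relocation block, to a fixup routine. The following Python is an added example (not Obsidium's code and not from the original notes) that applies standard PE IMAGE_BASE_RELOCATION blocks with such a delta; the image buffer, pointer values and .reloc block are constructed, and the base addresses 400000h / 9F0000h are taken from the listing above. Running the same routine with the delta reversed is what brings a dump back to 400000h.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address, add the full delta

def read_u32(image: bytearray, rva: int) -> int:
    return struct.unpack_from("<I", image, rva)[0]

def apply_relocations(image: bytearray, reloc: bytes, old_base: int, new_base: int) -> int:
    """Walk IMAGE_BASE_RELOCATION blocks and add (new_base - old_base) to every
    HIGHLOW fixup in `image`, which is indexed by RVA. Returns the fixup count."""
    delta = (new_base - old_base) & 0xFFFFFFFF
    patched, pos = 0, 0
    while pos + 8 <= len(reloc):
        page_rva, block_size = struct.unpack_from("<II", reloc, pos)
        if block_size < 8:          # terminator or malformed block: stop
            break
        for (entry,) in struct.iter_unpack("<H", reloc[pos + 8:pos + block_size]):
            kind, offset = entry >> 12, entry & 0xFFF
            if kind == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if kind != IMAGE_REL_BASED_HIGHLOW:
                raise ValueError(f"unsupported relocation type {kind}")
            rva = page_rva + offset
            struct.pack_into("<I", image, rva, (read_u32(image, rva) + delta) & 0xFFFFFFFF)
            patched += 1
        pos += block_size
    return patched

def build_sample():
    """Constructed test image: 8 KiB buffer with three absolute pointers that
    assume ImageBase 0x400000, plus one .reloc block covering page RVA 0x1000."""
    image = bytearray(0x2000)
    for rva, ptr in ((0x1010, 0x00401234), (0x1020, 0x00401800), (0x1030, 0x00400000)):
        struct.pack_into("<I", image, rva, ptr)
    entries = [(3 << 12) | 0x10, (3 << 12) | 0x20, (3 << 12) | 0x30, 0]  # last = padding
    reloc = struct.pack("<II", 0x1000, 8 + 2 * len(entries)) + struct.pack("<4H", *entries)
    return image, reloc

if __name__ == "__main__":
    image, reloc = build_sample()
    # Loader side: the packer got a fresh block at 0x9F0000 from VirtualAlloc
    # and relocates the decoded image there.
    apply_relocations(image, reloc, 0x400000, 0x9F0000)
    print(hex(read_u32(image, 0x1010)))   # 0x9f1234
    # Unpacker side: apply the reverse delta so the dump is based at 0x400000 again.
    apply_relocations(image, reloc, 0x9F0000, 0x400000)
    print(hex(read_u32(image, 0x1010)))   # 0x401234
```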
Continue pressing Shift+F9 several times until you see this code:
008DC4B2 F7F0            DIV EAX                         ; div 0
008DC4B4 8B00            MOV EAX,DWORD PTR DS:[EAX]      ; followed by an exception like this
008DC4B6 85C0            TEST EAX,EAX
008DC4B8 74 19           JE SHORT 008DC4D3
008DC4BA 8B53 04         MOV EDX,DWORD PTR DS:[EBX+4]
008DC4BD C702 07000000   MOV DWORD PTR DS:[EDX],7
008DC4C3 C740 08 00000000 MOV DWORD PTR DS:[EAX+8],0
008DC4CA 8343 04 0C      ADD DWORD PTR DS:[EBX+4],0C
008DC4CE 52              PUSH EDX
008DC4CF 51              PUSH ECX
008DC4D0 FF63 4C         JMP DWORD PTR DS:[EBX+4C]
008DC4D3 64:67:8F06 0000 POP DWORD PTR FS:[0]            ; the handler resumes here
008DC4D9 83C4 04         ADD ESP,4
008DC4DC 5B              POP EBX
008DC4DD C3              RETN
Here is the IAT processing:
Ctrl+G 8DC5D0, hardware breakpoint on execution
(How did I find the address 8DC5D0? I ran it multiple times. I watched the hardware breakpoint and traced it back layer by layer.
Then I wrote it down so I could repeat it again. I had to try and think several times before I could locate it.)
Pressing F9 stops here twice:
008DC5D0 E8 3F040000     CALL 008DCA14
008DC5D5 85C0            TEST EAX,EAX
008DC5D7 74 55           JE SHORT 008DC62E
008DC5D9 8B45 F4         MOV EAX,DWORD PTR SS:[EBP-C]
008DC5DC 05 679D4100     ADD EAX,419D67
008DC5E1 8B56 04         MOV EDX,DWORD PTR DS:[ESI+4]
008DC5E4 0353 44         ADD EDX,DWORD PTR DS:[EBX+44]
008DC5E7 52              PUSH EDX
008DC5E8 50              PUSH EAX
008DC5E9 E8 26040000     CALL 008DCA14
008DC5EE 85C0            TEST EAX,EAX
008DC5F0 74 3C           JE SHORT 008DC62E
...
008DC692 FF36            PUSH DWORD PTR DS:[ESI]
008DC694 53              PUSH EBX
008DC695 52              PUSH EDX
008DC696 50