Unpacking analysis of an old shell: INT3 exception, expiration restriction, and appended data

Source: Internet
Author: User

[Software name]: a program packed with EncryptPE 1.0 V1.2003.5.18
[Software restrictions]: INT3 exception, expiration restriction, appended data
[Unpacking statement]: thanks to fly, loveboom and the other experts for their help!
[Operating system]: WIN2K
[Unpacking tools]: OD, etc.

-------------------------------------------
 
[Unpacking process]:

The shell adds an INT3 exception, an expiration restriction, and appended data.
For the INT3 exception, NOP out the INT3 just as with EncryptPE V1.2003.5.1 Preview. Use bp GetLocalTime to get past the expiration restriction. The unpacking and repair process is as follows:
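
Appended data is anything that lies after the raw bytes of the last section: no section header accounts for it, so a loader ignores it but the shell's own code can read it from disk. The following Python is an added example, not code from the original post, that parses the PE section table and reports how many bytes follow the last section, a first triage check for "data appending". The PE image it scans is constructed inline (a header skeleton, not a valid executable); field offsets follow the PE/COFF file format.

```python
import struct


def find_overlay(data):
    """Return (overlay_offset, overlay_size) for a PE image held in memory.

    overlay_offset is the end of the last section's raw data; anything after it
    is appended data that no section header accounts for. Raises ValueError for
    input that is not a PE file or whose section table points past end of file.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sections = coff + 20 + opt_size           # first IMAGE_SECTION_HEADER
    end = sections + 40 * num_sections        # never earlier than the headers
    for i in range(num_sections):
        hdr = sections + 40 * i
        # SizeOfRawData at +16, PointerToRawData at +20 of each section header
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    if end > len(data):
        raise ValueError("section table points past end of file (truncated image?)")
    return end, len(data) - end


def build_minimal_pe(section_size=0x200, overlay=b""):
    """Constructed test input: DOS header, PE signature, COFF header, a PE32
    optional header and one section, followed by optional appended bytes.
    It is a header skeleton for the parser above, not a runnable program."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                            # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)
    headers_len = e_lfanew + 4 + 20 + opt_size + 40
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF   # 0x200 file alignment
    section = struct.pack("<8sIIIIIIHHI", b".text", section_size, 0x1000,
                          section_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\0\0" + coff + opt + section
    image += b"\x00" * (raw_ptr - len(image))
    image += b"\x90" * section_size
    return image + overlay


if __name__ == "__main__":
    # Demo on the constructed image with 100 appended bytes.
    sample = build_minimal_pe(overlay=b"\xAA" * 100)
    offset, size = find_overlay(sample)
    print(f"last section ends at 0x{offset:X}; {size} appended bytes follow")
```

On a real packed file, replace the constructed image with the file's bytes (`open(path, "rb").read()`). A non-zero overlay size alone does not prove a packer is present, since installers and signed binaries also carry overlays, but a shell that reads appended data is what makes the dumped image incomplete, so the size is worth recording before unpacking.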


I. Unpacking

Load with OD, hide OD, ignore all exceptions, and add 0EEDFADF and C0000008 to the ignored exceptions. After loading, it stops here:


0044D000> 60 PUSHAD ====> stops here.
0044D001 9C PUSHFD
0044D002 64: FF35 00000000 push dword ptr fs: [0]
0044D009 E8 79010000 CALL 00002.0044d187
0044D00E 0000 add byte ptr ds: [EAX], AL
0044D010 0000 add byte ptr ds: [EAX], AL
0044D012 0000 add byte ptr ds: [EAX], AL
0044D014 0000 add byte ptr ds: [EAX], AL


F9 runs to the exception at:

77F813A2 FF75 0C push dword ptr ss: [EBP + C]
77F813A5 FF75 08 push dword ptr ss: [EBP + 8]
77F813A8 E8 ECEC0000 CALL ntdll.77F90099
77F813AD 5D POP EBP
77F813AE C2 1800 RETN 18
77F813B1> CC INT3 ====> change to NOP!
77F813B2 C3 RETN ====> stops here.
77F813B3 33C9 xor ecx, ECX
77F813B5 E9 A5BE0000 JMP ntdll.77F8D25F
77F813BA> 55 PUSH EBP
77F813BB 8BEC mov ebp, ESP
77F813BD 56 PUSH ESI
77F813BE 8B75 08 mov esi, dword ptr ss: [EBP + 8]
77F813C1 8A06 mov al, byte ptr ds: [ESI]
77F813C3 3C 02 cmp al, 2

Set bp GetLocalTime and run the program with SHIFT + F9:


77E649B6> 55 push ebp ===> breaks here. Remove the breakpoint and look at the stack window.
77E649B7 8BEC mov ebp, ESP
77E649B9 83EC 18 sub esp, 18
77E649BC 56 PUSH ESI
77E649BD A1 1800FE7F mov eax, dword ptr ds: [7FFE0018]
77E649C2 8B0D 1400FE7F mov ecx, dword ptr ds: [7FFE0014]
77E649C8 3B05 1C00FE7F cmp eax, dword ptr ds: [7FFE001C]
77E649CE ^ 75 ED jnz short kernel32.77E649BD
77E649D0 8B15 2400FE7F mov edx, dword ptr ds: [7FFE0024]
77E649D6 8B35 2000FE7F mov esi, dword ptr ds: [7FFE0020]
77E649DC 3B15 2800FE7F cmp edx, dword ptr ds: [7FFE0028]
77E649E2 ^ 75 EC jnz short kernel32.77E649D0
77E649E4 2BCE sub ecx, ESI
77E649E6 1BC2 sbb eax, EDX
77E649E8 894D F8 mov dword ptr ss: [EBP-8], ECX


Stack window data:

0123FBD8 7112A429 /CALL to GetLocalTime from v1_351.7112A424
0123FBDC 0123FBE8 pLocaltime = 0123FBE8
0123FBE0 71128B70 ASCII "%d"

Go to 7112A429:

7112A424 E8 8BC8FFFF CALL v1_351.71126CB4 ; JMP to kernel32.GetLocalTime
7112A429 66: 8B4C24 0E mov cx, word ptr ss: [ESP + E] ====> after the break on GetLocalTime, F9 returns here. Then remove the breakpoint.
7112A42E 66: 8B5424 0A mov dx, word ptr ss: [ESP + A]
7112A433 66: 8B4424 08 mov ax, word ptr ss: [ESP + 8]
7112A438 E8 1BFEFFFF call v1_351.7112A258
7112A43D DD5C24 18 fstp qword ptr ss: [ESP + 18]
7112A441 9B WAIT
7112A442 66: 8B4424 16 mov ax, word ptr ss: [ESP + 16]
7112A447 50 PUSH EAX
7112A448 66: 8B4C24 18 mov cx, word ptr ss: [ESP + 18]
7112A44D 66: 8B5424 16 mov dx, word ptr ss: [ESP + 16]
7112A452 66: 8B4424 14 mov ax, word ptr ss: [ESP + 14]
7112A457 E8 5CFCFFFF call v1_351.7112A0B8
7112A45C DC4424 18 fadd qword ptr ss: [ESP + 18]
7112A460 DD1C24 fstp qword ptr ss: [ESP]
7112A463 9B WAIT
7112A464 DD0424 fld qword ptr ss: [ESP]
7112A467 83C4 20 add esp, 20
7112A46A C3 RETN ====> return.

Return:


711A0EF0 83C4 F8 add esp, -8 ==> returns here.
711A0EF3 DD1C24 fstp qword ptr ss: [ESP]
711A0EF6 9B WAIT
711A0EF7 8D95 90FDFFFF lea edx, dword ptr ss: [EBP-270]
711A0EFD B8 741B1A71 mov eax, v1_351.711A1B74; ASCII "yyyymmdd"
711A0F02 E8 3DA1F8FF CALL v1_351.7112B044
711A0F07 8B95 90FDFFFF mov edx, dword ptr ss: [EB
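
The routine around the GetLocalTime call reads the SYSTEMTIME fields into AX/DX/CX, calls one helper for the date and another for the time, combines the two results with fadd, and the caller then formats the value with "yyyymmdd". That register calling convention, the FPU return value and the format string are the shape of Delphi's Now followed by FormatDateTime; the following Python is an added example, not code from the original post, that reproduces the computation on a constructed SYSTEMTIME so an analyst can see what value the expiration check is built on. The identification of the helpers as Delphi EncodeDate/EncodeTime and the field-to-register mapping are inferences from the listing, not facts stated on the page.

```python
import struct
from datetime import date

# SYSTEMTIME as GetLocalTime writes it: eight little-endian WORDs
# wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds.
SYSTEMTIME_FMT = "<8H"
# Constructed sample: 2003-05-18 12:00:00.000 (day-of-week left as 0).
SAMPLE_SYSTEMTIME = struct.pack(SYSTEMTIME_FMT, 2003, 5, 0, 18, 12, 0, 0, 0)

DELPHI_EPOCH = date(1899, 12, 30)      # TDateTime 0.0
MS_PER_DAY = 24 * 60 * 60 * 1000


def encode_date(year, month, day):
    """Delphi EncodeDate: whole days since 1899-12-30.
    In the listing the arguments arrive in AX (wYear), DX (wMonth), CX (wDay)."""
    return float((date(year, month, day) - DELPHI_EPOCH).days)


def encode_time(hour, minute, second, msec):
    """Delphi EncodeTime: fraction of a day; result goes back on the FPU stack.
    In the listing: AX (wHour), DX (wMinute), CX (wSecond), pushed wMilliseconds."""
    ms = ((hour * 60 + minute) * 60 + second) * 1000 + msec
    if not 0 <= ms < MS_PER_DAY:
        raise ValueError("time of day out of range")
    return ms / MS_PER_DAY


def delphi_now(systemtime_bytes):
    """Reproduce the listed routine (assumed to be Delphi's Now):
    EncodeDate(wYear, wMonth, wDay) + EncodeTime(wHour, wMinute, wSecond, wMs)."""
    (year, month, _dow, day,
     hour, minute, second, msec) = struct.unpack(SYSTEMTIME_FMT, systemtime_bytes)
    return encode_date(year, month, day) + encode_time(hour, minute, second, msec)


def format_yyyymmdd(tdatetime):
    """FormatDateTime('yyyymmdd', ...) applied to the date part of a TDateTime."""
    days = int(tdatetime // 1)
    d = date.fromordinal(DELPHI_EPOCH.toordinal() + days)
    return f"{d.year:04d}{d.month:02d}{d.day:02d}"


if __name__ == "__main__":
    now = delphi_now(SAMPLE_SYSTEMTIME)
    print(f"TDateTime = {now}  ->  {format_yyyymmdd(now)}")
```

To check the inference against a live session, paste the 16 bytes at pLocaltime from the stack window into `SAMPLE_SYSTEMTIME` and compare `delphi_now` with the qword left at [ESP] before the RETN; the eight-character string produced by `format_yyyymmdd` is the value the later code compares against its stored date.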
