Well, actually you said that "DEC ECX [...] can't crash or cause a special operation [...] since it can". So you said that DEC ECX can crash. Since I know nobody who would use the word "crash" for flag modification (and it wouldn't make any sense), a crash always causes an exception. So there is no need for you to use the word "exception", since you already said it.
It's nice that you try to tell me that DEC instructions change the flags and that Hardlock uses a driver, but that's common knowledge. It's also nice to talk about the "what can" and the "what cannot" in cracking. But it's pointless since we all know. So let's stop the philosophy.
So tell me, how can a driver/thread/process react to the flag change at 00403EE7 without using any "middle" instructions (as you call them)? The only way would be exceptions (single-stepping, breakpoint, page fault, ...). And this way is using "middle" instructions.
BTW, what do you want to tell me with 00403ECE? Are you unaware that this kind of instruction (an effective "NOP") is used to align the next procedure to the next address boundary in memory?