I asked woodmann if he's ok to help them a little. We'll see.

dp-teunlock : on w2k, my tracer crashes at f0639f , just because here the code is unvalid (bad decrypted)
you maybe have used a trick to detect it, and then a bad key is used to decrypt those instructions...
almost the same than dp-borg2 , but maybe not with the int1 called in signle step mode that was calling the seh and generating the key to decrypt the code further.

I'm getting closer.... Nice tricks