1 - NtQueryInformationProcess is a stub, except when called with ProcessInformationClass set to ProcessDebugPort, which is exactly what the copy protection does :-), so this is not really a problem. BTW, I found this link on the MSDN website while searching for some doc about NtQueryInformationProcess
http://msdn.microsoft.com/msdn-files/026/002/137/NTDLL/Source Files/ntdll_cpp.asp
hmm I think NtQueryInformationProcess should set the length of the modified data (4 for a DWORD)
Unfortunately the server returns an error, but it might be worth investigating :-)
2 - int 0x01 is called from within a try{} block (if I read the assembly code correctly), and the copy protection code seems to be looking for a side effect: the debugger detection returns false (no debugger present) if some memory location (0x00435b90), which has been initialized with the value -1, contains 0xc0000005 upon completion of int 0x01. Does this ring a bell to someone ?
C0000005 is STATUS_ACCESS_VIOLATION sounds like the code that has been caught in the exception handler
3 - fixme:win32:DEVICE_Open Unknown/unsupported VxD Secdrv. Try --winver nt40 or win31 ! I haven't been ablt to find any Secdrv.vxd, but there's a secdrv.sys on the CD... Should I disassembly it and add the code to wine ? :-)
of course not ;-) perhaps in that case (true in step 2) it tries to look for further information wrt debuggers
A+