I never investigated the ripped API's since one could simply launch the app from the second layer EP, but that signature you talk about (having the NOP's and then a call into ripped API) sounds a lot like how Ultraprotect worked.

Should be possible to make a ImpREC plugin for this, simply scan for calls into high mem (easy to do) and decode where they go. However, not sure if that's possible only because I never looked at a ripped API. (I didn't bother, only dumped at second EP to let it decode for me)

-Lunar