I've never worked with it, but I think you're working backwards.
Start from the protectee and see how it interfaces with gameguard. You'll probably be lead to a call via a static variable which will have the address of the imported routine loaded into it via GetProcAddress, dig around in there. Fasdoj sodghdfjg Once I get more time(hopefully the coming weekend) I can write an applied reverse engineering section in my article(In my sig)
Which reminds me, I should have a section in there about delay-loaded libraries.