// 82 KB version (patched) — deliberately clears the pointer:
v3 = MmGetSystemRoutineAddress(L"MmCopyMemory");
if (v3 >= 0) {
    *(a1 + 24) = 0;        // ← NULLs it — SubCmd 12 is dead
}

// 333 KB version (vulnerable) — stores the pointer:
ptr = MmGetSystemRoutineAddress(L"MmCopyMemory");
if (ptr) {
    *(this + 0x18) = ptr;   // ← Keeps it — SubCmd 12 works
}