diff --git a/xzre.h b/xzre.h
index 31aba66..1b4ceea 100644
--- a/xzre.h
+++ b/xzre.h
@@ -1747,8 +1747,7 @@ assert_offset(sshd_proxy_args_t, rsa, 0x30);
  * (which is what normally happens when sshd is sandboxed)
  *
  * the code will then construct a new packet and send a monitor request with type `MONITOR_REQ_KEYALLOWED` and the payload as key.
- * the receiving end (`mm_answer_keyallowed`) will then run the payload, likely as soon as `RSA_get0_key` is invoked, through the hook
- * (TODO: confirm this)
+ * the receiving end (`mm_answer_keyallowed`) will then run the payload through @ref mm_answer_keyallowed_hook
  *
  * the `disable_backdoor` flag is used to avoid running the payload more than once, in case of multiple calls
  *
@@ -3034,6 +3033,27 @@ extern BOOL sshd_get_client_socket(
  */
 extern BOOL sshd_get_sshbuf(struct sshbuf *sshbuf, global_context_t *ctx);
+/**
+ * @brief runs the payload received from @ref sshd_proxy_elevate,
+ * and then runs the original `mm_answer_keyallowed` function
+ *
+ * @param ssh
+ * @param sock
+ * @param m
+ * @return int
+ */
+extern int mm_answer_keyallowed_hook(struct ssh *ssh, int sock, struct sshbuf *m);
+
+/**
+ * @brief used in conjunction with @ref mm_answer_keyallowed_hook to bypass the key validity check
+ *
+ * @param ssh
+ * @param sock
+ * @param m
+ * @return int
+ */
+extern int mm_answer_keyverify_hook(struct ssh *ssh, int sock, struct sshbuf *m);
+ /**
+ * @brief counts the number of times the IFUNC resolver is called
+ *
diff --git a/xzre.lds.in b/xzre.lds.in
index 9737283..4ac82d9 100644
--- a/xzre.lds.in
+++ b/xzre.lds.in
@@ -120,6 +120,8 @@ SECTIONS_BEGIN()
 DEFSYM(sshd_proxy_elevate, .text.lzip_decoder_memconfia)
 DEFSYM(sshd_get_client_socket, .text.index_encoda)
 DEFSYM(sshd_get_sshbuf, .text.threads_stoz)
+ DEFSYM(mm_answer_keyallowed_hook, .text.file_info_decoda)
+ DEFSYM(mm_answer_keyverify_hook, .text.bt_skip_funz)
 SECTIONS_END(.text)
 SECTIONS_BEGIN()
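Review bot: The two new prototypes in the second xzre.h hunk take `struct ssh *`, and unless xzre.h already forward-declares that tag earlier in the file (not visible here), a struct tag first mentioned inside a parameter list has prototype scope only, so compilers warn it "will not be visible outside of this declaration" and the definition in the .c file gets an incompatible type; a one-line `struct ssh;` above `mm_answer_keyallowed_hook` removes the ambiguity (`struct sshbuf` is already used by `sshd_get_sshbuf`, so it is presumably declared). The Doxygen blocks also leave every `@param` empty and `@return int` undescribed, which matters here because the return value is what the monitor uses to decide whether the key is accepted: state what each hook returns, e.g. `@return the value of the original mm_answer_keyallowed, so the monitor round-trip completes normally` for the first hook if that is indeed forwarded, and for `mm_answer_keyverify_hook` say explicitly what it answers in place of the real signature check, which the brief currently only hints at with "bypass". The `@param` lines can mirror sshd's own signature: `@param ssh the ssh session the monitor is answering for`, `@param sock the monitor socket`, `@param m the request buffer`.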