WinAntiDbg0x100

Published: April 3, 2024 | Updated: December 9, 2025

Description

A Windows console binary detects debuggers via IsDebuggerPresent and refuses to show the flag if a debugger is attached. By intercepting the anti-debug check in x64dbg and skipping the alert path, you can read the embedded flag string.

This is a gentle intro to anti-debug bypass: find the check, break on it, and set EIP past the failure branch so execution continues as if no debugger was detected.

Windows & x64dbg

Download WinAntiDbg0x100.zip (password: picoctf) and extract the executable.

Open WinAntiDbg0x100.exe inside x64dbg (32-bit).

wget https://artifacts.picoctf.net/c_titan/84/WinAntiDbg0x100.zip && unzip -P picoctf WinAntiDbg0x100.zip

Solution

This is the first challenge in the WinAntiDbg series. WinAntiDbg0x200 and WinAntiDbg0x300 introduce progressively more advanced anti-debug techniques.
  1. Step 1: Locate IsDebuggerPresent
    In x64dbg, use View → Symbol Info and search for IsDebuggerPresent. Double-click it and set a breakpoint so execution halts at the anti-debug call.
  2. Step 2: Step past the check
    Run until the breakpoint hits, then Step Into to reach the ret instruction. Set EIP to the branch that executes when no debugger is present (address FA161B in the provided build).
  3. Step 3: Continue to the flag
    Step over the subsequent instructions. The instruction MOV eax, dword ptr ds:[FA5408] reveals the flag string; copy it from memory to retrieve picoCTF{...}.
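Before opening the debugger, a static look at the import table tells you whether a sample even references IsDebuggerPresent, which is also how a triage pipeline flags debugger-aware binaries. The Python below is added here and is not part of the writeup: it walks a PE32 import directory and reports watchlisted debugger-detection imports. The sample PE it builds is constructed for the demonstration (not the challenge file), and the watchlist entries beyond IsDebuggerPresent are an assumption.

```python
import struct

ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}  # triage watchlist (constructed)

def pe32_imports(data: bytes) -> dict:
    """Walk the import directory of a PE32 image and return {dll: [imported names]}."""
    assert data[:2] == b"MZ", "not a PE file"
    pe = struct.unpack_from("<I", data, 0x3C)[0]                    # e_lfanew -> "PE\0\0"
    assert data[pe:pe + 4] == b"PE\0\0", "bad PE signature"
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                   # optional header follows the COFF header
    assert struct.unpack_from("<H", data, opt)[0] == 0x10B, "PE32 (32-bit) only, like the challenge binary"
    imp_rva = struct.unpack_from("<I", data, opt + 104)[0]          # DataDirectory[1] = import table
    secs = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsec)]
    def off(rva):                                                   # RVA -> file offset via the section table
        for _, vsize, va, rawsize, raw in secs:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + raw
        raise ValueError(f"RVA {rva:#x} not backed by any section")
    def cstr(o):
        return data[o:data.index(b"\0", o)].decode("ascii")
    result, desc = {}, off(imp_rva)
    while True:                                                     # one IMAGE_IMPORT_DESCRIPTOR per DLL
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break
        thunk, names = off(oft or ft), []
        while (entry := struct.unpack_from("<I", data, thunk)[0]) != 0:
            # high bit = import by ordinal; otherwise the RVA of a 2-byte hint followed by the name
            names.append(f"ordinal#{entry & 0xFFFF}" if entry & 0x80000000 else cstr(off(entry) + 2))
            thunk += 4
        result[cstr(off(name_rva))] = names
        desc += 20
    return result

def anti_debug_imports(data: bytes) -> list:
    """Watchlisted names the binary imports, e.g. ['IsDebuggerPresent'] for the sample below."""
    return sorted(n for fns in pe32_imports(data).values() for n in fns if n in ANTI_DEBUG_APIS)

def build_sample_pe32() -> bytes:
    """Constructed minimal PE32 importing only KERNEL32!IsDebuggerPresent (not the challenge file)."""
    va, raw = 0x1000, 0x200                                         # single section: RVA 0x1000, file 0x200
    int_rva, iat_rva, dll_rva, fn_rva = va + 40, va + 48, va + 56, va + 72
    body = struct.pack("<IIIII", int_rva, 0, 0, dll_rva, iat_rva) + bytes(20)   # descriptor + terminator
    body += struct.pack("<II", fn_rva, 0) * 2                                    # INT and IAT
    body += b"KERNEL32.dll".ljust(16, b"\0") + struct.pack("<H", 0) + b"IsDebuggerPresent\0"
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + bytes(102) + struct.pack("<II", va, 40) + bytes(112)
    sec = struct.pack("<8sIIII", b".rdata", len(body), va, len(body), raw) + bytes(16)
    return (dos + coff + opt + sec).ljust(raw, b"\0") + body
```

Run anti_debug_imports(open("WinAntiDbg0x100.exe", "rb").read()) against the extracted challenge binary to confirm the IsDebuggerPresent import before setting the breakpoint in x64dbg.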

Flag

picoCTF{d3bug_f0r_th3_Win_0x100_e7...}

Skipping the failure branch reveals the stored flag string immediately.