picoCTF - WinAntiDBG0x100 (Reverse Engineering, 안티디버깅 Level 1)

/*
 * main() of the picoCTF "WinAntiDBG0x100" binary, as decompiled by IDA.
 * The listing is 32-bit (locals addressed via esp/ebp, __cdecl).
 *
 * Every message is emitted with OutputDebugStringW(), i.e. it is only
 * visible to an attached debugger / debug-output viewer, not on stdout.
 *
 * Control flow in this listing:
 *   1. sub_401130() must return nonzero; otherwise only the "launch this
 *      program using a debugger" hint is emitted and main() returns.
 *   2. sub_401200() must return nonzero; its failure path reports the
 *      'config.bin' read error.
 *   3. Level 1 gate: IsDebuggerPresent(). Nonzero -> "debugger detected";
 *      zero -> sub_401440(11), sub_401530(), sub_4013B0() run and the
 *      returned string is emitted as the flag.
 *
 * The sub_* helpers and the globals (dword_405404, dword_405408,
 * ::Block, lpMultiByteStr) are not part of this listing, so their
 * semantics are not documented here.
 *
 * Returns 0 on all paths.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char Block; // [esp+0h] [ebp-8h]
  char Blocka; // [esp+0h] [ebp-8h]  -- same stack slot as Block (IDA alias)
  WCHAR *lpOutputString; // [esp+4h] [ebp-4h]

  // Gate 1: per the hint emitted in the else-branch below, nonzero appears
  // to mean "started under a debugger". The implementation is not shown.
  if ((unsigned __int8)sub_401130())
  {
    // Narrow literals passed to the W API: this is how the decompiler
    // rendered them; do not read anything into it.
    OutputDebugStringW("\n");
    OutputDebugStringW("\n");
    sub_4011B0();
    // Gate 2: presumably reads 'config.bin' (see the failure message).
    if (sub_401200())
    {
      OutputDebugStringW(
        L"### Level 1: Why did the clever programmer become a gardener? Because they discovered their talent for growing a"
        " 'patch' of roses!\n");
      sub_401440(7);
      // Level 1 anti-debug check. IsDebuggerPresent() returns nonzero when
      // a debugger is attached. The writeup bypasses it by breaking on the
      // call and setting EAX to 0 right after it returns, which steers
      // execution into the else-branch without touching other process
      // state (the flag message below warns that tampering may corrupt it).
      if (IsDebuggerPresent())
      {
        OutputDebugStringW(L"### Oops! The debugger was detected. Try to bypass this check to get the flag!\n");
      }
      else
      {
        // Flag path: only reached when the check above returned 0.
        // The helpers' arguments (11, dword_405404, dword_405408) are
        // opaque here; the flag text comes back from sub_4013B0().
        sub_401440(11);
        sub_401530(dword_405404);
        lpOutputString = (WCHAR *)sub_4013B0(dword_405408);
        if (lpOutputString)
        {
          OutputDebugStringW(L"### Good job! Here's your flag:\n");
          OutputDebugStringW(L"### ~~~ ");
          OutputDebugStringW(lpOutputString); // flag string is the argument here
          OutputDebugStringW(L"\n");
          OutputDebugStringW(L"### (Note: The flag could become corrupted if the process state is tampered with in any way.)\n\n");
          j_j_free(lpOutputString); // main() owns and frees the buffer from sub_4013B0()
        }
        else
        {
          OutputDebugStringW(L"### Something went wrong...\n");
        }
      }
    }
    else
    {
      OutputDebugStringW(L"### Error reading the 'config.bin' file... Challenge aborted.\n");
    }
    // ::Block is the file-scope global, not the local `Block` declared above.
    free(::Block);
  }
  else
  {
    // Not started under a debugger: emit the hint via sub_401060 (not
    // shown). `Block`/`Blocka` are never written before this use -- most
    // likely a decompiler artifact of the 1-byte stack slot, not program
    // semantics.
    sub_401060((char *)lpMultiByteStr, Block);
    sub_401060("### To start the challenge, you'll need to first launch this program using a debugger!\n", Blocka);
  }
  OutputDebugStringW(L"\n");
  OutputDebugStringW(L"\n");
  return 0;
}

IDA로 디컴파일한 main() 전체 코드

핵심이 되는 분기만 뜯어서 보자

// Excerpt of main(): the Level 1 gate. Compared with the full listing, the
// inner else-branch ("### Something went wrong...") is omitted here.
// IsDebuggerPresent() returns nonzero when a debugger is attached.
if (IsDebuggerPresent())
{
  OutputDebugStringW(L"### Oops! The debugger was detected. Try to bypass this check to get the flag!\n");
}
else
{
  // Flag path: reached only when the call above returned 0. The writeup
  // forces this by setting EAX = 0 right after the call returns, so no
  // other process state is modified.
  sub_401440(11);
  sub_401530(dword_405404);
  lpOutputString = (WCHAR *)sub_4013B0(dword_405408);
  if (lpOutputString)
  {
    OutputDebugStringW(L"### Good job! Here's your flag:\n");
    OutputDebugStringW(L"### ~~~ ");
    OutputDebugStringW(lpOutputString); // the flag string is the argument here
    OutputDebugStringW(L"\n");
    OutputDebugStringW(L"### (Note: The flag could become corrupted if the process state is tampered with in any way.)\n\n");
    j_j_free(lpOutputString); // buffer returned by sub_4013B0() is freed here
  }
}

플래그를 출력하는 경로는 IsDebuggerPresent()가 0을 반환할 때만 실행되므로, 여기서는 이 호출 하나만 우회하면 될 것 같다. (단, 앞의 sub_401130()이 0을 반환하면 "디버거로 실행하라"는 안내만 나오고 끝나므로, 디버거를 붙인 채로 이 한 곳의 반환값만 0으로 만들어야 한다.)

스크린샷 2025-04-06 125839.png

x64dbg(바이너리가 32비트이므로 x32dbg)를 열어 winantidbg0x100.exe 모듈에서 문자열 참조(String references)를 보면

스크린샷 2025-04-06 131932.png

위와 같이 디컴파일 결과에서 본 문자열들이 보인다

"Good job! Here's your flag" 문자열을 더블클릭해 참조 위치로 이동한 뒤, 조금 위로 스크롤하면

스크린샷 2025-04-06 125941.png

IsDebuggerPresent를 call 하는 위치를 찾을 수 있다

이 call 명령에 브레이크포인트(F2)를 걸어주자

스크린샷 2025-04-06 132036.png

F9로 실행해 브레이크포인트에서 멈춘 뒤 F8(step over)로 call을 넘기면, 디버거가 붙어 있으므로 반환값인 EAX가 1(TRUE)로 찍힌다.

앞서 본 if (IsDebuggerPresent()) 분기에서 else 쪽(플래그 출력 경로)으로 가려면 이 반환값을 0으로 바꿔야 한다.

레지스터 창에서 EAX를 더블클릭해 0으로 수정한다. 반환 레지스터만 바꾸는 것이므로 코드나 메모리는 건드리지 않는다 — 바이너리의 안내문이 "프로세스 상태를 변조하면 플래그가 깨질 수 있다"고 경고하므로, 코드를 패치하는 것보다 이쪽이 부작용이 적을 가능성이 높다.

스크린샷 2025-04-06 132122.png

이후 F8로 계속 진행하면 OutputDebugStringW(lpOutputString) 호출에 도달하고, 인자로 넘어가는 picoCTF 플래그 문자열을 위처럼 확인할 수 있다.

스크린샷 2025-04-06 132218.png

스택 창에서 보면 OutputDebugStringW의 인자로 넘어가는 플래그 문자열 포인터를 위와 같이 확인할 수 있다.