a00.exe shows you a message box with the caption Error and the text Dement! if you run it under debugger. It shows you nothing when you run it outside of debugger and it just terminates silently.

1.
Debuggee -> Open Executable (Ctrl+E)
UNCHECK run over ntdll.DbgBreakPoint and halt on exe EntryPoint (it is checked by default)
double click a00.exe

2.
look into Log window
you see something like:
fdbg20070819
Process created. ProcessId=00000A04h ThreadId=00000D08h BaseOfImage=0000000000400000-0000000000404000h ThreadLocalBase=000007FFFFFDB000h ThreadStartAddress=0000000000401000h
Loaded dll. ProcessId=00000A04h ThreadId=00000D08h BaseOfDll=0000000078EC0000-0000000078FF9000h DllName=ntdll.dll
Loaded dll. ProcessId=00000A04h ThreadId=00000D08h BaseOfDll=0000000078D40000-0000000078EB2000h DllName=KERNEL32.dll
Loaded dll. ProcessId=00000A04h ThreadId=00000D08h BaseOfDll=0000000078C30000-0000000078D3C000h DllName=USER32.dll
Loaded dll. ProcessId=00000A04h ThreadId=00000D08h BaseOfDll=000007FF7FC90000-000007FF7FD28000h DllName=GDI32.dll

3.
grab value after ThreadLocalBase= from the Log window, it is 000007FFFFFDB000 in the above sample

4.
go to Stack window and put the value 000007FFFFFDB000 into the first address
you will get a list like:
address			  +6  +4  +2  +0
000007FFFFFDB000	0000000000000000
000007FFFFFDB008	0000000000070000
000007FFFFFDB010	000000000006D000
000007FFFFFDB018	0000000000000000
000007FFFFFDB020	0000000000001E00
000007FFFFFDB028	0000000000000000
000007FFFFFDB030	000007FFFFFDB000
000007FFFFFDB038	0000000000000000
000007FFFFFDB040	0000000000000A04
000007FFFFFDB048	0000000000000D08
000007FFFFFDB050	0000000000000000
000007FFFFFDB058	0000000000084840
000007FFFFFDB060	000007FFFFFDD000
000007FFFFFDB068	0000000000000000
000007FFFFFDB070	0000000000000000
000007FFFFFDB078	0000000000000000
grab the address at [ThreadLocalBase+60h], it is qword 000007FFFFFDD000 in the above case

5.
go into Data 1st window and put the address there, so you will see something like:
address			+0  +2  +4  +6   +8  +A  +C  +E		ASCII
000007FFFFFDD000	0000010000000000 FFFFFFFFFFFFFFFF	........yyyyyyyy
000007FFFFFDD010	0000400000000000 A07EFA7800000000	..@.....~x....
000007FFFFFDD020	0000020000000000 0000000000000000	................
000007FFFFFDD030	0000080000000000 E076FA7800000000	........avx....
000007FFFFFDD040	0000000000000000 0000000000000000	................
000007FFFFFDD050	0100000000000000 0000000000000000	................
000007FFFFFDD060	0000000000000000 0000000000000000	................
000007FFFFFDD070	0000000000000000 0049FA7800000000	.........Ix....
000007FFFFFDD080	0100000000000000 0000FE7E00000000	..........?~....
000007FFFFFDD090	0000FE7E00000000 D00CFE7E00000000	..?~....?.?~....
000007FFFFFDD0A0	0000FBFFFF070000 0010FCFFFF070000	..uyy....yy...
000007FFFFFDD0B0	0020FDFFFF070000 0100000070000000	. yy.......p...
000007FFFFFDD0C0	00809B076DE8FFFF 0000100000000000	..meyy.......
000007FFFFFDD0D0	0020000000000000 0000010000000000	. ..............
000007FFFFFDD0E0	0010000000000000 0200000010000000	..............
000007FFFFFDD0F0	6044FA7800000000 0000000000000000	`Dx............
change the value at [address+2] from 1 to 0
then it look like:
address			+0  +2  +4  +6   +8  +A  +C  +E		ASCII
000007FFFFFDD000	0000000000000000 FFFFFFFFFFFFFFFF	........yyyyyyyy
...

6.
go into Log window again and grab the value ThreadStartAddress=...h (it is 0000000000401000 in the above case)

7.
Action -> Execute to (Alt-F9)
put the obtained thread start address there (it is 0000000000401000 in the above sample)

8. this is all, now you are at exe entry point after cheating a00.exe about nonpresence of debugger !




I owe you an explanation of the above steps. For understanding you must do these steps:
Explore -> Imports
select kernel32.dll in the ComboBox, then go to SysListView, scroll some pages down and double click on IsDebuggerPresent
go into Log window and grab the last value, e.g.
IsDebuggerPresent 0000000078D69280
go into Code 1st window and put the value as an address there, you will see something like:
0000000078D69280	65488B042530000000	KERNEL32.IsDebuggerPresent: GS mov rax,[00000030] ; []=000007FFFFFDB000
0000000078D69289	488B4860		mov rcx,[rax+60]
0000000078D6928D	0FB64102		movzx eax,byte [rcx+02]
0000000078D69291	C3			ret 
Now you are perhaps thinking how big problem is to obtain the qword [gs:00000030]
Don't worry about it, it is the ThreadLocalBase= from the Log window!






--------------------------------------------------------------------------------------------------
Too looooong and difficult?
There is a strong weapon in fdbg to do it easier. Just turn on Rambo -> Stop on TLS Callback

If there are more callbacks (a01.exe), do these steps:
After returning from the first callback you are inside ntdll.dll, e.g.
0000000078F1CB67	E9E284FBFF	jmp 0000000078ED504E
Do some steps = press F7 a few times, you do steps like:
0000000078ED504E	48833F00	cmp qword [rdi],00 ; [0000000000402058]=0000000000401040
Last callback ? If no then execute next callback:
0000000078ED5052	0F85DD7A0400	jnz 0000000078F1CB35
Get address of next callback:
0000000078F1CB35	488B1F		mov rbx,[rdi] ; [0000000000402058]=0000000000401040
0000000078F1CB38	4883C708	add rdi,08
0000000078F1CB3C	48897C2438	mov [rsp+38],rdi
0000000078F1CB41	803DC2B3080000	cmp byte [0000000078FA7F0A],00 ; []=00
0000000078F1CB48	7412		jz 0000000078F1CB5C
0000000078F1CB4A	4C8BC3		mov r8,rbx
0000000078F1CB4D	498BD4		mov rdx,r12
0000000078F1CB50	488D0DE96D0600	lea rcx,[0000000078F83940] ; []=6C6143203A52444C
0000000078F1CB57	E8845BFAFF	call 0000000078EC26E0 ; ntdll.DbgPrint
0000000078F1CB5C	4533C0		xor r8d,r8d ; 3rd param dword = 0
0000000078F1CB5F	418BD5		mov edx,r13d ; 2nd param dword = 1
0000000078F1CB62	498BCC		mov rcx,r12 ; 1st param qword = image_base, e.g. 0000000000400000 in our case
; execute the callback !
0000000078F1CB65	FFD3		call rbx
; we have already been at this address:
0000000078F1CB67	E9E284FBFF	jmp 0000000078ED504E
