Crack Sublime Text 3.2.2 Build 3211 and Sublime Text 4 Alpha 4098 with Hex

How to Crack Sublime Text 3.2.2 Build 3211 with Hex Editor (Windows | Without License) ↓

  1. Download & Install Sublime Text 3.2.2 Build 3211
  2. Visit https://hexed.it/
  3. Open File and select sublime_text.exe
  4. Offset 0x8545: Original 84 -> 85
  5. Offset 0x08FF19: Original 75 -> EB
  6. Offset 0x1932C7: Original 75 -> 74 (removes UNREGISTERED from the title bar, so no license is needed)
  7. Export the file and save it to the location you want
  8. Back up the original sublime_text.exe (just rename it)
  9. Copy the modified sublime_text.exe to the Sublime Text 3 directory
  10. Happy Coding :)

How to Crack Sublime Text 4 Alpha 4098 with Hex Editor (Windows | Without License) ↓

  1. Download & Install Sublime Text 4 Alpha 4094
  2. Visit https://hexed.it/
  3. Open File and select sublime_text.exe
  4. Go to address 0000A700 and change 80 38 00 to FE 00 90
  5. Export the file and save it to the location you want
  6. Back up the original sublime_text.exe (just rename it)
  7. Copy the modified sublime_text.exe to the Sublime Text 4 directory (e.g. C:\Program Files\Sublime Text)
  8. Use this License
----- BEGIN LICENSE ----- 
TwitterInc 
200 User License 
EA7E-890007 
1D77F72E 390CDD93 4DCBA022 FAF60790 
61AA12C0 A37081C5 D0316412 4584D136 
94D7F7D4 95BC8C1C 527DA828 560BB037 
D1EDDD8C AE7B379F 50C9D69D B35179EF 
2FE898C4 8E4277A8 555CE714 E1FB0E43 
D5D52613 C3D12E98 BC49967F 7652EED2 
9D2D2E61 67610860 6D338B72 5CF95C69 
E36B85CC 84991F19 7575D828 470A92AB 
------ END LICENSE ------
  9. Happy Coding :)
Blocked by Microsoft Defender SmartScreen -> More Info -> Run Anyway


How to Crack Sublime Text 3 & 4 Alpha 4094 with Hex Editor (Linux & MacOS | With License) ↓

  1. Download & Install Sublime Text 3 or 4
  2. Visit https://hexed.it/
  3. Open File and select sublime_text
    • Linux Location: /opt/sublime_text/sublime_text
    • MacOS Location: /Application/Sublime Text [version].app (Correct Me If I'm Wrong)
  4. Search for 97 94 0D and change it to 00 00 00
  5. Export the file and save it to the location you want
  6. Back up the original sublime_text file (just rename it)
  7. Copy the modified sublime_text to the default Sublime Text directory
  8. Use this License
----- BEGIN LICENSE ----- 
TwitterInc 
200 User License 
EA7E-890007 
1D77F72E 390CDD93 4DCBA022 FAF60790 
61AA12C0 A37081C5 D0316412 4584D136 
94D7F7D4 95BC8C1C 527DA828 560BB037 
D1EDDD8C AE7B379F 50C9D69D B35179EF 
2FE898C4 8E4277A8 555CE714 E1FB0E43 
D5D52613 C3D12E98 BC49967F 7652EED2 
9D2D2E61 67610860 6D338B72 5CF95C69 
E36B85CC 84991F19 7575D828 470A92AB 
------ END LICENSE ------
  9. Happy Coding :)

ghost commented Jan 30, 2023

Fyi that link is 404 ??

github.com/socialfright/subzero i cant get that link to work

@Reelix

Reelix commented Jan 30, 2023

The subzero link originally pointed to https://gist.github.com/maboloshi/url which is why it was broken for some people.

https://github.com/socialfright/subzero works properly.

@Aholicknight

rapidgator.net/file/0e5e5b017ffc7ae94026040432122235/SUBLIME_TEXT_V4.4143_WIN64.7z.html

This version is not only uploaded to a random site that makes you wait 45 seconds to start downloading, but is 520kb, contains sandbox evasion code, is packed with UPX, alters the registry, and contains multiple other dlls and files - Including the actual 110.5kb file which it subsequently runs to appear legitimate.

The user ShaGrAt-LsD also has 0 public gists, and hasn't committed to Github in at least a year, with no activity since they forked 3 repos at the start of last year.

I personally wouldn't trust this random file.

@Reelix I have analyzed the program on triage, and the sandbox scan can be viewed here.

It's packed with ACProtect + UPX,

@ShaGrAt-LsD

rapidgator.net/file/0e5e5b017ffc7ae94026040432122235/SUBLIME_TEXT_V4.4143_WIN64.7z.html

This version is not only uploaded to a random site that makes you wait 45 seconds to start downloading, but is 520kb, contains sandbox evasion code, is packed with UPX, alters the registry, and contains multiple other dlls and files - Including the actual 110.5kb file which it subsequently runs to appear legitimate.
The user ShaGrAt-LsD also has 0 public gists, and hasn't committed to Github in at least a year, with no activity since they forked 3 repos at the start of last year.
I personally wouldn't trust this random file.

@Reelix I have analyzed the program on triage, and the sandbox scan can be viewed here.

It's packed with ACProtect + UPX,

No it's not. It seems it's time to get better tools...

@Aholicknight

Aholicknight commented Feb 19, 2023

rapidgator.net/file/0e5e5b017ffc7ae94026040432122235/SUBLIME_TEXT_V4.4143_WIN64.7z.html

This version is not only uploaded to a random site that makes you wait 45 seconds to start downloading, but is 520kb, contains sandbox evasion code, is packed with UPX, alters the registry, and contains multiple other dlls and files - Including the actual 110.5kb file which it subsequently runs to appear legitimate.
The user ShaGrAt-LsD also has 0 public gists, and hasn't committed to Github in at least a year, with no activity since they forked 3 repos at the start of last year.
I personally wouldn't trust this random file.

@Reelix I have analyzed the program on triage, and the sandbox scan can be viewed here.
It's packed with ACProtect + UPX,

No it's not. It seems it's time to get better tools...


I beg to differ @ShaGrAt-LsD
Virus scan here: https://www.joesandbox.com/analysis/1178886

@o-baka

o-baka commented Apr 24, 2023

License+patched for Linux ARM64:

This disk seems to be unavailable. Can you send me a Linux ARM64 license? It's so hard to find, thanks.

o.baka@hotmail.com

@strotee

strotee commented Aug 2, 2023

Untitled

@fredgolightly

fredgolightly commented Aug 3, 2023

@strotee

Untitled

Hex patches?

@strotee

strotee commented Aug 3, 2023

https://pastebin.com/raw/KywbN0xV
Same instructions for 4152. These work for portable x64, btw.

@jsbryans22

https://pastebin.com/raw/KywbN0xV Same instructions for 4152. These work for portable x64, btw.

Thank you, but for me it is not working. I tried but I cannot find it.. on
image

@strotee

strotee commented Aug 4, 2023

It works. Start with a clean, portable source, when you search in HxD, click on the Hex tab. After you search for & replace the two values, then save the file in HxD and exit and open the file. Click on Help then Enter License, copy/paste the license (altering the [Enter your name] with your name). It's going to attempt to connect so that's why having a firewall (Simplewall) is crucial.

@nopeitsnothing

No it's not. It seems it's time to get better tools...

Sorry, are you actually trying to claim that you accidentally have multiple IoC's, and that it was due to changing some hex bytes?

@jsbryans22

It works. Start with a clean, portable source, when you search in HxD, click on the Hex tab. After you search for & replace the two values, then save the file in HxD and exit and open the file. Click on Help then Enter License, copy/paste the license (altering the [Enter your name] with your name). It's going to attempt to connect so that's why having a firewall (Simplewall) is crucial.

I don't use the portable one.. for a normally installed Sublime, don't you have the solution?

@fredgolightly

In HxD, if I search/find, it finds the strings, but if I Replace, it can't find the second line. Manually typing the code over the string still says unregistered.

@Hazuki-san

Hazuki-san commented Aug 6, 2023

4152 hex (Windows x64/leogx9r's method):
E8 17 FE 20 00 49 8B 96 B8 02 00 00 48 8D 0D 35 0C 00 00 41 B8 98 3A 00 00 E8 FE FD 20 00 4C 89 -> 90 90 90 90 90 49 8B 96 B8 02 00 00 48 8D 0D 35 0C 00 00 41 B8 98 3A 00 00 90 90 90 90 90 4C 89 (Invalidation/Validation Functions)
30 5E C3 E9 66 25 00 00 55 41 57 41 56 41 55 41 -> 30 5E C3 E9 66 25 00 00 48 31 C0 C3 56 41 55 41 (License Validity Checking)
F5 FF 90 48 83 C4 30 5B 5F 5E 41 5E 5D C3 55 56 57 48 83 EC 30 48 8D 6C -> F5 FF 90 48 83 C4 30 5B 5F 5E 41 5E 5D C3 48 31 C0 48 FF C0 C3 48 8D 6C (Server Validation Thread)

After patch just enter anything to license and it should work.

@fredgolightly

F5 FF 90 48 83 C4 30 5B 5F 5E 41 5E 5D C3 55 56 57 48 83 EC 30 48 8D 6C -> F5 FF 90 48 83 C4 30 5B 5F 5E 41 5E 5D C3 55 56 57 48 83 EC 30 48 8D 6C (Server Validation Thread) these are the same values

@Hazuki-san

Hazuki-san commented Aug 7, 2023

@fredgolightly I'm sorry, my copy/paste system probably had some hiccups.

F5 FF 90 48 83 C4 30 5B 5F 5E 41 5E 5D C3 55 56 57 48 83 EC 30 48 8D 6C -> F5 FF 90 48 83 C4 30 5B 5F 5E 41 5E 5D C3 48 31 C0 48 FF C0 C3 48 8D 6C

@dansemal

dansemal commented Aug 9, 2023

https://pastebin.com/raw/KywbN0xV Same instructions for 4152. These work for portable x64, btw.

Thank you, but for me it is not working. I tried but I cannot find it.. on image

this is work for me sublime text 4152 https://github.com/N1ght420/Sublime-Patch

@jsbryans22

https://pastebin.com/raw/KywbN0xV Same instructions for 4152. These work for portable x64, btw.

Thank you, but for me it is not working. I tried but I cannot find it.. on image

this is work for me sublime text 4152 https://github.com/N1ght420/Sublime-Patch

Thank you very much, it worked perfectly
image

@Aholicknight

this is work for me sublime text 4152 https://github.com/N1ght420/Sublime-Patch

It seems like the Pastebin link was deleted. In case this GitHub repo gets deleted, I moved the readme onto this site so it won't get deleted: https://go.0xfc.de/wrcy2j

@Aholicknight


I have also created a patcher from the GitHub repo https://github.com/N1ght420/Sublime-Patch in case you do not know how to use a hex editor. This patcher was created with dUP2, and also includes the setup. The patch.rar archive password is 123

Virustotal for patcher is here

Virustotal for patcher + setup is here

Download: https://www.mirrored.to/files/0LBL9JOI/Sublime_Text_v4152_x64___Patch_0.rar_links

Enjoy!

@Destitute-Streetdwelling-Guttersnipe

@Aholicknight Virustotal result for the patcher looks scary : 44 security vendors and 1 sandbox flagged this file as malicious

@Aholicknight

Aholicknight commented Aug 12, 2023

@Aholicknight Virustotal result for the patcher looks scary : 44 security vendors and 1 sandbox flagged this file as malicious

@Destitute-Streetdwelling-Guttersnipe It shows 44 flags because I created the patcher with dup2, a very popular patcher that scene groups use, which is available here

This patcher also makes no internet connections, does not interact or even open any other files on the computer except the target exe (sublime text).

If you still do not trust me that it's just false positives I also uploaded the patcher on JoeSandbox, which can be seen here: https://www.joesandbox.com/analysis/1290344

@Destitute-Streetdwelling-Guttersnipe

@Aholicknight Virustotal result for the patcher looks scary : 44 security vendors and 1 sandbox flagged this file as malicious

@Destitute-Streetdwelling-Guttersnipe It shows 44 flags because I created the patcher with dup2, a very popular patcher that scene groups use, which is available here

This patcher also makes no internet connections, does not interact with or even open any other files on the computer except the target exe (sublime text).

If you still do not trust me that it's just false positives I also uploaded the patcher on JoeSandbox, which can be seen here: https://www.joesandbox.com/analysis/1290344

@Aholicknight I prefer to patch in web browser (without download or run anything) like this https://destitute-streetdwelling-guttersnipe.github.io/RomPatcher.js/#{"PATCHER":[{"name":"sublime_text_4154","file":"data:;base64,VVBTMQAgboMAIG6D+pUXwPqVF8AybecD"}]}

@strotee

strotee commented Sep 18, 2023


ghost commented Sep 19, 2023

If anyone is on windows or linux, I made a simple patcher in python for 4152 (stable). https://github.com/socialfright/subzerox
Linux is untested.

@strotee

strotee commented Nov 6, 2023

4160 is out and the resolution for its crack is the same as I posted on 9/18.

@xovtar

xovtar commented Nov 8, 2023

I'm working with Ubuntu 22.04.3, and currently every way I have tried to replace the file or put the new one in has failed. Not sure if it's just an Ubuntu thing, or if I just need to crack the lock on the read-only folder where sublime_text is stored, or if there is a different location. (I have even tried changing the permissions of the folder, but it says it's already read-write, yet also tells me it's read-only when I try changing permissions via the terminal.)

@duckimann

@xovtar what about changing user to root and then replacing the file?

@n6333373

n6333373 commented Nov 25, 2023

So for Linux/Windows x64, I have created a Sublime Text 4 plugin which can patch itself.
Tested working on Sublime Text latest stable/dev build: 4168/4169

https://github.com/n6333373/warehouse/raw/main/SelfPatcher.zip

Quick Demo


@Kinjosa

Kinjosa commented Nov 27, 2023

will you have a release for the new update version 4166 linux ?

@janabil

janabil commented Dec 1, 2023

So for Linux/Windows x64, I have created a Sublime Text 4 plugin which can patch itself. Tested working on Sublime Text latest stable/dev build: 4168/4169

https://github.com/n6333373/warehouse/raw/main/SelfPatcher.zip

Quick Demo

thanks Mate works like charm in both linux and windows 11

@Reelix

Reelix commented Dec 1, 2023

If I were people, I'd rather avoid a compiled DLL from someone who created their first repo a week ago and wait for an open-source version.

@Hazuki-san

4169 hex (Windows x64/leogx9r's method):
E8 93 58 20 00 49 8B 96 B8 02 00 00 48 8D 0D 5D 0C 00 00 41 B8 98 3A 00 00 E8 7A 58 20 00 -> 90 90 90 90 90 49 8B 96 B8 02 00 00 48 8D 0D 5D 0C 00 00 41 B8 98 3A 00 00 90 90 90 90 90 (Invalidation/Validation Functions)
E4 24 00 00 55 41 57 41 56 41 55 41 -> E4 24 00 00 48 31 C0 C3 56 41 55 41 (License Validity Checking)
55 56 57 48 83 EC 30 48 8D 6C 24 30 48 C7 45 F8 FE FF FF FF 89 D6 48 89 CF 6A 28 -> 48 31 C0 48 FF C0 C3 48 8D 6C 24 30 48 C7 45 F8 FE FF FF FF 89 D6 48 89 CF 6A 28 (Server Validation Thread)

After patch just enter anything to license and it should work.

@0x337

0x337 commented Dec 2, 2023

4169 hex (Windows x64/leogx9r's method):
E8 93 58 20 00 49 8B 96 B8 02 00 00 48 8D 0D 5D 0C 00 00 41 B8 98 3A 00 00 E8 7A 58 20 00 -> 90 90 90 90 90 49 8B 96 B8 02 00 00 48 8D 0D 5D 0C 00 00 41 B8 98 3A 00 00 90 90 90 90 90 (Invalidation/Validation Functions)
E4 24 00 00 55 41 57 41 56 41 55 41 -> E4 24 00 00 48 31 C0 C3 56 41 55 41 (License Validity Checking)
55 56 57 48 83 EC 30 48 8D 6C 24 30 48 C7 45 F8 FE FF FF FF 89 D6 48 89 CF 6A 28 -> 48 31 C0 48 FF C0 C3 48 8D 6C 24 30 48 C7 45 F8 FE FF FF FF 89 D6 48 89 CF 6A 28 (Server Validation Thread)

After patch just enter anything to license and it should work.

Thanks man, it works perfectly.

@Destitute-Streetdwelling-Guttersnipe

Destitute-Streetdwelling-Guttersnipe commented Dec 7, 2023 via email

@fulicat

fulicat commented Dec 7, 2023

4169 hex (Windows x64/leogx9r's method):
E8 93 58 20 00 49 8B 96 B8 02 00 00 48 8D 0D 5D 0C 00 00 41 B8 98 3A 00 00 E8 7A 58 20 00 -> 90 90 90 90 90 49 8B 96 B8 02 00 00 48 8D 0D 5D 0C 00 00 41 B8 98 3A 00 00 90 90 90 90 90 (Invalidation/Validation Functions)
E4 24 00 00 55 41 57 41 56 41 55 41 -> E4 24 00 00 48 31 C0 C3 56 41 55 41 (License Validity Checking)
55 56 57 48 83 EC 30 48 8D 6C 24 30 48 C7 45 F8 FE FF FF FF 89 D6 48 89 CF 6A 28 -> 48 31 C0 48 FF C0 C3 48 8D 6C 24 30 48 C7 45 F8 FE FF FF FF 89 D6 48 89 CF 6A 28 (Server Validation Thread)

After patch just enter anything to license and it should work.

It works, thx

@vodiylik

vodiylik commented Dec 10, 2023

So for Linux/Windows x64, I have created a Sublime Text 4 plugin which can patch itself. Tested working on Sublime Text latest stable/dev build: 4168/4169

https://github.com/n6333373/warehouse/raw/main/SelfPatcher.zip

Quick Demo

I've installed this plugin, but this menu item is inactive, I can't press it. What do I need to do?

OS: Pop!_OS 20.04

@n6333373

So for Linux/Windows x64, I have created a Sublime Text 4 plugin which can patch itself. Tested working on Sublime Text latest stable/dev build: 4168/4169
https://github.com/n6333373/warehouse/raw/main/SelfPatcher.zip

Quick Demo

I've installed this plugin, but this menu item is inactive, I can't press it. What do I need to do?

OS: Pop!_OS 20.04

One possibility is that the place it should be placed is Menu > Preferences > Browse Packages... rather than the Packages folder which lives beside sublime_text.

@vodiylik

So for Linux/Windows x64, I have created a Sublime Text 4 plugin which can patch itself. Tested working on Sublime Text latest stable/dev build: 4168/4169
https://github.com/n6333373/warehouse/raw/main/SelfPatcher.zip

Quick Demo

I've installed this plugin, but this menu item is inactive, I can't press it. What do I need to do?
OS: Pop!_OS 20.04

One possibility is that the place it should be placed is Menu > Preferences > Browse Packages... rather than the Packages folder which lives beside sublime_text.

Thank you for your answer. But I found a better method:

sudo sed -i 's/\x80\x78\x05\x00\x0f\x94\xc1/\xc6\x40\x05\x01\x48\x85\xc9/g' /opt/sublime_text/sublime_text

@Destitute-Streetdwelling-Guttersnipe

@vodiylik you should also prevent ST from notifying its server about your ST.

@diwasrimal

Do we have something for macOS build 4169?

@defencedog

defencedog commented Dec 14, 2023

So for Linux/Windows x64, I have created a Sublime Text 4 plugin which can patch itself. Tested working on Sublime Text latest stable/dev build: 4168/4169
https://github.com/n6333373/warehouse/raw/main/SelfPatcher.zip

Quick Demo

I've installed this plugin, but this menu item is inactive, I can't press it. What do I need to do?
OS: Pop!_OS 20.04

One possibility is that the place it should be placed is Menu > Preferences > Browse Packages... rather than the Packages folder which lives beside sublime_text.

Success
@pop-os:/opt/sublime_text$ sudo ./sublime_text
while its open in admin mode. Preferences > Browse Packages
Folder will open ...paste SelfPatch folder here.
Navigate back to Sublime. Help > Patch this application
Restart sublime [relaunch normally]

@JavaTryCatchMe

I really hope no one is using that self patcher package. Hopefully @defencedog and @janabil are fake GH accounts (given lack of any real activity / loc) but if not almost certainly screwed as is @vodiylik . The binary uses TBF https://github.com/secretsquirrel/the-backdoor-factory possible to do legit patching with it? Sure. Are there far easier methods that don't use a literal backdoor kit? yes.

@Aholicknight

I really hope no one is using that self patcher package. Hopefully @defencedog and @janabil are fake GH accounts (given lack of any real activity / loc) but if not almost certainly screwed as is @vodiylik . The binary uses TBF github.com/secretsquirrel/the-backdoor-factory possible to do legit patching with it? Sure. Are there far easier methods that don't use a literal backdoor kit? yes.

@JavaTryCatchMe do you have any proof or links you can provide if they have been using TBF?

@defencedog

defencedog commented Apr 7, 2024

@JavaTryCatchMe we are not fakes! Maybe some PC knowledge is required to understand how to apply patch

@t94xr

t94xr commented Apr 7, 2024

The patch is legit, I've used it on Linux and Windows and it works.

@JavaTryCatchMe

@JavaTryCatchMe we are not fakes! Maybe some PC knowledge is required to understand how to apply patch

The patch is legit, I've used it on Linux and Windows and it works.

It is not hard to apply the patch. I am not even saying it doesn't work. Plenty of malware disguises itself as something legitimate and may even do that legitimate thing (or in this case the act of cracking the application). Plenty also does not do anything suspect for some period of time, or even for most users, only phoning home with some basic information and waiting to see if it should do something else or run something truly malicious.

What I am saying is you are running closed source binary executable code in full trust situations on your system from a stranger. I am saying that the binary itself has code in it from "The Backdoor Factory" linked above, that is a toolkit primarily used for remote code execution and root kits.

It is not impossible that code is used in a non-nefarious way but there are also plenty of ways not to use it.

If (hopefully) one's suspicion level of random strangers' binaries is 8/10 by default, and then that binary has ties with a known backdoor, maybe think twice about running it...

@n6333373

n6333373 commented Apr 8, 2024

@JavaTryCatchMe

I am the author of SelfPatcher. Please do share the proof you've found that my patcher uses TBF github.com/secretsquirrel/the-backdoor-factory. That would be interesting.

The only 3rd-party lib I used is https://github.com/secretsquirrel/SigThief, whose code is fairly short and I believe it doesn't use TBF. I believe I don't use TBF, for sure. The only thing left is https://github.com/Nuitka/Nuitka, which I used to compile my module into .pyd/.so files. I don't believe it uses TBF, for sure (otherwise, big news).


Fwiw, people are less active here. https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47 is much more active. Actually, SelfPatcher is open-source to some of trusted cracker there, but you don't have to believe me.

@JavaTryCatchMe

First, sorry @Aholicknight, I missed your initial comment requesting what I found related to TBF. I saw the defencedog notification and the reply after that, and didn't scroll back far enough.

@n6333373 if I made a mistake, and after spending some more time in IDA it is likely so, I apologize. After being pointed to the plugin I noticed the binary distribution, which was a bit odd, rather than just the dependencies/tools. I spent about 10 minutes looking for anything horrific originally. Its involving compiled Python always adds a layer of abstraction. There wasn't anything obvious. There were no obvious network imports, but these things can be hidden.

Only a spurious comment about code from BDF.

image

This paired with the one obvious link as well in the code of "https://github.com/sponsors/secretsquirrel" which first and foremost talks about their primary project of the Back Door Factory and malware related topics.

Again this was a dozen minutes reviewing a suspect random binary in an area where things can often be fraught with malicious code. It wasn't run, there was no deep analysis.

So of course with the comments I went back and took some more time.

As I see it now:

  • After running the extension sandboxed and reviewing the changes made to the assembly of the main executable, there are almost certainly no malicious changes made.

  • The references I found, while they existed, clearly were not from the BDF library but the SigThief library @n6333373 mentioned. Specifically https://github.com/secretsquirrel/SigThief/blob/ffb501bcd86acd439e4458a33e9fc5ebed4b59a8/sigthief.py#L14 . SigThief doesn't do anything malicious, only transfers signatures between PEBs, and is not used in a malicious way here.

  • There are no other signs of anything malicious, network connections, etc. This isn't a full breakdown but again with a deeper dive than a glancing pass. Can things hide through something like this? Sure but is it likely here? no. I will note I only looked at the windows binary and not the linux library.

As I said at the top and will say it again now, I was almost certainly wrong. @n6333373 is quite believable and I am sorry for the hasty conclusions I initially made.
