Skip to content

Instantly share code, notes, and snippets.

@JerryLokjianming
Last active December 4, 2024 13:30
Show Gist options
  • Save JerryLokjianming/71dac05f27f8c96ad1c8941b88030451 to your computer and use it in GitHub Desktop.
Save JerryLokjianming/71dac05f27f8c96ad1c8941b88030451 to your computer and use it in GitHub Desktop.
Crack Sublime Text 3.2.2 Build 3211 and Sublime Text 4 Alpha 4098 with Hex

How to Crack Sublime Text 3.2.2 Build 3211 with Hex Editor (Windows | Without License) ↓

  1. Download & Install Sublime Text 3.2.2 Build 3211
  2. Visit https://hexed.it/
  3. Open file select sublime_text.exe
  4. Offset 0x8545: Original 84 -> 85
  5. Offset 0x08FF19: Original 75 -> EB
  6. Offset 0x1932C7: Original 75 -> 74 (remove UNREGISTERED in title bar, so no need to use a license)
  7. Export File and save it to location you want
  8. Backup sublime_text.exe file (just rename)
  9. Copy sublime_text.exe modified to directory Sublime Text 3
  10. Happy Coding :)
Screenshot

Screenshot


How to Crack Sublime Text 4 Alpha 4098 with Hex Editor (Windows | Without License) ↓

  1. Download & Install Sublime Text 4 Alpha 4094
  2. Visit https://hexed.it/
  3. Open file select sublime_text.exe
  4. Go to Address: 0000A700 change 80 38 00 to FE 00 90
  5. Export File and save it to location you want
  6. Backup sublime_text.exe file (just rename)
  7. Copy sublime_text.exe modified to directory Sublime Text 4 (i.e C:\Program Files\Sublime Text)
  8. Use this License
----- BEGIN LICENSE ----- 
TwitterInc 
200 User License 
EA7E-890007 
1D77F72E 390CDD93 4DCBA022 FAF60790 
61AA12C0 A37081C5 D0316412 4584D136 
94D7F7D4 95BC8C1C 527DA828 560BB037 
D1EDDD8C AE7B379F 50C9D69D B35179EF 
2FE898C4 8E4277A8 555CE714 E1FB0E43 
D5D52613 C3D12E98 BC49967F 7652EED2 
9D2D2E61 67610860 6D338B72 5CF95C69 
E36B85CC 84991F19 7575D828 470A92AB 
------ END LICENSE ------
  1. Happy Coding :)
Screenshot

Screenshot


Blocked by Microsoft Defender SmartScreen -> More Info -> Run Anyway

Screenshot

Screenshot

Screenshot


How to Crack Sublime Text 3 & 4 Alpha 4094 with Hex Editor (Linux & MacOS | With License) ↓

  1. Download & Install Sublime Text 3 or 4
  2. Visit https://hexed.it/
  3. Open file select sublime_text
    • Linux Location: /opt/sublime_text/sublime_text
    • MacOS Location: /Application/Sublime Text [version].app (Correct Me If I'm Wrong)
  4. Search 97 94 0D and Change to 00 00 00
  5. Export File and save it to location you want
  6. Backup sublime_text file (just rename)
  7. Copy sublime_text modified to default directory Sublime Text
  8. Use this License
----- BEGIN LICENSE ----- 
TwitterInc 
200 User License 
EA7E-890007 
1D77F72E 390CDD93 4DCBA022 FAF60790 
61AA12C0 A37081C5 D0316412 4584D136 
94D7F7D4 95BC8C1C 527DA828 560BB037 
D1EDDD8C AE7B379F 50C9D69D B35179EF 
2FE898C4 8E4277A8 555CE714 E1FB0E43 
D5D52613 C3D12E98 BC49967F 7652EED2 
9D2D2E61 67610860 6D338B72 5CF95C69 
E36B85CC 84991F19 7575D828 470A92AB 
------ END LICENSE ------
  1. Happy Coding :)
Screenshot

Screenshot


@Destitute-Streetdwelling-Guttersnipe

@vodiylik you should also prevent ST from notifying its server about your ST.

@diwasrimal
Copy link

Do we have something for macOS build 4169?

@defencedog
Copy link

defencedog commented Dec 14, 2023

So for Linux/Windows x64, I have created a Sublime Text 4 plugin which can patch itself. Tested working on Sublime Text latest stable/dev build: 4168/4169
https://github.com/n6333373/warehouse/raw/main/SelfPatcher.zip

Quick Demo

I've installed this plugin, but this menu item is inactive, I ca'nt press. What I need to do?
OS: Pop!_OS 20.04

One possibility is that it the place it should be placed is Menu > Preferences > Browse Packages... rather than the Packages folder which lives aside sublime_text.

Success
@pop-os:/opt/sublime_text$ sudo ./sublime_text
while its open in admin mode. Preferences > Browse Packages
Folder will open ...paste SelfPatch folder here.
Navigate back to Sublime. Help > Patch this application
Restart sublime [relaunch normally]

@JavaTryCatchMe
Copy link

I really hope no one is using that self patcher package. Hopefully @defencedog and @janabil are fake GH accounts (given lack of any real activity / loc) but if not almost certainly screwed as is @vodiylik . The binary uses TBF https://github.com/secretsquirrel/the-backdoor-factory possible to do legit patching with it? Sure. Are there far easier methods that don't use a literal backdoor kit? yes.

@Aholicknight
Copy link

I really hope no one is using that self patcher package. Hopefully @defencedog and @janabil are fake GH accounts (given lack of any real activity / loc) but if not almost certainly screwed as is @vodiylik . The binary uses TBF github.com/secretsquirrel/the-backdoor-factory possible to do legit patching with it? Sure. Are there far easier methods that don't use a literal backdoor kit? yes.

@JavaTryCatchMe do you have any proof or links you can provide if they have been using TBF?

@defencedog
Copy link

defencedog commented Apr 7, 2024

@JavaTryCatchMe we are not fakes! Maybe some PC knowledge is required to understand how to apply patch

@t94xr
Copy link

t94xr commented Apr 7, 2024

The patch is legit, I've used it on Linux and Windows and it works.

@JavaTryCatchMe
Copy link

@JavaTryCatchMe we are not fakes! Maybe some PC knowledge is required to understand how to apply patch

The patch is legit, I've used it on Linux and Windows and it works.

it is not hard to apply the patch. I am not even saying it doesn't work. Plenty of malware disguises itself as something legitimate and may even do that legitimate thing (or in this case the act of cracking the application). Plenty also does not do anything suspect for some period of time, or even for most users only phoning home with some basic information and to wait to see if it should do something else or run something truly malicious.

What I am saying is you are running closed source binary executable code in full trust situations on your system from a stranger. I am saying that the binary itself has code in it from "The Backdoor Factory" linked above, that is a toolkit primarily used for remote code execution and root kits.

It is not impossible that code is used in a non-nefarious way but there are also plenty of ways not to use it.

If (hopefully) ones suspect level of random strangers binaries is a 8/10 by default and then that binary has ties with a known backdoor maybe think twice about running it...

@n6333373
Copy link

n6333373 commented Apr 8, 2024

@JavaTryCatchMe

I am the author of SelfPatcher. Please do share the proof you've found that my patcher uses TBF github.com/secretsquirrel/the-backdoor-factory. That would be interesting.

The only 3rd-party lib I used is https://github.com/secretsquirrel/SigThief whose code is fairly short and I believe it doesn't use TBF. I believe I don't I use TBF for sure. The only thing left is https://github.com/Nuitka/Nuitka which I used to compile my module into .pyd/.so files. I don't believe it uses TBF for sure (otherwise, a big news).


Fwiw, people are less active here. https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47 is much more active. Actually, SelfPatcher is open-source to some of trusted cracker there, but you don't have to believe me.

@JavaTryCatchMe
Copy link

First, sorry @Aholicknight sorry I missed your initial comment requesting what I found related to TBF. I saw the defencedog notification and the reply after that, and didn't scroll back far enough.

@n6333373 if I made a mistake, and spending some more time in IDA it is likely so, I apologize. After being pointed to the plugin I noticed the binary distribution which was a bit odd, rather than just the dependencies/tools. I spent about 10 minutes looking for anything horrific originally. It involving compiled python always adds a layer of abstraction. There wasn't anything obvious. There were no obvious network imports but these things can be hidden.

Only a spurious comment about code from BDF.

image

This paired with the one obvious link as well in the code of "https://github.com/sponsors/secretsquirrel" which first and foremost talks about their primary project of the Back Door Factory and malware related topics.

Again this was a dozen minutes reviewing a suspect random binary in an area where things can often be fraught with malicious code. It wasn't run, there was no deep analysis.

So of course with the comments I went back and took some more time.

As I see it now now:

  • After running the extension sandboxed and reviewing the changes made to the assembly on the main executable there is almost certainly no malicious changes made.

  • The references I found, while existed, clearly were not from the BDF library but the SigThief library @n6333373 mentioned. Specifically https://github.com/secretsquirrel/SigThief/blob/ffb501bcd86acd439e4458a33e9fc5ebed4b59a8/sigthief.py#L14 . SigTheif doesn't do anything malicious only transfer signatures between PEBs and is not used in a malicious way here.

  • There are no other signs of anything malicious, network connections, etc. This isn't a full breakdown but again with a deeper dive than a glancing pass. Can things hide through something like this? Sure but is it likely here? no. I will note I only looked at the windows binary and not the linux library.

As I said at the top and will say it again now, I was almost certainly wrong. @n6333373 is quite believable and I am sorry for the hasty conclusions I initially made.

@iblissstudent
Copy link

4169 hex (Windows x64/leogx9r's method): E8 93 58 20 00 49 8B 96 B8 02 00 00 48 8D 0D 5D 0C 00 00 41 B8 98 3A 00 00 E8 7A 58 20 00 -> 90 90 90 90 90 49 8B 96 B8 02 00 00 48 8D 0D 5D 0C 00 00 41 B8 98 3A 00 00 90 90 90 90 90 (Invalidation/Validation Functions) E4 24 00 00 55 41 57 41 56 41 55 41 -> E4 24 00 00 48 31 C0 C3 56 41 55 41 (License Validity Checking) 55 56 57 48 83 EC 30 48 8D 6C 24 30 48 C7 45 F8 FE FF FF FF 89 D6 48 89 CF 6A 28 -> 48 31 C0 48 FF C0 C3 48 8D 6C 24 30 48 C7 45 F8 FE FF FF FF 89 D6 48 89 CF 6A 28 (Server Validation Thread)

After patch just enter anything to license and it should work.

Thank you so much!!!!

@scryptio
Copy link

@n6333373
fun fact, you could simply provide the source to make it more trusted. If it's using posted methods and just automates it, no reason not to. We are on github already.

@n6333373
Copy link

n6333373 commented Apr 23, 2024

@n6333373
fun fact, you could simply provide the source to make it more trusted. If it's using posted methods and just automates it, no reason not to. We are on github already.

Well. I don't care whether you trust it or not. Make your decision. Or buy a license = 100% safe. I have a legit license seriously. I do this for fun.

@n6333373
Copy link

Fwiw, people are less active here. maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47 is much more active. Actually, SelfPatcher is open-source to some of trusted cracker there, but you don't have to believe me.

I also provided discussion link there. If you don't trust it, do patch by yourself manually.

@Destitute-Streetdwelling-Guttersnipe
Copy link

@Fireshtorm1k
Copy link

I found a very simple way. We have 2 byte value at 00007FF77C7D9144 (in build 4180). This value is set when the program is started to 0 by the instruction:

and word ptr [00007FF77C7D9144], 0

Since the instruction is eight-byte, and I do not want to rebase the program, we replace it with an eight-byte instruction:

or word ptr [00007FF77C7D9144], 0FFFFh

When this value compares with 0 (instruction 00007FF77C0841CF), zf flag doesnt sets to 1, and we have licensed program.

image
image

@strotee
Copy link

strotee commented Aug 8, 2024

Found elsewhere but it works on Win64. Make sure to run a firewall & prevent from accessing web.

4180: 80 79 05 00 0F 94 C2 -> C6 41 05 01 B2 00 90

@naml3i
Copy link

naml3i commented Aug 8, 2024

This works for most of the Sublime Text 4.X x64 (Including 4107) - block the license check via host or patch it out of EXE

RSA Key Patch (allows any key in right format to work)

Search for ...
4157415656575553B828210000
Replace with ...
33C0FEC0C3575553B828210000

Disable License Check (You can do this via hosts file if you rather)

Search for...
6C6963656E73652E7375626C696D6568712E636F6D
Replace with ...
7375626C696D6568712E6C6F63616C686F73740000

You can now use any license basically that follows the same syntax/format/key.

-- BEGIN LICENSE --
Generic Name
Unlimited User License
EA7E-81044230
0C0CD4A8 CAA317D9 CCABD1AC 434C984C
7E4A0B13 77893C3E DD0A5BA1 B2EB721C
4BAAB4C4 9B96437D 14EB743E 7DB55D9C
7CA26EE2 67C3B4EC 29B2C65A 88D90C59
CB6CCBA5 7DE6177B C02C2826 8C9A21B0
6AB1A5B6 20B09EA2 01C979BD 29670B19
92DC6D90 6E365849 4AB84739 5B4C3EA1
048CC1D0 9748ED54 CAC9D585 90CAD815
-- END LICENSE --```

so this has always been my go-to pair of hex strings to edit since the 4.x age, but since yesterday it's doesn't work anymore with 4180 (string not found)

@directentis1
Copy link

It's also works for Linux too, btw 😮

Found elsewhere but it works on Win64. Make sure to run a firewall & prevent from accessing web.

4180: 80 79 05 00 0F 94 C2 -> C6 41 05 01 B2 00 90

@Destitute-Streetdwelling-Guttersnipe
Copy link

@WeeGerGai
Copy link

Found elsewhere but it works on Win64. Make sure to run a firewall & prevent from accessing web.

4180: 80 79 05 00 0F 94 C2 -> C6 41 05 01 B2 00 90

Ditto this. Works on Arch after hexed and chmod.

@Destitute-Streetdwelling-Guttersnipe

Click To Download Crack Sublime Text Windows and Linux.md

This link to corlubar . com looks suspicious.
You could be infected with malware when visiting it.
It's safer to stay on gist.github.com

@directentis1
Copy link

Click To Download Crack Sublime Text Windows and Linux.md

This link to corlubar . com looks suspicious. You could be infected with malware when visiting it. It's safer to stay on gist.github.com

It is... Some kind of scam (advertise spam).
https://www.virustotal.com/gui/url/c7fb2551bbac3b03f79a2630786c883b560957dbc9b13c5f73cd451e9e607acb/details

@Hazuki-san
Copy link

Hazuki-san commented Aug 13, 2024

4180 hex (Windows x64/leogx9r's method):
48 8B 96 B0 02 00 00 48 8D 0D 4A 06 00 00 41 B8 88 13 00 00 E8 11 D0 1A 00 48 8B 96 B0 02 00 00 48 8D 0D BB 07 00 00 41 B8 98 3A 00 00 E8 F8 CF 1A 00 -> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 (Invalidation/Validation Functions)
41 57 41 56 41 54 56 57 53 48 81 EC E8 03 -> C3 57 41 56 41 54 56 57 53 48 81 EC E8 03 (License Notify Thread)
20 C8 C3 41 57 41 56 -> 20 C8 C3 48 31 C0 C3 (License Validity Checking)
5F C3 56 57 53 48 83 EC 20 89 D6 -> 5F C3 48 31 C0 48 FF C0 C3 89 D6 (Server Validation Thread)

There was no crash reporter code found in this version.
After patch just enter anything to license and it should work.

Also available here

@Woolfy025
Copy link

Thanks! Worked great on my Linux machine.

It's also works for Linux too, btw 😮

Found elsewhere but it works on Win64. Make sure to run a firewall & prevent from accessing web.
4180: 80 79 05 00 0F 94 C2 -> C6 41 05 01 B2 00 90

@sanchit0160
Copy link

I found a very simple way. We have 2 byte value at 00007FF77C7D9144 (in build 4180). This value is set when the program is started to 0 by the instruction:

and word ptr [00007FF77C7D9144], 0

Since the instruction is eight-byte, and I do not want to rebase the program, we replace it with an eight-byte instruction:

or word ptr [00007FF77C7D9144], 0FFFFh

When this value compares with 0 (instruction 00007FF77C0841CF), zf flag doesnt sets to 1, and we have licensed program.

image image

Wow perfect, thanks it worked!!!
how did you arrive at this conclusion??

@Fireshtorm1k
Copy link

Fireshtorm1k commented Aug 19, 2024

I found a very simple way. We have 2 byte value at 00007FF77C7D9144 (in build 4180). This value is set when the program is started to 0 by the instruction:

and word ptr [00007FF77C7D9144], 0

Since the instruction is eight-byte, and I do not want to rebase the program, we replace it with an eight-byte instruction:

or word ptr [00007FF77C7D9144], 0FFFFh

When this value compares with 0 (instruction 00007FF77C0841CF), zf flag doesnt sets to 1, and we have licensed program.
image image

Wow perfect, thanks it worked!!! how did you arrive at this conclusion??

Ida pro, and some debugging. I'm very glad that I helped someone at least

@sanchit0160
Copy link

I found a very simple way. We have 2 byte value at 00007FF77C7D9144 (in build 4180). This value is set when the program is started to 0 by the instruction:

and word ptr [00007FF77C7D9144], 0

Since the instruction is eight-byte, and I do not want to rebase the program, we replace it with an eight-byte instruction:

or word ptr [00007FF77C7D9144], 0FFFFh

When this value compares with 0 (instruction 00007FF77C0841CF), zf flag doesnt sets to 1, and we have licensed program.
image image

Wow perfect, thanks it worked!!! how did you arrive at this conclusion??

Ida pro, and some debugging. I'm very glad that I helped someone at least

Ohhh,
thank you again, brother. Respect++

@dakowd
Copy link

dakowd commented Sep 19, 2024

Found elsewhere but it works on Win64. Make sure to run a firewall & prevent from accessing web.

4180: 80 79 05 00 0F 94 C2 -> C6 41 05 01 B2 00 90

It works perfectly—thank you!

@vodiylik
Copy link

Does anyone have a patching method for Build 4180 Linux?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment