Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Crack Sublime Text and Sublime Merge

How to Crack Sublime Text Build 4114

Thanks to @leogx9r for providing cracking methods.

https://gist.github.com/JerryLokjianming/71dac05f27f8c96ad1c8941b88030451#gistcomment-3762200 https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47#gistcomment-3802197 https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47#gistcomment-3803204

Note: ARM platform is not supported

Win64 ↓

Desciption Offset Original Patched
Initial License Check 0x000A668C 55 41 57 41 48 31 C0 C3
Persistent License Check 1 0x0000716A E8 89 5A 20 00 90 90 90 90 90
Persistent License Check 2 0x00007183 E8 70 5A 20 00 90 90 90 90 90
Disable Server Validation Thread 0x000A81B5 55 56 57 48 83 EC 30 48 31 C0 48 FF C0 C3
Disable License Notify Thread 0x000A6287 55 C3
Disable Crash Reporter 0x00000400 41 C3
Bat Script
:: for Win64
cd /d "C:\Program Files\Sublime Text" || exit
echo|set /p="2E3BBF78ED585983D04AD2C1CF123924  sublime_text.exe" >nul 2>&1 | md5sum -c - || exit
printf '\x48\x31\xC0\xC3'                 | dd.exe of=sublime_text.exe bs=1 seek=681612 conv=notrunc
printf '\x90\x90\x90\x90\x90'             | dd.exe of=sublime_text.exe bs=1 seek=29034  conv=notrunc
printf '\x90\x90\x90\x90\x90'             | dd.exe of=sublime_text.exe bs=1 seek=29059  conv=notrunc
printf '\x48\x31\xC0\x48\xFF\xC0\xC3'     | dd.exe of=sublime_text.exe bs=1 seek=688565 conv=notrunc
printf '\xC3'                             | dd.exe of=sublime_text.exe bs=1 seek=680583 conv=notrunc
printf '\xC3'                             | dd.exe of=sublime_text.exe bs=1 seek=1024   conv=notrunc

PS:Command Line Tools for Windows 64 extracted from PortableGit

The license can be any string.

Blocked by Microsoft Defender SmartScreen -> More Info -> Run Anyway

Screenshot

Screenshot

Screenshot

Linux ↓

Desciption Offset Original Patched
Initial License Check 0x0037BAD4 55 41 57 41 48 31 C0 C3
Persistent License Check 1 0x00371F95 E8 26 5D 1B 00 90 90 90 90 90
Persistent License Check 2 0x00371FB0 E8 0B 5D 1B 00 90 90 90 90 90
Disable Server Validation Thread 0x0037D531 55 41 56 53 41 89 F6 48 31 C0 48 FF C0 C3
Disable License Notify Thread 0x0037B79A 41 C3
Disable Crash Reporter 0x003655E0 55 C3
Bash Script
# for Linux
cd /opt/sublime_text || exit
md5sum -c <<<"CA6BA5AC190184B20A02A0B0B380D83A  sublime_text" > /dev/null 2>&1 || exit
printf '\x48\x31\xC0\xC3'                 | dd of=sublime_text bs=1 seek=$((0x0037BAD4)) conv=notrunc
printf '\x90\x90\x90\x90\x90'             | dd of=sublime_text bs=1 seek=$((0x00371F95)) conv=notrunc
printf '\x90\x90\x90\x90\x90'             | dd of=sublime_text bs=1 seek=$((0x00371FB0)) conv=notrunc
printf '\x48\x31\xC0\x48\xFF\xC0\xC3'     | dd of=sublime_text bs=1 seek=$((0x0037D531)) conv=notrunc
printf '\xC3'                             | dd of=sublime_text bs=1 seek=$((0x0037B79A)) conv=notrunc
printf '\xC3'                             | dd of=sublime_text bs=1 seek=$((0x003655E0)) conv=notrunc

macOS ↓

Desciption Offset Original Patched
Initial License Check 0x000926B4 55 48 89 E5 48 31 C0 C3
Persistent License Check 1 0x0000897E E8 DF 16 12 00 90 90 90 90 90
Persistent License Check 2 0x0000899D E8 C0 16 12 00 90 90 90 90 90
Disable Server Validation Thread 0x000939AF 55 48 89 E5 41 57 41 48 31 C0 48 FF C0 C3
Disable License Notify Thread 0x000922D2 55 C3
Disable Crash Reporter 0x00002AE7 55 C3
Bash Script
# for MacOS
cd "/Applications/Sublime Text.app/Contents/MacOS/" || exit
[ $(md5 -q sublime_text) = 4F204E9D4E466D4A628F448D07009189 ] || exit
printf '\x48\x31\xC0\xC3'                 | dd of=sublime_text bs=1 seek=$((0x000926B4)) conv=notrunc
printf '\x90\x90\x90\x90\x90'             | dd of=sublime_text bs=1 seek=$((0x0000897E)) conv=notrunc
printf '\x90\x90\x90\x90\x90'             | dd of=sublime_text bs=1 seek=$((0x0000899D)) conv=notrunc
printf '\x48\x31\xC0\x48\xFF\xC0\xC3'     | dd of=sublime_text bs=1 seek=$((0x000939AF)) conv=notrunc
printf '\xC3'                             | dd of=sublime_text bs=1 seek=$((0x000922D2)) conv=notrunc
printf '\xC3'                             | dd of=sublime_text bs=1 seek=$((0x00002AE7)) conv=notrunc

How to Crack Sublime Merge Build 2059

Thanks to @leogx9r for providing cracking methods.

https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47#gistcomment-3823090 https://gist.github.com/JerryLokjianming/71dac05f27f8c96ad1c8941b88030451#gistcomment-3762883 https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47#gistcomment-3802197

Note: ARM platform is not supported

Win64 ↓

Desciption Offset Original Patched
Initial License Check 0x00023778 55 41 57 41 56 41 55 41 48 C7 C0 19 01 00 00 C3
Persistent License Check 1 0x000261FB E8 8C 28 26 00 90 90 90 90 90
Persistent License Check 2 0x00026214 E8 73 28 26 00 90 90 90 90 90
Disable Server Validation Thread 0x00024BD3 55 56 57 48 83 EC 30 48 31 C0 48 FF C0 C3
Disable License Notify Thread 0x000233CB 55 C3
Disable Crash Reporter 0x00020C68 41 C3
Bat Script
:: for Win64
cd /d "C:\Program Files\Sublime Merge" || exit
echo|set /p="29A9F8BBF4F4958CBF5E46922487681D  sublime_merge.exe" >nul 2>&1 | md5sum -c - || exit
printf '\x48\xC7\xC0\x19\x01\x00\x00\xC3' | dd of=sublime_merge.exe bs=1 seek=145272 conv=notrunc
printf '\x90\x90\x90\x90\x90'             | dd of=sublime_merge.exe bs=1 seek=156155 conv=notrunc
printf '\x90\x90\x90\x90\x90'             | dd of=sublime_merge.exe bs=1 seek=156180 conv=notrunc
printf '\x48\x31\xC0\x48\xFF\xC0\xC3'     | dd of=sublime_merge.exe bs=1 seek=150483 conv=notrunc
printf '\xC3'                             | dd of=sublime_merge.exe bs=1 seek=144331 conv=notrunc
printf '\xC3'                             | dd of=sublime_merge.exe bs=1 seek=134248 conv=notrunc

PS:Command Line Tools for Windows 64 extracted from PortableGit

Linux ↓

Desciption Offset Original Patched
Initial License Check 0x003A5400 55 41 57 41 56 41 55 41 48 C7 C0 19 01 00 00 C3
Persistent License Check 1 0x003A7EC9 E8 7C F3 1B 00 90 90 90 90 90
Persistent License Check 2 0x003A7EE4 E8 61 F3 1B 00 90 90 90 90 90
Disable Server Validation Thread 0x003A67FE 55 41 56 53 41 89 F6 48 31 C0 48 FF C0 C3
Disable License Notify Thread 0x003A514E 41 C3
Disable Crash Reporter 0x003A40D2 55 C3
Bash Script
# for Linux
cd /opt/sublime_merge || exit
md5sum -c <<<"43E900A19926409EDF6BD8BA8709C633  sublime_merge" > /dev/null 2>&1 || exit
printf '\x48\xC7\xC0\x19\x01\x00\x00\xC3' | dd of=sublime_merge bs=1 seek=$((0x003A5400)) conv=notrunc
printf '\x90\x90\x90\x90\x90'             | dd of=sublime_merge bs=1 seek=$((0x003A7EC9)) conv=notrunc
printf '\x90\x90\x90\x90\x90'             | dd of=sublime_merge bs=1 seek=$((0x003A7EE4)) conv=notrunc
printf '\x48\x31\xC0\x48\xFF\xC0\xC3'     | dd of=sublime_merge bs=1 seek=$((0x003A67FE)) conv=notrunc
printf '\xC3'                             | dd of=sublime_merge bs=1 seek=$((0x003A514E)) conv=notrunc
printf '\xC3'                             | dd of=sublime_merge bs=1 seek=$((0x003A40D2)) conv=notrunc

macOS ↓

Desciption Offset Original Patched
Initial License Check 0x000261BB 55 48 89 E5 41 57 41 56 48 C7 C0 19 01 00 00 C3
Persistent License Check 1 0x00027F74 E8 62 13 22 00 90 90 90 90 90
Persistent License Check 2 0x00027F93 E8 43 13 22 00 90 90 90 90 90
Disable Server Validation Thread 0x00026E43 55 48 89 E5 41 57 41 48 31 C0 48 FF C0 C3
Disable License Notify Thread 0x00025E76 55 C3
Disable Crash Reporter 0x000248ED 55 C3
Bash Script
# for MacOS
cd "/Applications/Sublime Merge.app/Contents/MacOS/" || exit
[ $(md5 -q sublime_merge) = C38FF301DDCA0E2E8F84E76F6E25CA4B ] || exit
printf '\x48\xC7\xC0\x19\x01\x00\x00\xC3' | dd of=sublime_merge bs=1 seek=$((0x000261BB)) conv=notrunc
printf '\x90\x90\x90\x90\x90'             | dd of=sublime_merge bs=1 seek=$((0x00027F74)) conv=notrunc
printf '\x90\x90\x90\x90\x90'             | dd of=sublime_merge bs=1 seek=$((0x00027F93)) conv=notrunc
printf '\x48\x31\xC0\x48\xFF\xC0\xC3'     | dd of=sublime_merge bs=1 seek=$((0x00026E43)) conv=notrunc
printf '\xC3'                             | dd of=sublime_merge bs=1 seek=$((0x00025E76)) conv=notrunc
printf '\xC3'                             | dd of=sublime_merge bs=1 seek=$((0x000248ED)) conv=notrunc

Sublime Text & Sublime Merge cracked by TNT ( macOS | Without License) ↓

You can check and download the latest version from here (please note that not all versions are corresponding to the cracked version)

DISABLE SYSTEM INTERGRITY PROTECTION (SIP)

sudo spctl --master-disable

DISABLE GATEKEEPER

Enable Allow apps downloaded from “Anywhere” in Security & Privacy

disable-gatekeeper

@ohmybahgosh

This comment has been minimized.

Copy link

@ohmybahgosh ohmybahgosh commented May 4, 2021

DEBIAN (LINUX DUH) AUTO-PATCH SCRIPT

MAKE SURE TO BLOCK SUBL DOMAINS VIA HOSTS BEFORE REGISTERING

Here's a quick and shitty script to patch the file on debian..
FOR USE WITH SUBLIME TEXT & DEBIAN DISTROS..
Feel free modify to make it work however...it's an overly engineered solution to make it easier for peepz

Raw PastBin you can curl/wget or w/e:
https://pastebin.com/raw/aPjNpevq

The Script:
######################################################
##Quick And Dirty Way To Register Sublime Text V3#####
##MEANT FOR USE WITH DEBIAN ONLY BECAUSE I'M SELFISH##
#########Horribly Scripted By Ohmybahgosh#############
######################################################
###Let's Begin...#####################################
######################################################

#!/bin/bash

##Make Sure We're Running This ONLY on a Debian Setup##
DEBIANCHECKER=/etc/debian_version
if test -f "$DEBIANCHECKER"; then
	echo "Cool...You're on a Debian Distro"
	sleep 3s
else
	echo "MEANT FOR DEBIAN ONLY.."
	echo "If You're Brave, Just Comment out this shitty checker.."
	read -n 1 -s -r -p "Press any key to exit"
	clear && exit 1
fi

##Ugly Ass Dependency Checker..
##Makes A Temporary Txt File With The List Of Required, Basic Ass Tools
##(sed Is The Tool We'll Use For Applying The Hex Patch)##
echo "sed" >> ./PACKAGES_NEEDED.txt
##(Zenity provides a simple GUI dialog for bash)##
echo "zenity" >> ./PACKAGES_NEEDED.txt
##(xClip is what will copy the registration key for your lazy ass)##
echo "xclip" >> ./PACKAGES_NEEDED.txt

##Clear Terminal of Junk & Begin Checking/Installing Basic Shit You Really Should of Had Already##
clear

##Loops thru the needed packages to see if they are installed via apt-mark showinstall##
for line in $(cat ./PACKAGES_NEEDED.txt); do
	PKG_CHECK=$(apt-mark showinstall $line | grep "^$line$")
	if [ -z "$PKG_CHECK" ]; then
		echo "Ruh Roh!  $line is NOT installed.."
		read -p "Reply 'Y' to  Install $line or 'N' to EXIT this script..." answer
		if [[ $answer =~ ^[Yy]$ ]]; then
				clear
			   	echo "Calling on APT to install $line"
	       		sudo apt-get install $line
		else
	       		clear
	       		echo $line "is NOT installed, but is Required For This Script"
	       		echo "Please either manually install $line"
	       		echo "or.."
	       		echo "Re-run this script and type Y when promted to install $line"
	       		echo "Exiting script while you get your shit together.."
	       		sleep 1 && echo "..."
	       		sleep 1 && echo ".."
	       		sleep 1 && echo "."
	       		sleep 1 && echo "BYYYYYEEEEEEEE"
				read -n 1 -s -r -p "Press any key to exit"
	       		clear
	       		exit 1
		fi
	fi
done

##Clear the terminal duh##
clear
echo "Required Packages are installed, moving on.."
sleep 3s

##Remove any trace of my shitty depdency check script##
##Just hit yes to confirm the deletion of it (the tmp txt file listing needed packages)##
clear
echo "Removing the temporary package check list txt file..just hit enter"
echo ""
rm -i ./PACKAGES_NEEDED.txt
clear

#Zentiy Info Dialog Explaining File Selection Step:##
zenity --question --icon-name="gtk-dialog-warning" --title="Hey...Read This Shiznit" --text="<b><big>After Clicking <i>Continue</i> a File Selection Dialog Will Appear</big></b>\n\n<b>YOU NEED TO SELECT THE SUBLIME BINARY CALLED\n\n<i>sublime_text</i></b>\n\n<b>It's Normally Located in <i>/opt/sublime_text/</i></b>" --no-wrap --width 300 --ok-label=Continue --cancel-label=Exit
if [ "$?" -eq 1 ]; then
echo "Exited The Script" && exit 1
fi

##Launch Binary File Selection Dialog via Zenity##
##Wrap it in a WHILE loop to make sure only sublime_text is selected##
while true; do
BINARY_FULL_PATH=$(zenity --file-selection --title="Select The sublime_text Binary" --text="Select the sublime_text binary file" --filename="/opt/sublime_text/")
SUBL_CHECK=$(echo "$BINARY_FULL_PATH" | sed 's@.*/@@')
	if [[ ! "$SUBL_CHECK" =~ sublime_text ]]; then
		zenity --question --no-wrap --width 300 --ok-label="Try Again" --cancel-label="Exit Script" --icon-name="messagebox_warning" --title="WRONG BINARY SELECTED" --text="<big><b>WRONG BINARY..\n\nYOU MUST SELECT THE BINARY FILE CALLED:\n\n<i>sublime_text</i></b></big>"
		if [ "$?" -eq 1 ]; then
			read -n 1 -s -r -p "Press any key to exit"
			clear && exit 1
		fi
	else
		break
	fi
done

#Confirm Selection##
zenity --question --text="You Selected:\n<big><i><b>${BINARY_FULL_PATH}</b></i></big>\n<big>\nPress <b>Yes</b> to Patch</big>" --no-wrap --icon-name="face-devilish" --width 300
if [ "$?" -eq 1 ]; then
echo "Exited The Patching Proccess" && exit 1
fi

#MAKE BINARY BACKUP##
cp $BINARY_FULL_PATH $BINARY_FULL_PATH.bak
zenity --info --title="Backup Created" --text="<b><big>\nBackup Created Here:\n<i>$BINARY_FULL_PATH.bak</i></big></b>" --width=375 --height=150 --no-wrap

##Hex Patch The Binary##
sed -i 's/\x97\x94\x0D/\x00\x00\x00/' $BINARY_FULL_PATH
zenity --info --title="Binary Has Been Patched" --text="<b><big>\nSublime Has Been Patched</big></b>" --width=375 --height=150 --no-wrap

##Copy Key To Clipboard##
echo "----- BEGIN LICENSE ----- 
TwitterInc 
200 User License 
EA7E-890007 
1D77F72E 390CDD93 4DCBA022 FAF60790 
61AA12C0 A37081C5 D0316412 4584D136 
94D7F7D4 95BC8C1C 527DA828 560BB037 
D1EDDD8C AE7B379F 50C9D69D B35179EF 
2FE898C4 8E4277A8 555CE714 E1FB0E43 
D5D52613 C3D12E98 BC49967F 7652EED2 
9D2D2E61 67610860 6D338B72 5CF95C69 
E36B85CC 84991F19 7575D828 470A92AB 
------ END LICENSE ------" | xclip -selection c

##Show Registration Key To Use##
clear
touch ./KEY_4_REGISTRATION.txt
truncate -s0 ./KEY_4_REGISTRATION.txt
echo "----- BEGIN LICENSE ----- 
TwitterInc 
200 User License 
EA7E-890007 
1D77F72E 390CDD93 4DCBA022 FAF60790 
61AA12C0 A37081C5 D0316412 4584D136 
94D7F7D4 95BC8C1C 527DA828 560BB037 
D1EDDD8C AE7B379F 50C9D69D B35179EF 
2FE898C4 8E4277A8 555CE714 E1FB0E43 
D5D52613 C3D12E98 BC49967F 7652EED2 
9D2D2E61 67610860 6D338B72 5CF95C69 
E36B85CC 84991F19 7575D828 470A92AB 
------ END LICENSE ------" >> ./KEY_4_REGISTRATION.txt

##Launch Another Zenity Dialog Showing The Key For Manual Copy And Paste..even Though Copied To Clipboard Already##
zenity --text-info --filename=./KEY_4_REGISTRATION.txt --width=500 --height=475 --title="Use This To Register With" --text="Copy This Registration Key and Paste it in to Sublime to Register" --no-wrap

##Launch Sublime and Exit this shit##
subl &
clear
exit 0
@skydrome

This comment has been minimized.

Copy link

@skydrome skydrome commented May 6, 2021

Anyone know the arm64 offsets?

@pundoo

This comment has been minimized.

Copy link

@pundoo pundoo commented May 26, 2021

Not working for 4107

@bad1dea

This comment has been minimized.

Copy link

@bad1dea bad1dea commented May 26, 2021

This works for most of the Sublime Text 4.X (Including 4107) - block the license check via host or patch it out of EXE

RSA Key Patch (allows any key in right format to work)

Search for ...
4157415656575553B828210000
Replace with ...
33C0FEC0C3575553B828210000

Disable License Check (You can do this via hosts file if you rather)

Search for...
6C6963656E73652E7375626C696D6568712E636F6D
Replace with ...
7375626C696D6568712E6C6F63616C686F73740000

You can now use any license basically that follows the same syntax/format/key.

-- BEGIN LICENSE --
Generic Name
Unlimited User License
EA7E-81044230
0C0CD4A8 CAA317D9 CCABD1AC 434C984C
7E4A0B13 77893C3E DD0A5BA1 B2EB721C
4BAAB4C4 9B96437D 14EB743E 7DB55D9C
7CA26EE2 67C3B4EC 29B2C65A 88D90C59
CB6CCBA5 7DE6177B C02C2826 8C9A21B0
6AB1A5B6 20B09EA2 01C979BD 29670B19
92DC6D90 6E365849 4AB84739 5B4C3EA1
048CC1D0 9748ED54 CAC9D585 90CAD815
-- END LICENSE --```
@maboloshi

This comment has been minimized.

Copy link
Owner Author

@maboloshi maboloshi commented May 27, 2021

@bad1dea Thank you, already integrated

@maboloshi

This comment has been minimized.

Copy link
Owner Author

@maboloshi maboloshi commented May 27, 2021

Anyone know the arm64 offsets?

You can try the arm64 patched by n6333373.

@n6333373

This comment has been minimized.

Copy link

@n6333373 n6333373 commented May 27, 2021

@maboloshi That's an AMD64 build, not an ARM64 build actually. I don't have an ARM64 machine.

@maboloshi

This comment has been minimized.

Copy link
Owner Author

@maboloshi maboloshi commented May 27, 2021

@maboloshi That's an AMD64 build, not an ARM64 build actually. I don't have an ARM64 machine.

Sorry, I misread 😅

@maboloshi

This comment has been minimized.

Copy link
Owner Author

@maboloshi maboloshi commented May 28, 2021

@n6333373 Your AMD64 build crack method is also applicable to macOS. 😎

@n6333373

This comment has been minimized.

Copy link

@n6333373 n6333373 commented May 28, 2021

@maboloshi Interesting. Thanks for that information.

@Bruskyer

This comment has been minimized.

Copy link

@Bruskyer Bruskyer commented May 28, 2021

thank you works perfect.

@mrfukai

This comment has been minimized.

Copy link

@mrfukai mrfukai commented Jun 2, 2021

I'm getting a codesigning error whenever I use this, can someone help?

@n6333373

This comment has been minimized.

Copy link

@n6333373 n6333373 commented Jun 3, 2021

@mrfukai Mac or Windows?

@mrfukai

This comment has been minimized.

Copy link

@mrfukai mrfukai commented Jun 3, 2021

@n6333373 mac

@n6333373

This comment has been minimized.

Copy link

@n6333373 n6333373 commented Jun 3, 2021

@n6333373 mac

There is a codesign tool which can remove certificate, but I didn't actually have a Mac machine, so 🤷

codesign --remove-signature "Sublime Text.app"

Maybe also work for a binary file, idk.

@wennxd

This comment has been minimized.

Copy link

@wennxd wennxd commented Jun 4, 2021

Works great!

@naml3i

This comment has been minimized.

Copy link

@naml3i naml3i commented Jun 15, 2021

Thank you!

This works for most of the Sublime Text 4.X (Including 4107) - block the license check via host or patch it out of EXE

RSA Key Patch (allows any key in right format to work)

Search for ...
4157415656575553B828210000
Replace with ...
33C0FEC0C3575553B828210000

Disable License Check (You can do this via hosts file if you rather)

Search for...
6C6963656E73652E7375626C696D6568712E636F6D
Replace with ...
7375626C696D6568712E6C6F63616C686F73740000

You can now use any license basically that follows the same syntax/format/key.

-- BEGIN LICENSE --
Generic Name
Unlimited User License
EA7E-81044230
0C0CD4A8 CAA317D9 CCABD1AC 434C984C
7E4A0B13 77893C3E DD0A5BA1 B2EB721C
4BAAB4C4 9B96437D 14EB743E 7DB55D9C
7CA26EE2 67C3B4EC 29B2C65A 88D90C59
CB6CCBA5 7DE6177B C02C2826 8C9A21B0
6AB1A5B6 20B09EA2 01C979BD 29670B19
92DC6D90 6E365849 4AB84739 5B4C3EA1
048CC1D0 9748ED54 CAC9D585 90CAD815
-- END LICENSE --```

Thank you!

@backermanbd

This comment has been minimized.

Copy link

@backermanbd backermanbd commented Jun 30, 2021

@maboloshi, sublime_text 4109 isn't out, isn't it?

@backermanbd

This comment has been minimized.

Copy link

@backermanbd backermanbd commented Jun 30, 2021

Hope i can get some help from you!
i am on Linux x86_64 & using sublime text 4107
but i am facing a problem in finding the rsa key!
I tried this two:

Search for x64...
4157415656575553B828210000
Replace with ...
33C0FEC0C3575553B828210000

rsa patch 4107 - x86
Search for: 55535756B8AC200000
Replace with: 33C0FEC0C3AC200000

but didn't work!
i am attaching my sublime_text from /opt/sublime_text/sublime_text here:
https://www.upload.ee/files/13273345/sublime_text.html
please tell me how to find the rsa key

@n6333373

This comment has been minimized.

Copy link

@n6333373 n6333373 commented Jun 30, 2021

Hope i can get some help from you!
i am on Linux x86_64 & using sublime text 4107
but i am facing a problem in finding the rsa key!

The method is for Win64 build.

@backermanbd

This comment has been minimized.

Copy link

@backermanbd backermanbd commented Jun 30, 2021

Hope i can get some help from you!
i am on Linux x86_64 & using sublime text 4107
but i am facing a problem in finding the rsa key!

The method is for Win64 build.

Well, i have attached my sublime_text
Help me finding the rsa key :)

@n6333373

This comment has been minimized.

Copy link

@n6333373 n6333373 commented Jun 30, 2021

@maboloshi

This comment has been minimized.

@backermanbd

This comment has been minimized.

Copy link

@backermanbd backermanbd commented Jun 30, 2021

@backermanbd Sublime Text Build 4107 for Linux x86_64
https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47/2b53ae4b050eda209d05d06b2d1d248af26c3a6f#linux-

@n6333373, thanks for the reply!
i went there but the rsa key is missing!

@maboloshi, which one is the rsa key & the host key?
i saw @bad1dea providing only two but this gist contain four ;(
i want to replace the rsa key & provide a custom license!

@n6333373

This comment has been minimized.

Copy link

@n6333373 n6333373 commented Jun 30, 2021

@backermanbd

This comment has been minimized.

Copy link

@backermanbd backermanbd commented Jun 30, 2021

not sure why you insist in finding rsa key. it's not the only way to crack it. backermanbd @.> 於 2021年6月30日 週三 21:46 寫道:

@.
* commented on this gist. ------------------------------ @backermanbd https://github.com/backermanbd Sublime Text Build 4107 for Linux x86_64 https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47/2b53ae4b050eda209d05d06b2d1d248af26c3a6f#linux- @n6333373 https://github.com/n6333373, thanks for the reply! i went there but not being able to find the rsa key! @maboloshi https://github.com/maboloshi, which one is the rsa key & the host key? i saw @bad1dea https://github.com/bad1dea providing only two — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://gist.github.com/feaa63c35f4c2baab24c9aaf9b3f4e47#gistcomment-3798180, or unsubscribe https://github.com/notifications/unsubscribe-auth/AHOLPVD4PLNUKNMNUK66OWLTVMNZ5ANCNFSM4ZHYEHEA .

sed! this is the only one, i know for now!
whatever, please help me finding the rsa key and the replacing value for now!

@n6333373

This comment has been minimized.

Copy link

@n6333373 n6333373 commented Jun 30, 2021

@maboloshi

This comment has been minimized.

Copy link
Owner Author

@maboloshi maboloshi commented Jun 30, 2021

@backermanbd
Here "Initial License Check" is to skip the check of the validity of the rsa key (license).

@backermanbd

This comment has been minimized.

Copy link

@backermanbd backermanbd commented Jun 30, 2021

@backermanbd
Here "Initial License Check" is to skip the check of the validity of the rsa key (license).

i just did the 1st and last one. it just worked!
But i want to put a custom license so that i can show whom the license is registered to!
@maboloshi, what would be the possible solution?

@leogx9r

This comment has been minimized.

Copy link

@leogx9r leogx9r commented Jul 4, 2021

@backermanbd If you want your name shown so badly in the registration window, you'll need to reverse-engineer it yourself and locate the relevant code segment. I'll outright tell you, the RSA function that you're looking for is inlined within the license validity function in the Linux binaries -- the same patch won't work since there's no separate function for it unlike Windows, you'll need different assembly to patch it after identifying which code is responsible for it. I won't put the work in to figure out the way around that since it's utterly pointless for anyone who just wants the thing registered so that'll be up to you to figure out.


Sublime Merge v2057 Crack

Literally the same patterns work as before. As usual, the same methods do as well. Here are the offsets from my auto-patcher:

Linux

image

Windows

image

MacOS

image

If you looked carefully, you'd see I added two additional things, disabling the crash reporter (which sends telemetry back to the server, not something I personally like) and also disabled the "phoning home" method when a new license is entered. The phoning home method can potentially be used to detect you cracking the application (as it'll send invalid info, also containing your unique identifier) and you may get your IP blacklisted, hence I've decided to disable it entirely, I also recommend you guys do too, just in case. If you'd like the patterns for that:

# Sends the HWID, license Information the moment a license is entered to the server for logging.
# Most likely used to detect when a license key is shared across too many systems with differing HWIDs.
# Simply return 0 here to disable.
Sublime Text
    Windows x64 Pattern: `raw sig: 55 56 57 48 81 EC ? ? ? ? 48 8D AC 24 ? ? ? ? 0F 29 B5 ? ? ? ? 48 C7 85 ? ? ? ? ? ? ? ? 48 89 CF`
    Linux x64   Pattern: `raw sig: 41 56 53 48 81 EC ? ? ? ? 48 89 FB BF ? ? ? ? E8 ? ? ? ? 4C 8D B4 24 ? ? ? ?`
    MacOS x64   Pattern: `raw sig: 55 48 89 E5 53 48 81 EC ? ? ? ? 48 89 FB 48 8B 05 ? ? ? ? 48 8B 00 48 89 45 F0 48 8D 3D ? ? ? ?`

Sublime Merge
    Windows x64 Pattern: `raw sig: 55 56 57 48 81 EC ? ? ? ? 48 8D AC 24 ? ? ? ? 0F 29 B5 ? ? ? ?`
    Linux x64   Pattern: `raw sig: 41 56 53 48 81 EC ? ? ? ? 48 89 FB BF ? ? ? ?`
    MacOS x64   Pattern: `raw sig: 55 48 89 E5 53 48 81 EC ? ? ? ? 48 89 FB 48 8B 05 ? ? ? ? 48 8B 00 48 89 45 F0 48 8D 3D ? ? ? ?`

Proof

image
image
image
image

@maboloshi

This comment has been minimized.

Copy link
Owner Author

@maboloshi maboloshi commented Jul 5, 2021

@leogx9r Thank you! Can you complement the patterns for "Disabled crash reporter"?

@Bruskyer

This comment has been minimized.

Copy link

@Bruskyer Bruskyer commented Jul 5, 2021

any news about ST4 build 4110?

@leogx9r

This comment has been minimized.

Copy link

@leogx9r leogx9r commented Jul 5, 2021

@maboloshi Sure, here ya go:

Sublime Text
    Windows x64 Pattern: `raw sig: 41 57 41 56 41 55 41 54 56 57 55 53 B8 ? ? ? ? E8 ? ? ? ? 48 29 C4 8A 84 24 ? ? ? ?`
    Linux x64   Pattern: `raw sig: 55 41 57 41 56 41 55 41 54 53 48 81 EC ? ? ? ? 41 89 D4 48 89 FD`
    MacOS x64   Pattern: `raw sig: 55 48 89 E5 41 57 41 56 41 55 41 54 53 48 81 EC ? ? ? ? 41 89 CE 49 89 F7`

Sublime Merge
    Windows x64 Pattern: `raw sig: 41 57 41 56 41 55 41 54 56 57 55 53 B8 ? ? ? ? E8 ? ? ? ? 48 29 C4 8A 84 24 ? ? ? ?`
    Linux x64   Pattern: `raw sig: 55 41 57 41 56 41 55 41 54 53 48 81 EC ? ? ? ? 41 89 D4 48 89 FD`
    MacOS x64   Pattern: `raw sig: 55 48 89 E5 41 57 41 56 41 55 41 54 53 48 81 EC ? ? ? ? 41 89 CE 49 89 F7`

I just write a ret instruction to disable it.


@Bruskyer It was released < 12 hours ago, I doubt you'd get news that soon :P

Here's v4110 offsets (patterns are the same):

Linux

image

MacOS

image

Windows

image

image

@Bruskyer

This comment has been minimized.

Copy link

@Bruskyer Bruskyer commented Jul 6, 2021

Thank you

@Bruskyer

This comment has been minimized.

Copy link

@Bruskyer Bruskyer commented Jul 6, 2021

After I have applied the same keys on explained offset only accepted the license key that needs upgrade

—– BEGIN LICENSE —–
Die Socialisten GmbH
10 User License
EA7E-800613
51311422 E45F49ED 3F0ADE0C E5B8A508
2F4D9B65 64E1E244 EDA11F0E F9D06110
B7B2E826 E6FDAA72 2C653693 5D80582F
09DCFFB5 113A940C 5045C0CD 5F8332F8
34356CC6 D96F6FDB 4DEC20EA 0A24D83A
2C82C329 E3290B29 A16109A7 EC198EB9
F28EBB17 9C07403F D44BA75A C23C6874
EBF11238 5546C3DD 737DC616 445C2941
—— END LICENSE ——

@maboloshi

This comment has been minimized.

Copy link
Owner Author

@maboloshi maboloshi commented Jul 6, 2021

@Bruskyer If the crack is successful, any string is allowed. What version and platform are you using?

@Bruskyer

This comment has been minimized.

Copy link

@Bruskyer Bruskyer commented Jul 6, 2021

ST 4 Build4110 on win 10 x64
image
when insert any text/key to register input
image
there wasnt 0x00007143 offset I replaced the value on 0x00007140

@leogx9r

This comment has been minimized.

Copy link

@leogx9r leogx9r commented Jul 6, 2021

@Bruskyer Then you did it wrong which is why it isn't working.

1.) You cannot just replace a completely different offset in the file and expect it to work.

2.) What do you mean the offset 0x7143 doesn't exist? It clearly does:

image

Use the batch script maboloshi made for Windows instead of attempting to patch it yourself and it will work just fine.

@Bruskyer

This comment has been minimized.

Copy link

@Bruskyer Bruskyer commented Jul 7, 2021

Sorry for previous post, I realized a mistake during changing the values, Now everything works perfect
Thanks to @leogx9r and @maboloshi

@Bruskyer

This comment has been minimized.

Copy link

@Bruskyer Bruskyer commented Jul 12, 2021

ST 4 Build 4111 released 🚀

@leogx9r

This comment has been minimized.

Copy link

@leogx9r leogx9r commented Jul 12, 2021

Sublime Text v4111 Crack

Patterns are the same as before, as is the method for cracking. Offsets follow from my script:

Linux

image

Windows

image

MacOS

image

Proof

image

@Bruskyer

This comment has been minimized.

Copy link

@Bruskyer Bruskyer commented Jul 13, 2021

Sublime Text v4111 Crack

...

👌 Thanks

@leogx9r

This comment has been minimized.

Copy link

@leogx9r leogx9r commented Jul 13, 2021

@Bruskyer please don't quote the entire message, makes this thread really long and difficult to read.


Sublime Text v4112 Crack

Minor update, nothing too special. Offsets follow:

Linux

image

Windows

image

MacOS

image

Proof

image

In the future I may write a script to generate all these offsets for easily pasting on here afterwards.

@udwick

This comment has been minimized.

Copy link

@udwick udwick commented Jul 13, 2021

how can we get sublime patcher ?

@rahitashpaul

This comment has been minimized.

Copy link

@rahitashpaul rahitashpaul commented Jul 14, 2021

Sublime Text v4111 Crack

...

sir, what is this software for cracking....

@Bruskyer

This comment has been minimized.

Copy link

@Bruskyer Bruskyer commented Jul 14, 2021

@Bruskyer please don't quote the entire message, makes this thread really long and difficult to read.
@leogx9r 🆗

@Bruskyer

This comment has been minimized.

Copy link

@Bruskyer Bruskyer commented Jul 14, 2021

finally 4113 released on commercial(stable) channel 🚀

@leogx9r

This comment has been minimized.

Copy link

@leogx9r leogx9r commented Jul 14, 2021

@udwick, @rahitashpaul I'm keeping it to myself. I've already provided all the information required to build your own patcher from this and this comment, with additional resources provided here. That's basically all you need to do it, it really isn't hard to figure out and I don't like spoonfeeding people the direct answers.


Sublime Text v4113 Crack

Windows patterns have changed again for the Invalidation/Validation methods. First pattern was only changed by a single byte (48 -> 49). Second one contains the raw address without displacement by 6 unlike before. Aka, NOP the first E8 XX XX XX XX after finding the second pattern. Here are the new patterns:

    Windows x64 Pattern 1: `direct reference sig: (+0x6) 41 B8 ? ? ? ? E8 ? ? ? ? 49 8B 96 ? ? ? ?`
                Pattern 2: `raw sig: E8 ? ? ? ? E8 ? ? ? ? 4C 89 F1 E8 ? ? ? ?`

Aside from that, everything else is the same.

MacOS

image

Windows

image

Linux

image

Proof

image

@Ingarsy

This comment has been minimized.

Copy link

@Ingarsy Ingarsy commented Jul 21, 2021

@leogx9r sublime merge 2058 just released and the patterns seem to have changed, any help?

@leogx9r

This comment has been minimized.

Copy link

@leogx9r leogx9r commented Jul 21, 2021

Sublime Merge v2058 Crack

Seems the patterns for isValidLicense have changed in v2058 in addition to the method required for patching the function. Thanks @Ingarsy for informing me. The new patterns for that are as follows:

    Windows x64 Pattern: `direct reference sig: E8 ? ? ? ? 49 8B 8E ? ? ? ? 83 F8 01`
    Linux   x64 Pattern: `direct reference sig: E8 ? ? ? ? 83 F8 01 75 12`
    MacOS   x64 Pattern: `direct reference sig: E8 ? ? ? ? 83 F8 01 75 14`

The above patterns reference the instruction call isValidLicense with no displacement, jump to isValidLicense and patch it. Before, you needed to patch the isValidLicense function to return 281 however now, you need to return 1. You can do this easily by doing something like xor rax, rax; inc rax; ret which translates to the sequence 48 31 C0 48 FF C0 C3 which is how I did it in my patcher. All other patterns (validation/invalidation, server thread, crash reporter and license logging thread) remain the same, for the record as do the previous methods for patching those.

Offsets for the updated version follow:

Windows

image

Linux

image

MacOS

image

Proof

image
image
image

@Bruskyer

This comment has been minimized.

Copy link

@Bruskyer Bruskyer commented Jul 23, 2021

@leogx9r thanks for merge 2058

@Ingarsy

This comment has been minimized.

Copy link

@Ingarsy Ingarsy commented Jul 23, 2021

@leogx9r Well this is awkward 😄 2059 just released and the init license check pattern is still the same with a different offset i think, but as for everything else we got bamboozled

@maboloshi

This comment has been minimized.

Copy link
Owner Author

@maboloshi maboloshi commented Jul 23, 2021

@Ingarsy merge crack 2059 has been updated

@leogx9r

This comment has been minimized.

Copy link

@leogx9r leogx9r commented Jul 23, 2021

They gotta be trolling now. As maboloshi already found out, the patterns have reverted as well as the method to patch it. For whatever reason they decided to change 1 as the valid value back to 281 as it was before. I'm curious whether subsequent dev builds will use the "new" method or they'll keep to the old method.

Regardless, the offsets maboloshi updated match mine as well so it'll work for all OSs.

@x-one

This comment has been minimized.

Copy link

@x-one x-one commented Jul 26, 2021

@leogx9r can you point me how to read RVA offset using python without IDA?

@maboloshi

This comment has been minimized.

Copy link
Owner Author

@maboloshi maboloshi commented Jul 26, 2021

@leogx9r can you point me how to read RVA offset using python without IDA?

For example:SM 2059 for mac

About "License Validity Checking":

Use "E8 ? ? ? ? 3D ? ? ? ? 75 14" pattern, Position to offset:
0x290EC-->Read The next 4 bytes: CA D0 FF FF -->Byte Flip: FF FF D0 CA -->Complementary offset: 0xFFFFD0CA
hex(0x290EC + 0x5 + 0xFFFFD0CA - 0x100000000) --> Target offset: 0x261BB

Other patterns are basically a direct binary search. Individual patterns may need to be shifted by a few bytes

@x-one

This comment has been minimized.

Copy link

@x-one x-one commented Jul 26, 2021

Ah!... So easy.. thank you @maboloshi :)

@leogx9r

This comment has been minimized.

Copy link

@leogx9r leogx9r commented Jul 26, 2021

Here's a C&P Python method that I'm using for ya:

# Converts 4 byte chunk of a bytearray() into a 32-bit Little-Endian encoded integer.
def LE32(value):
    return value[3] << 24 | value[2] << 16 | value[1] <<  8 | value[0]

# Calculates an absolute offset from a relative virtual address using a base offset and instruction length.
def RVA2ABS(base, rva, instruction_len):
    return ((base + instruction_len) + rva) & 0xFFFFFFFF

How I've used it:

       offset = pattern.locate(self.binary)

       # Check validity of pattern
       ...

       # Add any displacement required by the pattern
       offset += pattern.displacement()

        # Calculate the absolute offset from an RVA instruction if required.
        if self.rva:
            # The RVA value is stored after the first byte relative to the found offset as a 4-byte LE integer.
            rva = LE32(self.binary[offset + 1: offset + 5]) # Reverse byte order due to CPU encoding
            offset_abs = RVA2ABS(offset, rva, 5)            # Get true offset from referenced pointer
            print("[*] Found RVA pattern for \"{:s}\" at 0x{:X} -> 0x{:X} -> 0x{:X} ..." \
                .format(self.name, offset, rva, offset_abs)) if log else None
            return offset_abs

        # Not an RVA so no additional calculations required
        return offset

The instruction length is always 5 bytes here because the patterns that I use reference a CALL instruction which are 5 bytes long.

@x-one

This comment has been minimized.

Copy link

@x-one x-one commented Jul 28, 2021

@leogx9r thank You very much for examples.
Seems to be working.. I need bring together boxes and I'll have it. 😎

@lowendgamer

This comment has been minimized.

Copy link

@lowendgamer lowendgamer commented Aug 1, 2021

How to crack it for Linux?

Any commands like this:
cd /opt/sublime_text
sudo sed -i 's/\x97\x94\x0D/\x00\x00\x00/' sublime_text

@lowendgamer

This comment has been minimized.

Copy link

@lowendgamer lowendgamer commented Aug 1, 2021

sudo sed -i 's/\x55\x41\x57\x41/\x48\x31\xC0\xC3\x0/' sublime_text

sudo sed -i 's/\xE8\xAC\x82\x18\x00/\x90\x90\x90\x90\x90/' sublime_text

sudo sed -i 's/\xE8\x91\x82\x18\x00/\x90\x90\x90\x90\x90/' sublime_text

sudo sed -i 's/\x55\x41\x56\x53\x41\x89\xF6/\x48\x31\xC0\x48\xFF\xC0\xC3/' sublime_text

sudo sed -i 's/\x41/\xC3/' sublime_text

sudo sed -i 's/\x55/\xC3/' sublime_text

I tried this, but now Sublime won't open at all.

@leogx9r

This comment has been minimized.

Copy link

@leogx9r leogx9r commented Aug 2, 2021

@lowendgamer You seem to have no clue what that sed command does. It replaces all occurrences in the file with a predefined sequence. Because you attempted to replace \x41 and \x55, both function prologues that are present in MULTIPLE functions unrelated to just license verification, you essentially corrupted the executable. Why not use the bash script maboloshi made for Linux? It works and if you're using Linux, you should already have printf and dd.

Literally enter this in a terminal for v4113 and it will work:

printf '\x48\x31\xC0\xC3'                 | dd of=sublime_text bs=1 seek=$((0x0036567C)) conv=notrunc
printf '\x90\x90\x90\x90\x90'             | dd of=sublime_text bs=1 seek=$((0x0035BCCB)) conv=notrunc
printf '\x90\x90\x90\x90\x90'             | dd of=sublime_text bs=1 seek=$((0x0035BCE6)) conv=notrunc
printf '\x48\x31\xC0\x48\xFF\xC0\xC3'     | dd of=sublime_text bs=1 seek=$((0x00367171)) conv=notrunc
printf '\xC3'                             | dd of=sublime_text bs=1 seek=$((0x003653CE)) conv=notrunc
printf '\xC3'                             | dd of=sublime_text bs=1 seek=$((0x0034F5F0)) conv=notrunc
@update-freak

This comment has been minimized.

Copy link

@update-freak update-freak commented Aug 2, 2021

Here's a C&P Python method that I'm using for ya:

# Converts 4 byte chunk of a bytearray() into a 32-bit Little-Endian encoded integer.
def LE32(value):
    return value[3] << 24 | value[2] << 16 | value[1] <<  8 | value[0]

# Calculates an absolute offset from a relative virtual address using a base offset and instruction length.
def RVA2ABS(base, rva, instruction_len):
    return ((base + instruction_len) + rva) & 0xFFFFFFFF

How I've used it:

       offset = pattern.locate(self.binary)

       # Check validity of pattern
       ...

       # Add any displacement required by the pattern
       offset += pattern.displacement()

        # Calculate the absolute offset from an RVA instruction if required.
        if self.rva:
            # The RVA value is stored after the first byte relative to the found offset as a 4-byte LE integer.
            rva = LE32(self.binary[offset + 1: offset + 5]) # Reverse byte order due to CPU encoding
            offset_abs = RVA2ABS(offset, rva, 5)            # Get true offset from referenced pointer
            print("[*] Found RVA pattern for \"{:s}\" at 0x{:X} -> 0x{:X} -> 0x{:X} ..." \
                .format(self.name, offset, rva, offset_abs)) if log else None
            return offset_abs

        # Not an RVA so no additional calculations required
        return offset

The instruction length is always 5 bytes here because the patterns that I use reference a CALL instruction which are 5 bytes long.

How to use this python code?

@lowendgamer

This comment has been minimized.

Copy link

@lowendgamer lowendgamer commented Aug 3, 2021

@leogx9r
How do i enter that in terminal? How to make linux mint bash script?

Screenshot
failed to open sublime text: Permission denied

@lowendgamer

This comment has been minimized.

Copy link

@lowendgamer lowendgamer commented Aug 3, 2021

Yeah true idk what sudo sed -i is

I just copy and paste actually

@maboloshi

This comment has been minimized.

Copy link
Owner Author

@maboloshi maboloshi commented Aug 3, 2021

@lowendgamer

cd /opt/sublime_text || exit
printf '\x48\x31\xC0\xC3'                 | sudo dd of=sublime_text bs=1 seek=$((0x0036567C)) conv=notrunc
printf '\x90\x90\x90\x90\x90'             | sudo dd of=sublime_text bs=1 seek=$((0x0035BCCB)) conv=notrunc
printf '\x90\x90\x90\x90\x90'             | sudo dd of=sublime_text bs=1 seek=$((0x0035BCE6)) conv=notrunc
printf '\x48\x31\xC0\x48\xFF\xC0\xC3'     | sudo dd of=sublime_text bs=1 seek=$((0x00367171)) conv=notrunc
printf '\xC3'                             | sudo dd of=sublime_text bs=1 seek=$((0x003653CE)) conv=notrunc
printf '\xC3'                             | sudo dd of=sublime_text bs=1 seek=$((0x0034F5F0)) conv=notrunc
@lowendgamer

This comment has been minimized.

Copy link

@lowendgamer lowendgamer commented Aug 3, 2021

@maboloshi

Thanks it finally worked! Sorry for all the trouble.

@AliChraghi

This comment has been minimized.

Copy link

@AliChraghi AliChraghi commented Aug 7, 2021

thank you

@secretiveolwagner

This comment has been minimized.

Copy link

@secretiveolwagner secretiveolwagner commented Aug 8, 2021

@maboloshi I can confirm the method is working for Sublime Text version 4113 on macOS Big Sur 11.4

@abranasays

This comment has been minimized.

Copy link

@abranasays abranasays commented Aug 9, 2021

@lowendgamer

cd /opt/sublime_text || exit
printf '\x48\x31\xC0\xC3'                 | sudo dd of=sublime_text bs=1 seek=$((0x0036567C)) conv=notrunc
printf '\x90\x90\x90\x90\x90'             | sudo dd of=sublime_text bs=1 seek=$((0x0035BCCB)) conv=notrunc
printf '\x90\x90\x90\x90\x90'             | sudo dd of=sublime_text bs=1 seek=$((0x0035BCE6)) conv=notrunc
printf '\x48\x31\xC0\x48\xFF\xC0\xC3'     | sudo dd of=sublime_text bs=1 seek=$((0x00367171)) conv=notrunc
printf '\xC3'                             | sudo dd of=sublime_text bs=1 seek=$((0x003653CE)) conv=notrunc
printf '\xC3'                             | sudo dd of=sublime_text bs=1 seek=$((0x0034F5F0)) conv=notrunc

I am Using Ubuntu 20.04.2 LTS.
I install Sublime Text from Snap Store.

username@computer:/snap/sublime-text/106/opt/sublime_text$ ls
changelog.txt   Lib               Packages         sublime_text
crash_reporter  libcrypto.so.1.1  plugin_host-3.3  sublime_text.desktop
Icon            libssl.so.1.1     plugin_host-3.8
username@computer:/snap/sublime-text/106/opt/sublime_text$ printf '\x48\x31\xC0\xC3' | sudo dd of=sublime_text bs=1 seek=$((0x0036567C)) conv=notrunc
dd: failed to open 'sublime_text': Read-only file system
@maboloshi

This comment has been minimized.

Copy link
Owner Author

@maboloshi maboloshi commented Aug 9, 2021

@abranasays You can't do this. Snaps are squashfs images, which are by definition read-only. This problem of yours is not the problem that should be solved here

@abranasays

This comment has been minimized.

Copy link

@abranasays abranasays commented Aug 9, 2021

Sir, Then How Can I install Sublime Text 4 without Snap Store ???

@abranasays

This comment has been minimized.

Copy link

@abranasays abranasays commented Aug 9, 2021

@abranasays You can't do this. Snaps are squashfs images, which are by definition read-only. This problem of yours is not the problem that should be solved here

Any Solution???

@leogx9r

This comment has been minimized.

Copy link

@leogx9r leogx9r commented Aug 9, 2021

@abranasays Either extract the files, patch them and rebuild the SquashFS image as a snap or install the application via apt the way Sublime Text recommends.

@020monkey

This comment has been minimized.

Copy link

@020monkey 020monkey commented Aug 16, 2021

linux version is: Linux kali 5.10.0-kali9-amd64 #1 SMP Debian 5.10.46-4kali1 (2021-08-09) x86_64 GNU/Linux
when use this script:
cd /opt/sublime_text || exit
printf '\x48\x31\xC0\xC3' | sudo dd of=sublime_text bs=1 seek=$((0x0036567C)) conv=notrunc
printf '\x90\x90\x90\x90\x90' | sudo dd of=sublime_text bs=1 seek=$((0x0035BCCB)) conv=notrunc
printf '\x90\x90\x90\x90\x90' | sudo dd of=sublime_text bs=1 seek=$((0x0035BCE6)) conv=notrunc
printf '\x48\x31\xC0\x48\xFF\xC0\xC3' | sudo dd of=sublime_text bs=1 seek=$((0x00367171)) conv=notrunc
printf '\xC3' | sudo dd of=sublime_text bs=1 seek=$((0x003653CE)) conv=notrunc
printf '\xC3' | sudo dd of=sublime_text bs=1 seek=$((0x0034F5F0)) conv=notrunc

the subl cannot open .

@maboloshi

This comment has been minimized.

Copy link
Owner Author

@maboloshi maboloshi commented Aug 16, 2021

@020monkey Please post the terminal output

@020monkey

This comment has been minimized.

Copy link

@020monkey 020monkey commented Aug 16, 2021

@020monkey Please post the terminal output

─$ sudo ./crack.sh 1 ⨯
16+0 records in
16+0 records out
16 bytes copied, 0.000124535 s, 128 kB/s
20+0 records in
20+0 records out
20 bytes copied, 9.399e-05 s, 213 kB/s
20+0 records in
20+0 records out
20 bytes copied, 9.25e-05 s, 216 kB/s
28+0 records in
28+0 records out
28 bytes copied, 0.000101809 s, 275 kB/s
4+0 records in
4+0 records out
4 bytes copied, 5.2532e-05 s, 76.1 kB/s
4+0 records in
4+0 records out
4 bytes copied, 5.7648e-05 s, 69.4 kB/s

@020monkey

This comment has been minimized.

Copy link

@020monkey 020monkey commented Aug 16, 2021

when crack by the script,in terminal type subl,no sublime app launch,no error

@maboloshi

This comment has been minimized.

Copy link
Owner Author

@maboloshi maboloshi commented Aug 16, 2021

when crack by the script,in terminal type subl,no sublime app launch,no error

Maybe you are not using the latest ST, I suggest to update it first. Or, look up the history to find the corresponding version of the script

@020monkey

This comment has been minimized.

Copy link

@020monkey 020monkey commented Aug 17, 2021

when crack by the script,in terminal type subl,no sublime app launch,no error

Maybe you are not using the latest ST, I suggest to update it first. Or, look up the history to find the corresponding version of the script

sublime version is sublime 4113

@020monkey

This comment has been minimized.

Copy link

@020monkey 020monkey commented Aug 17, 2021

all is ok,thanks

@iexpurgator

This comment has been minimized.

Copy link

@iexpurgator iexpurgator commented Aug 17, 2021

when crack by the script,in terminal type subl,no sublime app launch,no error

I have same problem, how u fix it?

@fireghostwolf

This comment has been minimized.

Copy link

@fireghostwolf fireghostwolf commented Aug 18, 2021

when crack by the script,in terminal type subl,no sublime app launch,no error

I have same problem, how u fix it?

You can try to use commands or scripts to patch in the terminal. my sublime version is 4113. I use the script to patch sublime_text, it work perfect , but it can’t be modified manually using hexed.it, and the app cannot be launched just like you.

@iexpurgator

This comment has been minimized.

Copy link

@iexpurgator iexpurgator commented Aug 18, 2021

when crack by the script,in terminal type subl,no sublime app launch,no error

I have same problem, how u fix it?

You can try to use commands or scripts to patch in the terminal. my sublime version is 4113. I use the script to patch sublime_text, it work perfect , but it can’t be modified manually using hexed.it, and the app cannot be launched just like you.

Yeah I'm using bash-script but I can't launched (video try bash-script (sorry quality of video)). I installed x86_64 version 4113

@maboloshi

This comment has been minimized.

Copy link
Owner Author

@maboloshi maboloshi commented Aug 18, 2021

@iexpurgator
Please try:

  1. Verify that the original sublime_text MD5 checksum is FF083966171185D01CB5F7F3721F1B95
  2. Verify the executable permission of sublime_text after repair
@iexpurgator

This comment has been minimized.

Copy link

@iexpurgator iexpurgator commented Aug 18, 2021

@iexpurgator
Please try:

  1. Verify that the original sublime_text MD5 checksum is FF083966171185D01CB5F7F3721F1B95
  2. Verify the executable permission of sublime_text after repair

Thanks @maboloshi. Executable permission applied but md5sum was changed, how to fix that?

@maboloshi

This comment has been minimized.

Copy link
Owner Author

@maboloshi maboloshi commented Aug 18, 2021

@iexpurgator Can you upload the original sublime_text?

@iexpurgator

This comment has been minimized.

Copy link

@iexpurgator iexpurgator commented Aug 18, 2021

@iexpurgator Can you upload the original sublime_text?

md5sum changed is file patched (sorry not clearly). Download file here file .bak is original

@leogx9r

This comment has been minimized.

Copy link

@leogx9r leogx9r commented Aug 18, 2021

@iexpurgator You didn't patch the file correctly. I double checked the file offsets and you replaced the byte sequence with the actual ASCII characters, so where you'd expect to see 48 31 C0 C3 as the byte sequence, it was replaced with 5C 78 34 38 5C 78 33 31 5C 78 43 30 5C 78 43 33, translating to \x48\x31\xC0\xC3 instead of the ASCII interpretation H1... What shell are you using and are you sure you used printf ? I've tested the command printf with bash and zsh and it works as expected. If you're using another shell it may (but shouldn't) produce incorrect output.

Try running the following script in a .sh file and see if you get the "Successfully patched the application!" line. It's basically a rework of @maboloshi's script that gives more verbose output indicating what went wrong. Save it as a .sh file and chmod +x it.

#!/bin/bash

BASEDIR="/opt/sublime_text"
TARGET="sublime_text"

VER="4113"
MD5_ORIGINAL="FF083966171185D01CB5F7F3721F1B95"
MD5_PATCHED="80739de6c764edfd7eeb925004EB7ED5"

if [ -d "$BASEDIR" ]; then
    cd "$BASEDIR"

    RESULT=`md5sum -c <<< "$MD5_ORIGINAL  $TARGET"`
    if [ "$TARGET: OK" != "$RESULT" ]; then
        echo "Application checksum mismatch. Perhaps the file was already patched or you're not using $TARGET v$VER?"
        exit
    fi

    printf '\x48\x31\xC0\xC3'                 | sudo dd of="$TARGET" bs=1 seek=$((0x0036567C)) conv=notrunc > /dev/null 2>&1
    printf '\x90\x90\x90\x90\x90'             | sudo dd of="$TARGET" bs=1 seek=$((0x0035BCCB)) conv=notrunc > /dev/null 2>&1
    printf '\x90\x90\x90\x90\x90'             | sudo dd of="$TARGET" bs=1 seek=$((0x0035BCE6)) conv=notrunc > /dev/null 2>&1
    printf '\x48\x31\xC0\x48\xFF\xC0\xC3'     | sudo dd of="$TARGET" bs=1 seek=$((0x00367171)) conv=notrunc > /dev/null 2>&1
    printf '\xC3'                             | sudo dd of="$TARGET" bs=1 seek=$((0x003653CE)) conv=notrunc > /dev/null 2>&1
    printf '\xC3'                             | sudo dd of="$TARGET" bs=1 seek=$((0x0034F5F0)) conv=notrunc > /dev/null 2>&1

    RESULT=`md5sum -c <<< "$MD5_PATCHED  $TARGET"`
    if [ "$TARGET: OK" != "$RESULT" ]; then
        echo "Failed to patch the application. You may require a reinstall as it may no longer start."
        exit
    fi

    echo "Successfully patched the application!"
else
    echo "Sublime Text was not found in the expected directory: $BASEDIR"
    echo "Modify the script to point to the correct directory then re-run it."
fi
@iexpurgator

This comment has been minimized.

Copy link

@iexpurgator iexpurgator commented Aug 18, 2021

@iexpurgator You didn't patch the file correctly. I double checked the file offsets and you replaced the byte sequence with the actual ASCII characters, so where you'd expect to see 48 31 C0 C3 as the byte sequence, it was replaced with 5C 78 34 38 5C 78 33 31 5C 78 43 30 5C 78 43 33, translating to \x48\x31\xC0\xC3 instead of the ASCII interpretation H1... What shell are you using and are you sure you used printf ? I've tested the command printf with bash and zsh and it works as expected. If you're using another shell it may (but shouldn't) produce incorrect output.

Try running the following script in a .sh file and see if you get the "Successfully patched the application!" line. It's basically a rework of @maboloshi's script that gives more verbose output indicating what went wrong. Save it as a .sh file and chmod +x it.

#!/bin/bash

BASEDIR="/opt/sublime_text"
TARGET="sublime_text"

VER="4113"
MD5_ORIGINAL="FF083966171185D01CB5F7F3721F1B95"
MD5_PATCHED="80739de6c764edfd7eeb925004EB7ED5"

if [ -d "$BASEDIR" ]; then
    cd "$BASEDIR"

    RESULT=`md5sum -c <<< "$MD5_ORIGINAL  $TARGET"`
    if [ "$TARGET: OK" != "$RESULT" ]; then
        echo "Application checksum mismatch. Perhaps the file was already patched or you're not using $TARGET v$VER?"
        exit
    fi

    printf '\x48\x31\xC0\xC3'                 | sudo dd of="$TARGET" bs=1 seek=$((0x0036567C)) conv=notrunc > /dev/null 2>&1
    printf '\x90\x90\x90\x90\x90'             | sudo dd of="$TARGET" bs=1 seek=$((0x0035BCCB)) conv=notrunc > /dev/null 2>&1
    printf '\x90\x90\x90\x90\x90'             | sudo dd of="$TARGET" bs=1 seek=$((0x0035BCE6)) conv=notrunc > /dev/null 2>&1
    printf '\x48\x31\xC0\x48\xFF\xC0\xC3'     | sudo dd of="$TARGET" bs=1 seek=$((0x00367171)) conv=notrunc > /dev/null 2>&1
    printf '\xC3'                             | sudo dd of="$TARGET" bs=1 seek=$((0x003653CE)) conv=notrunc > /dev/null 2>&1
    printf '\xC3'                             | sudo dd of="$TARGET" bs=1 seek=$((0x0034F5F0)) conv=notrunc > /dev/null 2>&1

    RESULT=`md5sum -c <<< "$MD5_PATCHED  $TARGET"`
    if [ "$TARGET: OK" != "$RESULT" ]; then
        echo "Failed to patch the application. You may require a reinstall as it may no longer start."
        exit
    fi

    echo "Successfully patched the application!"
else
    echo "Sublime Text was not found in the expected directory: $BASEDIR"
    echo "Modify the script to point to the correct directory then re-run it."
fi

Thanks @leogx9r, you showed me the mistake. I'm missing #!/bin/bash in first line and printf it not works as expected. I want to discuss with you @leogx9r. How can I contact you?

@skmalviya

This comment has been minimized.

Copy link

@skmalviya skmalviya commented Aug 23, 2021

I am getting this error: "Failed to patch the application. You may require a reinstall as it may no longer start." for sublime 4113.

Only change in the script I did: BASEDIR="/opt/sublime_text" --> "/snap/sublime-text/106/opt/sublime_text"

@maboloshi

This comment has been minimized.

Copy link
Owner Author

@maboloshi maboloshi commented Aug 23, 2021

@skmalviya Snaps are squashfs images, which are by definition read-only.

You can try what @leogx9r mentioned.

Either extract the files, patch them and rebuild the SquashFS image as a snap or install the application via apt the way Sublime Text recommends.

@leogx9r

This comment has been minimized.

Copy link

@leogx9r leogx9r commented Aug 23, 2021

Thanks @leogx9r, you showed me the mistake. I'm missing #!/bin/bash in first line and printf it not works as expected. I want to discuss with you @leogx9r. How can I contact you?

@iexpurgator Sorry I don't give out contact info (to avoid being spammed) so best I can do is try to help you here.

Now onto your question, best I can imagine is that your bash shell isn't properly un-escaping characters, even though it works for me and I presume @maboloshi as well. Best I can gather from this is that you need to use double-quotes rather than single quotes (" vs ') as the bash manual indicates that single quotes will not interpolate vars (perhaps this also applies to escaped byte sequences?).

Try this, replace the printf '< .... >' with printf "< ... >" for each line containing it in the script. For example, the line:

printf '\x48\x31\xC0\xC3'                 | sudo dd of="$TARGET" bs=1 seek=$((0x0036567C)) conv=notrunc > /dev/null 2>&1

Should be replaced with:

printf "\x48\x31\xC0\xC3"                 | sudo dd of="$TARGET" bs=1 seek=$((0x0036567C)) conv=notrunc > /dev/null 2>&1

... and so on for the rest of the lines.

If that doesn't work, I've no idea what to tell you. It absolutely should at the very least and it's probably a quirk of your shell version (FTR, I'm using GNU bash, version 5.1.8(1)-release (x86_64-pc-linux-gnu), perhaps ensure you're using the same version?) or your terminal emulator (Also, I'm using guake as my personal terminal emulator, you can try that but it shouldn't be necessary tbh).


I am getting this error: "Failed to patch the application. You may require a reinstall as it may no longer start." for sublime 4113.

Only change in the script I did: BASEDIR="/opt/sublime_text" --> "/snap/sublime-text/106/opt/sublime_text"

@skmalviya as indicated in this comment, Snaps aren't supported via that patching method. They are read-only SquashFS images and cannot be modified. Your only way around that is to either extract the files, patch them and rebuild the SquashFS as a Snap or to install the program via the recommended method that Sublime devs have provided.

P.S. Assuming you've resolved that, you should be able to use the script maboloshi provided in the main post just fine (or the one you quoted).


P.P.S Both of you please stop quoting long messages, a simple tag like how I've mentioned you both keeps this thread cleaner and easier to read.

@bms8197

This comment has been minimized.

Copy link

@bms8197 bms8197 commented Aug 27, 2021

Any clue how to patch Sublime Text on MacOS BigSur (for M1 cpu), Sublime Build 4113?

@vbovone

This comment has been minimized.

Copy link

@vbovone vbovone commented Aug 27, 2021

Any clue how to patch Sublime Text on MacOS BigSur (for M1 cpu), Sublime Build 4113?

Same here, I tried to use the MacOS bash commands above but didn't work for me

@bms8197

This comment has been minimized.

Copy link

@bms8197 bms8197 commented Aug 27, 2021

@vbovone Probably the strings are different on the ARM version and that's why it's not working. I guess it should work with the right approach but everything I tried so failed

@rainbowpigeon

This comment has been minimized.

Copy link

@rainbowpigeon rainbowpigeon commented Aug 27, 2021

I have made a rough Python 3 patcher for Sublime Text v4113 Windows x64 that uses leogx9r's signatures instead of hardcoded offsets.

https://github.com/rainbowpigeon/sublime-text-4-patcher

image

If there is demand, I can probably update it to support Linux and macOS.

@bms8197

This comment has been minimized.

Copy link

@bms8197 bms8197 commented Aug 27, 2021

@rainbowpigeon it would be really nice if you could update it for MacOS BigSur (ARM version), SublimeText build 4113. If you need the SublimeText binary as it is found on MacOS BigSur ARM, I can provide the original one resulted from the .zip file downloaded from Sublime's official website

@abranasays

This comment has been minimized.

Copy link

@abranasays abranasays commented Aug 28, 2021

Sir, I am beginner on Linux. Sir, I am using Ubuntu 20.04.
Sir, I install Sublime Text 4 from Snap Store.

Sir, Please Explain in Detail. How can I crack Sublime Text 4 ?
Sir, Please Help me.

@leogx9r

This comment has been minimized.

Copy link

@leogx9r leogx9r commented Aug 28, 2021

@rainbowpidgeon Nice work.

P.S. You can auto-detect Sublime Text/Merge with patterns too (as well as the version # -- not shown below). There's two strings always present in either Text/Merge and is shown if you enter a license key for another product:

    def detect_sublime_text(self):
        print('[>] Attempting to autodetect application type ...')

        # 'That appears to be a Sublime Text '<license key>
        pat1 = PatternFinder(
            "Sublime Merge Detector",
            '54 68 61 74 20 61 70 70 65 61 72 73 20 74 6F 20 62 65 20 61 20 53 75 62 6C 69 6D 65 20 54 65 78 74 20',
            can_duplicate = True
        ).locate(self.binary, slow_method = False, log = False)
        # 'That appears to be a Sublime Merge '<license key>
        pat2 = PatternFinder(
            "Sublime Text Detector",
            '54 68 61 74 20 61 70 70 65 61 72 73 20 74 6F 20 62 65 20 61 20 53 75 62 6C 69 6D 65 20 4D 65 72 67 65 20',
            can_duplicate = True
        ).locate(self.binary, slow_method = False, log = False)
        
        # Only one of these patterns can exist in the application. If neither is found, it's not a known application.
        if pat1 == -1 and pat2 == -1:
            print('[!] Failed to identify binary. Are you sure this is a Sublime Text or Sublime Merge binary?')
            quit()
        elif pat1 > 0 and pat2 > 0:
            print(
                "[!] Both identity signatures detected in the binary! Cannot detect what application this is.\n" +
                "[!] Manually specify the application type with `-t`."
            )
            quit()
        elif pat1 > 0:
            return False

        return True

# ...
self.is_sublime_text = app_type if app_type is not None else self.detect_patcher()

# PATTER_DB contains patterns for Sublime Text/Merge for each supported OS ( MacOS/Linux/Windows, x64 instruction set only )
self.patchset = PATTERN_DB[ self.is_sublime_text ][ self.target_os ]
@rainbowpigeon

This comment has been minimized.

Copy link

@rainbowpigeon rainbowpigeon commented Aug 29, 2021

@leogx9r Thanks for the tip!

@bms8197

This comment has been minimized.

Copy link

@bms8197 bms8197 commented Aug 30, 2021

@leogx9r any clue on how to patch SublimeText build 4113 for MacOS BigSur ARM cpu?

@leogx9r

This comment has been minimized.

Copy link

@leogx9r leogx9r commented Aug 30, 2021

@bms8197 The same functions will exist, the patching method (well the replacement bytes) will be different since it's a different instruction set. If you're familiar with assembly (you'll need ARM64 assembly knowledge, obviously), open up the executable in a decompiler like IDA/Ghidra, select the ARM64 segment and try to locate the functions I've patched on x64 (all those listed in the main post of this thread). From there you'll just need to get those functions to either return 0/1 or rewrite them with non-functional opcodes (essentially nop).

While I could try doing it, I don't have any ARM64 based processors to test with, I've never done ARM64/THUMB assembly programming before and honestly, I'm lazy 😄

Setting up a VM just to virtualize ARM64 processors simply isn't worth the effort for me as I don't use them. Best of luck though.

@bms8197

This comment has been minimized.

Copy link

@bms8197 bms8197 commented Aug 30, 2021

@leogx9r I see. Unfortunatelly I do not have assembly knowledge. I could send you the sublime_text binary from my computer if that helps. If I had the knowledge I would have done it myself but it beats me totally this assembly stuff :(

@bms8197

This comment has been minimized.

Copy link

@bms8197 bms8197 commented Aug 30, 2021

@leogx9r I tried using Ghidra and try to dissassemble that sublime_text binary but I have no ideea how to figure out the functions that you patched on x64. If I try to search for 0x00090E5D it returns nothing so I'm totally lost here... Any clue on how to find what's needed?

@abranasays

This comment has been minimized.

Copy link

@abranasays abranasays commented Aug 31, 2021

Sir, I am beginner on Linux. Sir, I am using Ubuntu 20.04.
Sir, I install Sublime Text 4 from Snap Store.

Sir, Please Explain in Detail. How can I crack Sublime Text 4 ?

Sir, Please Help me.

@leogx9r

This comment has been minimized.

Copy link

@leogx9r leogx9r commented Sep 1, 2021

@bms8197 Honestly teaching you about disassemblers or reverse engineering will probably be more painful than just doing it myself (which I really don't want to do atm). I'll still give you some tips though:

  • Offsets for Windows/Linux/MacOS versions will not work on the ARM64 version, they're completely different.
  • The functions you're looking for would need to be found by digging around in the assembly, for example the license validity check calls several functions that display text like "License invalid" or whatever, you can search for those strings in the ARM64 version, cross-reference the function calls and try to locate those functions. You can use the offsets for the MacOS x64 version to dig around to see roughly what you're looking for.
  • If you've never done reverse-engineering before you're going to have a very steep learning curve. There are various resources out there showing how to use IDA/Ghidra and how assembly works.

Your best bet would be to find some other way (eg. someone else who worked on the ARM64 crack) or learn how to reverse-engineer x64/ARM64 because there's a lot you'd need to know to port that work, all of which is outside the scope of help I can provide (like I said, it'd be harder to teach you how to do it than make a VM, do it myself and test).

Good luck.


@abranasays Install the app via APT, not Snap and then run the patching program maboloshi made in the main post.

@bms8197

This comment has been minimized.

Copy link

@bms8197 bms8197 commented Sep 1, 2021

@leogx9r Allright! Thank you for all this information. I'll play around to see if I'm getting anywhere... As it appears, it's way more complicated than I thought...

@rainbowpigeon

This comment has been minimized.

Copy link

@rainbowpigeon rainbowpigeon commented Sep 4, 2021

@rainbowpigeon it would be really nice if you could update it for MacOS BigSur (ARM version), SublimeText build 4113. If you need the SublimeText binary as it is found on MacOS BigSur ARM, I can provide the original one resulted from the .zip file downloaded from Sublime's official website

@bms8197 No worries, I can download the binary myself and test it out. Apologies for the delayed reply, I was working on updating the x64 Windows patcher to work with Dev builds as well (which means v4114 works now for anyone who is interested!).

@vbovone

This comment has been minimized.

Copy link

@vbovone vbovone commented Sep 4, 2021

@rainbowpigeon it would be really nice if you could update it for MacOS BigSur (ARM version), SublimeText build 4113. If you need the SublimeText binary as it is found on MacOS BigSur ARM, I can provide the original one resulted from the .zip file downloaded from Sublime's official website

@bms8197 No worries, I can download the binary myself and test it out. Apologies for the delayed reply, I was working on updating the x64 Windows patcher to work with Dev builds as well (which means v4114 works now for anyone who is interested!).

I tried your patcher and it works like a charm! congrats :)
It would be nice to use it as well in my MacBook M1

@leogx9r

This comment has been minimized.

Copy link

@leogx9r leogx9r commented Sep 5, 2021

Alright so I have absolutely no idea if this will work but I've (experimentally) patched the MacOS binary (v4114) for both x86_64 (x64) and ARM64 (Not ARM32, just like I've not done x86). Give it a shot here. Replace the original with that and try starting the app, if it doesn't work, well I tried. Virus scan here. If you don't trust it, you can do a simple byte diff on the original to see what I've changed, fire up your disassembler and look at the actual instructions. Too lazy to do a graph with bytes changed.

What's patched:

  • License check (enter anything just like normal and it should be valid)
  • Invalidation/validation functions disabled
  • Server license validation thread neutered
  • Disabled phoning home on new license being entered
  • Disabled crash reporter for sending dumps on a crash

Basically, I've replaced the ret with ret x30 and xor rax, rax with mov x0, xzr, which is basically the only difference in assembly from x86_64. x30 register contains the return address, x0 contains the return value. Instructions are always 32-bits long on ARM arch.

No, I'll probably not bother doing this for future executables, it should be enough for you all to build patterns off of though (assuming you know how to) and ofc, assuming it works.

Tagging @vbovone and @bms8197 as you guys would probably be interested.

If it works, great, if it doesn't well, I doubt i'll be trying again 👍

@vbovone

This comment has been minimized.

Copy link

@vbovone vbovone commented Sep 5, 2021

Alright so I have absolutely no idea if this will work but I've (experimentally) patched the MacOS binary (v4114) for both x86_64 (x64) and ARM64 (Not ARM32, just like I've not done x86). Give it a shot here. Replace the original with that and try starting the app, if it doesn't work, well I tried. Virus scan here. If you don't trust it, you can do a simple byte diff on the original to see what I've changed, fire up your disassembler and look at the actual instructions. Too lazy to do a graph with bytes changed.

What's patched:

  • License check (enter anything just like normal and it should be valid)
  • Invalidation/validation functions disabled
  • Server license validation thread neutered
  • Disabled phoning home on new license being entered
  • Disabled crash reporter for sending dumps on a crash

Basically, I've replaced the ret with ret x30 and xor rax, rax with mov x0, xzr, which is basically the only difference in assembly from x86_64. x30 register contains the return address, x0 contains the return value. Instructions are always 32-bits long on ARM arch.

No, I'll probably not bother doing this for future executables, it should be enough for you all to build patterns off of though (assuming you know how to) and ofc, assuming it works.

Tagging @vbovone and @bms8197 as you guys would probably be interested.

If it works, great, if it doesn't well, I doubt i'll be trying again 👍

Hi leogx9r,

First of all thanks for your time! I tried to launch the application from my Macbook M1, I've noticed that the file needs to be renamed with .app extension
From a quick launch it cannot be executed even if I changed Mac permissions to run third party applications
image

I don't want to bother you again with the Mac ARM version but it's just to giving you a feedback.

Regards,

@bms8197

This comment has been minimized.

Copy link

@bms8197 bms8197 commented Sep 6, 2021

@leogx9r It's not working in my case, on Apple M1 cpu. I'm getting same error as @vbovone. I do appreciate your time and effort for this...

@abranasays

This comment has been minimized.

Copy link

@abranasays abranasays commented Sep 7, 2021

# for Linux
cd /opt/sublime_merge || exit
md5sum -c <<<"43E900A19926409EDF6BD8BA8709C633  sublime_merge" > /dev/null 2>&1 || exit
printf '\x48\xC7\xC0\x19\x01\x00\x00\xC3' | dd of=sublime_merge bs=1 seek=$((0x003A5400)) conv=notrunc
printf '\x90\x90\x90\x90\x90'             | dd of=sublime_merge bs=1 seek=$((0x003A7EC9)) conv=notrunc
printf '\x90\x90\x90\x90\x90'             | dd of=sublime_merge bs=1 seek=$((0x003A7EE4)) conv=notrunc
printf '\x48\x31\xC0\x48\xFF\xC0\xC3'     | dd of=sublime_merge bs=1 seek=$((0x003A67FE)) conv=notrunc
printf '\xC3'                             | dd of=sublime_merge bs=1 seek=$((0x003A514E)) conv=notrunc
printf '\xC3'                             | dd of=sublime_merge bs=1 seek=$((0x003A40D2)) conv=notrunc

Sir, I Installed sublime text via apt. I run below command:
md5sum -c <<<"43E900A19926409EDF6BD8BA8709C633 sublime_merge" > /dev/null 2>&1 || exit
Sir, My Terminal close.
Sir, Please Help me.

@maboloshi

This comment has been minimized.

Copy link
Owner Author

@maboloshi maboloshi commented Sep 8, 2021

@abranasays You should use the script corresponding to sublime text instead of sublime_merge,

@1-Dev1l

This comment has been minimized.

Copy link

@1-Dev1l 1-Dev1l commented Sep 13, 2021

Alright so I have absolutely no idea if this will work but I've (experimentally) patched the MacOS binary (v4114) for both x86_64 (x64) and ARM64 (Not ARM32, just like I've not done x86). Give it a shot here. Replace the original with that and try starting the app, if it doesn't work, well I tried. Virus scan here. If you don't trust it, you can do a simple byte diff on the original to see what I've changed, fire up your disassembler and look at the actual instructions. Too lazy to do a graph with bytes changed.
What's patched:

  • License check (enter anything just like normal and it should be valid)
  • Invalidation/validation functions disabled
  • Server license validation thread neutered
  • Disabled phoning home on new license being entered
  • Disabled crash reporter for sending dumps on a crash

Basically, I've replaced the ret with ret x30 and xor rax, rax with mov x0, xzr, which is basically the only difference in assembly from x86_64. x30 register contains the return address, x0 contains the return value. Instructions are always 32-bits long on ARM arch.
No, I'll probably not bother doing this for future executables, it should be enough for you all to build patterns off of though (assuming you know how to) and ofc, assuming it works.
Tagging @vbovone and @bms8197 as you guys would probably be interested.
If it works, great, if it doesn't well, I doubt i'll be trying again 👍

Hi leogx9r,

First of all thanks for your time! I tried to launch the application from my Macbook M1, I've noticed that the file needs to be renamed with .app extension
From a quick launch it cannot be executed even if I changed Mac permissions to run third party applications
image

I don't want to bother you again with the Mac ARM version but it's just to giving you a feedback.

Regards,

You aren't getting a message saying the file is damaged, so use the following command to re-sign the app yourself and it should run.
codesign --force --deep --sign - /Applications/Sublime\ Text.app

If you get an error about xcrun missing, just run the command xcode-select --install to install the missing files first, then re-run the command.

@bms8197

This comment has been minimized.

Copy link

@bms8197 bms8197 commented Sep 13, 2021

@1-Dev1l you're the man! Thanks for the tip. I have now, SublimeText, build 4114 fully registered on MacOS BigSur ARM (M1).
@leogx9r You're a genius! Thank you so much!

image

@vbovone

This comment has been minimized.

Copy link

@vbovone vbovone commented Sep 13, 2021

@1-Dev1l you're the man! Thanks for the tip. I have now, SublimeText, build 4114 fully registered on MacOS BigSur ARM (M1).
@leogx9r You're a genius! Thank you so much!

Hi bms8197,

What did you do to successfully install the app?

I runt this :
image

But I'm still getting the same error

@1-Dev1l

This comment has been minimized.

Copy link

@1-Dev1l 1-Dev1l commented Sep 13, 2021

@1-Dev1l you're the man! Thanks for the tip. I have now, SublimeText, build 4114 fully registered on MacOS BigSur ARM (M1).
@leogx9r You're a genius! Thank you so much!

Hi bms8197,

What did you do to successfully install the app?

I runt this :
image

But I'm still getting the same error

Ensure 'App Store and identified developers' is selected under 'Allow apps downloaded from' in System Preferences > Security & Privacy > General

@bms8197

This comment has been minimized.

Copy link

@bms8197 bms8197 commented Sep 13, 2021

I had SublimeText build 4113 installed. I've downloaded the latest dev build 4114 from their website. Then took the Sublime Text.App and put in Applications folder using replace (since the app was already there). I've opened the app just to check that I have build 4114. Close SublimeText App, Download the sublime_text binary provided by @legox9r. Copy sublime_text binary over the original binary then ran that codesign command. I've got the same message as you but the app works.

Oh I do have these entries in /etc/hosts:

# sublimetext
0.0.0.0 sublimetext.com
0.0.0.0 license.sublimehq.com
0.0.0.0 45.55.255.55 #sublimetext
0.0.0.0 45.55.41.223 #sublimetext

As a side note, I had SublimeText v4113 registered with a license that required upgrade (not sure if matters or not):

—– BEGIN LICENSE —–
Die Socialisten GmbH
10 User License
EA7E-800613
51311422 E45F49ED 3F0ADE0C E5B8A508
2F4D9B65 64E1E244 EDA11F0E F9D06110
B7B2E826 E6FDAA72 2C653693 5D80582F
09DCFFB5 113A940C 5045C0CD 5F8332F8
34356CC6 D96F6FDB 4DEC20EA 0A24D83A
2C82C329 E3290B29 A16109A7 EC198EB9
F28EBB17 9C07403F D44BA75A C23C6874
EBF11238 5546C3DD 737DC616 445C2941
—— END LICENSE ——

Go to Settings -> Security & Privacy -> General; check if you have SublimeText there and allow it to run

@1-Dev1l

This comment has been minimized.

Copy link

@1-Dev1l 1-Dev1l commented Sep 13, 2021

You could also try opening Applications folder in finder, control-click the application and choose Open if you aren't getting the 'Open Anyway' message for the app.

Also, I have nothing in hosts and nothing in licence and it works well for me.
Screenshot 2021-09-13 at 15 59 03

@vbovone

This comment has been minimized.

Copy link

@vbovone vbovone commented Sep 13, 2021

So the binary needs to be placed here right ? From Security & Privacy tab I've got Anywhere so it should be ok

image

@bms8197

This comment has been minimized.

Copy link

@bms8197 bms8197 commented Sep 13, 2021

I would do this:

  • close SublimeText
  • download SublimeText v4114 from their site;
  • copy SublimeText.app resulted from the previous download to Applications folder (using Finder) and chose Replace
  • then execute the following commands via Terminal:
cd /Applications/Sublime\ Text.app/Contents/MacOS/
cp ~/Downloads/sublime_text .
codesign --force --deep --sign - /Applications/Sublime\ Text.app

Then try to open SublimeText. You will get a notification message, click OK, then Go to Settings -> Security & Privacy -> General and see if you need to allow anything there.

After that it should work. At least it worked in my case. I'm running MacOS BigSur 11.5.2 (M1 cpu) on a 2021 iMac 24"

@vbovone

This comment has been minimized.

Copy link

@vbovone vbovone commented Sep 13, 2021

I would do this:

  • close SublimeText
  • download SublimeText v4114 from their site;
  • copy SublimeText.app resulted from the previous download to Applications folder (using Finder) and chose Replace
  • then execute the following commands via Terminal:
cd /Applications/Sublime\ Text.app/Contents/MacOS/
cp ~/Downloads/sublime_text .
codesign --force --deep --sign - /Applications/Sublime\ Text.app

Then try to open SublimeText. You will get a notification message, click OK, then Go to Settings -> Security & Privacy -> General and see if you need to allow anything there.

After that it should work. At least it worked in my case. I'm running MacOS BigSur 11.5.2 (M1 cpu) on a 2021 iMac 24"

Thanks you guys! It works 👯

Just remember this to anyone having my same issue. When copying the Application with Finder it's very important to NOT OPEN the app until the end of the entire process.

@maboloshi

This comment has been minimized.

Copy link
Owner Author

@maboloshi maboloshi commented Sep 14, 2021

I tried to organize the patched shulime text 4114 binary file provided by @leogx9r into rules, but, there are still two rules that are not organized and I don't know if the rest are valid.

Sublime Text Build 4114 macOS(arm64) ↓

Desciption Offset Original Patched
Disable Crash Reporter 0x00F615F4 FC 6F BC A9 C0 03 5F D6
  Pattern:  FC 6F BC A9 F6 57 01 A9 F4 4F 02 A9 FD 7B 03 A9 FD C3 00 91 FF 03 0F D1

May be:
4112-DEV:0x00F2A078
4113-STA:0x00F2A25C
4114-DEV:0x00F615F4

Desciption Offset Original Patched
Persistent License Check 1 0x00F65F80 AF 94 03 94 1F 20 03 D5
  Pattern:  ? ? ? 94 61 46 41 F9 ? ? 00 10 1F 20 03 D5 02 53 87 52

May be:
4112-DEV:0x00F2E9BB
4113-STA:0x00F2EBA3
4114-DEV:0x00F65F83

Desciption Offset Original Patched
Persistent License Check 2 0x00F65F94 AA 94 03 94 1F 20 03 D5
  Pattern:  ? ? ? 94 ? 2F 00 ? F7 ? ? 91 E0 42 ? 91 E0 6F 00 F9

May be:
4112-DEV:0x00F2E9CF
4113-STA:0x00F2EBB7
4114-DEV:0x00F65F97

Desciption Offset Original Patched
Disable License Notify Thread 0x00FD3EE8 FC 6F BD A9 C0 03 5F D6
  Patterne:  FC 6F BD A9 F4 4F 01 A9 FD 7B 02 A9 FD 83 00 91 FF 43 0C D1 F3 03 00 AA

May be:
4112-DEV:0x00F9AC94
4113-STA:0x00F9AD48
4114-DEV:0x00FD3EE8

Desciption Offset Original Patched
Initial License Check 0x00FD4258 FC 6F BD A9 C0 03 5F D6
  Pattern:  None
Desciption Offset Original Patched
Disable Server Validation Thread 0x00FD52F0 F6 57 BD A9 C0 03 5F D6
  Pattern:  F6 57 BD A9 F4 4F 01 A9 FD 7B 02 A9 FD 83 00 91 ? ? ? 94 ? ? ? 94 F3 03 00 AA ? ? ? 94 74 1A 00 B9

May be:
4112-DEV:0x00F9C078
4113-STA:0x00F9C114
4114-DEV:0x00FD52F0

4112, 4113 and 4114 have very different offset, Pattern validity is in doubt

@leogx9r

This comment has been minimized.

Copy link

@leogx9r leogx9r commented Sep 14, 2021

Well I'll be, I didn't expect that to work, lol. @1-Dev1l thanks for that.

@maboloshi Thanks, unfortunately I don't remember exactly what I change (didn't document it since I didn't expect it to work) and my patching method was slightly different from the x64 versions (patched wrapper functions iirc). Didn't make the time to do it "properly" but I'll maybe try to work on it when I get some time and see if I can put it together a bit more coherently.

For patterns, my signature maker plugin doesn't work on ARM and would basically require heavy modifications so that's a task for another day.

Glad it all worked out. 😄

@Destitute-Streetdwelling-Guttersnipe

This comment has been minimized.

Copy link

@Destitute-Streetdwelling-Guttersnipe Destitute-Streetdwelling-Guttersnipe commented Sep 15, 2021

@maboloshi You use "C3" (ret) to patch "Disable License Notify Thread". But I saw @leogx9r wrote that "Simply return 0 here to disable." in comment https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47#gistcomment-3802197.
Is this a mistake? Why don't you use ret 0?

@Destitute-Streetdwelling-Guttersnipe

This comment has been minimized.

Copy link

@Destitute-Streetdwelling-Guttersnipe Destitute-Streetdwelling-Guttersnipe commented Sep 15, 2021

@leogx9r thanks for your great contribution. I'm curious about the Server Validation Thread. In your analysis, you suggest to use ret 1 to disable it.
However, I saw someone named rufoa posted patches for it using ret for many versions of SM (from 2027 to 2059).
I tried ret on SM 2059 and it seems ok.
Do you think patching with ret has the same effect?

@leogx9r

This comment has been minimized.

Copy link

@leogx9r leogx9r commented Sep 15, 2021

@Destitute-Streetdwelling-Guttersnipe It does have the same effect. The function returns the value of pthread_join() or something similar. I didn't see Sublime Text/Merge use the return value but decided to have it return the proper value anyways for consistency (which upon research seems it required zero so I guess I documented that wrong).

The only function you really need to have a return value is for the license checking function, which requires zero always. The rest are basically optional. The return value isn't actually used (based on my reverse engineering) on the other functions.

Edit: On Windows it returns the value of CreateThread() which requires a non-zero value to indicate success. I originally patched this on Windows so I used the same method for Linux/MacOS -- they instead use pthread which requires a zero value to indicate success, so I guess that's where I got mixed up. So you should ideally return 1 on Windows (or any non-zero value) and 0 on Linux but it doesn't matter really since the value is never used.

@Destitute-Streetdwelling-Guttersnipe

This comment has been minimized.

Copy link

@Destitute-Streetdwelling-Guttersnipe Destitute-Streetdwelling-Guttersnipe commented Sep 16, 2021

@leogx9r thanks for the explanation. I think this also answer my question to @maboloshi about "License Notify Thread". We can return anything since the return value is ignored.

I created a patcher in my github which uses the patterns you posted. I upgraded them to use reghex (which is regex with hex bytes), so that I can combine more actions into 1 pattern.
For example: reghex="(?<= 41 B8 . . . . ) E8 . . . . (48|49) . .", fix=nop5 can be used to patch the invalidate1 call for both dev and stable versions of ST (48 for dev, 49 for stable), the offset to E8 is described by the lookahead (?<= 41 B8 . . . . ).
Another example: reghex="(?<= E8 ) . . . .", patch=ret0, is_ref=True can be used to patch the license_check call without the need to analyze the instruction length of Call (E8).
I hope to make it less dependent on x64 and easier to add support for arm64.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment