Skip to content

Instantly share code, notes, and snippets.

@maboloshi
Last active June 14, 2024 00:15
Show Gist options
  • Save maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47 to your computer and use it in GitHub Desktop.
Save maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47 to your computer and use it in GitHub Desktop.
Crack Sublime Text and Sublime Merge

Note

  1. If you can, please purchase the genuine license through the official channel and support the software developer.
  2. All crack methods here are implemented by @leogx9r.
  3. All data is not guaranteed to be authoritative or correct, nor has it been tested across the platform, nor is it responsible for any errors, lost data, etc. in practice! Please assess yourself!!!
  4. I am only within the ability to update the information based on the existing crack methods until the existing rules fail.

Sublime Patcher Script for personal use

The code implementation is very poor.
https://gist.github.com/maboloshi/5baecbddacf43855f13240b63be5673d

ToC

Sublime Text Sublime Merge
Stable channel win / linux / mac / mac-arm64 win / linux / mac / mac-arm64
Dev channel win / linux / mac / mac-arm64 win / linux / mac / mac-arm64

How to Crack Sublime Text, Stable Channel, Build 4152

Thanks to @leogx9r for providing cracking methods.

https://gist.github.com/JerryLokjianming/71dac05f27f8c96ad1c8941b88030451?permalink_comment_id=3762200#gistcomment-3762200 https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47?permalink_comment_id=3802197#gistcomment-3802197 https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47?permalink_comment_id=3803204#gistcomment-3803204

Win64

Desciption Offset Original Patched
Initial License Check 0x000A8D78 55 41 57 41 48 31 C0 C3
Persistent License Check 1 0x000071D0 E8 17 FE 20 00 90 90 90 90 90
Persistent License Check 2 0x000071E9 E8 FE FD 20 00 90 90 90 90 90
Disable Server Validation Thread 0x000AAB3E 55 56 57 48 83 EC 30 48 31 C0 48 FF C0 C3
Disable License Notify Thread 0x000A8945 55 C3
Disable Crash Reporter 0x00000400 41 C3

for 4117, 4118: https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47?permalink_comment_id=3927712#gistcomment-3927712

Bat Script
:: for Win64
cd /d "C:\Program Files\Sublime Text" || exit
certutil -hashfile sublime_text.exe md5 | find /i "15BB398D5663B89A44372EF15F70A46F" || exit
echo 000A8D78: 48 31 C0 C3          | xxd -r - sublime_text.exe
echo 000071D0: 90 90 90 90 90       | xxd -r - sublime_text.exe
echo 000071E9: 90 90 90 90 90       | xxd -r - sublime_text.exe
echo 000AAB3E: 48 31 C0 48 FF C0 C3 | xxd -r - sublime_text.exe
echo 000A8945: C3                   | xxd -r - sublime_text.exe
echo 00000400: C3                   | xxd -r - sublime_text.exe

PS:xxd.exe extracted from git for windows

The license can be any string.

Blocked by Microsoft Defender SmartScreen -> More Info -> Run Anyway

Screenshot
![Screenshot](https://i.imgur.com/t4QlRZ6.png)

![Screenshot](https://i.imgur.com/18372Rh.png)

Linux

Desciption Offset Original Patched
Initial License Check 0x00415013 55 41 57 41 48 31 C0 C3
Persistent License Check 1 0x00409037 E8 C0 CC 12 00 90 90 90 90 90
Persistent License Check 2 0x0040904F E8 A8 CC 12 00 90 90 90 90 90
Disable Server Validation Thread 0x00416CA4 55 41 56 53 41 89 F6 48 31 C0 48 FF C0 C3
Disable License Notify Thread 0x00414C82 41 C3
Disable Crash Reporter 0x003FA310 55 C3
Bash Script
# for Linux
cd /opt/sublime_text || exit
md5sum -c <<<"7038C3B1CC79504602DA70599D4CCCE9  sublime_text" || exit
echo 00415013: 48 31 C0 C3          | xxd -r - sublime_text
echo 00409037: 90 90 90 90 90       | xxd -r - sublime_text
echo 0040904F: 90 90 90 90 90       | xxd -r - sublime_text
echo 00416CA4: 48 31 C0 48 FF C0 C3 | xxd -r - sublime_text
echo 00414C82: C3                   | xxd -r - sublime_text
echo 003FA310: C3                   | xxd -r - sublime_text

macOS

Desciption Offset Original Patched
Initial License Check 0x0009F313 55 48 89 E5 48 31 C0 C3
Persistent License Check 1 0x00009CEF E8 3C 2D 13 00 90 90 90 90 90
Persistent License Check 2 0x00009D07 E8 24 2D 13 00 90 90 90 90 90
Disable Server Validation Thread 0x000A085D 55 48 89 E5 41 57 41 48 31 C0 48 FF C0 C3
Disable License Notify Thread 0x0009EF0E 55 C3
Disable Crash Reporter 0x00002A87 55 C3
Bash Script
# for MacOS
cd "/Applications/Sublime Text.app/Contents/MacOS/" || exit
md5 -q sublime_text | grep -i "B07FDB3A228A46DF1CC178FE60B64D3B" || exit
echo 0009F313: 48 31 C0 C3          | xxd -r - sublime_text
echo 00009CEF: 90 90 90 90 90       | xxd -r - sublime_text
echo 00009D07: 90 90 90 90 90       | xxd -r - sublime_text
echo 000A085D: 48 31 C0 48 FF C0 C3 | xxd -r - sublime_text
echo 0009EF0E: C3                   | xxd -r - sublime_text
echo 00002A87: C3                   | xxd -r - sublime_text
Re-Sign App
codesign --force --deep --sign - "/Applications/Sublime Text.app"

Requires Apple Command Line Tools to be installed

macOS (ARM64)

Based on: https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47?permalink_comment_id=3929427#gistcomment-3929427

Desciption Offset Original Patched
Initial License Check 0x01060C90 FC 6F BA A9 E6 03 1E AA E0 03 1F AA C0 03 5F D6
Persistent License Check 1 0x00FEAD18 40 BB 03 94 1F 20 03 D5
Persistent License Check 2 0x00FEAD2C 3B BB 03 94 1F 20 03 D5
Disable Server Validation Thread 0x01061F28 F6 57 BD A9 C0 03 5F D6
Disable License Notify Thread 0x01060908 FC 6F BD A9 C0 03 5F D6
Disable Crash Reporter 0x00FE5780 FC 6F BC A9 C0 03 5F D6
Bash Script
# for macOS (ARM64)
cd "/Applications/Sublime Text.app/Contents/MacOS/" || exit
md5 -q sublime_text | grep -i "B07FDB3A228A46DF1CC178FE60B64D3B" || exit
echo 01060C90: E0 03 1F AA C0 03 5F D6 | xxd -r - sublime_text
echo 00FEAD18: 1F 20 03 D5             | xxd -r - sublime_text
echo 00FEAD2C: 1F 20 03 D5             | xxd -r - sublime_text
echo 01061F28: C0 03 5F D6             | xxd -r - sublime_text
echo 01060908: C0 03 5F D6             | xxd -r - sublime_text
echo 00FE5780: C0 03 5F D6             | xxd -r - sublime_text
Re-Sign App
codesign --force --deep --sign - "/Applications/Sublime Text.app"

Requires Apple Command Line Tools to be installed


How to Crack Sublime Text, Dev Channel, Build 4154

Thanks to @leogx9r for providing cracking methods.

https://gist.github.com/JerryLokjianming/71dac05f27f8c96ad1c8941b88030451?permalink_comment_id=3762200#gistcomment-3762200 https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47?permalink_comment_id=3802197#gistcomment-3802197 https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47?permalink_comment_id=3803204#gistcomment-3803204

Win64

Desciption Offset Original Patched
Initial License Check 0x0009E47C 55 41 57 41 48 31 C0 C3
Persistent License Check 1 0x0000647C E8 23 7C 20 00 90 90 90 90 90
Persistent License Check 2 0x00006495 E8 0A 7C 20 00 90 90 90 90 90
Disable Server Validation Thread 0x000A0222 55 56 57 48 83 EC 30 48 31 C0 48 FF C0 C3
Disable License Notify Thread 0x0009E043 55 C3

for 4117, 4118: https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47?permalink_comment_id=3927712#gistcomment-3927712

Bat Script
:: for Win64
cd /d "C:\Program Files\Sublime Text" || exit
certutil -hashfile sublime_text.exe md5 | find /i "ADF277D39672D83637AB708FC45413C8" || exit
echo 0009E47C: 48 31 C0 C3          | xxd -r - sublime_text.exe
echo 0000647C: 90 90 90 90 90       | xxd -r - sublime_text.exe
echo 00006495: 90 90 90 90 90       | xxd -r - sublime_text.exe
echo 000A0222: 48 31 C0 48 FF C0 C3 | xxd -r - sublime_text.exe
echo 0009E043: C3                   | xxd -r - sublime_text.exe

PS:xxd.exe extracted from git for windows

The license can be any string.

Blocked by Microsoft Defender SmartScreen -> More Info -> Run Anyway

Screenshot
![Screenshot](https://i.imgur.com/t4QlRZ6.png)

![Screenshot](https://i.imgur.com/18372Rh.png)

Linux

Desciption Offset Original Patched
Initial License Check 0x00443F94 55 41 57 41 48 31 C0 C3
Persistent License Check 1 0x0042B210 E8 37 44 14 00 90 90 90 90 90
Persistent License Check 2 0x0042B228 E8 1F 44 14 00 90 90 90 90 90
Disable Server Validation Thread 0x00445EB6 55 41 56 53 41 89 F6 48 31 C0 48 FF C0 C3
Disable License Notify Thread 0x00443BF8 41 C3
Bash Script
# for Linux
cd /opt/sublime_text || exit
md5sum -c <<<"8836FE092DBB7BC8D3D2375D34510CA9  sublime_text" || exit
echo 00443F94: 48 31 C0 C3          | xxd -r - sublime_text
echo 0042B210: 90 90 90 90 90       | xxd -r - sublime_text
echo 0042B228: 90 90 90 90 90       | xxd -r - sublime_text
echo 00445EB6: 48 31 C0 48 FF C0 C3 | xxd -r - sublime_text
echo 00443BF8: C3                   | xxd -r - sublime_text

macOS

Desciption Offset Original Patched
Initial License Check 0x0009D527 55 48 89 E5 48 31 C0 C3
Persistent License Check 1 0x000097F5 E8 AE 12 13 00 90 90 90 90 90
Persistent License Check 2 0x0000980D E8 96 12 13 00 90 90 90 90 90
Disable Server Validation Thread 0x0009EA9D 55 48 89 E5 41 57 41 48 31 C0 48 FF C0 C3
Disable License Notify Thread 0x0009D122 55 C3
Bash Script
# for MacOS
cd "/Applications/Sublime Text.app/Contents/MacOS/" || exit
md5 -q sublime_text | grep -i "E1A3347BECDA7CC1EF583ECACECACBDC" || exit
echo 0009D527: 48 31 C0 C3          | xxd -r - sublime_text
echo 000097F5: 90 90 90 90 90       | xxd -r - sublime_text
echo 0000980D: 90 90 90 90 90       | xxd -r - sublime_text
echo 0009EA9D: 48 31 C0 48 FF C0 C3 | xxd -r - sublime_text
echo 0009D122: C3                   | xxd -r - sublime_text
Re-Sign App
codesign --force --deep --sign - "/Applications/Sublime Text.app"

Requires Apple Command Line Tools to be installed

macOS (ARM64)

Based on: https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47?permalink_comment_id=3929427#gistcomment-3929427

Desciption Offset Original Patched
Initial License Check 0x010758B8 FC 6F BA A9 E6 03 1E AA E0 03 1F AA C0 03 5F D6
Persistent License Check 1 0x01000360 33 A4 03 94 1F 20 03 D5
Persistent License Check 2 0x01000374 2E A4 03 94 1F 20 03 D5
Disable Server Validation Thread 0x01076B54 F6 57 BD A9 C0 03 5F D6
Disable License Notify Thread 0x01075534 FC 6F BD A9 C0 03 5F D6
Bash Script
# for macOS (ARM64)
cd "/Applications/Sublime Text.app/Contents/MacOS/" || exit
md5 -q sublime_text | grep -i "E1A3347BECDA7CC1EF583ECACECACBDC" || exit
echo 010758B8: E0 03 1F AA C0 03 5F D6 | xxd -r - sublime_text
echo 01000360: 1F 20 03 D5             | xxd -r - sublime_text
echo 01000374: 1F 20 03 D5             | xxd -r - sublime_text
echo 01076B54: C0 03 5F D6             | xxd -r - sublime_text
echo 01075534: C0 03 5F D6             | xxd -r - sublime_text
Re-Sign App
codesign --force --deep --sign - "/Applications/Sublime Text.app"

Requires Apple Command Line Tools to be installed


How to Crack Sublime Merge, Stable Channel, Build 2083

Thanks to @leogx9r for providing cracking methods.

https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47?permalink_comment_id=3823090#gistcomment-3823090 https://gist.github.com/JerryLokjianming/71dac05f27f8c96ad1c8941b88030451?permalink_comment_id=3762883#gistcomment-3762883 https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47?permalink_comment_id=3802197#gistcomment-3802197

Win64

Desciption Offset Original Patched
Initial License Check 0x000251A8 55 41 57 41 56 41 55 41 48 C7 C0 19 01 00 00 C3
Persistent License Check 1 0x000286A3 E8 70 AA 26 00 90 90 90 90 90
Persistent License Check 2 0x000286BC E8 57 AA 26 00 90 90 90 90 90
Disable Server Validation Thread 0x000269B8 55 56 57 48 83 EC 30 48 31 C0 48 FF C0 C3
Disable License Notify Thread 0x00024DCD 55 C3
Disable Crash Reporter 0x00023F18 41 C3
Bat Script
:: for Win64
cd /d "C:\Program Files\Sublime Merge" || exit
certutil -hashfile sublime_merge.exe md5 | find /i "E33B76ADA6E7E7577CD4E81A7A4580C7" || exit
echo 000251A8: 48 C7 C0 19 01 00 00 C3 | xxd -r - sublime_merge.exe
echo 000286A3: 90 90 90 90 90          | xxd -r - sublime_merge.exe
echo 000286BC: 90 90 90 90 90          | xxd -r - sublime_merge.exe
echo 000269B8: 48 31 C0 48 FF C0 C3    | xxd -r - sublime_merge.exe
echo 00024DCD: C3                      | xxd -r - sublime_merge.exe
echo 00023F18: C3                      | xxd -r - sublime_merge.exe

PS:xxd.exe extracted from git for windows

Linux

thinks @urxi here

Bash Script
# for Linux
cd /opt/sublime_merge || exit
md5sum -c <<<"86F61A82E7EE8DD9BDC4CF16A7C8E825  sublime_merge" || exit
echo 0045A360: 48 C7 C0 19 01 00 00 C3 | xxd -r - sublime_merge
echo 0045D21D: 90 90 90 90 90          | xxd -r - sublime_merge
echo 0045D23A: 90 90 90 90 90          | xxd -r - sublime_merge
echo 0045B990: C3                      | xxd -r - sublime_merge
echo 0045A05A: C3                      | xxd -r - sublime_merge
echo 00459ABA: C3                      | xxd -r - sublime_merge

macOS

Desciption Offset Original Patched
Initial License Check 0x0002C2DF 55 48 89 E5 41 57 41 56 48 C7 C0 19 01 00 00 C3
Persistent License Check 1 0x0002E96C E8 1F B9 18 00 90 90 90 90 90
Persistent License Check 2 0x0002E98B E8 00 B9 18 00 90 90 90 90 90
Disable Server Validation Thread 0x0002D295 55 48 89 E5 41 57 41 48 31 C0 48 FF C0 C3
Disable License Notify Thread 0x0002BF6A 55 C3
Disable Crash Reporter 0x0002B7AB 55 C3
Bash Script
# for MacOS
cd "/Applications/Sublime Merge.app/Contents/MacOS/" || exit
md5 -q sublime_merge | grep -i "B1AADED4F196EEEEBF8D5A6F98B11288" || exit
echo 0002C2DF: 48 C7 C0 19 01 00 00 C3 | xxd -r - sublime_merge
echo 0002E96C: 90 90 90 90 90          | xxd -r - sublime_merge
echo 0002E98B: 90 90 90 90 90          | xxd -r - sublime_merge
echo 0002D295: 48 31 C0 48 FF C0 C3    | xxd -r - sublime_merge
echo 0002BF6A: C3                      | xxd -r - sublime_merge
echo 0002B7AB: C3                      | xxd -r - sublime_merge
Re-Sign App
codesign --force --deep --sign - "/Applications/Sublime Merge.app"

Requires Apple Command Line Tools to be installed

macOS (ARM64)

!!!! May have expired !!!!

Based on:

Desciption Offset Original Patched
Initial License Check 0x014D9060 FC 6F BA A9 E6 03 1E AA E0 03 1F AA C0 03 5F D6
Persistent License Check 1 0x014DAF68 AB B6 04 94 1F 20 03 D5
Persistent License Check 2 0x014DAF7C A6 B6 04 94 1F 20 03 D5
Disable Server Validation Thread 0x014D9DBC F6 57 BD A9 C0 03 5F D6
Disable License Notify Thread 0x014D8D9C FC 6F BD A9 C0 03 5F D6
Disable Crash Reporter 0x014D86E4 FC 6F BC A9 C0 03 5F D6
Bash Script
# for macOS (ARM64)
cd "/Applications/Sublime Merge.app/Contents/MacOS/" || exit
md5 -q sublime_merge | grep -i "B1AADED4F196EEEEBF8D5A6F98B11288" || exit
echo 014D9060: E0 03 1F AA C0 03 5F D6 | xxd -r - sublime_merge
echo 014DAF68: 1F 20 03 D5             | xxd -r - sublime_merge
echo 014DAF7C: 1F 20 03 D5             | xxd -r - sublime_merge
echo 014D9DBC: C0 03 5F D6             | xxd -r - sublime_merge
echo 014D8D9C: C0 03 5F D6             | xxd -r - sublime_merge
echo 014D86E4: C0 03 5F D6             | xxd -r - sublime_merge
Re-Sign App
codesign --force --deep --sign - "/Applications/Sublime Merge.app"

Requires Apple Command Line Tools to be installed


How to Crack Sublime Merge, Dev Channel, Build 2085

Thanks to @leogx9r for providing cracking methods.

https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47?permalink_comment_id=3823090#gistcomment-3823090 https://gist.github.com/JerryLokjianming/71dac05f27f8c96ad1c8941b88030451?permalink_comment_id=3762883#gistcomment-3762883 https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47?permalink_comment_id=3802197#gistcomment-3802197

Win64

Desciption Offset Original Patched
Initial License Check 0x00025300 55 41 57 41 56 41 55 41 48 C7 C0 19 01 00 00 C3
Persistent License Check 1 0x00028813 E8 B8 7F 27 00 90 90 90 90 90
Persistent License Check 2 0x0002882C E8 9F 7F 27 00 90 90 90 90 90
Disable Server Validation Thread 0x00026B20 55 56 57 48 83 EC 30 48 31 C0 48 FF C0 C3
Disable License Notify Thread 0x00024F25 55 C3
Disable Crash Reporter 0x00024070 41 C3
Bat Script
:: for Win64
cd /d "C:\Program Files\Sublime Merge" || exit
certutil -hashfile sublime_merge.exe md5 | find /i "8B6590708E6AAE98AC3AE29135DB084F" || exit
echo 00025300: 48 C7 C0 19 01 00 00 C3 | xxd -r - sublime_merge.exe
echo 00028813: 90 90 90 90 90          | xxd -r - sublime_merge.exe
echo 0002882C: 90 90 90 90 90          | xxd -r - sublime_merge.exe
echo 00026B20: 48 31 C0 48 FF C0 C3    | xxd -r - sublime_merge.exe
echo 00024F25: C3                      | xxd -r - sublime_merge.exe
echo 00024070: C3                      | xxd -r - sublime_merge.exe

PS:xxd.exe extracted from git for windows

Linux

thinks @urxi here

Bash Script
# for Linux
cd /opt/sublime_merge || exit
md5sum -c <<<"958DA6B7EC687B25F55A16FF6A3D9BD0  sublime_merge" || exit
echo 0045F22C: 48 C7 C0 19 01 00 00 C3 | xxd -r - sublime_merge
echo 004620F9: 90 90 90 90 90          | xxd -r - sublime_merge
echo 00462116: 90 90 90 90 90          | xxd -r - sublime_merge
echo 0046086C: C3                      | xxd -r - sublime_merge
echo 0045EF26: C3                      | xxd -r - sublime_merge
echo 0045E986: C3                      | xxd -r - sublime_merge

macOS

Desciption Offset Original Patched
Initial License Check 0x0002C4CB 55 48 89 E5 41 57 41 56 48 C7 C0 19 01 00 00 C3
Persistent License Check 1 0x0002EB48 E8 15 23 19 00 90 90 90 90 90
Persistent License Check 2 0x0002EB67 E8 F6 22 19 00 90 90 90 90 90
Disable Server Validation Thread 0x0002D471 55 48 89 E5 41 57 41 48 31 C0 48 FF C0 C3
Disable License Notify Thread 0x0002C156 55 C3
Disable Crash Reporter 0x0002B997 55 C3
Bash Script
# for MacOS
cd "/Applications/Sublime Merge.app/Contents/MacOS/" || exit
md5 -q sublime_merge | grep -i "D67510219FB14938A47BE39260C87215" || exit
echo 0002C4CB: 48 C7 C0 19 01 00 00 C3 | xxd -r - sublime_merge
echo 0002EB48: 90 90 90 90 90          | xxd -r - sublime_merge
echo 0002EB67: 90 90 90 90 90          | xxd -r - sublime_merge
echo 0002D471: 48 31 C0 48 FF C0 C3    | xxd -r - sublime_merge
echo 0002C156: C3                      | xxd -r - sublime_merge
echo 0002B997: C3                      | xxd -r - sublime_merge
Re-Sign App
codesign --force --deep --sign - "/Applications/Sublime Merge.app"

Requires Apple Command Line Tools to be installed

macOS (ARM64)

!!!! May have expired !!!!

Based on:

Desciption Offset Original Patched
Initial License Check 0x015027EC FC 6F BA A9 E6 03 1E AA E0 03 1F AA C0 03 5F D6
Persistent License Check 1 0x015046D4 78 C9 04 94 1F 20 03 D5
Persistent License Check 2 0x015046E8 73 C9 04 94 1F 20 03 D5
Disable Server Validation Thread 0x0150352C F6 57 BD A9 C0 03 5F D6
Disable License Notify Thread 0x01502528 FC 6F BD A9 C0 03 5F D6
Disable Crash Reporter 0x01501E70 FC 6F BC A9 C0 03 5F D6
Bash Script
# for macOS (ARM64)
cd "/Applications/Sublime Merge.app/Contents/MacOS/" || exit
md5 -q sublime_merge | grep -i "D67510219FB14938A47BE39260C87215" || exit
echo 015027EC: E0 03 1F AA C0 03 5F D6 | xxd -r - sublime_merge
echo 015046D4: 1F 20 03 D5             | xxd -r - sublime_merge
echo 015046E8: 1F 20 03 D5             | xxd -r - sublime_merge
echo 0150352C: C0 03 5F D6             | xxd -r - sublime_merge
echo 01502528: C0 03 5F D6             | xxd -r - sublime_merge
echo 01501E70: C0 03 5F D6             | xxd -r - sublime_merge
Re-Sign App
codesign --force --deep --sign - "/Applications/Sublime Merge.app"

Requires Apple Command Line Tools to be installed

ST's new version of hexadecimal editing method

From: https://gist.github.com/opastorello/4d494d627ec9012367028c89cb7a1945

Search : 80 78 05 00 0f 94 c1 first result , replace: c6 40 05 01 48 85 c9

This patch is applicable to all x86-64 CPU platforms of ST.

ST's old version hexadecimal editing method

From: https://gist.github.com/opastorello/4d494d627ec9012367028c89cb7a1945?permalink_comment_id=4495369#gistcomment-4495369

97 94 0D --> 00 00 00

License Key:

----- BEGIN LICENSE -----
TwitterInc
200 User License
EA7E-890007
1D77F72E 390CDD93 4DCBA022 FAF60790
61AA12C0 A37081C5 D0316412 4584D136
94D7F7D4 95BC8C1C 527DA828 560BB037
D1EDDD8C AE7B379F 50C9D69D B35179EF
2FE898C4 8E4277A8 555CE714 E1FB0E43
D5D52613 C3D12E98 BC49967F 7652EED2
9D2D2E61 67610860 6D338B72 5CF95C69
E36B85CC 84991F19 7575D828 470A92AB
------ END LICENSE ------
@leogx9r
Copy link

leogx9r commented Jul 4, 2021

@backermanbd If you want your name shown so badly in the registration window, you'll need to reverse-engineer it yourself and locate the relevant code segment. I'll outright tell you, the RSA function that you're looking for is inlined within the license validity function in the Linux binaries -- the same patch won't work since there's no separate function for it unlike Windows, you'll need different assembly to patch it after identifying which code is responsible for it. I won't put the work in to figure out the way around that since it's utterly pointless for anyone who just wants the thing registered so that'll be up to you to figure out.


Sublime Merge v2057 Crack

Literally the same patterns work as before. As usual, the same methods do as well. Here are the offsets from my auto-patcher:

Linux

image

Windows

image

MacOS

image

If you looked carefully, you'd see I added two additional things, disabling the crash reporter (which sends telemetry back to the server, not something I personally like) and also disabled the "phoning home" method when a new license is entered. The phoning home method can potentially be used to detect you cracking the application (as it'll send invalid info, also containing your unique identifier) and you may get your IP blacklisted, hence I've decided to disable it entirely, I also recommend you guys do too, just in case. If you'd like the patterns for that:

# Sends the HWID, license Information the moment a license is entered to the server for logging.
# Most likely used to detect when a license key is shared across too many systems with differing HWIDs.
# Simply return 0 here to disable.
Sublime Text
    Windows x64 Pattern: `raw sig: 55 56 57 48 81 EC ? ? ? ? 48 8D AC 24 ? ? ? ? 0F 29 B5 ? ? ? ? 48 C7 85 ? ? ? ? ? ? ? ? 48 89 CF`
    Linux x64   Pattern: `raw sig: 41 56 53 48 81 EC ? ? ? ? 48 89 FB BF ? ? ? ? E8 ? ? ? ? 4C 8D B4 24 ? ? ? ?`
    MacOS x64   Pattern: `raw sig: 55 48 89 E5 53 48 81 EC ? ? ? ? 48 89 FB 48 8B 05 ? ? ? ? 48 8B 00 48 89 45 F0 48 8D 3D ? ? ? ?`

Sublime Merge
    Windows x64 Pattern: `raw sig: 55 56 57 48 81 EC ? ? ? ? 48 8D AC 24 ? ? ? ? 0F 29 B5 ? ? ? ?`
    Linux x64   Pattern: `raw sig: 41 56 53 48 81 EC ? ? ? ? 48 89 FB BF ? ? ? ?`
    MacOS x64   Pattern: `raw sig: 55 48 89 E5 53 48 81 EC ? ? ? ? 48 89 FB 48 8B 05 ? ? ? ? 48 8B 00 48 89 45 F0 48 8D 3D ? ? ? ?`

Proof

image
image
image
image

@maboloshi
Copy link
Author

@leogx9r Thank you! Can you complement the patterns for "Disabled crash reporter"?

@Bruskyer
Copy link

Bruskyer commented Jul 5, 2021

any news about ST4 build 4110?

@leogx9r
Copy link

leogx9r commented Jul 5, 2021

@maboloshi Sure, here ya go:

Sublime Text
    Windows x64 Pattern: `raw sig: 41 57 41 56 41 55 41 54 56 57 55 53 B8 ? ? ? ? E8 ? ? ? ? 48 29 C4 8A 84 24 ? ? ? ?`
    Linux x64   Pattern: `raw sig: 55 41 57 41 56 41 55 41 54 53 48 81 EC ? ? ? ? 41 89 D4 48 89 FD`
    MacOS x64   Pattern: `raw sig: 55 48 89 E5 41 57 41 56 41 55 41 54 53 48 81 EC ? ? ? ? 41 89 CE 49 89 F7`

Sublime Merge
    Windows x64 Pattern: `raw sig: 41 57 41 56 41 55 41 54 56 57 55 53 B8 ? ? ? ? E8 ? ? ? ? 48 29 C4 8A 84 24 ? ? ? ?`
    Linux x64   Pattern: `raw sig: 55 41 57 41 56 41 55 41 54 53 48 81 EC ? ? ? ? 41 89 D4 48 89 FD`
    MacOS x64   Pattern: `raw sig: 55 48 89 E5 41 57 41 56 41 55 41 54 53 48 81 EC ? ? ? ? 41 89 CE 49 89 F7`

I just write a ret instruction to disable it.


@Bruskyer It was released < 12 hours ago, I doubt you'd get news that soon :P

Here's v4110 offsets (patterns are the same):

Linux

image

MacOS

image

Windows

image

image

@Bruskyer
Copy link

Bruskyer commented Jul 6, 2021

Thank you

@Bruskyer
Copy link

Bruskyer commented Jul 6, 2021

After I have applied the same keys on explained offset only accepted the license key that needs upgrade

—– BEGIN LICENSE —–
Die Socialisten GmbH
10 User License
EA7E-800613
51311422 E45F49ED 3F0ADE0C E5B8A508
2F4D9B65 64E1E244 EDA11F0E F9D06110
B7B2E826 E6FDAA72 2C653693 5D80582F
09DCFFB5 113A940C 5045C0CD 5F8332F8
34356CC6 D96F6FDB 4DEC20EA 0A24D83A
2C82C329 E3290B29 A16109A7 EC198EB9
F28EBB17 9C07403F D44BA75A C23C6874
EBF11238 5546C3DD 737DC616 445C2941
—— END LICENSE ——

@maboloshi
Copy link
Author

@Bruskyer If the crack is successful, any string is allowed. What version and platform are you using?

@Bruskyer
Copy link

Bruskyer commented Jul 6, 2021

ST 4 Build4110 on win 10 x64
image
when insert any text/key to register input
image
there wasnt 0x00007143 offset I replaced the value on 0x00007140

@leogx9r
Copy link

leogx9r commented Jul 6, 2021

@Bruskyer Then you did it wrong which is why it isn't working.

1.) You cannot just replace a completely different offset in the file and expect it to work.

2.) What do you mean the offset 0x7143 doesn't exist? It clearly does:

image

Use the batch script maboloshi made for Windows instead of attempting to patch it yourself and it will work just fine.

@Bruskyer
Copy link

Bruskyer commented Jul 7, 2021

Sorry for previous post, I realized a mistake during changing the values, Now everything works perfect
Thanks to @leogx9r and @maboloshi

@Bruskyer
Copy link

Bruskyer commented Jul 12, 2021

ST 4 Build 4111 released 🚀

@leogx9r
Copy link

leogx9r commented Jul 12, 2021

Sublime Text v4111 Crack

Patterns are the same as before, as is the method for cracking. Offsets follow from my script:

Linux

image

Windows

image

MacOS

image

Proof

image

@Bruskyer
Copy link

Bruskyer commented Jul 13, 2021

Sublime Text v4111 Crack

...

👌 Thanks

@leogx9r
Copy link

leogx9r commented Jul 13, 2021

@Bruskyer please don't quote the entire message, makes this thread really long and difficult to read.


Sublime Text v4112 Crack

Minor update, nothing too special. Offsets follow:

Linux

image

Windows

image

MacOS

image

Proof

image

In the future I may write a script to generate all these offsets for easily pasting on here afterwards.

Copy link

ghost commented Jul 13, 2021

how can we get sublime patcher ?

@rahitashpaul
Copy link

rahitashpaul commented Jul 14, 2021

Sublime Text v4111 Crack

...

sir, what is this software for cracking....

@Bruskyer
Copy link

@Bruskyer please don't quote the entire message, makes this thread really long and difficult to read.
@leogx9r 🆗

@Bruskyer
Copy link

Bruskyer commented Jul 14, 2021

finally 4113 released on commercial(stable) channel 🚀

@leogx9r
Copy link

leogx9r commented Jul 14, 2021

@udwick, @rahitashpaul I'm keeping it to myself. I've already provided all the information required to build your own patcher from this and this comment, with additional resources provided here. That's basically all you need to do it, it really isn't hard to figure out and I don't like spoonfeeding people the direct answers.


Sublime Text v4113 Crack

Windows patterns have changed again for the Invalidation/Validation methods. First pattern was only changed by a single byte (48 -> 49). Second one contains the raw address without displacement by 6 unlike before. Aka, NOP the first E8 XX XX XX XX after finding the second pattern. Here are the new patterns:

    Windows x64 Pattern 1: `direct reference sig: (+0x6) 41 B8 ? ? ? ? E8 ? ? ? ? 49 8B 96 ? ? ? ?`
                Pattern 2: `raw sig: E8 ? ? ? ? E8 ? ? ? ? 4C 89 F1 E8 ? ? ? ?`

Aside from that, everything else is the same.

MacOS

image

Windows

image

Linux

image

Proof

image

@Ingarsy
Copy link

Ingarsy commented Jul 21, 2021

@leogx9r sublime merge 2058 just released and the patterns seem to have changed, any help?

@leogx9r
Copy link

leogx9r commented Jul 21, 2021

Sublime Merge v2058 Crack

Seems the patterns for isValidLicense have changed in v2058 in addition to the method required for patching the function. Thanks @Ingarsy for informing me. The new patterns for that are as follows:

    Windows x64 Pattern: `direct reference sig: E8 ? ? ? ? 49 8B 8E ? ? ? ? 83 F8 01`
    Linux   x64 Pattern: `direct reference sig: E8 ? ? ? ? 83 F8 01 75 12`
    MacOS   x64 Pattern: `direct reference sig: E8 ? ? ? ? 83 F8 01 75 14`

The above patterns reference the instruction call isValidLicense with no displacement, jump to isValidLicense and patch it. Before, you needed to patch the isValidLicense function to return 281 however now, you need to return 1. You can do this easily by doing something like xor rax, rax; inc rax; ret which translates to the sequence 48 31 C0 48 FF C0 C3 which is how I did it in my patcher. All other patterns (validation/invalidation, server thread, crash reporter and license logging thread) remain the same, for the record as do the previous methods for patching those.

Offsets for the updated version follow:

Windows

image

Linux

image

MacOS

image

Proof

image
image
image

@Bruskyer
Copy link

@leogx9r thanks for merge 2058

@Ingarsy
Copy link

Ingarsy commented Jul 23, 2021

@leogx9r Well this is awkward 😄 2059 just released and the init license check pattern is still the same with a different offset i think, but as for everything else we got bamboozled

@maboloshi
Copy link
Author

@Ingarsy merge crack 2059 has been updated

@leogx9r
Copy link

leogx9r commented Jul 23, 2021

They gotta be trolling now. As maboloshi already found out, the patterns have reverted as well as the method to patch it. For whatever reason they decided to change 1 as the valid value back to 281 as it was before. I'm curious whether subsequent dev builds will use the "new" method or they'll keep to the old method.

Regardless, the offsets maboloshi updated match mine as well so it'll work for all OSs.

@x-one
Copy link

x-one commented Jul 26, 2021

@leogx9r can you point me how to read RVA offset using python without IDA?

@maboloshi
Copy link
Author

maboloshi commented Jul 26, 2021

@leogx9r can you point me how to read RVA offset using python without IDA?

For example:SM 2059 for mac

About "License Validity Checking":

Use "E8 ? ? ? ? 3D ? ? ? ? 75 14" pattern, Position to offset:
0x290EC-->Read The next 4 bytes: CA D0 FF FF -->Byte Flip: FF FF D0 CA -->Complementary offset: 0xFFFFD0CA
hex(0x290EC + 0x5 + 0xFFFFD0CA - 0x100000000) --> Target offset: 0x261BB

Other patterns are basically a direct binary search. Individual patterns may need to be shifted by a few bytes

@x-one
Copy link

x-one commented Jul 26, 2021

Ah!... So easy.. thank you @maboloshi :)

@leogx9r
Copy link

leogx9r commented Jul 26, 2021

Here's a C&P Python method that I'm using for ya:

# Converts 4 byte chunk of a bytearray() into a 32-bit Little-Endian encoded integer.
def LE32(value):
    return value[3] << 24 | value[2] << 16 | value[1] <<  8 | value[0]

# Calculates an absolute offset from a relative virtual address using a base offset and instruction length.
def RVA2ABS(base, rva, instruction_len):
    return ((base + instruction_len) + rva) & 0xFFFFFFFF

How I've used it:

       offset = pattern.locate(self.binary)

       # Check validity of pattern
       ...

       # Add any displacement required by the pattern
       offset += pattern.displacement()

        # Calculate the absolute offset from an RVA instruction if required.
        if self.rva:
            # The RVA value is stored after the first byte relative to the found offset as a 4-byte LE integer.
            rva = LE32(self.binary[offset + 1: offset + 5]) # Reverse byte order due to CPU encoding
            offset_abs = RVA2ABS(offset, rva, 5)            # Get true offset from referenced pointer
            print("[*] Found RVA pattern for \"{:s}\" at 0x{:X} -> 0x{:X} -> 0x{:X} ..." \
                .format(self.name, offset, rva, offset_abs)) if log else None
            return offset_abs

        # Not an RVA so no additional calculations required
        return offset

The instruction length is always 5 bytes here because the patterns that I use reference a CALL instruction which are 5 bytes long.

@x-one
Copy link

x-one commented Jul 28, 2021

@leogx9r thank You very much for examples.
Seems to be working.. I need bring together boxes and I'll have it. 😎

@lowendgamer
Copy link

How to crack it for Linux?

Any commands like this:
cd /opt/sublime_text
sudo sed -i 's/\x97\x94\x0D/\x00\x00\x00/' sublime_text

@lowendgamer
Copy link

sudo sed -i 's/\x55\x41\x57\x41/\x48\x31\xC0\xC3\x0/' sublime_text

sudo sed -i 's/\xE8\xAC\x82\x18\x00/\x90\x90\x90\x90\x90/' sublime_text

sudo sed -i 's/\xE8\x91\x82\x18\x00/\x90\x90\x90\x90\x90/' sublime_text

sudo sed -i 's/\x55\x41\x56\x53\x41\x89\xF6/\x48\x31\xC0\x48\xFF\xC0\xC3/' sublime_text

sudo sed -i 's/\x41/\xC3/' sublime_text

sudo sed -i 's/\x55/\xC3/' sublime_text

I tried this, but now Sublime won't open at all.

@leogx9r
Copy link

leogx9r commented Aug 2, 2021

@lowendgamer You seem to have no clue what that sed command does. It replaces all occurrences in the file with a predefined sequence. Because you attempted to replace \x41 and \x55, both function prologues that are present in MULTIPLE functions unrelated to just license verification, you essentially corrupted the executable. Why not use the bash script maboloshi made for Linux? It works and if you're using Linux, you should already have printf and dd.

Literally enter this in a terminal for v4113 and it will work:

printf '\x48\x31\xC0\xC3'                 | dd of=sublime_text bs=1 seek=$((0x0036567C)) conv=notrunc
printf '\x90\x90\x90\x90\x90'             | dd of=sublime_text bs=1 seek=$((0x0035BCCB)) conv=notrunc
printf '\x90\x90\x90\x90\x90'             | dd of=sublime_text bs=1 seek=$((0x0035BCE6)) conv=notrunc
printf '\x48\x31\xC0\x48\xFF\xC0\xC3'     | dd of=sublime_text bs=1 seek=$((0x00367171)) conv=notrunc
printf '\xC3'                             | dd of=sublime_text bs=1 seek=$((0x003653CE)) conv=notrunc
printf '\xC3'                             | dd of=sublime_text bs=1 seek=$((0x0034F5F0)) conv=notrunc

@update-freak
Copy link

Here's a C&P Python method that I'm using for ya:

# Converts 4 byte chunk of a bytearray() into a 32-bit Little-Endian encoded integer.
def LE32(value):
    return value[3] << 24 | value[2] << 16 | value[1] <<  8 | value[0]

# Calculates an absolute offset from a relative virtual address using a base offset and instruction length.
def RVA2ABS(base, rva, instruction_len):
    return ((base + instruction_len) + rva) & 0xFFFFFFFF

How I've used it:

       offset = pattern.locate(self.binary)

       # Check validity of pattern
       ...

       # Add any displacement required by the pattern
       offset += pattern.displacement()

        # Calculate the absolute offset from an RVA instruction if required.
        if self.rva:
            # The RVA value is stored after the first byte relative to the found offset as a 4-byte LE integer.
            rva = LE32(self.binary[offset + 1: offset + 5]) # Reverse byte order due to CPU encoding
            offset_abs = RVA2ABS(offset, rva, 5)            # Get true offset from referenced pointer
            print("[*] Found RVA pattern for \"{:s}\" at 0x{:X} -> 0x{:X} -> 0x{:X} ..." \
                .format(self.name, offset, rva, offset_abs)) if log else None
            return offset_abs

        # Not an RVA so no additional calculations required
        return offset

The instruction length is always 5 bytes here because the patterns that I use reference a CALL instruction which are 5 bytes long.

How to use this python code?

@lowendgamer
Copy link

@leogx9r
How do i enter that in terminal? How to make linux mint bash script?

Screenshot
failed to open sublime text: Permission denied

@lowendgamer
Copy link

Yeah true idk what sudo sed -i is

I just copy and paste actually

@maboloshi
Copy link
Author

@lowendgamer

cd /opt/sublime_text || exit
printf '\x48\x31\xC0\xC3'                 | sudo dd of=sublime_text bs=1 seek=$((0x0036567C)) conv=notrunc
printf '\x90\x90\x90\x90\x90'             | sudo dd of=sublime_text bs=1 seek=$((0x0035BCCB)) conv=notrunc
printf '\x90\x90\x90\x90\x90'             | sudo dd of=sublime_text bs=1 seek=$((0x0035BCE6)) conv=notrunc
printf '\x48\x31\xC0\x48\xFF\xC0\xC3'     | sudo dd of=sublime_text bs=1 seek=$((0x00367171)) conv=notrunc
printf '\xC3'                             | sudo dd of=sublime_text bs=1 seek=$((0x003653CE)) conv=notrunc
printf '\xC3'                             | sudo dd of=sublime_text bs=1 seek=$((0x0034F5F0)) conv=notrunc

@lowendgamer
Copy link

@maboloshi

Thanks it finally worked! Sorry for all the trouble.

@alichraghi
Copy link

thank you

@secretiveolwagner
Copy link

@maboloshi I can confirm the method is working for Sublime Text version 4113 on macOS Big Sur 11.4

@basitcodeenv
Copy link

@lowendgamer

cd /opt/sublime_text || exit
printf '\x48\x31\xC0\xC3'                 | sudo dd of=sublime_text bs=1 seek=$((0x0036567C)) conv=notrunc
printf '\x90\x90\x90\x90\x90'             | sudo dd of=sublime_text bs=1 seek=$((0x0035BCCB)) conv=notrunc
printf '\x90\x90\x90\x90\x90'             | sudo dd of=sublime_text bs=1 seek=$((0x0035BCE6)) conv=notrunc
printf '\x48\x31\xC0\x48\xFF\xC0\xC3'     | sudo dd of=sublime_text bs=1 seek=$((0x00367171)) conv=notrunc
printf '\xC3'                             | sudo dd of=sublime_text bs=1 seek=$((0x003653CE)) conv=notrunc
printf '\xC3'                             | sudo dd of=sublime_text bs=1 seek=$((0x0034F5F0)) conv=notrunc

I am Using Ubuntu 20.04.2 LTS.
I install Sublime Text from Snap Store.

username@computer:/snap/sublime-text/106/opt/sublime_text$ ls
changelog.txt   Lib               Packages         sublime_text
crash_reporter  libcrypto.so.1.1  plugin_host-3.3  sublime_text.desktop
Icon            libssl.so.1.1     plugin_host-3.8
username@computer:/snap/sublime-text/106/opt/sublime_text$ printf '\x48\x31\xC0\xC3' | sudo dd of=sublime_text bs=1 seek=$((0x0036567C)) conv=notrunc
dd: failed to open 'sublime_text': Read-only file system

@maboloshi
Copy link
Author

maboloshi commented Aug 9, 2021

@abranasays You can't do this. Snaps are squashfs images, which are by definition read-only. This problem of yours is not the problem that should be solved here

@basitcodeenv
Copy link

Sir, Then How Can I install Sublime Text 4 without Snap Store ???

@basitcodeenv
Copy link

basitcodeenv commented Aug 9, 2021

@abranasays You can't do this. Snaps are squashfs images, which are by definition read-only. This problem of yours is not the problem that should be solved here

Any Solution???

@leogx9r
Copy link

leogx9r commented Aug 9, 2021

@abranasays Either extract the files, patch them and rebuild the SquashFS image as a snap or install the application via apt the way Sublime Text recommends.

@020monkey
Copy link

linux version is: Linux kali 5.10.0-kali9-amd64 #1 SMP Debian 5.10.46-4kali1 (2021-08-09) x86_64 GNU/Linux
when use this script:
cd /opt/sublime_text || exit
printf '\x48\x31\xC0\xC3' | sudo dd of=sublime_text bs=1 seek=$((0x0036567C)) conv=notrunc
printf '\x90\x90\x90\x90\x90' | sudo dd of=sublime_text bs=1 seek=$((0x0035BCCB)) conv=notrunc
printf '\x90\x90\x90\x90\x90' | sudo dd of=sublime_text bs=1 seek=$((0x0035BCE6)) conv=notrunc
printf '\x48\x31\xC0\x48\xFF\xC0\xC3' | sudo dd of=sublime_text bs=1 seek=$((0x00367171)) conv=notrunc
printf '\xC3' | sudo dd of=sublime_text bs=1 seek=$((0x003653CE)) conv=notrunc
printf '\xC3' | sudo dd of=sublime_text bs=1 seek=$((0x0034F5F0)) conv=notrunc

the subl cannot open .

@maboloshi
Copy link
Author

@020monkey Please post the terminal output

@020monkey
Copy link

@020monkey Please post the terminal output

─$ sudo ./crack.sh 1 ⨯
16+0 records in
16+0 records out
16 bytes copied, 0.000124535 s, 128 kB/s
20+0 records in
20+0 records out
20 bytes copied, 9.399e-05 s, 213 kB/s
20+0 records in
20+0 records out
20 bytes copied, 9.25e-05 s, 216 kB/s
28+0 records in
28+0 records out
28 bytes copied, 0.000101809 s, 275 kB/s
4+0 records in
4+0 records out
4 bytes copied, 5.2532e-05 s, 76.1 kB/s
4+0 records in
4+0 records out
4 bytes copied, 5.7648e-05 s, 69.4 kB/s

@020monkey
Copy link

when crack by the script,in terminal type subl,no sublime app launch,no error

@maboloshi
Copy link
Author

when crack by the script,in terminal type subl,no sublime app launch,no error

Maybe you are not using the latest ST, I suggest to update it first. Or, look up the history to find the corresponding version of the script

@020monkey
Copy link

when crack by the script,in terminal type subl,no sublime app launch,no error

Maybe you are not using the latest ST, I suggest to update it first. Or, look up the history to find the corresponding version of the script

sublime version is sublime 4113

@020monkey
Copy link

all is ok,thanks

@iexpurgator
Copy link

when crack by the script,in terminal type subl,no sublime app launch,no error

I have same problem, how u fix it?

@fireghostwolf
Copy link

when crack by the script,in terminal type subl,no sublime app launch,no error

I have same problem, how u fix it?

You can try to use commands or scripts to patch in the terminal. my sublime version is 4113. I use the script to patch sublime_text, it work perfect , but it can’t be modified manually using hexed.it, and the app cannot be launched just like you.

@iexpurgator
Copy link

when crack by the script,in terminal type subl,no sublime app launch,no error

I have same problem, how u fix it?

You can try to use commands or scripts to patch in the terminal. my sublime version is 4113. I use the script to patch sublime_text, it work perfect , but it can’t be modified manually using hexed.it, and the app cannot be launched just like you.

Yeah I'm using bash-script but I can't launched (video try bash-script (sorry quality of video)). I installed x86_64 version 4113

@maboloshi
Copy link
Author

@iexpurgator
Please try:

  1. Verify that the original sublime_text MD5 checksum is FF083966171185D01CB5F7F3721F1B95
  2. Verify the executable permission of sublime_text after repair

@iexpurgator
Copy link

@iexpurgator
Please try:

  1. Verify that the original sublime_text MD5 checksum is FF083966171185D01CB5F7F3721F1B95
  2. Verify the executable permission of sublime_text after repair

Thanks @maboloshi. Executable permission applied but md5sum was changed, how to fix that?

@maboloshi
Copy link
Author

@iexpurgator Can you upload the original sublime_text?

@iexpurgator
Copy link

@iexpurgator Can you upload the original sublime_text?

md5sum changed is file patched (sorry not clearly). Download file here file .bak is original

@leogx9r
Copy link

leogx9r commented Aug 18, 2021

@iexpurgator You didn't patch the file correctly. I double checked the file offsets and you replaced the byte sequence with the actual ASCII characters, so where you'd expect to see 48 31 C0 C3 as the byte sequence, it was replaced with 5C 78 34 38 5C 78 33 31 5C 78 43 30 5C 78 43 33, translating to \x48\x31\xC0\xC3 instead of the ASCII interpretation H1... What shell are you using and are you sure you used printf ? I've tested the command printf with bash and zsh and it works as expected. If you're using another shell it may (but shouldn't) produce incorrect output.

Try running the following script in a .sh file and see if you get the "Successfully patched the application!" line. It's basically a rework of @maboloshi's script that gives more verbose output indicating what went wrong. Save it as a .sh file and chmod +x it.

#!/bin/bash

BASEDIR="/opt/sublime_text"
TARGET="sublime_text"

VER="4113"
MD5_ORIGINAL="FF083966171185D01CB5F7F3721F1B95"
MD5_PATCHED="80739de6c764edfd7eeb925004EB7ED5"

if [ -d "$BASEDIR" ]; then
    cd "$BASEDIR"

    RESULT=`md5sum -c <<< "$MD5_ORIGINAL  $TARGET"`
    if [ "$TARGET: OK" != "$RESULT" ]; then
        echo "Application checksum mismatch. Perhaps the file was already patched or you're not using $TARGET v$VER?"
        exit
    fi

    printf '\x48\x31\xC0\xC3'                 | sudo dd of="$TARGET" bs=1 seek=$((0x0036567C)) conv=notrunc > /dev/null 2>&1
    printf '\x90\x90\x90\x90\x90'             | sudo dd of="$TARGET" bs=1 seek=$((0x0035BCCB)) conv=notrunc > /dev/null 2>&1
    printf '\x90\x90\x90\x90\x90'             | sudo dd of="$TARGET" bs=1 seek=$((0x0035BCE6)) conv=notrunc > /dev/null 2>&1
    printf '\x48\x31\xC0\x48\xFF\xC0\xC3'     | sudo dd of="$TARGET" bs=1 seek=$((0x00367171)) conv=notrunc > /dev/null 2>&1
    printf '\xC3'                             | sudo dd of="$TARGET" bs=1 seek=$((0x003653CE)) conv=notrunc > /dev/null 2>&1
    printf '\xC3'                             | sudo dd of="$TARGET" bs=1 seek=$((0x0034F5F0)) conv=notrunc > /dev/null 2>&1

    RESULT=`md5sum -c <<< "$MD5_PATCHED  $TARGET"`
    if [ "$TARGET: OK" != "$RESULT" ]; then
        echo "Failed to patch the application. You may require a reinstall as it may no longer start."
        exit
    fi

    echo "Successfully patched the application!"
else
    echo "Sublime Text was not found in the expected directory: $BASEDIR"
    echo "Modify the script to point to the correct directory then re-run it."
fi

@iexpurgator
Copy link

@iexpurgator You didn't patch the file correctly. I double checked the file offsets and you replaced the byte sequence with the actual ASCII characters, so where you'd expect to see 48 31 C0 C3 as the byte sequence, it was replaced with 5C 78 34 38 5C 78 33 31 5C 78 43 30 5C 78 43 33, translating to \x48\x31\xC0\xC3 instead of the ASCII interpretation H1... What shell are you using and are you sure you used printf ? I've tested the command printf with bash and zsh and it works as expected. If you're using another shell it may (but shouldn't) produce incorrect output.

Try running the following script in a .sh file and see if you get the "Successfully patched the application!" line. It's basically a rework of @maboloshi's script that gives more verbose output indicating what went wrong. Save it as a .sh file and chmod +x it.

#!/bin/bash

BASEDIR="/opt/sublime_text"
TARGET="sublime_text"

VER="4113"
MD5_ORIGINAL="FF083966171185D01CB5F7F3721F1B95"
MD5_PATCHED="80739de6c764edfd7eeb925004EB7ED5"

if [ -d "$BASEDIR" ]; then
    cd "$BASEDIR"

    RESULT=`md5sum -c <<< "$MD5_ORIGINAL  $TARGET"`
    if [ "$TARGET: OK" != "$RESULT" ]; then
        echo "Application checksum mismatch. Perhaps the file was already patched or you're not using $TARGET v$VER?"
        exit
    fi

    printf '\x48\x31\xC0\xC3'                 | sudo dd of="$TARGET" bs=1 seek=$((0x0036567C)) conv=notrunc > /dev/null 2>&1
    printf '\x90\x90\x90\x90\x90'             | sudo dd of="$TARGET" bs=1 seek=$((0x0035BCCB)) conv=notrunc > /dev/null 2>&1
    printf '\x90\x90\x90\x90\x90'             | sudo dd of="$TARGET" bs=1 seek=$((0x0035BCE6)) conv=notrunc > /dev/null 2>&1
    printf '\x48\x31\xC0\x48\xFF\xC0\xC3'     | sudo dd of="$TARGET" bs=1 seek=$((0x00367171)) conv=notrunc > /dev/null 2>&1
    printf '\xC3'                             | sudo dd of="$TARGET" bs=1 seek=$((0x003653CE)) conv=notrunc > /dev/null 2>&1
    printf '\xC3'                             | sudo dd of="$TARGET" bs=1 seek=$((0x0034F5F0)) conv=notrunc > /dev/null 2>&1

    RESULT=`md5sum -c <<< "$MD5_PATCHED  $TARGET"`
    if [ "$TARGET: OK" != "$RESULT" ]; then
        echo "Failed to patch the application. You may require a reinstall as it may no longer start."
        exit
    fi

    echo "Successfully patched the application!"
else
    echo "Sublime Text was not found in the expected directory: $BASEDIR"
    echo "Modify the script to point to the correct directory then re-run it."
fi

Thanks @leogx9r, you showed me the mistake. I'm missing #!/bin/bash in first line and printf it not works as expected. I want to discuss with you @leogx9r. How can I contact you?

@skmalviya
Copy link

skmalviya commented Aug 23, 2021

I am getting this error: "Failed to patch the application. You may require a reinstall as it may no longer start." for sublime 4113.

Only change in the script I did: BASEDIR="/opt/sublime_text" --> "/snap/sublime-text/106/opt/sublime_text"

@maboloshi
Copy link
Author

@skmalviya Snaps are squashfs images, which are by definition read-only.

You can try what @leogx9r mentioned.

Either extract the files, patch them and rebuild the SquashFS image as a snap or install the application via apt the way Sublime Text recommends.

@leogx9r
Copy link

leogx9r commented Aug 23, 2021

Thanks @leogx9r, you showed me the mistake. I'm missing #!/bin/bash in first line and printf it not works as expected. I want to discuss with you @leogx9r. How can I contact you?

@iexpurgator Sorry I don't give out contact info (to avoid being spammed) so best I can do is try to help you here.

Now onto your question, best I can imagine is that your bash shell isn't properly un-escaping characters, even though it works for me and I presume @maboloshi as well. Best I can gather from this is that you need to use double-quotes rather than single quotes (" vs ') as the bash manual indicates that single quotes will not interpolate vars (perhaps this also applies to escaped byte sequences?).

Try this, replace the printf '< .... >' with printf "< ... >" for each line containing it in the script. For example, the line:

printf '\x48\x31\xC0\xC3'                 | sudo dd of="$TARGET" bs=1 seek=$((0x0036567C)) conv=notrunc > /dev/null 2>&1

Should be replaced with:

printf "\x48\x31\xC0\xC3"                 | sudo dd of="$TARGET" bs=1 seek=$((0x0036567C)) conv=notrunc > /dev/null 2>&1

... and so on for the rest of the lines.

If that doesn't work, I've no idea what to tell you. It absolutely should at the very least and it's probably a quirk of your shell version (FTR, I'm using GNU bash, version 5.1.8(1)-release (x86_64-pc-linux-gnu), perhaps ensure you're using the same version?) or your terminal emulator (Also, I'm using guake as my personal terminal emulator, you can try that but it shouldn't be necessary tbh).


I am getting this error: "Failed to patch the application. You may require a reinstall as it may no longer start." for sublime 4113.

Only change in the script I did: BASEDIR="/opt/sublime_text" --> "/snap/sublime-text/106/opt/sublime_text"

@skmalviya as indicated in this comment, Snaps aren't supported via that patching method. They are read-only SquashFS images and cannot be modified. Your only way around that is to either extract the files, patch them and rebuild the SquashFS as a Snap or to install the program via the recommended method that Sublime devs have provided.

P.S. Assuming you've resolved that, you should be able to use the script maboloshi provided in the main post just fine (or the one you quoted).


P.P.S Both of you please stop quoting long messages, a simple tag like how I've mentioned you both keeps this thread cleaner and easier to read.

@bms8197
Copy link

bms8197 commented Aug 27, 2021

Any clue how to patch Sublime Text on MacOS BigSur (for M1 cpu), Sublime Build 4113?

@vbovone
Copy link

vbovone commented Aug 27, 2021

Any clue how to patch Sublime Text on MacOS BigSur (for M1 cpu), Sublime Build 4113?

Same here, I tried to use the MacOS bash commands above but didn't work for me

@bms8197
Copy link

bms8197 commented Aug 27, 2021

@vbovone Probably the strings are different on the ARM version and that's why it's not working. I guess it should work with the right approach but everything I tried so failed

Copy link

ghost commented Aug 27, 2021

I have made a rough Python 3 patcher for Sublime Text v4113 Windows x64 that uses leogx9r's signatures instead of hardcoded offsets.

https://github.com/rainbowpigeon/sublime-text-4-patcher

image

If there is demand, I can probably update it to support Linux and macOS.

@bms8197
Copy link

bms8197 commented Aug 27, 2021

@rainbowpigeon it would be really nice if you could update it for MacOS BigSur (ARM version), SublimeText build 4113. If you need the SublimeText binary as it is found on MacOS BigSur ARM, I can provide the original one resulted from the .zip file downloaded from Sublime's official website

@basitcodeenv
Copy link

Sir, I am beginner on Linux. Sir, I am using Ubuntu 20.04.
Sir, I install Sublime Text 4 from Snap Store.

Sir, Please Explain in Detail. How can I crack Sublime Text 4 ?
Sir, Please Help me.

@leogx9r
Copy link

leogx9r commented Aug 28, 2021

@rainbowpidgeon Nice work.

P.S. You can auto-detect Sublime Text/Merge with patterns too (as well as the version # -- not shown below). There's two strings always present in either Text/Merge and is shown if you enter a license key for another product:

    def detect_sublime_text(self):
        print('[>] Attempting to autodetect application type ...')

        # 'That appears to be a Sublime Text '<license key>
        pat1 = PatternFinder(
            "Sublime Merge Detector",
            '54 68 61 74 20 61 70 70 65 61 72 73 20 74 6F 20 62 65 20 61 20 53 75 62 6C 69 6D 65 20 54 65 78 74 20',
            can_duplicate = True
        ).locate(self.binary, slow_method = False, log = False)
        # 'That appears to be a Sublime Merge '<license key>
        pat2 = PatternFinder(
            "Sublime Text Detector",
            '54 68 61 74 20 61 70 70 65 61 72 73 20 74 6F 20 62 65 20 61 20 53 75 62 6C 69 6D 65 20 4D 65 72 67 65 20',
            can_duplicate = True
        ).locate(self.binary, slow_method = False, log = False)
        
        # Only one of these patterns can exist in the application. If neither is found, it's not a known application.
        if pat1 == -1 and pat2 == -1:
            print('[!] Failed to identify binary. Are you sure this is a Sublime Text or Sublime Merge binary?')
            quit()
        elif pat1 > 0 and pat2 > 0:
            print(
                "[!] Both identity signatures detected in the binary! Cannot detect what application this is.\n" +
                "[!] Manually specify the application type with `-t`."
            )
            quit()
        elif pat1 > 0:
            return False

        return True

# ...
self.is_sublime_text = app_type if app_type is not None else self.detect_patcher()

# PATTER_DB contains patterns for Sublime Text/Merge for each supported OS ( MacOS/Linux/Windows, x64 instruction set only )
self.patchset = PATTERN_DB[ self.is_sublime_text ][ self.target_os ]

Copy link

ghost commented Aug 29, 2021

@leogx9r Thanks for the tip!

@bms8197
Copy link

bms8197 commented Aug 30, 2021

@leogx9r any clue on how to patch SublimeText build 4113 for MacOS BigSur ARM cpu?

@leogx9r
Copy link

leogx9r commented Aug 30, 2021

@bms8197 The same functions will exist, the patching method (well the replacement bytes) will be different since it's a different instruction set. If you're familiar with assembly (you'll need ARM64 assembly knowledge, obviously), open up the executable in a decompiler like IDA/Ghidra, select the ARM64 segment and try to locate the functions I've patched on x64 (all those listed in the main post of this thread). From there you'll just need to get those functions to either return 0/1 or rewrite them with non-functional opcodes (essentially nop).

While I could try doing it, I don't have any ARM64 based processors to test with, I've never done ARM64/THUMB assembly programming before and honestly, I'm lazy 😄

Setting up a VM just to virtualize ARM64 processors simply isn't worth the effort for me as I don't use them. Best of luck though.

@bms8197
Copy link

bms8197 commented Aug 30, 2021

@leogx9r I see. Unfortunatelly I do not have assembly knowledge. I could send you the sublime_text binary from my computer if that helps. If I had the knowledge I would have done it myself but it beats me totally this assembly stuff :(

@bms8197
Copy link

bms8197 commented Aug 30, 2021

@leogx9r I tried using Ghidra and try to dissassemble that sublime_text binary but I have no ideea how to figure out the functions that you patched on x64. If I try to search for 0x00090E5D it returns nothing so I'm totally lost here... Any clue on how to find what's needed?

@basitcodeenv
Copy link

Sir, I am beginner on Linux. Sir, I am using Ubuntu 20.04.
Sir, I install Sublime Text 4 from Snap Store.

Sir, Please Explain in Detail. How can I crack Sublime Text 4 ?

Sir, Please Help me.

@leogx9r
Copy link

leogx9r commented Sep 1, 2021

@bms8197 Honestly teaching you about disassemblers or reverse engineering will probably be more painful than just doing it myself (which I really don't want to do atm). I'll still give you some tips though:

  • Offsets for Windows/Linux/MacOS versions will not work on the ARM64 version, they're completely different.
  • The functions you're looking for would need to be found by digging around in the assembly, for example the license validity check calls several functions that display text like "License invalid" or whatever, you can search for those strings in the ARM64 version, cross-reference the function calls and try to locate those functions. You can use the offsets for the MacOS x64 version to dig around to see roughly what you're looking for.
  • If you've never done reverse-engineering before you're going to have a very steep learning curve. There are various resources out there showing how to use IDA/Ghidra and how assembly works.

Your best bet would be to find some other way (eg. someone else who worked on the ARM64 crack) or learn how to reverse-engineer x64/ARM64 because there's a lot you'd need to know to port that work, all of which is outside the scope of help I can provide (like I said, it'd be harder to teach you how to do it than make a VM, do it myself and test).

Good luck.


@abranasays Install the app via APT, not Snap and then run the patching program maboloshi made in the main post.

@bms8197
Copy link

bms8197 commented Sep 1, 2021

@leogx9r Allright! Thank you for all this information. I'll play around to see if I'm getting anywhere... As it appears, it's way more complicated than I thought...

Copy link

ghost commented Sep 4, 2021

@rainbowpigeon it would be really nice if you could update it for MacOS BigSur (ARM version), SublimeText build 4113. If you need the SublimeText binary as it is found on MacOS BigSur ARM, I can provide the original one resulted from the .zip file downloaded from Sublime's official website

@bms8197 No worries, I can download the binary myself and test it out. Apologies for the delayed reply, I was working on updating the x64 Windows patcher to work with Dev builds as well (which means v4114 works now for anyone who is interested!).

@vbovone
Copy link

vbovone commented Sep 4, 2021

@rainbowpigeon it would be really nice if you could update it for MacOS BigSur (ARM version), SublimeText build 4113. If you need the SublimeText binary as it is found on MacOS BigSur ARM, I can provide the original one resulted from the .zip file downloaded from Sublime's official website

@bms8197 No worries, I can download the binary myself and test it out. Apologies for the delayed reply, I was working on updating the x64 Windows patcher to work with Dev builds as well (which means v4114 works now for anyone who is interested!).

I tried your patcher and it works like a charm! congrats :)
It would be nice to use it as well in my MacBook M1

@leogx9r
Copy link

leogx9r commented Sep 5, 2021

Alright so I have absolutely no idea if this will work but I've (experimentally) patched the MacOS binary (v4114) for both x86_64 (x64) and ARM64 (Not ARM32, just like I've not done x86). Give it a shot here. Replace the original with that and try starting the app, if it doesn't work, well I tried. Virus scan here. If you don't trust it, you can do a simple byte diff on the original to see what I've changed, fire up your disassembler and look at the actual instructions. Too lazy to do a graph with bytes changed.

What's patched:

  • License check (enter anything just like normal and it should be valid)
  • Invalidation/validation functions disabled
  • Server license validation thread neutered
  • Disabled phoning home on new license being entered
  • Disabled crash reporter for sending dumps on a crash

Basically, I've replaced the ret with ret x30 and xor rax, rax with mov x0, xzr, which is basically the only difference in assembly from x86_64. x30 register contains the return address, x0 contains the return value. Instructions are always 32-bits long on ARM arch.

No, I'll probably not bother doing this for future executables, it should be enough for you all to build patterns off of though (assuming you know how to) and ofc, assuming it works.

Tagging @vbovone and @bms8197 as you guys would probably be interested.

If it works, great, if it doesn't well, I doubt i'll be trying again 👍

@vbovone
Copy link

vbovone commented Sep 5, 2021

Alright so I have absolutely no idea if this will work but I've (experimentally) patched the MacOS binary (v4114) for both x86_64 (x64) and ARM64 (Not ARM32, just like I've not done x86). Give it a shot here. Replace the original with that and try starting the app, if it doesn't work, well I tried. Virus scan here. If you don't trust it, you can do a simple byte diff on the original to see what I've changed, fire up your disassembler and look at the actual instructions. Too lazy to do a graph with bytes changed.

What's patched:

  • License check (enter anything just like normal and it should be valid)
  • Invalidation/validation functions disabled
  • Server license validation thread neutered
  • Disabled phoning home on new license being entered
  • Disabled crash reporter for sending dumps on a crash

Basically, I've replaced the ret with ret x30 and xor rax, rax with mov x0, xzr, which is basically the only difference in assembly from x86_64. x30 register contains the return address, x0 contains the return value. Instructions are always 32-bits long on ARM arch.

No, I'll probably not bother doing this for future executables, it should be enough for you all to build patterns off of though (assuming you know how to) and ofc, assuming it works.

Tagging @vbovone and @bms8197 as you guys would probably be interested.

If it works, great, if it doesn't well, I doubt i'll be trying again 👍

Hi leogx9r,

First of all thanks for your time! I tried to launch the application from my Macbook M1, I've noticed that the file needs to be renamed with .app extension
From a quick launch it cannot be executed even if I changed Mac permissions to run third party applications
image

I don't want to bother you again with the Mac ARM version but it's just to giving you a feedback.

Regards,

@bms8197
Copy link

bms8197 commented Sep 6, 2021

@leogx9r It's not working in my case, on Apple M1 cpu. I'm getting same error as @vbovone. I do appreciate your time and effort for this...

@basitcodeenv
Copy link

# for Linux
cd /opt/sublime_merge || exit
md5sum -c <<<"43E900A19926409EDF6BD8BA8709C633  sublime_merge" > /dev/null 2>&1 || exit
printf '\x48\xC7\xC0\x19\x01\x00\x00\xC3' | dd of=sublime_merge bs=1 seek=$((0x003A5400)) conv=notrunc
printf '\x90\x90\x90\x90\x90'             | dd of=sublime_merge bs=1 seek=$((0x003A7EC9)) conv=notrunc
printf '\x90\x90\x90\x90\x90'             | dd of=sublime_merge bs=1 seek=$((0x003A7EE4)) conv=notrunc
printf '\x48\x31\xC0\x48\xFF\xC0\xC3'     | dd of=sublime_merge bs=1 seek=$((0x003A67FE)) conv=notrunc
printf '\xC3'                             | dd of=sublime_merge bs=1 seek=$((0x003A514E)) conv=notrunc
printf '\xC3'                             | dd of=sublime_merge bs=1 seek=$((0x003A40D2)) conv=notrunc

Sir, I Installed sublime text via apt. I run below command:
md5sum -c <<<"43E900A19926409EDF6BD8BA8709C633 sublime_merge" > /dev/null 2>&1 || exit
Sir, My Terminal close.
Sir, Please Help me.

@maboloshi
Copy link
Author

@abranasays You should use the script corresponding to sublime text instead of sublime_merge,

Copy link

ghost commented Sep 13, 2021

Alright so I have absolutely no idea if this will work but I've (experimentally) patched the MacOS binary (v4114) for both x86_64 (x64) and ARM64 (Not ARM32, just like I've not done x86). Give it a shot here. Replace the original with that and try starting the app, if it doesn't work, well I tried. Virus scan here. If you don't trust it, you can do a simple byte diff on the original to see what I've changed, fire up your disassembler and look at the actual instructions. Too lazy to do a graph with bytes changed.
What's patched:

  • License check (enter anything just like normal and it should be valid)
  • Invalidation/validation functions disabled
  • Server license validation thread neutered
  • Disabled phoning home on new license being entered
  • Disabled crash reporter for sending dumps on a crash

Basically, I've replaced the ret with ret x30 and xor rax, rax with mov x0, xzr, which is basically the only difference in assembly from x86_64. x30 register contains the return address, x0 contains the return value. Instructions are always 32-bits long on ARM arch.
No, I'll probably not bother doing this for future executables, it should be enough for you all to build patterns off of though (assuming you know how to) and ofc, assuming it works.
Tagging @vbovone and @bms8197 as you guys would probably be interested.
If it works, great, if it doesn't well, I doubt i'll be trying again 👍

Hi leogx9r,

First of all thanks for your time! I tried to launch the application from my Macbook M1, I've noticed that the file needs to be renamed with .app extension
From a quick launch it cannot be executed even if I changed Mac permissions to run third party applications
image

I don't want to bother you again with the Mac ARM version but it's just to giving you a feedback.

Regards,

You aren't getting a message saying the file is damaged, so use the following command to re-sign the app yourself and it should run.
codesign --force --deep --sign - /Applications/Sublime\ Text.app

If you get an error about xcrun missing, just run the command xcode-select --install to install the missing files first, then re-run the command.

@bms8197
Copy link

bms8197 commented Sep 13, 2021

@1-Dev1l you're the man! Thanks for the tip. I have now, SublimeText, build 4114 fully registered on MacOS BigSur ARM (M1).
@leogx9r You're a genius! Thank you so much!

image

@vbovone
Copy link

vbovone commented Sep 13, 2021

@1-Dev1l you're the man! Thanks for the tip. I have now, SublimeText, build 4114 fully registered on MacOS BigSur ARM (M1).
@leogx9r You're a genius! Thank you so much!

Hi bms8197,

What did you do to successfully install the app?

I runt this :
image

But I'm still getting the same error

Copy link

ghost commented Sep 13, 2021

@1-Dev1l you're the man! Thanks for the tip. I have now, SublimeText, build 4114 fully registered on MacOS BigSur ARM (M1).
@leogx9r You're a genius! Thank you so much!

Hi bms8197,

What did you do to successfully install the app?

I runt this :
image

But I'm still getting the same error

Ensure 'App Store and identified developers' is selected under 'Allow apps downloaded from' in System Preferences > Security & Privacy > General

@bms8197
Copy link

bms8197 commented Sep 13, 2021

I had SublimeText build 4113 installed. I've downloaded the latest dev build 4114 from their website. Then took the Sublime Text.App and put in Applications folder using replace (since the app was already there). I've opened the app just to check that I have build 4114. Close SublimeText App, Download the sublime_text binary provided by @legox9r. Copy sublime_text binary over the original binary then ran that codesign command. I've got the same message as you but the app works.

Oh I do have these entries in /etc/hosts:

# sublimetext
0.0.0.0 sublimetext.com
0.0.0.0 license.sublimehq.com
0.0.0.0 45.55.255.55 #sublimetext
0.0.0.0 45.55.41.223 #sublimetext

As a side note, I had SublimeText v4113 registered with a license that required upgrade (not sure if matters or not):

—– BEGIN LICENSE —–
Die Socialisten GmbH
10 User License
EA7E-800613
51311422 E45F49ED 3F0ADE0C E5B8A508
2F4D9B65 64E1E244 EDA11F0E F9D06110
B7B2E826 E6FDAA72 2C653693 5D80582F
09DCFFB5 113A940C 5045C0CD 5F8332F8
34356CC6 D96F6FDB 4DEC20EA 0A24D83A
2C82C329 E3290B29 A16109A7 EC198EB9
F28EBB17 9C07403F D44BA75A C23C6874
EBF11238 5546C3DD 737DC616 445C2941
—— END LICENSE ——

Go to Settings -> Security & Privacy -> General; check if you have SublimeText there and allow it to run

Copy link

ghost commented Sep 13, 2021

You could also try opening Applications folder in finder, control-click the application and choose Open if you aren't getting the 'Open Anyway' message for the app.

Also, I have nothing in hosts and nothing in licence and it works well for me.
Screenshot 2021-09-13 at 15 59 03

@vbovone
Copy link

vbovone commented Sep 13, 2021

So the binary needs to be placed here right ? From Security & Privacy tab I've got Anywhere so it should be ok

image

@bms8197
Copy link

bms8197 commented Sep 13, 2021

I would do this:

  • close SublimeText
  • download SublimeText v4114 from their site;
  • copy SublimeText.app resulted from the previous download to Applications folder (using Finder) and chose Replace
  • then execute the following commands via Terminal:
cd /Applications/Sublime\ Text.app/Contents/MacOS/
cp ~/Downloads/sublime_text .
codesign --force --deep --sign - /Applications/Sublime\ Text.app

Then try to open SublimeText. You will get a notification message, click OK, then Go to Settings -> Security & Privacy -> General and see if you need to allow anything there.

After that it should work. At least it worked in my case. I'm running MacOS BigSur 11.5.2 (M1 cpu) on a 2021 iMac 24"

@vbovone
Copy link

vbovone commented Sep 13, 2021

I would do this:

  • close SublimeText
  • download SublimeText v4114 from their site;
  • copy SublimeText.app resulted from the previous download to Applications folder (using Finder) and chose Replace
  • then execute the following commands via Terminal:
cd /Applications/Sublime\ Text.app/Contents/MacOS/
cp ~/Downloads/sublime_text .
codesign --force --deep --sign - /Applications/Sublime\ Text.app

Then try to open SublimeText. You will get a notification message, click OK, then Go to Settings -> Security & Privacy -> General and see if you need to allow anything there.

After that it should work. At least it worked in my case. I'm running MacOS BigSur 11.5.2 (M1 cpu) on a 2021 iMac 24"

Thanks you guys! It works 👯

Just remember this to anyone having my same issue. When copying the Application with Finder it's very important to NOT OPEN the app until the end of the entire process.

@maboloshi
Copy link
Author

maboloshi commented Sep 14, 2021

I tried to organize the patched shulime text 4114 binary file provided by @leogx9r into rules, but, there are still two rules that are not organized and I don't know if the rest are valid.

Sublime Text Build 4114 macOS(arm64) ↓

Desciption Offset Original Patched
Disable Crash Reporter 0x00F615F4 FC 6F BC A9 C0 03 5F D6
  Pattern:  FC 6F BC A9 F6 57 01 A9 F4 4F 02 A9 FD 7B 03 A9 FD C3 00 91 FF 03 0F D1

May be:
4112-DEV:0x00F2A078
4113-STA:0x00F2A25C
4114-DEV:0x00F615F4

Desciption Offset Original Patched
Persistent License Check 1 0x00F65F80 AF 94 03 94 1F 20 03 D5
  Pattern:  ? ? ? 94 61 46 41 F9 ? ? 00 10 1F 20 03 D5 02 53 87 52

May be:
4112-DEV:0x00F2E9BB
4113-STA:0x00F2EBA3
4114-DEV:0x00F65F83

Desciption Offset Original Patched
Persistent License Check 2 0x00F65F94 AA 94 03 94 1F 20 03 D5
  Pattern:  ? ? ? 94 ? 2F 00 ? F7 ? ? 91 E0 42 ? 91 E0 6F 00 F9

May be:
4112-DEV:0x00F2E9CF
4113-STA:0x00F2EBB7
4114-DEV:0x00F65F97

Desciption Offset Original Patched
Disable License Notify Thread 0x00FD3EE8 FC 6F BD A9 C0 03 5F D6
  Patterne:  FC 6F BD A9 F4 4F 01 A9 FD 7B 02 A9 FD 83 00 91 FF 43 0C D1 F3 03 00 AA

May be:
4112-DEV:0x00F9AC94
4113-STA:0x00F9AD48
4114-DEV:0x00FD3EE8

Desciption Offset Original Patched
Initial License Check 0x00FD4258 E6 03 1E AA ED 65 0E 94 E0 03 1F AA C0 03 5F D6
  Pattern:  None
Desciption Offset Original Patched
Disable Server Validation Thread 0x00FD52F0 F6 57 BD A9 C0 03 5F D6
  Pattern:  F6 57 BD A9 F4 4F 01 A9 FD 7B 02 A9 FD 83 00 91 ? ? ? 94 ? ? ? 94 F3 03 00 AA ? ? ? 94 74 1A 00 B9

May be:
4112-DEV:0x00F9C078
4113-STA:0x00F9C114
4114-DEV:0x00FD52F0

4112, 4113 and 4114 have very different offset, Pattern validity is in doubt

@leogx9r
Copy link

leogx9r commented Sep 14, 2021

Well I'll be, I didn't expect that to work, lol. @1-Dev1l thanks for that.

@maboloshi Thanks, unfortunately I don't remember exactly what I change (didn't document it since I didn't expect it to work) and my patching method was slightly different from the x64 versions (patched wrapper functions iirc). Didn't make the time to do it "properly" but I'll maybe try to work on it when I get some time and see if I can put it together a bit more coherently.

For patterns, my signature maker plugin doesn't work on ARM and would basically require heavy modifications so that's a task for another day.

Glad it all worked out. 😄

@Destitute-Streetdwelling-Guttersnipe

@maboloshi You use "C3" (ret) to patch "Disable License Notify Thread". But I saw @leogx9r wrote that "Simply return 0 here to disable." in comment https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47#gistcomment-3802197.
Is this a mistake? Why don't you use ret 0?

@Destitute-Streetdwelling-Guttersnipe

@leogx9r thanks for your great contribution. I'm curious about the Server Validation Thread. In your analysis, you suggest to use ret 1 to disable it.
However, I saw someone named rufoa posted patches for it using ret for many versions of SM (from 2027 to 2059).
I tried ret on SM 2059 and it seems ok.
Do you think patching with ret has the same effect?

@leogx9r
Copy link

leogx9r commented Sep 15, 2021

@Destitute-Streetdwelling-Guttersnipe It does have the same effect. The function returns the value of pthread_join() or something similar. I didn't see Sublime Text/Merge use the return value but decided to have it return the proper value anyways for consistency (which upon research seems it required zero so I guess I documented that wrong).

The only function you really need to have a return value is for the license checking function, which requires zero always. The rest are basically optional. The return value isn't actually used (based on my reverse engineering) on the other functions.

Edit: On Windows it returns the value of CreateThread() which requires a non-zero value to indicate success. I originally patched this on Windows so I used the same method for Linux/MacOS -- they instead use pthread which requires a zero value to indicate success, so I guess that's where I got mixed up. So you should ideally return 1 on Windows (or any non-zero value) and 0 on Linux but it doesn't matter really since the value is never used.

@Destitute-Streetdwelling-Guttersnipe

@leogx9r thanks for the explanation. I think this also answer my question to @maboloshi about "License Notify Thread". We can return anything since the return value is ignored.

I created a patcher in my github which uses the patterns you posted. I upgraded them to use reghex (which is regex with hex bytes), so that I can combine more actions into 1 pattern.
For example: reghex="(?<= 41 B8 . . . . ) E8 . . . . (48|49) . .", fix=nop5 can be used to patch the invalidate1 call for both dev and stable versions of ST (48 for dev, 49 for stable), the offset to E8 is described by the lookahead (?<= 41 B8 . . . . ).
Another example: reghex="(?<= E8 ) . . . .", patch=ret0, is_ref=True can be used to patch the license_check call without the need to analyze the instruction length of Call (E8).
I hope to make it less dependent on x64 and easier to add support for arm64.

@ShineUnM
Copy link

How about 4115?

@Destitute-Streetdwelling-Guttersnipe

@kepeto you must provide the list of Fix yourself. Please see the section usage in README.md for detail.

If you don't know any fix, you can use the famous patch for 97 94 0D (see https://gist.github.com/JerryLokjianming/71dac05f27f8c96ad1c8941b88030451)

@leogx9r
Copy link

leogx9r commented Sep 24, 2021

Sublime Text v4115 Crack

Windows (x64 Only)

Patterns have updated for invalidation/validation function:

    Windows x64 Pattern 1: `direct reference sig: (+0x6) 41 B8 ? ? ? ? E8 ? ? ? ? 48 8B 96 ? ? ? ?`
                Pattern 2: `direct reference sig: (+0x6) 41 B8 ? ? ? ? E8 ? ? ? ? E8 ? ? ? ? 48 89 F1`

Note: Patterns are unchanged for Linux/MacOS.

image

Linux (x64 Only)

image

MacOS (x64 Only)

image

Proof

image

@kepeto
Copy link

kepeto commented Sep 26, 2021

I have made a rough Python 3 patcher for Sublime Text v4113 Windows x64 that uses leogx9r's signatures instead of hardcoded offsets.

https://github.com/rainbowpigeon/sublime-text-4-patcher

image

If there is demand, I can probably update it to support Linux and macOS.

from @leogx9r recommendation I can confirm 4115 work with this tool (same pattern), just add 4115 @line: 264

image

image

@Destitute-Streetdwelling-Guttersnipe

I put a regex pattern in my patcher that can detect new version (along with channel, os, arch) without any modification.
/updates/(?P<channel>\w+)_update_check\?version=\d+&platform=(?P<os>\w+)&arch=(?P<arch>\w+)

@bms8197
Copy link

bms8197 commented Sep 28, 2021

So is there a patcher that works on MacOS (ARM version) or just for Windows for now?

@Destitute-Streetdwelling-Guttersnipe

Current patterns still work on SM 2060. They use ret 281 again in license check. All releases since SM 2056 (except 2058) are like this. Maybe SM 2058 was just an anomaly.

@Destitute-Streetdwelling-Guttersnipe
Copy link

Based on the work of @leogx9r and @maboloshi, I updated my patcher to support Mac M1. But I guess it's only suitable for version 4114 on Mac M1.
image

PS: the patterns of @maboloshi are mostly correct, except the license check. My pattern is:

Fix(name="license_check", reghex="E6 03 1E AA ED 65 0E 94", patch="E0 03 1F AA C0 03 5F D6")

@bms8197
Copy link

bms8197 commented Sep 28, 2021

@Destitute-Streetdwelling-Guttersnipe where exactly can I get that patcher?

@Destitute-Streetdwelling-Guttersnipe

Mac version of ST can run on both x64 and M1 CPUs, so I improved my patcher to patch for both platforms at once:
image

@Destitute-Streetdwelling-Guttersnipe
Copy link

@bms8197 it's at https://github.com/Destitute-Streetdwelling-Guttersnipe/reghex_patcher
The patterns are similar to the ones in rainbowpigeon's patcher.

If you don't know any fix, you can use the famous patch for 97 94 0D (see https://gist.github.com/JerryLokjianming/71dac05f27f8c96ad1c8941b88030451)

@bms8197
Copy link

bms8197 commented Sep 29, 2021

@Destitute-Streetdwelling-Guttersnipe is that patcher going to work for 4115 MacOS on M1 cpu or just for 4114?

@Destitute-Streetdwelling-Guttersnipe

@bms8197 I don't include patterns since I want to make a generic patcher. You have to add patterns yourself.

There are patterns for 4114 on Mac M1 in this page, such as https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47#gistcomment-3908103.
I don't know if they work on 4115 or not.

@bms8197
Copy link

bms8197 commented Sep 29, 2021

@Destitute-Streetdwelling-Guttersnipe allright, thanks for the info. It beats me at the moment so I'll just stick with my 4114 fully registered version. There are no things that I actually need in 4115 at the moment so...

@maboloshi
Copy link
Author

maboloshi commented Sep 30, 2021

Sublime Text v4116

==========================================================================================
[*] Download: sublime_text_build_4116_x64.zip, from: https://download.sublimetext.com/sublime_text_build_4116_x64.zip ...
>>>: 29.1MB [00:12, 2.31MB/s]
[*] Extract: sublime_text.exe, from: sublime_text_build_4116_x64.zip ...
[>] Attempting to autodetect application type ...
[*] Detected input file as Sublime Text ...
[*] Windows PE Detected -> 9849248 Bytes
    MD5 Checksum -> 1E9700C9AE636755E674176196C6546D
[>] Found RVA pattern for "isValidLicense" at 0xA8730 -> 0xFFFFE29F -> 0xA69D4 ...
[*] Rewrite data '55 41 57 41' -> '48 31 C0 C3' ...

[>] Found pattern for "invalidationFunction" at 0x711A ...
[*] Rewrite data 'E8 A5 60 20 00' -> '90 90 90 90 90' ...

[!] No pattern found for "validationFunction" ...

[>] Found pattern for "validationFunction2" at 0x7133 ...
[*] Rewrite data 'E8 8C 60 20 00' -> '90 90 90 90 90' ...

[>] Found pattern for "serverThread" at 0xA847F ...
[*] Rewrite data '55 56 57 48 83 EC 30' -> '48 31 C0 48 FF C0 C3' ...

[>] Found pattern for "licenseNotifyThread" at 0xA65CF ...
[*] Rewrite data '55' -> 'C3' ...

[>] Found pattern for "crashReporter" at 0x400 ...
[*] Rewrite data '41' -> 'C3' ...

==========================================================================================
[*] Download: sublime_text_build_4116_x64.tar.xz, from: https://download.sublimetext.com/sublime_text_build_4116_x64.tar.xz ...
>>>: 17.2MB [00:04, 3.86MB/s]
[*] Extract: sublime_text/sublime_text, from: sublime_text_build_4116_x64.tar.xz ...
[>] Attempting to autodetect application type ...
[*] Detected input file as Sublime Text ...
[*] Linux ELF Detected -> 8739760 Bytes
    MD5 Checksum -> E825B21D7821A49D1DB6583D089CF0E9
[>] Found RVA pattern for "isValidLicense" at 0x3781CE -> 0xFFFFE96F -> 0x376B42 ...
[*] Rewrite data '55 41 57 41' -> '48 31 C0 C3' ...

[>] Found pattern for "invalidationFunction" at 0x36CC85 ...
[*] Rewrite data 'E8 A4 B4 11 00' -> '90 90 90 90 90' ...

[>] Found pattern for "validationFunction" at 0x36CCA0 ...
[*] Rewrite data 'E8 89 B4 11 00' -> '90 90 90 90 90' ...

[>] Found pattern for "serverThread" at 0x3785CD ...
[*] Rewrite data '55 41 56 53 41 89 F6' -> '48 31 C0 48 FF C0 C3' ...

[>] Found pattern for "licenseNotifyThread" at 0x376806 ...
[*] Rewrite data '41' -> 'C3' ...

[>] Found pattern for "crashReporter" at 0x360930 ...
[*] Rewrite data '55' -> 'C3' ...

==========================================================================================
[*] Download: sublime_text_build_4116_mac.zip, from: https://download.sublimetext.com/sublime_text_build_4116_mac.zip ...
>>>: 43.7MB [00:16, 2.59MB/s]
[*] Extract: Sublime Text.app/Contents/MacOS/sublime_text, from: sublime_text_build_4116_mac.zip ...
[>] Attempting to autodetect application type ...
[*] Detected input file as Sublime Text ...
[*] MacOS Mach-O Detected -> 33166448 Bytes
    MD5 Checksum -> DA00E096337A07B659B573CA7FC4D352
[>] Found RVA pattern for "isValidLicense" at 0x93D8A -> 0xFFFFF1A3 -> 0x92F32 ...
[*] Rewrite data '55 48 89 E5' -> '48 31 C0 C3' ...

[>] Found pattern for "invalidationFunction" at 0x8E7E ...
[*] Rewrite data 'E8 93 16 12 00' -> '90 90 90 90 90' ...

[>] Found pattern for "validationFunction" at 0x8E9D ...
[*] Rewrite data 'E8 74 16 12 00' -> '90 90 90 90 90' ...

[>] Found pattern for "serverThread" at 0x94297 ...
[*] Rewrite data '55 48 89 E5 41 57 41' -> '48 31 C0 48 FF C0 C3' ...

[>] Found pattern for "licenseNotifyThread" at 0x92B50 ...
[*] Rewrite data '55' -> 'C3' ...

[>] Found pattern for "crashReporter" at 0x2FE7 ...
[*] Rewrite data '55' -> 'C3' ...

↓ The following rules are not validated for ARM64 and are missing rule "license_check" ↓

[>] Found pattern for "invalidationFunction_arm64" at 0xF69744 ...
[*] Rewrite data '48 95 03 94' -> '1F 20 03 D5' ...

[>] Found pattern for "validationFunction_arm64" at 0xF69758 ...
[*] Rewrite data '43 95 03 94' -> '1F 20 03 D5' ...

[>] Found pattern for "serverThread_arm64" at 0xFD8F38 ...
[*] Rewrite data 'F6 57 BD A9' -> 'C0 03 5F D6' ...

[>] Found pattern for "licenseNotifyThread_arm64" at 0xFD7AAC ...
[*] Rewrite data 'FC 6F BD A9' -> 'C0 03 5F D6' ...

[>] Found pattern for "crashReporte_arm64" at 0xF64DB8 ...
[*] Rewrite data 'FC 6F BC A9' -> 'C0 03 5F D6' ...

@bms8197
Copy link

bms8197 commented Sep 30, 2021

@maboloshi can we get that patcher from somewhere or is it private?

@kepeto
Copy link

kepeto commented Sep 30, 2021

@rainbowpigeon patch working for 4116 build

image
image
image

@Destitute-Streetdwelling-Guttersnipe

@maboloshi You can use my pattern for license_check (for ARM64 on Mac M1) at https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47#gistcomment-3908103

@maboloshi
Copy link
Author

@Destitute-Streetdwelling-Guttersnipe I know, but this only applies to 4114.

@Destitute-Streetdwelling-Guttersnipe

It's Friday, so let's have some fun with binary 🚀
@maboloshi you can use this pattern for license_check with 4116:

        Fix(name="license_check", reghex=f"(?<= {0b0000000000001000:02x} {0b0000000000000000:02x} {0b0000000010000000:02x} {0b0000000001010010:02x} . . . {0b0000000000010100:02x} ) {0b0000000011100110:02x} {0b0000000000000011:02x} {0b0000000000011110:02x} {0b0000000010101010:02x} . . . {0b0000000010010100:02x} {0b0000000011111110:02x} {0b0000000000000011:02x} {0b0000000000000110:02x} {0b0000000010101010:02x}", patch=_ret0),

@bms8197 if you want to patch 4116, you can combine the patches of maboloshi at https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47#gistcomment-3911981 with my patch for license_check:

printf %02x  $((2#0000000011100000)) $((2#0000000000000011)) $((2#0000000000011111)) $((2#0000000010101010)) $((2#0000000011000000)) $((2#0000000000000011)) $((2#0000000001011111)) $((2#0000000011010110)) | xxd -r -p -s $((2#00000000111111010111111000011100)) sublime_text

I haven't tested it on Mac M1, but you can give it a try if you're not afraid of binary digits.

@maboloshi
Copy link
Author

@Destitute-Streetdwelling-Guttersnipe Good job 😆 👍

[>] Found pattern for "isValidLicense_arm64" at 0xFD7E1C ...
[*] Rewrite data 'E6 03 1E AA E4 65 0E 94' -> 'E0 03 1F AA C0 03 5F D6' ...

@bms8197
Copy link

bms8197 commented Oct 1, 2021

@Destitute-Streetdwelling-Guttersnipe it beats me completely how to patch 4116. I tried several methods combining those patches but it's not working. I'm pretty sure I'm doing something wrong here. This hex stuff is not for me as it seems...

Copy link

ghost commented Oct 5, 2021

@rainbowpigeon patch working for 4116 build

@kepeto Thanks for testing. I have pushed the changes to support those new dev builds.

@sharunkumar
Copy link

sharunkumar commented Oct 6, 2021

echo|set /p="7D6D201F6E924801C0B872398877C8A1 sublime_merge.exe" >nul 2>&1 | md5sum -c - || exit

getting an exit at this point in SM version 2060 🤔

@sharunkumar
Copy link

@sharunkumar You need to download Command Line Tools for Windows 64 and extract the Command Line Tools.

I did download that and added the binaries to path. I am still getting the exit. I think the MD5 sum isn't matching

@sharunkumar
Copy link

also, if I skip the md5sum check the rest of the commands doesn't seem to work

@bms8197
Copy link

bms8197 commented Oct 6, 2021

So in the end does anyone have a patcher that works for MacOS M1 cpu for dev 4116? I tried several times to make it work based on the informations and the patterns provided here but since my skills related to assembly stuff are pretty limit, I had no success so right now I'm using dev 4114 patched.

@sharunkumar
Copy link

Nvm, it works when I run them in git bash, but strange that it doesn't work in command prompt.

@maboloshi
Copy link
Author

maboloshi commented Oct 6, 2021

Nvm, it works when I run them in git bash, but strange that it doesn't work in command prompt.

@sharunkumar Thank you very much for your feedback. I'll look into it then.

@maboloshi
Copy link
Author

@sharunkumar
The command line is amended to:

echo|set /p="7D6D201F6E924801C0B872398877C8A1  sublime_merge.exe" | md5sum -c - >nul 2>&1 || exit