@dmknght
Last active January 19, 2022 05:37
Patch binary of sublimtext amd64 linux build 4121
```python
import os
import sys

sublime_binary_path = "/tmp/sublime_text"
version_magic_string = "/updates/4/stable_update_check?version=4121&platform=linux&arch=x64"
sz_magic_string = 67
version_magic_string_offset = 0x000106bd  # (Real offset from xxd)

# The file must at least be readable; without write access the script only reports status.
is_file_read = os.access(sublime_binary_path, os.R_OK)
if not is_file_read:
    print(f"File {sublime_binary_path} is not readable. Exit!")
    sys.exit(1)

is_file_write = os.access(sublime_binary_path, os.W_OK)
if not is_file_write:
    print(f"File {sublime_binary_path} is not writable. Only check for patch.")

# Identify the build by the update-check URL stored at a fixed offset.
f = open(sublime_binary_path, "rb")
f.seek(version_magic_string_offset)
data = f.read(sz_magic_string)
# Compare as bytes so that non-UTF-8 data at this offset cannot raise on decode.
if data == version_magic_string.encode():
    print("File matched sublime_text build 4121")
else:
    print("File doesn't have build 4121 magic string")
f.close()

offset_1 = 0x00376160  # data = 84 8c; patched = 85 8c
offset_2 = 0x0037621b  # data = 74 09; patched = 75 09

if is_file_write:
    f = open(sublime_binary_path, "rb+")
    # Write only when the original bytes are still present at each offset.
    f.seek(offset_1)
    if f.read(2) == b"\x84\x8c":
        print("Patching first jump")
        f.seek(offset_1)
        f.write(b"\x85")
    f.seek(offset_2)
    if f.read(2) == b"\x74\x09":
        print("Patching second jump")
        f.seek(offset_2)
        f.write(b"\x75")
    f.close()
else:
    # Read-only mode: report whether the original bytes are still in place.
    f = open(sublime_binary_path, "rb")
    f.seek(offset_1)
    if f.read(2) == b"\x84\x8c":
        print("First jump is not patched")
    f.seek(offset_2)
    if f.read(2) == b"\x74\x09":
        print("Second jump is not patched")
    f.close()
```
@dmknght
Author

dmknght commented Dec 2, 2021

First offset:
image
Second offset
image
Use reverse jump method to patch license calculation

@vampirepapi

Can I use this script to patch Linux ST?

@vampirepapi

File /tmp/sublime_text is not readable. Exit!

@dmknght
Author

dmknght commented Dec 7, 2021

> File /tmp/sublime_text is not readable. Exit!

The file path is hard-coded. You just need to copy the sublime_text binary to /tmp/, run the script, and copy the patched binary to the original path. Or just edit the absolute path to sublime_text, and make sure the binary file is editable.
My patch uses the reverse jump method to edit the return code of checking license status. Sublime Text has another background thread to check it. It is possibly an online check and I didn't have time to track the code out.
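
From the defender's side, the change described in this comment is a one-byte difference per site against the vendor's build, so it shows up when an installed binary is compared with a known-good copy. The following is an added example (not part of the gist or its comments) that diffs two equal-length images and flags differences that look like an inverted x86 conditional jump. The sample bytes are constructed, and treating `84` -> `85` as the second byte of a `0F 8x` near jump, like the byte-pattern heuristic itself (no disassembly), is an assumption.

```python
"""Flag single-byte conditional-jump inversions between two copies of a binary."""


def is_jcc_inversion(ref: bytes, off: int, old: int, new: int) -> bool:
    """Heuristic: does old -> new at `off` flip an x86 Jcc condition?"""
    if old ^ new != 1:  # a condition and its inverse differ only in bit 0
        return False
    if 0x70 <= old <= 0x7F:  # short form: 7x rel8 (e.g. 74 = JE, 75 = JNE)
        return True
    # Near form: 0F 8x rel32; the changed byte is the second opcode byte.
    return 0x80 <= old <= 0x8F and off > 0 and ref[off - 1] == 0x0F


def find_jump_inversions(ref: bytes, suspect: bytes):
    """Return (offset, old, new, kind) for every byte that differs."""
    if len(ref) != len(suspect):
        raise ValueError("size mismatch: not an in-place byte patch")
    findings = []
    for off, (a, b) in enumerate(zip(ref, suspect)):
        if a != b:
            kind = "jcc-inversion" if is_jcc_inversion(ref, off, a, b) else "other"
            findings.append((off, a, b, kind))
    return findings


# Constructed sample: test rax,rax / je near / nop nop / je short / xor eax,eax / ret
REF = bytes.fromhex("4885c0" "0f848c000000" "9090" "7409" "31c0" "c3")
SUSPECT = bytearray(REF)
SUSPECT[4] = 0x85   # 0F 84 -> 0F 85 (JE -> JNE, near form)
SUSPECT[11] = 0x75  # 74 -> 75 (JE -> JNE, short form)
SUSPECT = bytes(SUSPECT)

if __name__ == "__main__":
    for off, old, new, kind in find_jump_inversions(REF, SUSPECT):
        print(f"0x{off:08x}: {old:02x} -> {new:02x}  [{kind}]")
```

In practice the reference copy comes from the vendor package, after its published checksum or signature has been verified, and the suspect copy is the installed file.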

@Destitute-Streetdwelling-Guttersnipe

@dmknght what did you use to decompile this? I looked at your screenshot and don't know what tool it is.

@dmknght
Author

dmknght commented Jan 19, 2022

> @dmknght what did you use to decompile this? I looked at your screenshot and don't know what tool it is.

It's Ghidra.
