Last active
January 19, 2022 05:37
Patch binary of Sublime Text amd64 Linux build 4121
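"""Check, and if the file is writable patch, two byte pairs in a Sublime Text binary.

The script is written for exactly one build (amd64 Linux, build 4121).  It
first fingerprints the file by comparing the bytes at a fixed offset with the
update-check URL of that build, and only then looks at the two patch sites.

The file is modified in place and no backup is made, so the patched file no
longer matches the vendor's released binary (hash or signature comparison
against the original will fail).
"""
import os

sublime_binary_path = "/tmp/sublime_text"
version_magic_string = "/updates/4/stable_update_check?version=4121&platform=linux&arch=x64"
sz_magic_string = 67  # length of version_magic_string in bytes
version_magic_string_offset = 0x000106bd  # (Real offset from xxd)

offset_1 = 0x00376160  # data = 84 8c; patched = 85 8c
offset_2 = 0x0037621b  # data = 74 09; patched = 75 09

# (offset, expected original bytes, replacement for the first byte, label)
patch_sites = (
    (offset_1, b"\x84\x8c", b"\x85", "first"),
    (offset_2, b"\x74\x09", b"\x75", "second"),
)

# os.access() is only an advisory pre-check; open() below can still fail if
# the file changes between the check and the open.
is_file_read = os.access(sublime_binary_path, os.R_OK)
if not is_file_read:
    print(f"File {sublime_binary_path} is not readable. Exit!")
    raise SystemExit(1)

is_file_write = os.access(sublime_binary_path, os.W_OK)
if not is_file_write:
    print(f"File {sublime_binary_path} is not writable. Only check for patch.")

with open(sublime_binary_path, "rb") as f:
    f.seek(version_magic_string_offset)
    data = f.read(sz_magic_string)

# Compare as bytes: decoding arbitrary binary data as UTF-8 can raise
# UnicodeDecodeError when the file is not the expected build.
if data == version_magic_string.encode():
    print("File matched sublime_text build 4121")
else:
    print("File doesn't have build 4121 magic string")
    # The offsets below are only meaningful for build 4121; writing to them in
    # any other file would corrupt it, so stop here instead of continuing.
    raise SystemExit(1)

with open(sublime_binary_path, "rb+" if is_file_write else "rb") as f:
    for offset, original, replacement, label in patch_sites:
        f.seek(offset)
        if f.read(2) != original:
            # Already patched, or not the expected bytes: leave it untouched.
            continue
        if is_file_write:
            print(f"Patching {label} jump")
            f.seek(offset)
            f.write(replacement)
        else:
            print(f"{label.capitalize()} jump is not patched")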
Author
@dmknght what did you use to decompile this? I looked at your screenshot and don't know what tool it is.
Author
@dmknght what did you use to decompile this? I looked at your screenshot and don't know what tool it is.
It's Ghidra.
The file path is hard-coded. You just need to copy the `sublime_text` binary to `/tmp/`, run the script, and copy the patched binary back to the original path. Or just edit the absolute path to `sublime_text` and make sure the binary file is writable.

My patch uses the reverse-jump method to change the return code of the license-status check. Sublime Text has another background thread that checks it. It is possibly an online check, and I didn't have time to trace the code.