Skip to content

Instantly share code, notes, and snippets.

@JerryLokjianming
Last active November 22, 2024 09:33
Show Gist options
  • Save JerryLokjianming/71dac05f27f8c96ad1c8941b88030451 to your computer and use it in GitHub Desktop.
Save JerryLokjianming/71dac05f27f8c96ad1c8941b88030451 to your computer and use it in GitHub Desktop.
Crack Sublime Text 3.2.2 Build 3211 and Sublime Text 4 Alpha 4098 with Hex

How to Crack Sublime Text 3.2.2 Build 3211 with Hex Editor (Windows | Without License) ↓

  1. Download & Install Sublime Text 3.2.2 Build 3211
  2. Visit https://hexed.it/
  3. Open file select sublime_text.exe
  4. Offset 0x8545: Original 84 -> 85
  5. Offset 0x08FF19: Original 75 -> EB
  6. Offset 0x1932C7: Original 75 -> 74 (remove UNREGISTERED in title bar, so no need to use a license)
  7. Export File and save it to location you want
  8. Backup sublime_text.exe file (just rename)
  9. Copy sublime_text.exe modified to directory Sublime Text 3
  10. Happy Coding :)
Screenshot

Screenshot


How to Crack Sublime Text 4 Alpha 4098 with Hex Editor (Windows | Without License) ↓

  1. Download & Install Sublime Text 4 Alpha 4094
  2. Visit https://hexed.it/
  3. Open file select sublime_text.exe
  4. Go to Address: 0000A700 change 80 38 00 to FE 00 90
  5. Export File and save it to location you want
  6. Backup sublime_text.exe file (just rename)
  7. Copy sublime_text.exe modified to directory Sublime Text 4 (i.e C:\Program Files\Sublime Text)
  8. Use this License
----- BEGIN LICENSE ----- 
TwitterInc 
200 User License 
EA7E-890007 
1D77F72E 390CDD93 4DCBA022 FAF60790 
61AA12C0 A37081C5 D0316412 4584D136 
94D7F7D4 95BC8C1C 527DA828 560BB037 
D1EDDD8C AE7B379F 50C9D69D B35179EF 
2FE898C4 8E4277A8 555CE714 E1FB0E43 
D5D52613 C3D12E98 BC49967F 7652EED2 
9D2D2E61 67610860 6D338B72 5CF95C69 
E36B85CC 84991F19 7575D828 470A92AB 
------ END LICENSE ------
  1. Happy Coding :)
Screenshot

Screenshot


Blocked by Microsoft Defender SmartScreen -> More Info -> Run Anyway

Screenshot

Screenshot

Screenshot


How to Crack Sublime Text 3 & 4 Alpha 4094 with Hex Editor (Linux & MacOS | With License) ↓

  1. Download & Install Sublime Text 3 or 4
  2. Visit https://hexed.it/
  3. Open file select sublime_text
    • Linux Location: /opt/sublime_text/sublime_text
    • MacOS Location: /Application/Sublime Text [version].app (Correct Me If I'm Wrong)
  4. Search 97 94 0D and Change to 00 00 00
  5. Export File and save it to location you want
  6. Backup sublime_text file (just rename)
  7. Copy sublime_text modified to default directory Sublime Text
  8. Use this License
----- BEGIN LICENSE ----- 
TwitterInc 
200 User License 
EA7E-890007 
1D77F72E 390CDD93 4DCBA022 FAF60790 
61AA12C0 A37081C5 D0316412 4584D136 
94D7F7D4 95BC8C1C 527DA828 560BB037 
D1EDDD8C AE7B379F 50C9D69D B35179EF 
2FE898C4 8E4277A8 555CE714 E1FB0E43 
D5D52613 C3D12E98 BC49967F 7652EED2 
9D2D2E61 67610860 6D338B72 5CF95C69 
E36B85CC 84991F19 7575D828 470A92AB 
------ END LICENSE ------
  1. Happy Coding :)
Screenshot

Screenshot


@bms8197
Copy link

bms8197 commented Aug 31, 2021

@rohit-kumar-j thanks but I don't actually trust that site. The only site I have ever downloaded cracked software for mac is macdrop.

@tientq64
Copy link

tientq64 commented Sep 3, 2021

Has anyone cracked build 4114 yet?

@strotee
Copy link

strotee commented Sep 3, 2021

Has anyone cracked build 4114 yet?

see https://gist.github.com/JerryLokjianming/71dac05f27f8c96ad1c8941b88030451#gistcomment-3865017 but why not wait until a final version instead of beta?

Untitled

Copy link

ghost commented Sep 4, 2021

@tiencoffee

I've updated my Windows x64 patcher to support the Dev builds too (from v4109 onwards), so v4114 should work. Feel free to test it out!
https://github.com/rainbowpigeon/sublime-text-4-patcher

@mrparag94
Copy link

@Rain

@tiencoffee

I've updated my Windows x64 patcher to support the Dev builds too (from v4109 onwards), so v4114 should work. Feel free to test it out!
https://github.com/rainbowpigeon/sublime-text-4-patcher

Bro do you have merge patcher..?

@strotee
Copy link

strotee commented Sep 28, 2021

Untitled :)

@strotee
Copy link

strotee commented Sep 30, 2021

Untitled

@Danny4096
Copy link

@rainbowpigeon How does your script calculate the actual address from the relative address?

Copy link

ghost commented Oct 11, 2021

How does your script calculate the actual address from the relative address?

@Dannyboi21 When code/data is being referenced across sections, I calculate it by using the PointerToRawData and VirtualAddress values of the sections involved.

https://github.com/rainbowpigeon/sublime-text-4-patcher/blob/main/sublime_text_4_patcher.py#L244

    def off_to_rva(self, section: str):
        return self.offset - self.file.sections[section].PointerToRawData + self.file.sections[section].VirtualAddress

    def rva_to_off(self, section: str):
        return self.offset - self.file.sections[section].VirtualAddress + self.file.sections[section].PointerToRawData

@strotee
Copy link

strotee commented Oct 16, 2021

Untitled

For info on how to crack it, I followed these steps (I'm on Win x64, I can't guarantee this will work for other platforms): https://gist.github.com/JerryLokjianming/71dac05f27f8c96ad1c8941b88030451#gistcomment-3758682

@leogx9r
Copy link

leogx9r commented Oct 16, 2021

@strotee What's the point of showing that off without providing a way to patch it? To show off?

To those of you that do want Sublime Text/Merge patched and can't be bothered to beg strotee, check here. There's also ARM64 patches for Sublime Text and Merge too.

@strotee
Copy link

strotee commented Oct 16, 2021

@leogx9r - if one were to scroll up, I first mention how to crack it in https://gist.github.com/JerryLokjianming/71dac05f27f8c96ad1c8941b88030451#gistcomment-3881935. It's definitely not to show off, merely to show a new version came out and the existing crack works (just two items to search and throw in a custom, generic license) and one has an updated, newer version of Sublime. I can certainly provide a link to the steps I followed.

@bms8197
Copy link

bms8197 commented Oct 16, 2021

@strotee A link with the steps would be really helpfull :)
@leogx9r Thank you again for patching v4118 MacOS M1 version!

@strotee
Copy link

strotee commented Oct 16, 2021

Tip: If you don't use a firewall, just know that it checks every time the application starts. To prevent Sublime from checking online for an update & God knows what else, disable it by doing this: Click Preferences, Settings. On the right side, add "update_check": false
Untitled

@bms8197
Copy link

bms8197 commented Oct 16, 2021

@strotee Had that setting configured already but thanks for the tip!

@leogx9r
Copy link

leogx9r commented Oct 16, 2021

@strotee Guess I misunderstood, sorry about that.

checking online for an update & God knows what else

There's 3 telemetry-like checks in the program, update checking (config file like you showed can stop that that), a license check thread run once on startup (usually patched via hosts) and a license notify thread (that triggers whenever you enter/change a license, sending your IP, HWID, version and license info to the server). You can disable all of them by patching host file or disabling the methods (linked thread).

You get the same thing essentially but avoid having your IP address and HWID sent to the server which they can theoretically blacklist (or if they're serious enough and you're not using a VPN, contact your ISP).

image
image

@bms8197 You don't need to disable update checks (unless you click update and it replaces the patched binary) in the patched MacOS binaries -- they have everything "sketchy" disabled already. Ditto for anyone using my patching methods.

@PlamenOBM
Copy link

Here's my method for breaking their license protection. I've specifically applied the below to v4107.

Quick note: This isn't meant for newbies, this shows you how to patch the current and (most likely) future versions of Sublime Text. I've been using this for a while now.

Here's a basic rundown of how license validation and invalidation works:

  • Licenses have hardcoded (lol, remove blacklist and patch server thread, 10/10 protection) blacklists in the executable and are signed via an RSA public key (which is 'encrypted' in the binary, basically some xor stuff).
  • Application tries to validate an invalid license every 5 seconds. It expects this to fail but if it succeeds, it will unregister you after 480 seconds. This is why simply patching the validity function isn't enough.
  • Application tries to validate your current license every 15 seconds. It expects this to succeed but if it fails, it will unregister you after 360 seconds.
  • The application creates a thread to validate the current license with the server at license.sublimehq.com whenever the application is started (config file read) or when modifying your current license. If this succeeds to connect and your license isn't correct it will unregister you.

So how can you bypass all this? Dare I say, efficiently?

  • Patch the validation function (isLicenseValid as I call it) for anything to always return 0 (valid). Values from 1-4 specify either an invalid, blacklisted or unsupported/expired license.
  • Prevent thread creation for the validation/invalidation routines to avoid the license being unregistered after X seconds due to patching isLicenseValid. Optionally simply remove the "unregister" function here. Doesn't matter how you go about it really.
  • Disable server validation thread or patch the HTTP host so it always fails to connect. Most people resort to using hosts to redirect the license server to localhost or renaming the host in the binary. A far better way is simply to avoid a dead thread being created that does this check.

Disabling creation of these 3 threads is my preferred method since you obviously save resources as you don't need to constantly have new threads opened every X seconds.

Why I consider this better than other methods?

  • No need to find a "working"/"nonblacklisted" license. You can literally enter "Hello World!" as a valid license.
  • No useless thread creation eating up resources. A small performance improvement you'll absolutely never notice.
  • You don't have to patch /etc/hosts or system32/drivers/etc/hosts.
  • Relies on patterns so you can build your own script to auto-patch on updates, provided patterns don't break of course.
  • Doesn't decide to randomly expire.

How tho?

Patch the following methods:

  • License Validity Checking (Aka IsValidLicense

Make isLicenseValid return 0, pattern is a reference to call isLicenseValid. I personally just replaced the method with xor rax, rax; ret so 48 31 C0 C3.

    Linux/MacOS x64 Pattern: `direct reference sig: E8 ? ? ? ? 49 8B BF ? ? ? ? 85 C0`
    Windows x64 Pattern:     `direct reference sig: E8 ? ? ? ? 48 8B 8B ? ? ? ? 85 C0`
  • Invalidation/Validation Functions

These cause delayed unregistration after 360/480 seconds so NOP out the calls to avoid them. Aka replace E8 XX XX XX XX with 90 90 90 90 90.

    Windows x64 Pattern 1: `direct reference sig: (+0x6) 41 B8 ? ? ? ? E8 ? ? ? ? 49 8B 96`
                Pattern 2: `raw sig: E8 ? ? ? ? E8 ? ? ? ? 4C 89 F1 E8`
    Linux x64   Pattern 1: `raw sig: E8 ? ? ? ? 48 89 5C 24 ? 48 8B B3`
                Pattern 2: `raw sig: E8 ? ? ? ? BF ? ? ? ? E8 ? ? ? ? 83 25`
    MacOS       Pattern 1: `raw sig: E8 ? ? ? ? 48 89 9D ? ? ? ? 48 8B B3`
                Pattern 2: `raw sig: E8 ? ? ? ? 48 8D 3D ? ? ? ? E8 ? ? ? ? 83 25`
  • Server Validation Thread

Simply make this instantly return 1 to disable thread creation or patch the hostname to something invalid. I personally prefer to simply disable thread creation by making this return 1, aka 48 31 C0 48 FF C0 C3, xor rax, rax; inc rax; ret.

    Windows x64 Pattern: `raw sig: 55 56 57 48 83 EC 30 48 8D 6C 24 ? 48 C7 45 ? ? ? ? ? 89 D6 48 89 CF 6A 28`
    Linux x64   Pattern: `raw sig: 55 41 56 53 41 89 F6 48 89 FD 6A 28`
    MacOS       Pattern: `raw sig: 55 48 89 E5 41 57 41 56 53 50 41 89 F6 49 89 FF 6A 20`

Now what?

After patching simply register with anything you want. It can even be just a random letter, a space, a word, a sentence, a valid or invalid license -- whatever you want. Here's what I registered with:

Paying 80$ For A License Is Stupid

But I wanna download!

Linux

For Linux x64 on v4107, you can use this (replace /opt/sublime_text/sublime_text with the path to the binary):

# 554157415641554154534881EC68240000 -> 4831C0C390909090909090909090909090
sed -i 's/\x55\x41\x57\x41\x56\x41\x55\x41\x54\x53\x48\x81\xEC\x68\x24\x00\x00/\x48\x31\xC0\xC3\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90/g' /opt/sublime_text/sublime_text

# E8C2781800 -> 9090909090
sed -i 's/\xE8\xC2\x78\x18\x00/\x90\x90\x90\x90\x90/g' /opt/sublime_text/sublime_text
# E8A7781800 -> 9090909090
sed -i 's/\xE8\xA7\x78\x18\x00/\x90\x90\x90\x90\x90/g' /opt/sublime_text/sublime_text

# 554156534189F64889FD6A28 -> 4831C048FFC0C39090909090
sed -i 's/\x55\x41\x56\x53\x41\x89\xF6\x48\x89\xFD\x6A\x28/\x48\x31\xC0\x48\xFF\xC0\xC3\x90\x90\x90\x90\x90/g' /opt/sublime_text/sublime_text

Windows

I've uploaded a portable copy of the Windows x64 bit version, already patched, here. Simply replace the sublime_text.exe file from the portable download with the above. Here's the virus scan. Note: PE.Heur.InvalidSig is due to patching the executable to bypass the license checks. Don't trust it? Then patch it yourself :P

I've been using this on both Windows and Linux since the new version dropped without issues.

MacOS

No.

Proof

image image image

You sir, are a legend! Worked like a charm. Thank you very much!

@Destitute-Streetdwelling-Guttersnipe

@leogx9r Here they patched the domain name inside ST (license.sublimehq.com) and the RSA key function. There are 2 places to patch (1 plain text, 1 machine code). So it's more stable in future version (in comparison to your method of patching 6 functions).

Of course, your method is the most complete (their method may not able to block the crash reporter, and the checking threads are left running in the background).

There's 3 telemetry-like checks in the program, update checking (config file like you showed can stop that that), a license check thread run once on startup (usually patched via hosts) and a license notify thread (that triggers whenever you enter/change a license, sending your IP, HWID, version and license info to the server). You can disable all of them by patching host file or disabling the methods (linked thread).

You get the same thing essentially but avoid having your IP address and HWID sent to the server which they can theoretically blacklist (or if they're serious enough and you're not using a VPN, contact your ISP).

Hey @leogx9r, do you know where the crash reporter send the request to? If it's the same domain (license.sublimehq.com), then their method is good enough (just using more CPU & energy in the background).

@Issam28
Copy link

Issam28 commented Oct 26, 2021

Is this still working on build 4121 ?

@strotee
Copy link

strotee commented Oct 26, 2021

Is this still working on build 4121 ?

yes, at least on Win x64, see https://gist.github.com/JerryLokjianming/71dac05f27f8c96ad1c8941b88030451#gistcomment-3758682

Untitled

Edit: If you don't use a firewall, then it'll attempt to connect. Block the update check (link) or use hosts. (link)
I don't take credit for the cracks, I'm just a messenger.

@duckimann
Copy link

@vanja-san take a look at this one

@tes123id
Copy link

Is this still working on build 4121 ?

it does not seem to work on linux. i've just tried it using this https://gist.github.com/JerryLokjianming/71dac05f27f8c96ad1c8941b88030451#gistcomment-3933346. it works on previous version.

or maybe i've missed something ?

@leogx9r
Copy link

leogx9r commented Oct 27, 2021

@Destitute-Streetdwelling-Guttersnipe The crash reporter function in sublime_text[.exe] is a wrapper function that spawns a new process with some parameters (<build_id> /path/to/dump_file /path/to/executable_file), calling another executable in the main directory, crash_reporter[.exe].

The crash_reporter[.exe] handles all the magic and contains the actual server name it sends telemetry to, crash-report.sublimehq.com, basically sending an HTTP POST request to that URL (<URI>/crash) with the SHA-256 checksum of the binary and a deflated compressed dump of the crash.

Pretty sure it also sets the user-agent to sublime-crash-reporter/3.0 to potentially rule out fake requests but that's easy to bypass. If you were particularly evil, you could load their servers up with tons of invalid files since there doesn't seem to be any security checking here.

@Destitute-Streetdwelling-Guttersnipe

Thanks @leogx9r for the analysis of crash reporter. I think I can delete crash_reporter in case I can't patch the crash reporter function in ST/SM.

@jowinjohnchemban
Copy link

Is this still working on build 4121 ?

Thank you @andhika96 https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47#gistcomment-3941342

image

Replace following, [PREFERRED]

0000711A: E8 > 90
0000711B: 55 > 90
0000711C: 1E > 90
0000711D: 20 > 90
0000711E: 00 > 90

000A84E3: 55 > 48
000A84E4: 56 > 31
000A84E5: 57 > C0

000A84E7: 83 > FF
000A84E8: EC > C0
000A84E9: 30 > C3

OR
Search and replace following (make sure replace at the correct positions),

E8 55 1E 20 00  >  90 90 90 90 90
55 56 57  >  48 31 C0
83 EC 30  >  FF C0 C3

Tool used,
https://hexed.it/

@nemesisnes
Copy link

Thanks for this mate!

@PlamenOBM
Copy link

Any chances to have this for linux too?

@fredgolightly
Copy link

4125 Win x64?

@strotee
Copy link

strotee commented Dec 22, 2021

@Leoyut
Copy link

Leoyut commented Dec 29, 2021

hey im getting this error when running in linux : md5sum: WARNING: 1 computed checksum did NOT match

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment