Bypassing Sentinel Hardware Key Protection for Java Applications
Reverse engineering applications written in Java is usually not difficult, unless the developers have taken steps to protect their code. To make life difficult for hackers and researchers, various tools are used, one of which is protection with a Sentinel hardware key. In this article, we will look at a way to bypass such protection.
Weak Point of Protection
Those who have read previous articles on protecting Java applications know the weakest point of such protection: the transparency of the bytecode and the ease of restoring it to source code. Developers of protection tools therefore try to hide the code from prying eyes as cunningly as possible, using various techniques: obfuscation, compilation to native code, encryption. We began to analyze a clear example of the latter in the article “Defenseless Java. Breaking Java bytecode encryption.” In that article we settled on inline patching of the decoded bytecode directly from the JVMTI agent library.
Bypassing Sentinel Hardware Key Protection
Today we will continue this topic and learn how to patch the encrypted code directly. As an example, we will take an application protected by the Sentinel Licensing API Java Class Library, a special Java class protection library that comes with Hasp keys. The application itself is protected by the Hasp key, and its working directory contains the Sentinel-specific files hasp_rt.exe, hasp_windows_x64_34344.dll and haspvlib_34344.dll, as well as the Java-specific HASPJava.dll, HASPJava_x64.dll, sntljavaclsrt.dll and sntljavaclsrt_x64.dll.
We know from experience that it is better not to even try to attack these libraries head-on: they are heavily virtualized and protected against debugging and modification. Therefore, we look at the compiled classes contained inside the JAR. The picture there is no better: except for the main class, every class is encrypted and shows high entropy.
The cryptor is not attached as a Java agent when the application is launched. Instead it is loaded from the main class, which is essentially an application loader and the only class whose code is readable:
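The observation above (only the loader class is readable, everything else is high-entropy ciphertext) can be checked mechanically when triaging a protected JAR. The Python sketch below is an added example, not code from the original article or from Sentinel; the entry names, the 7.0 bits/byte cut-off and the sample JAR are constructed assumptions.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # every valid .class file starts with these bytes
ENTROPY_LIMIT = 7.0                # bits/byte; assumed cut-off for "looks encrypted"

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def triage_jar(jar_bytes: bytes) -> dict:
    """Map each .class entry to (has_magic, entropy, verdict)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            body = jar.read(name)  # zipfile returns the decompressed entry
            has_magic = body.startswith(CLASS_MAGIC)
            entropy = shannon_entropy(body)
            if has_magic and entropy < ENTROPY_LIMIT:
                verdict = "plain"
            elif not has_magic and entropy >= ENTROPY_LIMIT:
                verdict = "encrypted"
            else:
                verdict = "review"  # mixed signals, e.g. a tiny or partly scrambled file
            report[name] = (has_magic, round(entropy, 2), verdict)
    return report

def build_sample_jar() -> bytes:
    """Constructed sample: one readable loader class, one high-entropy blob."""
    plain = CLASS_MAGIC + b"\x00\x00\x00\x34" + b"java/lang/Object Code main " * 40
    # Deterministic pseudo-random bytes standing in for an encrypted class body.
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("Loader.class", plain)     # hypothetical entry name
        jar.writestr("app/Core.class", blob)    # hypothetical entry name
    return buf.getvalue()

if __name__ == "__main__":
    for name, row in triage_jar(build_sample_jar()).items():
        print(name, row)
```

The missing 0xCAFEBABE magic is the stronger signal; entropy alone is unreliable for very small entries, which is why mixed results are flagged for manual review instead of being classified.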
public static void main(String[] stringArray) {
    try {
        String string;
        // Derive the application directory from the class path
        String string2 = System.getProperty("java.class.path");
        int n = Math.max(string2.lastIndexOf("\\"), string2.lastIndexOf("/"));
        String string3 = string = string2.substring(0, ++n);
        // Pick the native runtime library for the current OS and JVM bitness
        if (JavaClsEntry.isWindows()) {
            string3 = string3 + "sntljavaclsrt";
            if (0 == System.getProperty("sun.arch.data.model").compareTo("64")) {
                string3 = string3 + "_x64";
            }
            string3 = string3 + ".dll";
        } else if (JavaClsEntry.isLinux()) {
            string3 = string3 + "libsntljavaclsrt_x86_64.so";
        } else {
            return;
        }
        // Load the native library by absolute path
        File file = new File(string3);
        string3 = file.getAbsolutePath();
        System.load(string3);
    }
    // (excerpt: the catch block and the rest of main() are not shown)
In the next article, we will look at how to patch the encrypted code directly. Stay tuned!