A more advanced attacker can go further and modify the $sys$parking file to set the counter to an
arbitrary value. The file consists of a 16 byte header followed by a series of 177 byte structures. For each
XCP disc used on the machine, the file contains a whole-disc structure and an individual structure for each
track. Each disc structure stores the number of permitted copies remaining for the disc as a 32-bit integer
beginning 100 bytes from the start of the structure.
The file is protected by primitive encryption. Each structure is XORed with a repeating 256-bit pad.
The pad--a single pad is used for all structures--is randomly chosen when XCP is first installed and stored
in the system registry in the key HKLM\SOFTWARE\$sys$reference\ClassID. Note that this key,
which is hidden by the rootkit, is intentionally misnamed "ClassID" to confuse investigators. Instead of a
ClassID, it contains the 32 bytes of pad data.
Hiding the pad actually doesn't increase the security of the design. An attacker who knows only the
format of the $sys$parking file and the current number of copies remaining can change the counter
to an arbitrary value without needing to know the pad. Say the counter indicates that there are $x$ copies
remaining and the attacker wants to set it to $y$ copies remaining. Without decrypting the structure, she can
XOR the padded bytes where the counter is stored with the value $x \oplus y$. If the original value was padded
with $p$, the new value is $(x \oplus p) \oplus (x \oplus y) = (y \oplus p)$, $y$ padded with $p$.
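As an added illustration (not code from the paper), the following Python models the structure layout described above and shows why a secret XOR pad gives no integrity: the counter bytes of the ciphertext can be changed from $x$ to $y$ without the pad, while a keyed MAC over the structure, the check this design lacks, detects the same modification. The little-endian byte order of the counter and the all-zero remaining fields are assumptions.

```python
import hashlib
import hmac
import os
import struct

STRUCT_LEN = 177   # each disc/track structure is 177 bytes (the 16-byte file header is not modelled)
COUNTER_OFF = 100  # 32-bit copies-remaining counter starts 100 bytes into the structure
PAD_LEN = 32       # one 256-bit (32-byte) repeating XOR pad shared by all structures

def xor_pad(data: bytes, pad: bytes) -> bytes:
    """XOR with a repeating pad; the same call encrypts and decrypts."""
    return bytes(b ^ pad[i % len(pad)] for i, b in enumerate(data))

def make_structure(copies_remaining: int) -> bytes:
    """Constructed plaintext: all fields zero except the counter (little-endian is an assumption)."""
    buf = bytearray(STRUCT_LEN)
    struct.pack_into("<I", buf, COUNTER_OFF, copies_remaining)
    return bytes(buf)

def flip_counter_without_pad(ct: bytes, x: int, y: int) -> bytes:
    """Malleability from the text: XOR the ciphertext's counter bytes with x ^ y,
    so (x ^ p) ^ (x ^ y) == (y ^ p) and the pad p is never needed."""
    delta = struct.pack("<I", x ^ y)
    buf = bytearray(ct)
    for i in range(4):
        buf[COUNTER_OFF + i] ^= delta[i]
    return bytes(buf)

def counter_after_tamper(x: int, y: int, pad: bytes = None) -> int:
    """Encrypt a structure holding x, tamper it to y without the pad, then decrypt and read it."""
    pad = pad or os.urandom(PAD_LEN)
    ct = xor_pad(make_structure(x), pad)
    plain = xor_pad(flip_counter_without_pad(ct, x, y), pad)
    return struct.unpack_from("<I", plain, COUNTER_OFF)[0]

def seal(ct: bytes, mac_key: bytes) -> bytes:
    """The integrity check the design lacks: append an HMAC-SHA256 tag over the ciphertext."""
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def unseal(blob: bytes, mac_key: bytes):
    """Return the ciphertext if the tag verifies, else None (tampering detected)."""
    ct, tag = blob[:-32], blob[-32:]
    ok = hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest())
    return ct if ok else None

def tamper_detected(x: int, y: int) -> bool:
    pad, mac_key = os.urandom(PAD_LEN), os.urandom(32)
    blob = seal(xor_pad(make_structure(x), pad), mac_key)
    forged = flip_counter_without_pad(blob[:-32], x, y) + blob[-32:]
    return unseal(forged, mac_key) is None
```

The MAC key would of course have to be kept from the attacker as well, which is exactly what a hidden registry value on the same machine cannot guarantee.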
6.1.1 iPod Compatibility
Ironically, Sony itself furnishes directions for carrying out another kind of attack on the player DRM.
Conspicuously absent from the XCP and MediaMax players is support for the Apple iPod--by far the most
popular portable music player. A Sony FAQ blames Apple for this shortcoming and urges users to direct
complaints to them: "Unfortunately, in order to directly and smoothly rip content into iTunes it [sic.]
requires the assistance of Apple. To date, Apple has not been willing to cooperate with our protection vendors
to make ripping to iTunes and to the iPod a simple experience." [32]. Strictly speaking, it is untrue that Sony
requires Apple's cooperation to work with the iPod, as the iPod can import MP3s and other open formats.
What Sony has difficulty doing is moving music to the iPod while keeping it wrapped in copy protection.
This is because Apple has so far refused to support interoperation with its FairPlay DRM.
Yet so great is consumer demand for iPod compatibility that Sony gives out--to any customer who fills
out a form on its web site [31]--instructions for working around its own copy protection and transforming
the music into a DRM-free format that will work with the iPod. The procedure is simple but cumbersome:
users are directed to use the player software to rip the songs into Windows Media DRM files; use Windows
Media Player to burn the files to a blank CD, which will be free of copy protection; and then use iTunes to
rip the songs once more and transfer them to the iPod.
6.2 XCP's Hidden iPod Support
A further irony came to light in the weeks following the public disclosure of the XCP rootkit when it was
discovered that XCP itself infringes on the copyrights to several open source software projects. In one
case, Sam Hocevar found conclusive evidence [14] that part of XCP's code was copied from a program
called DRMS [18], which he co-authored with Jon Lech Johansen and released under the terms of the
GNU General Public License (GPL). This was particularly curious, because the purpose of DRMS is to
break Apple's FairPlay DRM. Its presence in XCP is interesting enough to warrant a digression from our
discussion of player-related attacks.
We discovered that XCP utilizes the DRMS code not to remove Apple DRM but to add it, as part of a
hidden XCP feature that provides iTunes and iPod compatibility. This functionality shipped on nearly every
XCP CD, but it was never enabled or made visible in the XCP user interface. Despite being inactive, the
code appears to be fully functional and was compatible with the current version of iTunes when the first