Joshua's Blog

Analysing Red Star OS's mysterious binary

North Korea's proprietary operating system, Red Star OS, contains a binary executable called opprc. This component is known to implement a sophisticated watermarking system that embeds unique identifiers, including your disk's serial number, into files processed by the system. As a result, any file created, modified, or even simply accessed on a Red Star OS machine can potentially be traced back to its source.

Opening opprc in a disassembler quickly reveals some suspicious-sounding functions. What's it doing with my optical discs?

It seems to especially care about Video CDs. North Korea must be pretty behind in technology if people are still using Video CDs.

This checks whether the specified device is a CD, not a DVD, is a Video CD, and has failed its 'check'. If so, it ejects the disc and reboots the system.

The decompiled CheckVideoCD()

Is it possible that every Video CD inserted into this system is checked against a database? And why are Video DVDs disregarded?

Here it seems to be performing some operations on gfd.

What I've worked out so far is that gfd is the device /dev/res, but what is /dev/res? From what I've gathered, it appears to be responsible for starting and stopping Red Star OS's kernel module rtscan and protecting files.

opprc also seems to record the time and date of install and the free space on your disk, the latter of which appears to be used to check if there is enough space on the disk to perform the operations in the DecodeFile function.

Conclusion

  1. Comprehensive watermarking: The operating system implements a fingerprinting system that marks documents, audio files, and video content with your disk serial.

  2. Content monitoring: opprc actively scans removable media for prohibited content. Upon detection, it ejects the device and reboots the system.

  3. File system protection: Any attempts to modify or remove protected system files trigger a reboot.

These protections are surprisingly easy to bypass, but you would imagine someone living in North Korea would not have access to that knowledge.

Further Reading

Notes on Red Star OS

Red Star OS Watermarking


Error? Suggestion? joshuawhe@proton.me