A few months ago, I downloaded an evaluation copy of IBM’s XLC compiler to try it out on FFmpeg. The trial licence has now expired, so what better way to spend a few minutes than by cracking it?
The installation script, as expected, copied a number of files into a directory under /opt. More unusually, it also created a small shared library, libxlc101e.so.1, and placed it in /usr/lib. No other files from the installation package were modified, so this must be where the licence is hiding. Without further ado, we proceed to take it apart.
We begin by looking at the symbol table using readelf -s:
Symbol table '.symtab' contains 44 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 000000b4     0 SECTION LOCAL  DEFAULT    1
     2: 0000017c     0 SECTION LOCAL  DEFAULT    2
     3: 0000036c     0 SECTION LOCAL  DEFAULT    3
     4: 0000055c     0 SECTION LOCAL  DEFAULT    4
     5: 00000580     0 SECTION LOCAL  DEFAULT    5
     6: 000005c4     0 SECTION LOCAL  DEFAULT    6
     7: 00010a3c     0 SECTION LOCAL  DEFAULT    7
     8: 00010a50     0 SECTION LOCAL  DEFAULT    8
     9: 00010ac8     0 SECTION LOCAL  DEFAULT    9
    10: 00010ad8     0 SECTION LOCAL  DEFAULT   10
    11: 00000000     0 SECTION LOCAL  DEFAULT   11
    12: 00000000     0 SECTION LOCAL  DEFAULT   12
    13: 00000000     0 SECTION LOCAL  DEFAULT   13
    14: 00000000     0 SECTION LOCAL  DEFAULT   14
    15: 00000000     0 FILE    LOCAL  DEFAULT  ABS xleval.c
    16: 00010a50     0 OBJECT  LOCAL  HIDDEN   ABS _DYNAMIC
    17: 00010acc     0 OBJECT  LOCAL  HIDDEN   ABS _GLOBAL_OFFSET_TABLE_
    18: 000005f0    24 OBJECT  GLOBAL DEFAULT    6 xlc_extended_eval_lic_dir
    19: 00000660    22 OBJECT  GLOBAL DEFAULT    6 libxlfextendeval_name
    20: 00000738    42 OBJECT  GLOBAL DEFAULT    6 stm_compiler_name
    21: 00000640    16 OBJECT  GLOBAL DEFAULT    6 libupclicense_name
    22: 00000764    32 OBJECT  GLOBAL DEFAULT    6 xlf_compiler_name
    23: 00000580    68 FUNC    GLOBAL DEFAULT    5 _xlgetevalbeta
    24: 00000678    22 OBJECT  GLOBAL DEFAULT    6 libxlcextendeval_name
    25: 00000608    24 OBJECT  GLOBAL DEFAULT    6 xlf_extended_eval_lic_dir
    26: 000006d8    17 OBJECT  GLOBAL DEFAULT    6 xlcmp_name
    27: 000006c0    12 OBJECT  GLOBAL DEFAULT    6 xlc_package_name
    28: 00000650    16 OBJECT  GLOBAL DEFAULT    6 libstmlicense_name
    29: 000005e0    16 OBJECT  GLOBAL DEFAULT    6 xlf_extend_eval_env_var
    30: 000005d0    16 OBJECT  GLOBAL DEFAULT    6 xlc_extend_eval_env_var
    31: 00000620    16 OBJECT  GLOBAL DEFAULT    6 libxlflicense_name
    32: 00010cd0     0 NOTYPE  GLOBAL DEFAULT  ABS __bss_start
    33: 00010a3c    20 OBJECT  GLOBAL DEFAULT    7 _xlevalbeta
    34: 000005c4    10 OBJECT  GLOBAL DEFAULT    6 liblicense_dir
    35: 00000690    22 OBJECT  GLOBAL DEFAULT    6 libupcextendeval_name
    36: 000006ec    30 OBJECT  GLOBAL DEFAULT    6 xlc_compiler_name
    37: 00000630    16 OBJECT  GLOBAL DEFAULT    6 libxlclicense_name
    38: 00010cd0     0 NOTYPE  GLOBAL DEFAULT  ABS _edata
    39: 00010cd0     0 NOTYPE  GLOBAL DEFAULT  ABS _end
    40: 000006cc    12 OBJECT  GLOBAL DEFAULT    6 xlf_package_name
    41: 000006a8    22 OBJECT  GLOBAL DEFAULT    6 libstmextendeval_name
    42: 00010ad8   504 OBJECT  GLOBAL DEFAULT   10 versionString
    43: 0000070c    42 OBJECT  GLOBAL DEFAULT    6 upc_compiler_name
Notice the lone function at position 23, _xlgetevalbeta, which we proceed to disassemble:
00000580 <_xlgetevalbeta>: 580: 94 21 ff f0 stwu r1,-16(r1) 584: 93 c1 00 08 stw r30,8(r1) 588: 93 e1 00 0c stw r31,12(r1) 58c: 7c 3f 0b 78 mr r31,r1 590: 7d 88 02 a6 mflr r12 594: 42 9f 00 05 bcl- 20,4*cr7+so,598 <_xlgetevalbeta+0x18> 598: 7f c8 02 a6 mflr r30 59c: 3f de 00 01 addis r30,r30,1 5a0: 3b de 05 34 addi r30,r30,1332 5a4: 7d 88 03 a6 mtlr r12 5a8: 80 1e ff fc lwz r0,-4(r30) 5ac: 7c 03 03 78 mr r3,r0 5b0: 81 61 00 00 lwz r11,0(r1) 5b4: 83 cb ff f8 lwz r30,-8(r11) 5b8: 83 eb ff fc lwz r31,-4(r11) 5bc: 7d 61 5b 78 mr r1,r11 5c0: 4e 80 00 20 blr
This is fairly standard, unoptimised code. After saving a few registers on the stack, it computes the address of the global offset table: 0x598 + 0x10000 + 1332 = 0x10acc, matching _GLOBAL_OFFSET_TABLE_ from the symbol table. Next, a value is loaded from the GOT, forming the return value of the function after the stack has been restored.
To find out what this return value really is, we look at the relocation table (by means of readelf -r):
Relocation section '.rela.dyn' at offset 0x55c contains 3 entries: Offset Info Type Sym.Value Sym. Name + Addend 00010a40 00000016 R_PPC_RELATIVE 00000784 00010a44 00000016 R_PPC_RELATIVE 0000097c 00010ac8 00001414 R_PPC_GLOB_DAT 00010a3c _xlevalbeta + 0
The third entry is the one we are looking for: its offset matches the location read by the code at 0x5a8. This means the _xlgetevalbeta function is returning a pointer to _xlevalbeta, which makes some kind of sense.
Another quick look at the symbol table tells us _xlevalbeta lives at address 0x10a3c and is 20 bytes in size. The section header (provided by readelf -S) helps us find the corresponding location in the file:
Section Headers: [Nr] Name Type Addr Off Size ES Flg [ 0] NULL 00000000 000000 000000 00 [ 1] .hash HASH 000000b4 0000b4 0000c8 04 A [ 2] .dynsym DYNSYM 0000017c 00017c 0001f0 10 A [ 3] .dynstr STRTAB 0000036c 00036c 0001ee 00 A [ 4] .rela.dyn RELA 0000055c 00055c 000024 0c A [ 5] .text PROGBITS 00000580 000580 000044 00 AX [ 6] .rodata PROGBITS 000005c4 0005c4 000475 00 A [ 7] .data.rel.ro PROGBITS 00010a3c 000a3c 000014 00 WA [ 8] .dynamic DYNAMIC 00010a50 000a50 000078 08 WA [ 9] .got PROGBITS 00010ac8 000ac8 000010 04 WA [10] .data PROGBITS 00010ad8 000ad8 0001f8 00 WA [11] .comment PROGBITS 00000000 000cd0 000028 00 [12] .shstrtab STRTAB 00000000 000cf8 000073 00 [13] .symtab SYMTAB 00000000 000fc4 0002c0 10 [14] .strtab STRTAB 00000000 001284 000206 00 Key to Flags: W (write), A (alloc), X (execute), M (merge), S (strings) I (info), L (link order), G (group), x (unknown) O (extra OS processing required) o (OS specific), p (processor specific)
The address we are looking for is at the start of the .data.rel.ro section, which can be found at offset 0xa3c in the file. It is time for the hexdump tool:
00000a30 69 62 69 74 65 64 2e 00 00 00 00 00 00 00 00 01 00000a40 00 00 00 00 00 00 00 00 00 00 24 05 4a 0c 65 c8
The last four bytes here, 4a 0c 65 c8, are interesting. Taken as a 32-bit big endian value, they are exactly equal to the modification time of the file, or in other words, the time the compiler was installed. This cannot be a coincidence, so using a hex editor, we replace this with the current time, 4a 80 74 31.
Lo and behold, the compiler is working again.
One hopes the engineers at IBM developing the compiler are not the same ones thinking this copy protection method was a good idea. Then again, perhaps they are; it failed miserably at compiling FFmpeg.
Wow – that seemed relatively easy. I always thought cracking software was hard.
Grumblings I’ve heard from “people that know” say the XL C is a pretty good compiler and sticks to the standards. Generally, you need to do some light patching and usually need to use some extra compiler flags since many projects use nonstandard GNU stuff.
This may help a bit http://www.perzl.org/aix/index.php?n=Main.Instructions, also look through his patches to see common things.