AICollection Help

XCOFF (Extended Common Object File Format)

XCOFF is the Extended Common Object File Format, used primarily by IBM's AIX operating system. It builds on the original COFF format by adding support for 64-bit systems, dynamic linking, and other advanced features. Here's a breakdown of what the XCOFF header contains and how you can find where the code begins:

Structure of the XCOFF Header

The XCOFF header typically contains the following fields:

  1. Magic Number:

    • Identifies the file as an XCOFF binary.

    • Common values:

      • 0x01DF for 32-bit XCOFF.

      • 0x01F7 for 64-bit XCOFF.

  2. Header Fields:

    • F_MAGIC (2 bytes):

      • Magic number identifying the file type.

    • F_NSCNS (2 bytes):

      • Number of sections in the file.

    • F_TIMDAT (4 bytes):

      • Timestamp indicating when the file was created.

    • F_SYMPTR (4 bytes):

      • Offset to the symbol table.

    • F_NSYMS (4 bytes):

      • Number of entries in the symbol table.

    • F_OPTHDR (2 bytes):

      • Size of the optional header.

    • F_FLAGS (2 bytes):

      • Flags providing additional information about the binary.

  3. Optional Header (if present):

    • Contains additional metadata, including the entry point address and memory configuration.

Sections in an XCOFF File

An XCOFF file typically contains:

  1. XCOFF Header:

    • Contains metadata and structural information.

  2. Text Section (.text):

    • Contains the executable code.

  3. Data Section (.data):

    • Contains initialized global variables.

  4. BSS Section (.bss):

    • Contains uninitialized global variables.

  5. Relocation Information:

    • Provides data for address adjustments during loading.

  6. Symbol Table:

    • Contains symbols used for debugging and linking.

Finding Where the Code Begins

To determine where the code starts in an XCOFF file:

  1. Locate the Entry Point:

    • The entry point address is specified in the optional header (if present).

  2. Find the Text Section:

    • Use the section table to locate the .text section, which contains the executable code.

  3. Calculate the Code Offset:

    • Combine the base address of the .text section with the entry point address to determine the code's location.

  4. Resolve Relocations:

    • Use the relocation information to adjust addresses as necessary.

Commands to Analyze XCOFF Files

  • dump -o <file>: Displays the XCOFF header and optional header.

  • dump -X <file>: Displays the section headers and their details.

  • nm <file>: Lists the symbols in the file.

  • objdump -d <file>: Disassembles the executable code.

  • XCOFF-specific tools: Use dedicated AIX tools like dbx or strip for further analysis.

Example

# Display header information dump -o example.xcoff # Display section headers dump -X example.xcoff # Disassemble to find the entry point objdump -d example.xcoff # List symbols nm example.xcoff

These tools can help you analyze the XCOFF structure and understand how the binary is organized and executed.

Last modified: 19 January 2025
PEF (Preferred Executable Format)File systems