What's the coolest hack you've seen or done? [closed]

问题

As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.

Closed 8 years ago.

As programmers, we've all put together a really cool program or pieced together some hardware in an interesting way to solve a problem. Today I was thinking about those hacks and how some of them are deprecated by modern technology (for example, you no longer need to hack your Tivo to add a network port). In the software world, we take things like drag-and-drop on a web page for granted now, but not too long ago that was a pretty exciting hack as well.

One of the neatest hardware hacks I've seen was done by a former coworker at a telecom company years ago. He had a small portable television in his office and he would watch it all day long while working. To get away with it, he wired a switch to the on/off that was activated via his foot under his desk.

What's the coolest hardware or software hack you've personally seen or done? What hack are you working on right now?

回答1:

I recall this hack as being written by Bob Smith, who did the old DOS-era memory manager called 386MAX (or "386 to the Max"). It wasn't part of the product, it was a little utility program he whipped up and posted somewhere. However, on the web the only reference to this technique I can find is a DDJ Undocumented Corner column from November 1996 by Robert Collins.

The Problem

Prior to Intel introducing the CPUID instruction, it was difficult to check the exact type and revision levels of the CPU on your system. It turns out that in most versions of the 386 and later, there actually was a CPU ID, but it was only visible at one specific time: right after the processor was reset in the EDX register. (It was assumed that the computer's BIOS would be the only software legitimately interested in this).

Problem: how can a normal program retrieve this register value if we are not the BIOS?

Background Material

This hack relied on six distinct peculiarities of IBM PC compatible computers. They were as follows:

1. Starting with the IBM AT and later, there is a way to independently disable the A20 address line on the bus.
2. Most computers do not have RAM installed in very high memory addresses just below the BIOS ROM.
3. Most IBM PC bus computers return 0xFF when you read a memory location that has no memory installed there.
4. 0xFF 0xFF 0xFF etc is an illegal opcode on Intel CPUs.
5. If you install an exception handler in memory, it will survive a soft reboot on most CPUs of this era (386 through 486).
6. Upon soft or hard reset, Intel processors jump to an address which is at the top of addressable memory, minus 16 bytes, which is why the BIOS ROM is placed there.

The program combined knowledge of all these pieces of trivia to achieve the goal.

The Hack

The result was a DOS command line program, that did the following:

• Installed an illegal opcode exception handler
• Turned off the A20 address line on the bus
• Soft-rebooted the CPU (I think this was through a BIOS call)

When the soft reboot occurred, the processor would try to jump to the top of memory minus 16 bytes, which is where the ROM startup code is located. However, since A20 was off, it would actually jump to top of memory minus 16 bytes minus one megabyte. On most PCs there is no RAM there. So it would fetch a series of 0xFF bytes from this non-existent RAM, and try to execute it. This would create an illegal opcode exception.

His exception handler would then pluck out the value of EDX (the CPUID) and stash it somewhere he could find it. It would then clean up the mess (turn A20 back on, flip back from protected mode to real mode for DOS) and return control to the original code.

When it worked, it was genius to behold. Voila, here was a simple command-line DOS program that would give you the CPUID value.

Of course, there were inevitably PCs out there which were "not quite compatible" which would crash horribly when you ran this. Ah well.

回答2:

The quake3 inverse square root and the MIT Magic/More Magic switch usually make these lists.

回答3:

Well, it's not the coolest, but it's definitely funny (to programmers).

We built an ad-hoc query builder for a resume database project. There were some ajaxy parts to it and the basic idea was that if you changed anything on the page, the search automatically re-ran itself. (It was triggered by the onBlur event of all the UI widgets)

So we had no real use for a "Search" or "Run Query" button. This confused the users to no end. So we added a search button which did nothing. It just sat there.

It worked because every time you clicked the search button, the onBlur event from the field you were just on would fire.

This made our user base very happy. Simple things.

回答4:

This wasn't a hack I did, but rather someone I worked for a long time ago told me about it (he actually did the hack).

It seems he worked for someone who was blind and who needed a way to read text files. So he figured out how to translate text files to braille and print them out using various characters such as . and :

The printers at the time were impact printers, so when a character was printed, the printing mechanism struck the paper hard enough to leave an impression that could be felt. Since the impression formed on the back of the paper, he had to print an inverted-backwards braille so that when the paper was turned around it was correct.

Of course, the act of reading eliminated the depressions so it was a read-once mechanism, but I always thought that was a pretty cool hack.

回答5:

While working on the reverse-engineering effort of the iPhone, I found a vulnerability in the baseband (chip that handles the telephony and the carrier lock) that would allow you to write zeros arbitrarily. Although this seemed useless at first, it quickly became apparent that this could do far more than I had initially thought. With the way ARM works, certain jumps could be made nullified by writing a single zero in the target, causing the execution path to always continue forward. This enabled a software unlock, but was quickly replaced by a more robust hack that allowed you to reflash the baseband entirely.

Still damn proud of that hack, regardless of its uselessness now.

回答6:

I made a divide-by-eight counter out of pneumatic valves in college in order to get exempted from the remainder of the pneumatics course.

回答7:

Its such a trivial thing, but when I first saw this code (by a fellow developer of mine) I was shocked because it is something I would have never thought of (comments added by me):

cglobal x264_sub8x8_dct_sse2, 3,3  ;3,3 means 3 arguments and 3 registers used
.skip_prologue:
    call .8x4
    add  r0, 64                    ;increment pointers
    add  r1, 4*FENC_STRIDE
    add  r2, 4*FDEC_STRIDE
.8x4:
    SUB_DCT4 2x4x4W                ;this macro does the actual transform
    movhps [r0+32], m0             ;store second half of output data
    movhps [r0+40], m1             ;the rest is done in the macro
    movhps [r0+48], m2
    movhps [r0+56], m3
    ret

It does an 8x8 block of 4 transforms by doing sets of 8x4 at a time. But it doesn't paste the code twice (that would waste code size), nor does it have an 8x4 function and call it twice. Nor does it have a loop either. Instead, it calls the "function" and then increments the pointers, and then "falls" right into it and does it again.

It gets the best of both worlds: no function calling overhead beyond the original (since the pointers r0, r1, and r2 aren't incremented in SUB_DCT4) and no code duplication, and no loop overhead.

回答8:

This summer I wrote a game that I call SatelliteRush. It's a Breakout game for mobile phones with Java and GPS. It can be played in two modes: "boring mode" and "satellite mode". In boring mode, you use buttons to move the paddle, just as usual, but in satellite mode it uses the phone's GPS receiver. You run back and forth, and the paddle moves with you.

I've only tested it on a Sony-Ericsson W760i, and it works reasonably well, given that GPS position updates are rather slow and inexact.

So far I have made a "technical test version" of this game, so it's is not very good-looking or easy to use. But if you have a GPS phone with Java you can download it here: http://www.lysator.liu.se/~padrone/temporary/SatelliteRushTest/

EDIT:

Now available for Android as a free app on Android Market: https://market.android.com/details?id=se.nekotronic.satelliterush

回答9:

Duff's Device. Does that count? :)

回答10:

Duffs Device, for the above question.

The Story of Mel. Hardcore hack.

回答11:

I got an early Commodore 64 Computer, and needed to write assembly code for it.

Problem was, there was no Assembler Program for the C64 (either that, or I couldn't afford one).

So I wrote an assembler by looking up the 6502 opcodes in a book, and creating the program out of the raw bytes.

At some point it was able to take assembly code as its input, and assemble into a program.

A friend of mine had written a disassembler for his PET in BASIC. I used this program to disassemble my assembler, and was then able to use my assembler to assemble newer versions of itself.

Oh, the hoops we had to jump through in the old days :)

回答12:

The coolest hack (and it's not really a hack in the true sense of the word, but it passes as well as some of the above answers) I've ever created was on my Apple //e.

There was one line in the reference manual that said $C010 was the 'any key down' flag.

Which it turned out was true. The high bit of the $C010 soft switch would tell you if a key was down or not despite the built-in key repeat hardware.

What they didn't tell you and everybody found out the hard way was that there was no reliably way to find out WHAT key was being pressed.

If you wrote a little assembly program... (pardon my mistakes, my 6502 assembly is a lot rusty)

  :1
  lda $C010
  cmp #$80
  bcc :1  ; branch if less than? I forget how to do that.
  lda $C000
  jsr $FDF0   ;output the accumulator value to the screen

So it would loop until you pressed a key and would output the key by loading from the $C000 keyboard read switch.

But if you ran that program, it wouldn't quite work right.

It would certainly print out something while you were holding a key down and nothing when you weren't but there was a little lag on the bus somewhere (I think, I'm not a hardware guy) so if you pressed 'f' you'd get lots of f's. But if you stopped, then pressed 'g', you'd get a bunch of 'f's before it switched to 'g'.

You could see evidence of this problem in the apple ][ version of Gauntlet, you'd move in one direction, and if you tried to move in a second direction, you'd move a little bit in your original direction until the you passed the lag.

It made no sense really, because reading $C000 was always 100% accurate, unless you pinged $C010 first.

I found this problem fascinating and after weeks of playing I finally came up with what I still think is the coolest program I've ever written.

The program itself made no sense, it did a few useless ORA's but for some reason it worked, and it yielded correct values from $C000 after querying $C010.

So cool was this, I wrote an article for nibble magazine, which they accepted but never published (either because they went out of business or because the article read like it was written by 15 year old, which it was) where I wrote a replacement keyboard input program and hooked it into the zero page location that everybody calls to get keyboard input and I was able to programmatically change the keyboard repeat delay and repeat rate, something that was otherwise impossible as it was wired into the hardware. Of course the Apple //e was on its way out at that point, but still to this day, my coolest hack.

Update 3/2/2010: Going through some old papers, I found a printout of my little assembly routine. I'm posting it here to see if anybody can figure out why it works, and so it will be forever enshrined in digital form somewhere...

$0300  AD 10 C0  LDA $C010  ; load accumulator with any-key-down flag
$0303  29 80     AND #$80   ; keep only high bit flag
$0305  0D 00 C0  ORA $C000  ; OR accumulate with keyboard soft switch
$0308  10 F9     BPL $0303  ; erm, I forget exactly which branch this is
$030A  09 80     ORA #$80   ; turn the high bit on 
$030C  20 ED FD  JSR $FDED  ; print char in accumulator
$030F  4C 00 30  JMP $0300  ; start again.

Makes no sense why this should work, but it does. Or did. 25 years ago.

回答13:

The Fast Inverse Square Root-- a bizarre little routine that somehow manages to compute the inverse square root of something, but you'd never guess that from looking at it.

http://betterexplained.com/articles/understanding-quakes-fast-inverse-square-root/

回答14:

A friend of mine was replacing the motherboard in his Dell with newer, faster, OEM motherboard. However, he couldn't get the power button, and other front-panel stuff, to work -- the connectors were different sizes, with different pin layouts. I took a bunch of spare jumpers and spare wires, and connected the proper pins one by one. No soldering needed :)

Code-wise, I'm constantly being impressed. I always thought there was no elegant way of determining whether a forked child successfully execed, but there actually is.

child:

execvp(argv[0], argv);
errval = errno;
write(data->fd, &errval, sizeof(errval));

parent:

socketpair(AF_UNIX, SOCK_STREAM, 0, fds);
flag = fcntl(fds[1], F_GETFD) | FD_CLOEXEC;
fcntl(fds[1], F_SETFD, flag);
pid = clone(child, NULL, SIGCHLD, NULL);
if(pid < 0){
        ...
}
close(fds[1]);
/* Read the errno value from the child, if the exec failed, or get 0 if
 * the exec succeeded because the pipe fd was set as close-on-exec.
 */
n = read(fds[0], &ret, sizeof(ret));
if (n < 0) {
        ...
} else if(n != 0){
        /* exec failed */
} else {
        /* exec succeeded */
}

回答15:

Steve Wozniak's disk controller.

回答16:

We were compromised at the small company I worked at by some supposedly Russian hackers. Myself and a few other developers wanted to see how, and so I pulled down the most elegant PHP script I have ever seen down from our server, and promptly deleted it from our live machine.

It was a trojan horse called c99shell which did so much with so little that it was both horrible and beautiful at the same time. The thing had an embedded GUI with images using base64 to output them from the PHP so everything was self contained. The feature list was sick! This thing could start shells, scan for connection strings, lock itself down and a number of other useful things for an attacker.

It was beautiful.

Everyone in the office thought I was nuts, but really, truly this code had quite a bit of thought put into it. They kept the file size small so as to sneak past those pesky upload limits and even had a base64 encoded email notification which collected all the information for the attacker.

回答17:

Tesla's device set the record for man-made lightning (42 meters or 130 feet) and all the lights in Colorado Springs had gone out.

回答18:

The Black Sunday Hack.

回答19:

I would tell you, but they may want my high school diploma back if I admitted to it ;)

回答20:

Back in the days of DOS, I wrote a scripting program to demonstrate my company's software. This scripting program would start the application and then pop up windows on top of the application, describe some of its features using animated type, then close the window, feed keystrokes to the application, wait for the application to display the proper screen, and then pop up more windows. It had its own scripting language and even a script editor so I could interrupt the script, edit it, and then resume running it. The best part is that it ran on top of an unmodified version of our application.

The whole demo application was written in C and assembly language. It hooked timer and keyboard interrupts in order to interact with the application. I wrote everything, including the windowing library.

回答21:

I once hacked together a simple dos-style commandline for the psion 3a during a university lecture. It could only do basic directory listing, browsing, copy & move, but it looked the part - full screen a small font.

Oh, and I programmed pong for the 68008 with pots for input and an oscilloscope for output. Not that hard using a dev board, but there was something cool about playing it on an osc.

回答22:

Not done by me, of course, but I came across it recently and it looked cool:

Self-printing Game of Life in C#

"Conway’s Game of Life has fascinated computer scientists for decades. Even though its rules are ridiculously simple, Conway’s universe gives rise to a variety of gliders, spaceships, oscillators, glider guns, and other forms of “life”. Self-printing programs are similarly curious, and - rather surprisingly - have an important place in the theory of computation.

What happens when you combine the two? You are about to find out, but one thing is for sure: the geekiness factor should be pretty high.

I wrote a little C# program that contains a Game-of-Life grid. The program advances the game grid to the next generation and prints out a copy of itself, with the grid updated. You can take the output, compile it with a C# compiler, run it, and you’ll get the next generation of the game. You can iterate the process, or change the initial grid state manually. "

Follow the link above for source code.

回答23:

I wrote a simple Windows batch file to let me quickly play tracks matching some pattern from my music library (on f: drive) on a painfully slow machine (opening iTunes takes about 3 minutes on this machine!). It supports regular expressions via the findstr command and uses mplayer to play the tracks. All I have to do is press Windows+R and type:

play u2

or:

play "neighbo.+rhood"

or:

play "blink[0-9][0-9][0-9]"

The batch file is like this, in play.bat.

cd /d f:
findstr /I /R %1 dirlist.txt > playlist.txt
mplayer -playlist playlist.txt

Both mplayer and play.bat should be added to your path.

回答24:

I wrote an assembler for a small Virtual Machine (UDVM) with Excel and Visual Basic. You write your assembly code in the Excel cells and your memory layout in the other worksheet, and then at the bottom the machine code binary strings will be calculated. Imagine the dread of hand assemblying every time you change your assembly code.

回答25:

After several days of debugging a dial-up server that was experiencing an unacceptable number of dropped calls, I traced the problem to a home-grown authentication mechanism that depended on the text representation of the running getty's PID. The getty would generate an error and abort if its PID contained an even number followed by a 9, causing the call to drop and the getty to respawn with a new PID.

After the problem was identified, I was taken off the project and later discovered that the "fix" was to change the numeric-to-text conversion from

sprintf(strval, "%d", pid);

to

sprintf(strval, "%o", pid);

Rather than troubleshooting the authentication routine, someone chose to convert the PID to octal, making it impossible to contain a 9!

回答26:

And a self-printing program ('quine') in C#, 149 characters long:

C# Quine

class P{static void Main(){var S=“class P{{static void Main(){{var S={1}{0}{1};System.Console.Write(S,S,’{1}’);}}}}”;System.Console.Write(S,S,‘”‘);}}

回答27:

A couple years ago I was developing a web interface and using some brand-new JS libs for AJAX functionality. The lib only eval'd JS that was in the html doc header, but there was too much data being returned to fit in the header. What to do?

Some poking around revealed that the JS in the header had access to the body of the html doc, so I wrote a generic 'eval the body' function that was returned in the header. Very useful at the time, especially b/c a different JS lib we were evaluating only eval'd JS from the body, so this was compatible for both JS libs and avoided any size constraints from the header!

Yes, simple, but I felt quite awesome for a whole month after figuring this out :)

回答28:

Seeing my former workmate rewriting a playstation one 3d engine within three weeks from scratch in assembler. The old one was to slow and we didn't had the time to change the graphic assets anymore. He started that rewrite two month before deadline.

It was the same guy (and some other dudes as well - it was an act of teamwork) who did an amazing job stuffing 10 minutes of graphics and sound into a 64kb executable.

http://pouet.net/prod.php?which=1221

回答29:

When looking at how to use TCP in 4D, I came across this variation of the Duff Device in the documentation:

$SentOK:=False  //A flag to indicate if we made it through all of the calls
Case of 
   : (SMTP_New ($smtp_id)!=0)
   : (SMTP_Host ($smtp_id;<>pref_Server)!=0)
   : (SMTP_From ($smtp_id;vFrom)!=0)
   : (SMTP_To ($smtp_id;vTo)!=0)
   : (SMTP_Subject ($smtp_id;vSubject)!=0)
   : (SMTP_Body ($smtp_id;vMessage)!=0)
   : (SMTP_Send ($smtp_id)!=0)
Else 
   $SentOK:=True  //message was composed and mailed successfully
End case 
If ($smtp_id!=0)  //If a Message Envelope was created we should clear it now
   $OK:=SMTP_Clear ($smtp_id)
End if 

I looked at it and thought it was really clever (I still do). Unfortunately, it wasn't what I needed and I never got the chance to use it.

回答30:

Not by me:

#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[]){
  int i;

  printf("((((");
  for(i=1;i!=argc;i++){
    if(     strcmp(argv[i], "^")==0) printf(")^(");
    else if(strcmp(argv[i], "*")==0) printf("))*((");
    else if(strcmp(argv[i], "/")==0) printf("))/((");
    else if(strcmp(argv[i], "+")==0) printf(")))+(((");
    else if(strcmp(argv[i], "-")==0) printf(")))-(((");
    else                             printf("%s", argv[i]);
  }
  printf("))))\n");
  return 0;
}

来源：https://stackoverflow.com/questions/192479/whats-the-coolest-hack-youve-seen-or-done